SESSION ID: PS-F01
SDLC and 62443: Build It In, Don’t Bolt It On
Shoshana Wodzisz
Global Product Security Leader
Rockwell Automation
@slwodzisz
#RSAC

What is IEC 62443?
Series of global standards that define requirements for implementing electronically secure Industrial Automation and Control Systems (IACS). It covers the entire lifecycle of a product.
In other words: International Standard Cybersecurity Industrial Control Systems
Customers care because:
Globally recognized standard
Independently certified
They now know what to ask for

IEC/ISA 62443 Defense in Depth
Risk Transference

How do companies start on the security journey?
Extra time they don’t know what to do with
Value process over delivering products
Love paying taxes
Idolize Microsoft and their SDLC
Industry standards
Customer requests

We started using the “Bolt On” method

To add Security to your Development Process ….
You must have development processes to start with
We do have development processes…..lots of them !!
We found that they were essentially all the same.

Our SDLC Evolution

Started with a Framework
Management, Concept, Development, Production, Utilization (Install, Commission, Validate, Operate, Maintain, Repair), Support (Modify, Retrofit, Support), Disposal
Product Lifecycle: Concept → Disposal not just “development”
ISO/IEC 15288:2015 Systems and Software Engineering System Life Cycle Processes

Processes in the Framework
Reviews, Audits, Supply Chain, Skills/Training, Dev Environment, Governance
Management, Concept, Development, Production, Utilization (Install, Commission, Validate, Operate, Maintain, Repair), Support (Modify, Retrofit, Support), Disposal
Requirements, Design, Assess Risk, Implement/Code, Test, Assess Risk, Threat Modeling, Configuration Mgmt., Release, Incident Response, Metrics
ISO/IEC TR24774 Systems and software engineering – Life cycle management – Guidelines for process description.

Defined the processes
Leveraged 24774 as guidance to developing a process
Focused on activities and tasks
Created a process template for the teams to use
Wrote processes based on industry and internal best practices
Etc.

Ideas & Theories
Frameworks
Consistent Processes
The Nitty Gritty Engineering Details
We really started here
Just above the details
Management, Concept, Development, Production, Utilization (Install, Commission, Validate, Operate, Maintain, Repair), Support (Modify, Retrofit, Support), Disposal

How we really built security in

Cultural “Experiences”
“We already do this today – just clean up a few processes and get them certified!”
“Make sure all groups have a voice and buy-in”
“We do development differently than all other groups in the company – our products are different”
“We already have processes, let me show you my 8 tab excel checklist.”
“We have a stage gate process. Get it – it’s our process !”

Company Policy: Security is not optional.
Processes: Activities and tasks (IEC TR 24774)
Templates: Consistency in outputs
Job Aids, Work Instructions, Procedures: How we do our work
Checklists: Things we often forget

A note on process development
Besides understanding what a Process is, these specific areas continue to trip people up –
Outcome of a Process – what would it look like if the process were successfully executed?
Not: The design is signed off
Yes: Multiple design options are considered, documented, and communicated to help ensure that fu

PDF document: 2020_USA20_PS-F01_01_SDLC and 62443 Build it in dont bolt it on

This document was uploaded and shared by 张玉竹 on 2022-04-08 09:36:48.