
Asset Management or: How I learned to stop kicking the can down the road.pdf

Uploaded by: 可*** ID: 991910 2025-12-07 12 pages 1.70MB

Asset Management or: How I learned to stop kicking the can down the road
Presented by: Nikolas Upanavage, P.E.

EPC Perspective
Engineering: Requirements Identification, Design Drawings
Procurement: Specifications, Material Requisitions
Construction: Work packages, Field Change Requests
Startup: Energization, Loop Tests, Configuration changes

SANS ICS Critical Controls 2 and 5
Source: Robert M. Lee and Tim Conway. (2022). The Five ICS Cybersecurity Critical Controls White paper. SANS Institute

Standards/Regulations/Frameworks/Guidance
IEC/ISA 62443-2-1: CM 1.1 Asset Inventory Baseline; CM 1.4 Change Control
62443-2-4: SP.06.02 Base Requirement Inventory Register
ISA-TR84.00.09-2024 Part 1: 4.2.15 Cyber config and change management
NIST 800-53/800-82: CM-8 SYSTEM COMPONENT INVENTORY
Nuclear 10 CFR 73.54 "identify those assets that must be protected against cyber attacks"
Reg Guide 5.71: Appendix C, C.11.9 Component Inventory
NEI 08-09: Appendix E, 10.9 COMPONENT INVENTORY

Why should we care about asset inventories?
Arguments against:
Asset inventory will never be 100% accurate
Too many resources needed to maintain
We'll have a software tool to do this for us
Other cyber design requirements are higher priority

Kicking the can
In my experience, with so many competing requirements and design focal points, asset inventory tends to be pushed down the road.
Credit: Jurassic Park, dir. Steven Spielberg
Credit: Explorers, dir. Joe Dante

Construction/Startup
Centralized automated tools not useful when physical connections are not complete.
https:/ Unknown Author is licensed under https://creativecommons.org/licenses/by/3.0/
Under Floor Cable Runs Str 2 by Robert.Harker is licensed under https://creativecommons.org/licenses/by/3.0/

Factory Acceptance Testing
Low risk opportunity to gather asset data
Data often availabl

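This document discusses the importance of asset inventory management in industrial control system (ICS) cybersecurity. The key points are:
1. **Industrial control workflow**: Introduces the engineering, procurement, construction and startup phases and emphasizes the need for an asset inventory in these phases.
2. **Standards and regulations**: Cites IEC/ISA, NIST and nuclear-industry regulations, all of which emphasize the importance of asset inventories.
3. **Objections to asset inventories**: Some argue that an asset inventory can never be 100% accurate and is costly to maintain, but the document points out its foundational role in cybersecurity.
4. **Testing and handover**: Notes that factory acceptance testing (FAT) is a low-risk opportunity to collect asset data; at handover, traceability and configuration management are key.
5. **Asset data details**: Lists the details that should be captured, including information on hardware, virtual hardware and software.
6. **Conclusions and recommendations**: Emphasizes that FAT is a good time to collect data; recommends that organizations set up a dedicated OT cybersecurity engineering group to manage project cybersecurity; proposes that the industry standardize the format of manually collected asset data to ease later management and monitoring.
Key data cited: "Model Number", "Firmware Version", "Inventory types", and source links for asset detail information.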