© Cyber SECurity Consulting www.cybersecconsulting.com
2318 Monkton Rd. Monkton MD 21111
USA 410.472.1588
Proprietary & Confidential
Automation and Security Consulting Services for Industrial Process Automation
www.industryconsulting.org
Mission Statement
Cyber SECurity Consulting provides our customers with information, support, training, engineering and consulting services to enable them to create and maintain a safe and secure business operating environment.
Industries Served
• Refining and Petro-Chemical
• Electric Power T&D
• Electric Power Generation
• Water/Waste-Water
• Chemical Production
• Discrete Manufacturing
Our Consultant Experience
Cyber SECurity Consulting has on-staff senior consultants with expertise in the following industries:
• Electrical power generation, transmission and distribution
• Electrical substation automation
• Water and Waste-Water processing
• Oil and gas pipelines, distribution terminals and storage facilities
• Refining and petrochemical plants
• Specialty and intermediate chemical plants
• Regulated industries such as pharmaceutical, food/beverage
• General high-volume manufacturing
Our consulting staff includes personnel with:
• Advanced technical and Engineering degrees including PhD
• CISSP – Certified Information Systems Security Professional
• Business process analysis and re-engineering
• Over 25 years of experience deploying and designing:
- Supervisory Control (SCADA) Systems
- Distributed Control (DCS) Systems
- PLC-based Automation Systems
- Substation Integration/Automation Systems
• Plant automation experience in a wide range of industries
• Extensive Customer Training/Educational Experience
• Knowledge of the current Cyber Security technologies
• Familiarity with Government/Industry efforts in the area of automation system/plant security (NERC, ISA, DHS, etc…)
Service Offerings
Training Services:
• Technology Training Classes
- Introduction to DCS and PLC Technology
- Introduction to SCADA Technology
- Basic Process Measurement & Control
- Communications & Networking
• Security Training Classes
- Introduction to Security Concepts
- NERC CIP-002 to 009
- Understanding ISA SP99 Recommendations
- Cyber Security & Cyber Threats
- Industrial Automation Security
- Vulnerability and Risk Assessment
Consulting Services:
• Vulnerability Assessments/Gap Analysis
• Risk Assessments/Countermeasures
• Policy and Procedure Development
• Security Program Management
• Disaster Recovery Planning
• Compliance with NERC Requirements
Service Offerings
NERC-Specific Services:
• Management Briefing on CIP-001/009
• Identification of Critical Cyber Assets
• Physical and Electronic Perimeter Definitions
• Vulnerability Assessments
• Risk and Gap Analysis
• Development of Implementation Plans
• Employee Training
• Policy and Procedure Development
• Disaster Recovery Planning
• Program Auditing and Incident Reporting
NERC Compliance Process
NERC CIP Vulnerability Assessment Process
Information gathering phase:
• Identify and document Critical Cyber Assets
• Identify and document Critical Cyber Information
• Identify and document Physical Security Perimeter
• Identify and document communication and network connections
• Identify and document all personnel who have access rights
• Identify and review all existing cyber security policies and procedures
Key methodology/standard: Physical Audit, Physical Audit, Physical Inspection, Physical Inspection, Background checks, NERC checklist
Action plan formulation phase:
• Review findings versus NERC requirements
• Develop action plan for addressing all short-comings
Key methodology/standard: Non-compliance levels, NERC 1200
NERC Compliance Process
NERC CIP Compliance Attainment Process
Plan implementation phase:
• Develop and document necessary policies and procedures
• Select methods for creating electronic security perimeter
• Implement and test the electronic perimeter
• Select methods for creating the physical security perimeter
• Implement and test the physical security perimeter
• Provide security training to all employees as needed
Key methodology/standard: Iterative reviews, Technology survey, PEN testing, Technology survey, Social engineering testing, Awareness campaign
• Test and validate Systems Management and recovery procedures
• Test and validate system/component test/commissioning procedures
Key methodology/standard: Disaster Simulation & audits, Structured audit
NERC Compliance Process
NERC CIP Compliance - Ongoing
• You must maintain audit logs for a wide range of items, actions & changes
• You must review your policies/procedures on a regular (annual) basis
• You must test your procedures, especially disaster recovery, regularly
• You must maintain training and awareness programs
• You must regularly re-certify/test your physical & electronic perimeters
• You MUST ENSURE that policies and procedures are being followed!!! (If not, then find out why and change them if you need to do so…)
Security Program Management
[Figure: the 19 activities below plotted as Maturity versus Time and grouped into Plan Phase, Do Phase, Check Phase and Act Phase. Legend: Activity MUST be completed before proceeding to next activity; Activity DOES NOT need to be completed before proceeding to next activity.]
1. Develop a Business Case
2. Obtain Leadership Commitment, Support, and Funding
3. Define the Charter and Scope of IACS Security for Your Organization
4. Form a Team of Stakeholders
5. Raise Staff Cyber Security Capability through Training
6. Characterize the Key IACS Risks
7. Prioritize and Calibrate Risks
8. Establish High-Level Policies that Support the Risk Tolerance Level
9. Organize for Security
10. Inventory IACS Devices and Networks
11. Screening and Prioritization of IACS
12. Conduct a Detailed Security Assessment
13. Develop Detailed IACS Cyber Security Policies and Procedures
14. Define the Common Set of IACS Security Risk Mitigation Controls
15. Develop Additional Elements of the CSMS Plan
16. Quick Fix
17. Charter, Design, and Execute Cyber Security Risk Mitigation Projects
18. Establish, Refine and Implement the CSMS
19. Adopt Continuous Improvement Operational Measures
Cyber SEC suggests following the recommended 19-step program delineated in the ISA’s TR-99.002 Technical report as the basis for moving forward with the initial creation of, and long-term support for, an industrial automation security program. This program approach addresses physical, operational [personnel] and cyber [electronic] security and provides the basis for an on-going cycle of review and improvement.
Vulnerability Assessment
Cyber SEC uses a modified version of the DuPont DNSAM vulnerability assessment methodology. The major difference is the consideration of a range of technical, physical and administrative countermeasures when addressing probable threats.
The assessment takes the entire range of interconnected LAN and WAN ‘segments’, identifies the critical systems and assets located on each, and then identifies the available connectivity onto, and accessibility of, each segment.
The critical systems could be controllers, HMIs, supervisory computers, historians, servers, ESD systems, batch managers, etc. Assets can be information, files, software, databases, etc.
Segments are formed by the presence of an ‘isolation’ appliance (a firewall) that controls traffic between the two adjacent segments.
Segment connectivity could be via gateways, WAN connections, telephone dial in/out, wireless access points, and even through portable media or computer equipment.
Risk Assessment
Cyber SEC uses a qualitative risk assessment methodology that assigns every threat a probability and consequence rating. A three- or four-level scale is used for each of the two categories. Consequences are ranked based on a range of impacts including health, safety, environmental, business, facilities and regulatory impacts.
The end result of the assessment will be a Pareto chart of vulnerabilities ranked on an A through D classification, where the priority order of the countermeasure implementation will be in that same order. Countermeasures will be recommended based on their comparative cost-performance ratio.
A consequence table that reflects your business risk-tolerance and safety requirements level will be developed and used to rank threats.
Assessment Tools
NERC CIP 001/009 Vulnerability Assessment Workbook
Provides:
1. A centralized document for enumerating the identified critical cyber assets
2. Documentation of the physical security perimeter
3. Documentation of the electronic security perimeter
4. Segment-by-segment delineation of the critical cyber assets on each LAN and WAN (sub) network that forms the critical cyber infrastructure
5. Risk/Consequence analysis for each segment
6. Documentation of the information cyber assets
7. Documentation of the existing/missing policies
Assessment Tools
Countermeasure Business Case Justification Development Workbook
Provides:
1. A way to document and record the vulnerabilities and threats deemed worthy of consideration and for which countermeasures need to be put into place
2. A financial assessment of consequences with a corresponding financial budget estimate for countermeasures, based on company risk-aversion levels
3. A budget estimate for the investment level justified by the exposure reduction generated by countermeasures
Gap Analysis
Cyber SEC teams with Neurametrics to perform gap analysis and to gather information that is used to assess current policies and procedures and training programs. Their web-based tools enable convenient, automated data collection across the entire organization, regardless of facility locations.
Consolidated ‘layers’ view gives a quick assessment of each area of consideration.
Views can be generated by location, department, group and topic.
This version is configured to perform a NERC gap analysis based on CIPs 001 to 009.
Gap Analysis
This version is configured to assess process/manufacturing plant security per TR-99.001 & 002.
Educational Materials
Technical Book on SCADA System Cyber Security Issues and Approaches
Available from PennWell Publishing
Chapter Outline:
1. The Technological Evolution of SCADA Systems
2. Remote Terminal Units
3. Telecommunications Technologies
4. Supervisory Control Applications
5. Operator Interface
6. Conventional Information Technology (IT) Security
7. Identifying Cyber security Vulnerabilities
8. Classifying Cyber Attacks and Cyber Threats
9. Physical Security
10. Operational Security
11. Electronic/Systems Security
12. Electric Utility Industry - Specific Cyber security Issues
13. Water/Wastewater Industry - Specific Cyber Security Issues
14. Pipeline Industry - Specific Cyber Security Issues
15. The Emerging Cyber Threat to SCADA Systems
16. Commercial Hardware and Software Vulnerabilities
17. Traditional Security Features of SCADA Systems
18. Eliminating the Vulnerabilities of SCADA Systems
Educational Materials
Self-Paced Courses on DVD
In addition to on-site customer training classes, Cyber SECurity Consulting offers several courses on DVD.
Available Topics:
1. Introduction to DCS Technology
2. Introduction to PLC Technology
3. Introduction to SCADA Technology
4. Communications & Networking
5. Introduction to Security Concepts
6. Cyber Security & Cyber Threats
7. Industrial Automation Security and SP99
8. Vulnerability and Risk Assessment
Thank You For Your Time!
Questions?