getting physical with security risk & compliance isaca 9-20-11 pdf

Upload: mark-feldman

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 Getting Physical With Security Risk & Compliance ISACA 9-20-11 PDF

    1/37

    2011 ISACA. All rights reserved.

    Getting Physical with Security, Risk and Compliance

    Mark L. Feldman, Ph.D.

    AlertEnterprise, Inc.

  • Slide 2/37

    Daffy Duck Syndrome

  • Slide 3/37

    Pop Quiz

    What is the difference between Risk & Uncertainty?

    So what?

    Too many locations, targets, points of entry and threats

    Too much data

    Too fast

    Too many sources

    Too many distributed assets

    Too many data silos

    Too little context - All of the time

    Hazards: Safety, Security, Revenue, Cost, Reputation, Operator Confidence

  • Slide 4/37

    No Gorillas!

  • Slide 5/37

    The Mad Hatter Response

  • Slide 6/37

    What's Missing?

    The Big Picture

    Context: not only what, but what else

    Real-time interaction across systems:

    Physical

    IT

    Industrial control

    Safety and environmental

    Automated, rules-based prevention of access and authorization violations

  • Slide 7/37

    Why It's Important

    Blended Threats at the Simplest Level

    Logged in remotely & physically

    Active online after badging out

    After hours physical access

    Violation of segregation of physical / logical access

    Account sharing

    Disgruntled employees/contractors

  • Slide 8/37

    Why It's Important

    Blended Threats: A Path to...

    Sensitive Asset Diversion: Dangerous Chemicals, Pathogens, Nuclear material

    Cyber Attacks: Utilities (Water, Power, Gas), Smart Grid, Transportation

    Terrorism: Chemicals stolen to make explosives

    Bio Terrorism: Food & Beverage, Consumer Products

  • Slide 9/37

    Threats & Responses are Increasingly Complex

    Up against Organized and State Sponsored Crime

    Often invisible and distant, and zealots

    Geographically distributed assets/locations

    Guards with guns?

    Technology challenges - weather

    Mobile assets

    Remote monitoring and response challenges

    Is it natural, mechanical or man-made?

    Weather, equipment failure, deliberate acts

    Fast AND informed response

    Interoperable systems

    Correlated data and rules

  • Slide 10/37

    Top Targets

  • Slide 11/37

    Why Critical Infrastructure?

    Large Targets

    Control Systems

    Linkage To Corporate Networks

    Dispersed Assets

    Highly Visible Targets

    Not Designed with Security in mind

    Integration with business creates more vulnerability

    Gates, Guns and Guards not effective over thousands of miles

  • Slide 12/37

    Why Critical Infrastructure?

    Creating catastrophic incident is possible

    Impact Large Populations

    Gain Attention

    Loss Of Public Confidence In Government

    Instill Fear

  • Slide 13/37

    Bio Terror: Systems Disabled, Material Altered and Contaminated

    A CREDIBLE THREAT

    Food Processing Plant Contaminated: Late night intruders entered plant, accessed inventory system and adjusted the food production control system to remove preservatives.

    Highlights

    After-Hours Physical Intrusion

    Adjusted Production Cycle via inventory system

    Control System production settings changed

    Why it happened

    No correlated event monitoring

    Physical security teams received no signal of systems tampering

    Control systems do not have access security

    Result: Economic loss and health risks to consumers

  • Slide 14/37

    Bhopal Tragedy: Deliberate Disabling of Safety System

    CREDIBLE THREAT

    Deliberate Disabling of Safety System: Poisonous gas flooded Bhopal, India the night a refinery water tank ruptured. Citizens woke to burning sensation in lungs. Thousands died immediately and many trampled in the panic.

    Highlights

    Large amount of water entered tank containing 42 metric tons of methyl isocyanate.

    Exothermic reaction raised pressure to level tank was not designed to withstand.

    Why it happened

    Primary safety system turned off by staffer to save cost

    Poor maintenance and compliance status not visible

    Changes to SCADA configurations and privileged user actions not visible to security.

    Result: Loss of life, high economic and reputational cost

  • Slide 15/37

    Texas City, TX Explosion: Unauthorized Override, Slow Response

    CREDIBLE THREAT

    Explosive vapor causes Refinery Explosion: Major explosion in isomerization unit at Texas City Refinery, 3rd largest in US. Explosion killed 15, injured over 170.

    Highlights

    Unauthorized action leads to tank overfill, exceeding pressure limits

    Tank ruptures at top, creating pool of combustible liquid

    A running truck ignites vapor cloud above the liquid.

    Why it happened

    Operator actions not monitored

    No adequate authorization or process controls

    No audit trail to determine who, what, when, so no determination of malicious or unintentional

    Result: Loss of life, high economic, legal and reputational cost.

  • Slide 16/37

    Government Regulators Pressing Physical/Cyber Security

    Government Agency: Critical Infrastructure

    Homeland Security: Information technology, Telecommunications, Chemicals, Transportation systems (mass transit, aviation, maritime, ground/surface, and rail and pipeline systems), Emergency services, Postal and shipping services

    Agriculture: Agriculture, food (meat, poultry, egg products)

    Health and Human Services: Public health, healthcare, and food (other than meat, poultry, egg products)

    EPA: Drinking water and waste water treatment systems

  • Slide 17/37

    Government Regulators Pressing Physical/Cyber Security

    Government Agency: Critical Infrastructure

    Energy: Energy, including the production, refining, storage, and distribution of oil and gas, and electric power

    Treasury: Banking and finance

    Interior: National monuments and icons

    Defense: Defense industrial base

    Nuclear Regulatory Commission: Commercial nuclear power facilities and storage & transport of nuclear materials (in coordination with DOE & DHS)

  • Slide 18/37

    Regulatory Rorschach

  • Slide 19/37

    Situational Intelligence

    Sorting out simultaneous events to understand relationships between objects, functions and events in real-time

    Operating status

    Out-of-band performance

    Unscheduled physical access

    Weather conditions, other natural events

    Online chatter - activism

    Unauthorized use of resources

    Performance history

    Port scans

    Unauthorized systems access

    Configuration changes

    Policy changes

    User access to assets

    Incident alerts

    Error conditions

    Non-privileged access

    KPIs

    Maintenance history

  • Slide 20/37

    Two Big Challenges

    Reduce risk & uncertainty by:

    accelerating INFORMED action-taking and event resolution;

    AUTOMATING compliance documentation of adherence to policies, procedures and regulations

  • Slide 21/37

    Solution

    Accelerate informed decision-making, action-taking and compliance

    Integrate real-time data on access, authorization and changes to physical, logical and control systems

    Execute rules-based correlation

    Add information on external context (what else? Natural? Man-made?)

    Automate online action scripts

    Automated audit trail for documentation for regulatory compliance, audit

    Benefits -

    Security, Safety, Revenue protection, Cost-Reduction, Regulatory Compliance
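The rules-based correlation this Solution slide calls for, together with the blended-threat patterns listed on the "Why It's Important" slide (logged in remotely while badged in, active on site after badging out, after-hours physical access), as an added Python example that is not from the deck and not AlertEnterprise's product: it merges a constructed stream of badge-reader and logon events by timestamp, keeps each user's physical-presence state, evaluates three rules against every event, and records an audit trail of each event and the alerts it raised. The event shapes, rule names and the 22:00 to 05:00 after-hours window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample stream (not from the deck): badge-reader events and IT
# logon events for one day, deliberately out of order as separate feeds would be.
# kind: badge_in | badge_out | local_login (console on the site LAN) | vpn_login
SAMPLE_EVENTS = [
    {"ts": "2011-09-20T08:01:00", "kind": "badge_in",    "user": "alice", "where": "HQ-Door-3"},
    {"ts": "2011-09-20T08:07:00", "kind": "local_login", "user": "alice", "where": "HQ-WS-117"},
    {"ts": "2011-09-20T09:30:00", "kind": "vpn_login",   "user": "alice", "where": "203.0.113.7"},
    {"ts": "2011-09-20T17:45:00", "kind": "badge_out",   "user": "alice", "where": "HQ-Door-3"},
    {"ts": "2011-09-20T18:10:00", "kind": "local_login", "user": "alice", "where": "HQ-WS-117"},
    {"ts": "2011-09-20T23:40:00", "kind": "badge_in",    "user": "bob",   "where": "Substation-12-Gate"},
    {"ts": "2011-09-20T10:00:00", "kind": "vpn_login",   "user": "carol", "where": "198.51.100.9"},
]

AFTER_HOURS_START, AFTER_HOURS_END = 22, 5  # assumed policy window: 22:00 up to 05:00


@dataclass
class UserState:
    """Physical-presence state derived from the badge system."""
    onsite: bool = False
    last_badge_out: Optional[datetime] = None


# Each rule sees the user's state *before* the event is applied and returns an
# alert name or None. Rules only read state; correlate() updates it.
def rule_remote_while_onsite(st, ev):
    # "Logged in remotely & physically": VPN logon while the badge says on site
    return "REMOTE_WHILE_ONSITE" if ev["kind"] == "vpn_login" and st.onsite else None


def rule_active_after_badge_out(st, ev):
    # "Active online after badging out": console logon on the site LAN after the
    # badge system last saw the user leave and has not seen them return
    if ev["kind"] == "local_login" and not st.onsite and st.last_badge_out is not None:
        return "ACTIVE_AFTER_BADGE_OUT"
    return None


def rule_after_hours_physical(st, ev):
    # "After hours physical access": badge-in inside the after-hours window
    if ev["kind"] == "badge_in":
        h = ev["ts"].hour
        if h >= AFTER_HOURS_START or h < AFTER_HOURS_END:
            return "AFTER_HOURS_PHYSICAL"
    return None


RULES = [rule_remote_while_onsite, rule_active_after_badge_out, rule_after_hours_physical]


def correlate(events):
    """Merge the feeds by timestamp, evaluate every rule on every event, then
    update the user's presence state. Returns (alerts, audit_trail)."""
    ordered = sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
                     key=lambda e: e["ts"])
    states = defaultdict(UserState)
    alerts, audit = [], []
    for ev in ordered:
        st = states[ev["user"]]
        fired = [name for name in (rule(st, ev) for rule in RULES) if name]
        for name in fired:
            alerts.append({"rule": name, "user": ev["user"], "ts": ev["ts"].isoformat(),
                           "evidence": f'{ev["kind"]} @ {ev["where"]}'})
        # state transitions happen after evaluation so rules see the prior state
        if ev["kind"] == "badge_in":
            st.onsite = True
        elif ev["kind"] == "badge_out":
            st.onsite = False
            st.last_badge_out = ev["ts"]
        # the audit trail records every event and what the rules concluded about it
        audit.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "kind": ev["kind"],
                      "where": ev["where"], "alerts": fired})
    return alerts, audit


if __name__ == "__main__":
    found, trail = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:<24} {a["user"]:<6} {a["evidence"]}')
    print(f"{len(trail)} events audited, {len(found)} alerts")
```

On the sample stream the three rules fire once each (alice's VPN logon while badged in, alice's console logon after badging out, bob's 23:40 badge-in at the substation gate), and carol's VPN logon with no badge activity raises nothing. The presence state is only as good as the badge data: tailgating and doors without exit readers leave a user marked on site or off site incorrectly, so a production deployment would expire the onsite flag at the end of a shift and treat anti-passback violations from the access control system as their own signal.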

  • Slide 22/37

    Integrate Threat Signals Across IT Systems, Physical Security and Control Systems

    Detect: Risk analysis across all three domains

    Prevent: Identify and eliminate risks before they manifest, from threats, sabotage and terrorism

    Respond: Incident management with built-in programmed remediation

    Comply: Policy Based (Compliance to various regulations / policies)

  • Slide 23/37

    Terminated Employee has Physical Access to Substation

    Terminated user has Physical access to Critical Cyber Assets

  • Slide 24/37

    Predictive Analytics can Identify Risks

  • Slide 25/37

    Automated Remediation and Prevention
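The terminated-employee scenario two slides back (a terminated user who still holds physical access to a substation or to critical cyber assets) and the automated remediation this slide names, as an added Python example that is not from the deck and not AlertEnterprise's product: it reconciles constructed HR status records against badge entitlements and IT accounts, flags entitlements held by identities HR no longer considers active (or has no record of), ranks them by the criticality of the area, and emits the revoke and disable actions a remediation workflow would execute. The data shapes, the HR status values and the area names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the deck). In practice these come from the
# HR system, the physical access control system and the directory respectively.
HR_RECORDS = {  # identity -> (status, last working day)
    "alice": ("active", None),
    "dan":   ("terminated", date(2011, 9, 2)),
    "erin":  ("terminated", date(2011, 9, 15)),
    "frank": ("contractor-ended", date(2011, 8, 30)),
}
BADGE_ENTITLEMENTS = [  # (identity, area, criticality of what the area protects)
    ("alice", "HQ-Lobby", "low"),
    ("dan",   "Substation-12", "critical"),
    ("dan",   "HQ-Lobby", "low"),
    ("erin",  "ControlRoom-A", "critical"),
    ("frank", "Warehouse", "medium"),
    ("ghost", "Substation-12", "critical"),   # badge with no HR record at all
]
IT_ACCOUNTS = {"alice": True, "dan": True, "erin": False, "frank": True}  # identity -> enabled

INACTIVE_STATUSES = {"terminated", "contractor-ended"}  # assumed HR status values
SEVERITY_RANK = {"high": 0, "medium": 1}


def find_orphaned_access(hr, badges, today):
    """Return badge entitlements held by identities HR no longer considers active,
    most serious first. An identity unknown to HR is treated as orphaned too."""
    findings = []
    for identity, area, criticality in badges:
        record = hr.get(identity)
        if record is None:
            reason, last_day = "no_hr_record", None
        elif record[0] in INACTIVE_STATUSES:
            reason, last_day = record
        else:
            continue  # active worker: nothing to flag here
        findings.append({
            "identity": identity, "area": area, "criticality": criticality,
            "reason": reason,
            "severity": "high" if criticality == "critical" else "medium",
            "days_exposed": (today - last_day).days if last_day else None,
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["identity"], f["area"]))
    return findings


def plan_remediation(findings, accounts):
    """Turn findings into the actions a remediation workflow would execute:
    revoke every orphaned badge entitlement and disable any still-enabled account."""
    actions, disabled = [], set()
    for f in findings:
        actions.append(("revoke_badge", f["identity"], f["area"]))
        if accounts.get(f["identity"]) and f["identity"] not in disabled:
            actions.append(("disable_account", f["identity"], None))
            disabled.add(f["identity"])
    return actions


if __name__ == "__main__":
    today = date(2011, 9, 20)
    found = find_orphaned_access(HR_RECORDS, BADGE_ENTITLEMENTS, today)
    for f in found:
        print(f'{f["severity"]:<6} {f["identity"]:<6} {f["area"]:<14} {f["reason"]:<17} exposed={f["days_exposed"]}')
    for action in plan_remediation(found, IT_ACCOUNTS):
        print(action)
```

Run against the sample data it reports five orphaned entitlements, three of them on critical areas, with the days each has been exposed since the person's last working day; the planned actions revoke all five and disable the two accounts that are still enabled, leaving erin's already-disabled account alone. The "no HR record" case is the one worth watching in real reconciliations: a badge that maps to nobody in HR is usually a shared or legacy credential, and it is exactly the kind of gap that lets a terminated person keep physical access.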

  • Slide 26/37

    Dashboard with Real Time Monitoring and Active Policy Enforcement

  • Slide 27/37

    Situational Awareness: Converged Dashboard for Oil & Gas Industry

    Well Trend

    User Based Risk Analysis

  • Slide 28/37

    Airport Security: Integrating Identity Data with Physical Security Information

  • Slide 29/37

    Detect Unauthorized Access Attempt

  • Slide 30/37

    Automating Incident Management and Response

    Identify & Confirm

    Initiate Notification Workflow

    Initiate Lockdown

    Notify First Responders for Dispatch

  • Slide 31/37

    Geospatial view of Substation

  • Slide 32/37

    High severity drill down for detail

  • Slide 33/37

    Substation Sabotage risk!

  • Slide 34/37

    Access Live Video and Initiate Physical Lockdown

  • Slide 35/37

    Recommendation to Protect Critical Infrastructure

    Create an Integrated View of Incidents:

    Physical

    Logical

    Industrial Controls

    External Factors

    Correlate data in real time & log action taken

    Rules based

    Automated audit trail for documented compliance

    Monitor Insiders with Privileged Access

    Monitor Risks by Status/Severity Level

    Segregation of Access

    Establish mitigating controls with special access

  • Slide 36/37

    About AlertEnterprise: True Prevention of Theft, Sabotage and Acts of Terrorism

    Most Innovative Company Awards: RSA Security Conference 09, Security Summit 09, Demo Jam at SAP TechEd 08, ASIS Top 10 Award 09, Gartner Cool Vendor 2010

    Key Partners: SAP, Cisco, HP, IBM, PwC, Deloitte, SAIC; Physical Security: GE, JCI, Lenel; Plant Security: OSIsoft, Matrikon

    Unique Differentiators: Security Convergence; Active policy Enforcement; True prevention of theft, sabotage, terrorism; Eliminating Silos (IT, Physical, Operational Systems)

    Flagship Customers: Florida Power & Light, Oklahoma Gas & Energy, Coca-Cola, Cisco, TSA

    Special Projects: NERC Monitoring of unmanned critical assets; Smart Grid Cyber Security pilot with top utilities; Nuclear Cyber Security

    Experienced Team with Unparalleled Track Record: Founded Application Security Company Virsa (now SAP GRC)

    AlertEnterprise Confidential Information

  • Slide 37/37

    No Gorillas!

    Thank You!

    Mark L. Feldman, Ph.D.

    AlertEnterprise

    [email protected]