Transcript Slide 1
2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Automation and Security Consulting Services for Industrial Process Automation © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Mission Statement Cyber SECurity Consulting provides our customers with information, support, training, engineering and consulting services to enable them to create and maintain a safe and secure business operating environment © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Industries Served • Refining and Petro-Chemical • Electric Power T&D • Electric Power Generation • Water/Waste-Water • Chemical Production • Discrete Manufacturing © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com Our Consultant Experience 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Cyber SECcurity Consulting has on-staff senior consultants with expertise in the following industries: • Electrical power generation, transmission and distribution • Electrical substation automation • Water and Waste-Water processing • Oil and gas pipelines, distribution terminals and storage facilities • Refining and petrochemical plants • Specialty and intermediate chemical plants • Regulated industries such as pharmaceutical, food/beverage • General high-volume manufacturing © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com Our Consultant Experience 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Our consulting staff includes personnel with: • • • • Advanced technical and Engineering degrees including PhD CISSP – Certified Information System Security Professional Business process analysis and re-engineering Over 25 years of experience deploying an designing Supervisory Control (SCADA) Systems Distributed Control (DCS) Systems PLC-based Automation Systems Substation Integration/Automation Systems • Plant automation experience in a wide range of industries • Extensive Customer Training/Educational Experience • Knowledge of the current Cyber Security technologies • Familiarity with Government/Industry efforts in the area of automation system/plant security (NERC, ISA, DHS, etc…) © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Service Offerings Training Services: • Technology Training Classes - Introduction to DCS and PLC Technology Introduction to SCADA Technology Basic Process Measurement & Control Communications & Networking • Security Training Classes - Introduction to Security Concepts - NERC CIP-002 to 009 - Understanding ISA SP99 Recommendations - Cyber Security & Cyber Threats - Industrial Automation Security - Vulnerability and Risk Assessment Consulting Services: • Vulnerability Assessments/Gap Analysis • Risk Assessments/Countermeasures • Policy and Procedure Development • Security Program Management • Disaster Recovery Planning • Compliance with NERC Requirements © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Service Offerings NERC-Specific Services: • Management Briefing on CIP-001/009 • Identification of Critical Cyber Assets • Physical and Electronic Perimeter Definitions • Vulnerability Assessments • Risk and Gap Analysis • Development of Implementation Plans • Employee Training • Policy and Procedure Development • Disaster Recovery Planning • Program Auditing and Incident Reporting © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 NERC Compliance Process NERC CIP Vulnerability Assessment Process Identify and document Critical Cyber Assets Identify and document Critical Cyber Information Physical Inspection Identify and document communication and network connections Information gathering phase Action plan formulation phase © Cyber SECurity Consulting Review findings versus NERC requirements Physical Audit Identify and document Physical Security Perimeter Physical Inspection Develop action plan for addressing all short-comings Physical Audit Identify and document all personnel who have access rights Identify and review all existing cyber security policies and procedures NERC 1200 Noncompliance levels Background checks NERC checklist Key methodology/standard Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 NERC Compliance Process NERC CIP Compliance Attainment Process Develop and document necessary policies and procedures Test and validate system/component test/commissioning procedures Iterative reviews Select methods for creating electronic security perimeter Technology survey Implement and test the electronic perimeter Technology survey Plan implementation phase © Cyber SECurity Consulting Test and validate Systems Management and recovery procedures PEN testing Select methods for creating the physical security perimeter Implement and test the physical security perimeter Provide security training to all employees as needed Structured audit Disaster Simulation & audits Social engineering testing Awareness campaign Key methodology/standard Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com NERC Compliance Process 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 NERC CIP Compliance - Ongoing • You must maintain audit logs for a wide range of items, actions & changes • You must review your policies/procedures on a regular (annual) basis • You must test your procedures, especially disaster recovery, regularly • You must maintain training and awareness programs • You must regularly re-certify/test your physical & electronic perimeters • You MUST INSURE that policies and procedures are being followed !!! (If not, then find out why and change them if you need to do so…) © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Security Program Management 15. Develop Additional Elements of the CSMS Plan 13. Develop Detailed IACS Cyber Security Policies and Procedures 18. Establish, Refine and Implement the CSMS 19. Adopt Continuous Improvement Operational Measures 14. Define the Common Set of IACS Security Risk Mitigation Controls 17. Charter, Design, and Execute Cyber Security Risk Mitigation Projects Cyber SEC suggests following the recommended 19-step program delineated in the ISA’s TR-99.002 Technical report as the basis for moving forward with the initial creation of, and long-term support for, an industrial automation security program. This program approach addresses physical, operational [personnel] and cyber [electronic] security and provides the basis for an on-going cycle of review and improvement. 10. Inventory IACS Devices and Networks 9. Organize for Security 11. Screening and Prioritization of IACS 12. Conduct a Detailed Security Assessment Maturity 8. Establish High-Level Policies that Support the Risk Tolerance Level 16. Quick Fix 7. Prioritize and Calibrate Risks 6. Characterize the Key IACS Risks 4. Form a Team of Stakeholders 5. Raise Staff Cyber Security Capability through Training 3. Define the Charter and Scope of IACS Security for Your Organization Legend Plan Phase Do Phase 2. Obtain Leadership Commitment, Support, and Funding Activity MUST be completed before proceeding to next activity Check Phase 1. Develop a Business Case Act Phase Activity DOES NOT need to be completed before proceeding to next activity Time © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com Vulnerability Assessment 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Cyber SEC uses a modified version of the DuPont DNSAM vulnerability assessment methodology. The major difference being the consideration of a range of technical, physical and administrative countermeasures when addressing probable threats. Assessment takes the entire range of interconnected LAN and WAN ‘segments’ and identifies critical systems and assets located on each and then identifies the available connectivity onto, and accessibility of, each segment. The critical systems could be controllers, HMIs, supervisory computers, historians, servers, ESD systems, batch managers, etc. Assets can be information, files, software, database, etc. Segment connectivity could be via gateways, WAN connections, telephone dial in/out, wireless access points, and even through portable media or computer equipment © Cyber SECurity Consulting Segments are formed by the presence of an ‘isolation’ appliance (a firewall) that controls traffic between the two adjacent segments Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Risk Assessment Cyber SEC uses a qualitative risk assessment methodology that assigns every threat a probability and consequence rating. A three or four level scale is used for each of the two categories. Consequences are ranked based on a range of impacts including health, safety, environmental, business, facilities and regulatory impacts. The end result of the assessment will be a Pareto chart of vulnerabilities ranked on an A through D classification, where the priority order of the countermeasure implementation will be in that same order. Countermeasures will be recommended based on their comparative cost-performance ratio A consequence table will be developed that reflects your business risk-tolerance and safety requirements level and used to rank threats © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Assessment Tools Provides: NERC CIP 001/009 Vulnerability Assessment Workbook © Cyber SECurity Consulting 1. A centralized document for enumerating the identified critical cyber assets 2. Documentation of the physical security perimeter 3. Documentation of the electronic security perimeter 4. Segment-by-segment delineation of the critical cyber assets on each LAN and WAN (sub) network that forms the critical cyber infrastructure 5. Risk/Consequence analysis for each segment 6. Documentation of the information cyber assets 7. Documentation of the existing/missing policies Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Assessment Tools Countermeasure Business Case Justification Development Workbook Provides: 1. A way to document and record the vulnerabilities and threats deemed worth of consideration and for which countermeasures need to be put into place 2. A financial assessment of consequences with a corresponding financial budget estimate for countermeasures, based on company risk-aversion levels 3. An budget estimate for the investment level justified by the exposure reduction generated by countermeasures © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Gap Analysis Cyber SEC teams with Neurametrics to perform gap analysis and to gather information that is used to assess current policies and procedures and training programs. Their web based tools enable convenient, automated data collection across the entire organization, regardless of facility locations Views can be generated by location, department, group and topic Consolidated ‘layers’ view gives a quick assessment of each area of consideration This version is configured to perform a NERC gap analysis based on CIPs 001 to 009 © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Gap Analysis This version is configured to assess process/manufacturing plant security per TR-99.001 & 002 © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Educational Materials Chapter Outline: Technical Book on SCADA System Cyber Security Issues and Approaches Available from PennWell Publishing © Cyber SECurity Consulting 1. The Technological Evolution of SCADA Systems 2. Remote Terminal Units 3. Telecommunications Technologies 4. Supervisory Control Applications 5. Operator Interface 6. Conventional Information Technology (IT) Security 7. Identifying Cyber security Vulnerabilities 8. Classifying Cyber Attacks and Cyber Threats 9. Physical Security 10. Operational Security 11. Electronic/Systems Security 12. Electric Utility Industry - Specific Cyber security Issues 13. Water/Wastewater Industry - Specific Cyber Security Issue 14. Pipeline Industry - Specific Cyber Security Issues 15. The Emerging Cyber Threat to SCADA Systems 16. Commercial Hardware and Software Vulnerabilities 17. Traditional Security Features of SCADA Systems 18. Eliminating the Vulnerabilities of SCADA Systems Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Educational Materials In addition to on-site customer training classes, Cyber SECurity Consulting offers several courses on DVD Available Topics: 1. 2. 3. 4. 5. 6. 7. 8. Self-Paced Courses on DVD Introduction to DCS Technology Introduction to PLC Technology Introduction to SCADA Technology Communications & Networking Introduction to Security Concepts Cyber Security & Cyber Threats Industrial Automation Security and SP99 Vulnerability and Risk Assessment © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com 2318 Monkton Rd. Monkton MD 21111 USA 410.472.1588 Thank You For Your Time ! Automation and Security Consulting Services for Industrial Process Automation Questions ? © Cyber SECurity Consulting Proprietary & Confidential www.industryconsulting.org www.cybersecconsulting.com