InduSoft Speaks at Houston Infragard on February 17, 2015

One of InduSoft's Cybersecurity Engineers, Richard Clark, along with Professor Stephen Miller of Eastern New Mexico University – Ruidoso spoke at the February meeting of the Houston Infragard on the subject of "Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications". InduSoft and ENMU-Ruidoso have collaborated to produce a Security Guidance eBook and an eTextbook that will be used in the Cybersecurity Certificate curriculum at ENMU.

  1. 1. Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications February 17, 2015
  8. 8. Agenda
      • Introductions
      • Discussion of the current state of Cybersecurity for Controls Systems with discussions from outside sources
      • New Cybersecurity Guidance eBook and Engineering Services available from InduSoft
      • Deeper dive into the Security eBook – a look inside.
      • Discussion of the new SCADA Cybersecurity Framework eBook and the associated certificate courses at Eastern New Mexico University-Ruidoso
      • Q&A Session
  9. 9. Speakers Today (in order of presentation) Richard Clark – Technical Marketing and Cybersecurity Engineer
  10. 10. Richard H Clark Cybersecurity Background
      Mr. Clark has been in Automation, Process System, and Control System design and implementation for more than 25 years and was employed by Wonderware where he developed a non-proprietary means of using IP-Sec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. Industry expert by peer review and spokesperson on IT security; consultant, analyst and voting member of ISA-SP99. Contributor to PCSF Vendor Forum. Consultant to NIST and other government labs and NSA during the development of NIST Special Publication 800-82. Published engineering white papers, manuals, and instruction documents, developed and given classes and lectures on the topic of ICS/SCADA Security.
      – Participated in forming the NIST Cybersecurity Framework during the workshops last year along with our second speaker today…
  11. 11. Speakers Today (in order of presentation) Richard Clark – Technical Marketing and Cybersecurity Engineer Stephen Miller – Associate Professor and Department Chair of Business and Information Systems/Cybersecurity Center of Excellence at Eastern New Mexico University-Ruidoso
  12. 12. Stephen Miller Cybersecurity Background
      Mr. Miller (Associate Professor/Director of Eastern New Mexico University-Ruidoso Cybersecurity Center of Excellence) has been in the Information Systems profession since 1966 working in many business, government, and educational sectors, including being IT/Technology Manager and Advisor at ExxonMobil Global Information Systems. Mr. Miller worked for Univac Corp at NASA Mission Control for the Apollo Mission, including Apollo 13 and Skylab missions; he also worked for Ford Tech-rep Division and TRW Controls, among others. Stephen developed the online computer and network Cybersecurity Certification program at ENMU-Ruidoso, and revised the Information Systems Associates Applied Science Degree Programs under INFOSEC 4011, 4016E, and Center of Academics (CAE-2Y) certifications.
  13. 13. RICHARD H CLARK Cybersecurity eBooks/Guidance
  19. 19. Introduction
      • InduSoft is used in various Oil and Gas, Refinery, and Pipeline applications around the world
      • We strive to assist customers in designing and building safe, secure and functional applications
      • We have condensed a great deal of our security guidance and discussions into a single eBook
      • InduSoft has recently added On-Demand Engineering Services to assist your development and engineering teams
      • InduSoft has assisted in creating the NIST Cybersecurity Framework and collaborated with ENMU-Ruidoso in creating a curriculum textbook
  35. 35. The Scope of the Problem
      • IT Departments believe that they are equipped to handle Control System Cybersecurity. They aren’t.
        – Example: AutomationWorld, February 10, 2015, “Shell Works with Yokogawa and Cisco on a Unified Cybersecurity Approach”
        – Major Problems that I have with this “Unified Approach”:
          • They’ve thrown the SMEs (plant engineers) “under the bus”
          • They are only addressing security patches and antivirus
          • It is being managed from a central location, which is the same entry vector used in the retail and healthcare cyberattacks
          • They are considering the refinery as part of the IOT, which is to say that they think it is just as important as Mrs. Fitsby’s new hot water heater, not critical infrastructure.
  36. 36. New SCADA Cybersecurity eBooks InduSoft Security Guide NIST Cybersecurity Framework ISBN 978-1311-49042-1 ISBN 978-1310-30996-0 Available at Smashwords.com and other major booksellers
  37. 37. Available to you as “Name Your Price” InduSoft Security Guide NIST Cybersecurity Framework ISBN 978-1311-49042-1 ISBN 978-1310-30996-0 Download at Smashwords.com to “Name Your Price”
  38. 38. All eBook Proceeds Benefit the Eastern New Mexico University-Ruidoso Foundation
  45. 45. InduSoft Security Guide – Why?
      • The eBook is a compilation of InduSoft cybersecurity guidance making it available in one place
        – There is a chapter on guidelines for designing and building your projects
        – Includes reprints of many InduSoft white papers and published articles on cybersecurity guidance describing everything from runtime servers and IT guidance for control system networks, to handheld smart devices and wireless networks
        – The eBook contains transcripts of many InduSoft webinars on securing InduSoft Web Studio as well as broader IT and SCADA security guidance
        – Also contains an Appendix with NIST Framework information
        – Available in .mobi (Kindle), .epub, .pdf, .html, and .doc formats
  46. 46. Contents of “Security Guidance” eBook
      The Chapters and Sections contain many useful topics
      • Chapter 1: New Projects and Security as a Design Consideration
        – Section 1: Building your Project – Extract from the InduSoft Technical Note: Application Guidelines
      • Chapter 2: Existing Projects
      • Chapter 3: Cloud Based Applications
        – Section 1: Working with Cloud Based Applications – The following is an extract from the InduSoft White Paper: Cloud Computing for SCADA
      • Chapter 4: InduSoft Application Security
        – Section 1: SCADA System Security Best Practices – The following is a transcript extract from the InduSoft Webinar: SCADA System Security Webinar
      • Chapter 5: InduSoft Security Discussion for Web Based Applications
        – Section 1: Using Security with Distributed Web Applications – Extract 1 - From InduSoft White Paper: Security Issues with Distributed Web Applications
        – Section 2: Using Security with Web-Based Applications – Extract 2 - From the InduSoft Tech Note: IWS Security System for Web Based Applications
        – Section 3: Using Security with Web-Based Applications – Reprint - Control Engineering Magazine - August 2014: Cybersecurity for Smart Mobile Devices
      • Chapter 6: InduSoft Recommendations for IT Security
        – Section 1: Firewalls and other SCADA Security Considerations – Transcript extract from the InduSoft Webinar: SCADA and HMI Security in InduSoft Web Studio
        – Section 2: Control Systems Security Overview – Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Overview
        – Section 3: SCADA Security - Operational Considerations – Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Operational
        – Section 4: SCADA Security - Management Considerations – Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Management
      • Appendix A: NIST Cybersecurity Framework Core
      • Appendix B: Cyber Security Evaluation Tool (CSET) Information
  47. 47. Examples of topics and subjects covered
  51. 51. New SCADA Projects Should be Designed with Security as a Primary Goal
      Good project design includes the following:
      • Security as a primary design consideration
      • Safety needs to be considered throughout project design and implementation
      • Functionality should be moderated based on the first two design goals
  65. 65. Diverse SCADA Projects Require Different Types of Security Profiles
      • We recognize that customers use InduSoft Web Studio in many different ways.
        – This fact presents many differing security scenarios for our customers
        – A security implementation suited to one SCADA system may be entirely inappropriate for a different system.
      • We have recommended many different ways that security can be implemented into SCADA and HMIs
        – Talks, classes, white papers, webinars, forums, Technical Support, and individualized guidance on projects have been available for quite some time
        – InduSoft now has on-demand engineering assistance available on our website!
  66. 66. Services On Demand is Now Live! Engineering assistance is available when designing projects and implementing project security
  67. 67. Stay Informed… How to get Product Update and Webinar Announcements
  68. 68. Stay Informed… How to get Product Update Announcements
  69. 69. THANKS FOR ATTENDING! Here’s how to contact us…
  73. 73. Contact InduSoft Today
      • Email: (US) info@indusoft.com, (Brazil) info@indusoft.com.br, (Germany) info@indusoft.com.de
      • Support: support@indusoft.com
      • Web site: (English) www.indusoft.com, (Portuguese) www.indusoft.com.br, (German) www.indusoft.com.de
      • Phone: (512) 349-0334 (US), +55-11-3293-9139 (Brazil), +49 (0) 6227-732510 (Germany)
      • Toll-Free: 877-INDUSOFT (877-463-8763)
      • Fax: (512) 349-0375
      • Email richard.indusoft@gmail.com if you would like to request a copy of this presentation or with other questions.
      • The upcoming InduSoft webinar tomorrow (Feb 18th) will focus on Engineering Services and how you can get the most out of them. Visit: http://www.indusoft.com
      • Join our webinars and we will send you an InduSoft webinar series Tee-Shirt!
  74. 74. Next: STEPHEN MILLER SCADA Cybersecurity Framework
  75. 75. CAE-2Y Accredited
  76. 76. Topics Covered
      • E-Book Purpose
      • Key Objectives
      • Outline Of Content
      • Training Plans
        – Cybersecurity Programs
        – Boot Camp
      • About ENMU-Ruidoso
      • Q & A?
  77. 77. E-Book Purpose
      • Provide a quick reference guide to the framework
      • Promote awareness of
        – Cybersecurity Critical Infrastructure Framework
        – SCADA Cybersecurity threats and vulnerabilities
        – The importance of risk assessments
        – How to use the framework
      • Look into applying security to InduSoft Web Studio
  78. 78. Key Objectives
      • Knowledge of SCADA and cybersecurity environment
        – Types of SCADA systems
        – Threats and risks
      • Understanding of framework
      • Knowledge of tools and processes for risk analysis
      • Ability to apply risk management processes to obtain the right framework tier for an organization
  79. 79. Outline Of Content
      • Chapter 1 - SCADA Cybersecurity Introduction and Review
        – What is SCADA
          • How it works, In Depth Look, field devices, control units, HMI
        – Overview of Cybersecurity Vulnerabilities
          • Security Challenges, Understanding & defining information security, Cyber Threat Source to Control/SCADA Systems, GAO Threats, Attacks & Defenses, Vulnerability Scanning vs Penetration Testing
        – Understanding Control System Cyber Vulnerabilities
          • Gaining control of SCADA Systems, Categories of SCADA Systems
  80. 80. Information security components
  81. 81. Gov’t Acct. Office Threat Table
  82. 82. Steps of a cyberattack
  83. 83. Geographic Layer
  84. 84. Physical Network Layer
  85. 85. Logical Network Layer
  86. 86. Cyber Organization/Personal Layer “Internet of Things”
  87. 87. One individual… …with multiple, complex relationships to other levels of the environment... …that also change over time.
  88. 88. Control System Environment
  89. 89. Three Categories of SCADA Systems: Modern/Common Diagram, Modern/Proprietary Diagram, Legacy/Proprietary Diagram
  90. 90. Outline Of Content
      • Chapter 2 – Cybersecurity Framework Introduction
        • Framework Introduction
          – Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”
        • Risk Management Process
        • The Cybersecurity Framework
  91. 91. Overview of the Framework
  92. 92. Risk Management Decomposition Diagram
  93. 93. Outline Of Content
      • Chapter 3 – Cybersecurity Framework Basics
        – Basic framework overview
        – Framework core
  94. 94. Business Process Management (BPM) Approach to the Framework
  95. 95. How Does it All Come Together?
  96. 96. Outline Of Content
      • Chapter 4 – How to Use the Framework
        – Basic Review of Cybersecurity Practices
        – Establishing or Improving a Cybersecurity Program
        – Communicating Cybersecurity Requirements with Stakeholders
  97. 97. Using the CSET Tool for Risk Management and Future Framework Analysis
  98. 98. Select Standard(s)
      • NIST Framework for Improving Critical Infrastructure Cybersecurity V1 (Recommended)
      • NIST Special Publication 800-53 Rev 3 and NIST Special Publication 800-53 Rev 3 App I
      • NIST Special Publication 800-53 Rev 4 and NIST Special Publication 800-53 Rev 4 App I
      • Consensus Audit Guidelines (CAG)
      • Components Questions Set
      • CFATS Risk Based Performance Standard (RBPS) 8: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 - Cyber, 6 CFR Part 27
      • CNSSI No. 1253 Baseline
      • CNSSI No. 1253 Industrial Control System (ICS) Overlay V1
      • Catalog of Recommendations Rev 7 – (DHS Catalog of Control Systems Security: Recommendations for Standards Developers, Revisions 6 and 7)
      • INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
      • Key Questions Set
      • DoD Instruction 8500.2 Information Assurance Implementation, February 2, 2003
      • ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
      • NERC Reliability Standards CIP-002-009 Revisions 3 and 4
      • NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011
      • NIST Special Publication 800-82 Rev 1
      • NIST Special Publication 800-82 Rev 2 (Draft)
      • NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls
      • NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
      • NEI 0809 Cyber Security Plan for Nuclear Power Reactors
      • TSA Pipeline Security Guidelines April 2011
      • Universal Questions Set
  99. 99. Outline Of Content
      • Chapter 5 – InduSoft Security Guide
        – Embedded in this chapter.
      • Appendix (Framework Core, CSET Tool, References, and Glossary)
  100. 100. CSET 6.1 Tool: https://ics-cert.us-cert.gov/Assessments
  101. 101. ENMU-Ruidoso Cybersecurity Programs
      • Computer and Network Security Certification Program (Online) Credited or Self-paced ($2,495)
      • Associates of Applied Science Degree - Information Systems Cybersecurity
      • The programs are designed to prepare students as:
        – Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011
        – CNSSI No. 4016 Entry Level Risk Analysts
        – CAE-2Y Information Assurance/Cyber Defense Accredited
      • IS 131: Network Security Fundamentals - 3
      • IS 136: Guide to Disaster Recovery - 3
      • IS 153/L: Introduction to Information System - 4
      • IS 253: Firewalls and How They Work - 3
      • IS 257: Network Defense and Counter Measures - 3
      • IS 258: Cyber Ethics, Professionalism, and Career Development - 3
      • IS 285: Ethical Hacking - 3
      • IS 289: Capstone/Internship/NCL Cybersecurity Challenge
  102. 102. Training Plans: Boot Camp
      Four day Boot Camp covering:
      • Course Orientation and Introduction to Cybersecurity and SCADA
      • CompTIA-Security+ Key Topics
      • SCADA Cybersecurity Recommended Practice/Infrastructure Guiding Principles/National Infrastructure Protection Plan
        – IS-821 Critical Infrastructure and Key Resources Support Annex
        – IS-860.a National Infrastructure Protection Plan (NIPP)
      • Cybersecurity Critical Infrastructure Framework / CAP Process/Intro to a SCADA Product (InduSoft)
      • CSET Department of Homeland Security Risk Assessment Process and Tools Using the Cybersecurity Critical Infrastructure Framework
  103. 103. About ENMU-Ruidoso
      • The National Security Agency and the Department of Homeland Security have designated Eastern New Mexico University - Ruidoso a National Center of Academic Excellence in Information Assurance/Cybersecurity Defense through academic year 2019. “CAE-2Y”
      • The university's ability to meet the increasing demands of the program criteria will serve the nation well in contributing to the protection of the National Information Infrastructure.
      • Meets the eleven Knowledge Units learning objectives
      • Recognized by the National Initiative in Cybersecurity Education (NICE) as a certified Training Institution for the NIST National Cybersecurity Workforce Framework.
      • http://csrc.nist.gov/nice/index.htm
  104. 104. ENMU-Ruidoso Foundation Foundation, as noted below. If you find this ebook useful in your business, tax-deductible donations to the university 501(c)(3) foundation are encouraged by contacting:
  105. 105. http://www.us-cert.gov/control_systems/csstandards.html

Editor's notes

  • Chapter 1: This chapter provides an introduction to Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), and Process Control Systems (PCS): what they are and how they are used. Then we will look at cybersecurity vulnerabilities in general and at those that are of higher concern for SCADA and PCS systems.
    Section 1: What is SCADA?
    Overview
    History and Installed Base
    How SCADA Systems Work
    A More In-Depth Look at a SCADA System
    Field Devices Measure the Process for Flow Rate, Pressure, Temperature, Level, Density, Etc.
    Field Control Uses Two Types of Controllers
    Examples of HMI Screens and Displays Used Within SCADA Systems
    Section 2: Overview of Cyber Vulnerabilities
    In this section the key objectives are:
    Challenges of Securing Information
    Understanding and Defining Information Security
    Cyber Threat Source to Control/SCADA Systems Descriptions
    GAO Threat Table
    Cyber-Attacks and Defenses
    Vulnerability Scanning vs. Penetration Testing
    Section 3: Understanding Control System Cyber Vulnerabilities
    Gaining Control of the SCADA System
    Three Categories of SCADA Systems
  • Modern/Common
    Figure 1.13 illustrates some of the technologies used in a control systems environment that are most likely to be of the Modern/Common type.
    This category of technologies inside the control systems domain is the one most susceptible to modern cyber threats and vulnerabilities, while being mature enough to allow some contemporary forensic methods to be performed on it successfully. The most common technologies in this category include Microsoft Windows, UNIX platforms, or another vendor-specific solution whose functionality can be investigated using standard forensics methodologies.

    Modern/Proprietary
    Modern/Proprietary technologies (Figure 1.14) are those that are critical to a control systems operation, have been created within the last 10 years, and are still fully supported and understood primarily by the vendor (or systems integrator).
    The control systems technology and information about its operation are not generally available through open-source methods. Moreover, the technology and protocols associated with command and control of the operational environment may be known only to the vendor and just partially to the owner/operator.

    Legacy/Proprietary
    Legacy/Proprietary technologies (Figure 1.15) are those that are critical to a control systems operation, may have been deployed more than 10 years ago, have moderate computing capabilities (compared to modern systems), may or may not be supported by the vendor (if still around), and in most cases are understood in depth only by the vendor.



  • Chapter 2: To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”, on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.
    Executive Order no. 13636, "Improving Critical Infrastructure Cybersecurity", DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
    Chapter 2: Cybersecurity Framework Introduction
    Section 1: Framework Introduction
    Overview of the Framework
    Framework Core
    Framework Implementation Tiers
    Framework Profile
    Section 2: Risk Management and the Cybersecurity Framework
    Risk Management Redefined
  • The Tier definitions are based on the conditions of satisfaction of three attributes:
    1) Risk Management Process 2) Integrated Risk Management Program 3) External Participation
    Tier 1: Partial[58]
    Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
    Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
    External Participation: An organization may not have the processes in place to participate in coordination or collaboration with other entities.
    Tier 4: Adaptive[61]
    Risk Management Process: The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
    Integrated Risk Management Program: There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
    External Participation: The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.


  • Chapter 3: The purpose of the Framework is to provide a common language to enable understanding, managing, and communicating cybersecurity risk both internally and externally. It is intended for use in helping identify and prioritize actions for reducing cybersecurity risk. The Framework is a tool used for aligning policy, business, and technological approaches to managing that risk. It is meant to be used to manage cybersecurity risk across an entire organization, or it can be focused on a service or department within the organization. “Different types of entities - including sector coordinating structures, associations, and organizations - can use the Framework for different purposes, including the creation of common Profiles.”
    "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0", National Institute of Standards and Technology, February 12, 2014
    The ebook introduces a business process perspective in looking at the framework and how to apply the framework from a Business Process Re-engineering perspective.
    Chapter 3: Cybersecurity Framework Basics
    Section 1: Framework Basics
    Section 2: Framework Core
    Functions
    Categories
    Subcategories
    Framework Implementation Tiers
    Section 3: How Does it All Come Together?
    Coordination of Framework Implementation
    Business Process Management (BPM) Approach to the Framework
    Cybersecurity Framework Assessment Process Model Breakdown and Component Parts
    Critical infrastructure sectors:
    Chemical Sector
    Commercial Facilities Sector
    Communications Sector
    Critical Manufacturing Sector
    Dams Sector
    Defense Industrial Base Sector
    Emergency Services Sector
    Energy Sector
    Financial Services Sector
    Food and Agriculture Sector
    Government Facilities Sector
    Healthcare and Public Health Sector
    Information Technology Sector
    Nuclear Reactors, Materials, and Waste Sector
    Transportation Systems Sector
    Water and Wastewater Systems Sector


  • Chapter 4: The purpose of this chapter is to look at how an organization can use the Framework as a key part or enabler of its current process for identifying, assessing, and managing cybersecurity risk. Note that the Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Using the Framework as a cybersecurity risk management tool can enable the organization to determine the activities that are most important to critical service delivery and to prioritize the cost of those activities to reduce the risk and maximize the impact of the investment.
    Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
    Chapter 4: How to Use the Framework
    Section 1: Basic Review of Cybersecurity Practices
    Section 2: Establishing or Improving a Cybersecurity Program
    Step 1: Prioritize and Scope
    Step 2: Orient
    Step 3: Create a Current Profile
    Step 4: Conduct a Risk Assessment
    Step 5: Create a Target Profile
    Step 6: Determine, Analyze, and Prioritize Gaps
    Step 7: Implement Action Plan
    Section 3: Communicating Cybersecurity Requirements with Stakeholders
    Identifying Gaps

  • Appendix A: Framework Core
    Information regarding Informative References described in Appendix A may be found at the following locations:
    Appendix B: Cyber Security Evaluation Tool (CSET) Information
    Appendix C: References
    Recommended Publications for Purchase
    Further Reading and Links to Organizations
    Appendix D: Glossary
    Terms Used in this Publication
    Acronyms Used in this Publication

    CSET Tool
    The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) no-cost tool that assists organizations in protecting their key national cyber assets. The tool was developed by the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) with assistance from the National Institute of Standards and Technology (NIST). This tool provides users with a systematic, consistent, and standards-based approach for assessing the security posture of their Information Technology systems and networks. The tool uses high-level and detailed questions related to all industrial control and IT systems that include the NIST Cybersecurity Critical Infrastructure Framework, referenced in the tool standards as “NCSF V1”.
    The value of the tool is that it can guide the key stakeholders, custodians, and owners in systematically understanding their current IT and control system environment and potential gaps in security, and assist in developing a plan to close those gaps. The tool includes instructional videos, help screens, and information not only about how to use the tool but also about what standards might apply to one’s organization.
    The tool gives organizations that have not conducted any sort of comprehensive risk assessment of the IT infrastructure an excellent starting point.
  • 1.1. Basic Data Analysis
    1.2. Basic Scripting or Introductory Programming (4 yr core)
    1.3. Cyber Defense
    1.4. Cyber Threats
    1.5. Fundamental Security Design Principles
    1.6. IA Fundamentals
    1.7. Intro to Cryptography
    1.8. IT Systems Components
    1.9. Networking Concepts
    1.10. Policy, Legal, Ethics, and Compliance
    1.11. System Administration
