ahmed-al-enizi
Managing The Security Risks Of Your SCADA System, the presentation of the workshop I gave at the Saudi SCADA Summit 2012
Agenda
• Risk Management
• Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• Developing Incidents Response And Remediation Plans
• Best Practice Strategies To Prevent Worm And Virus Threats
3/21/2012 2 Managing the Security Risks of Your SCADA
System
Risk Management
• Risk Management in general
• Before we can do risk assessment we have to understand Risk
• We have to know some definitions first
• What is the relation between these definitions?
• Risk management concept
• The two Risk assessment methodologies
• Basic risk management requirements
• Example from ISO27001
Risk Management in General
• Risk management is a proven framework that does the following:
1. Schedules risk assessments during the year
2. Defines risk assessment methodology
– Defines Risk Evaluation Criteria
– Defines Risk Acceptance criteria
3. Defines a process for closing risk assessment findings.
Some Definitions Related to Risk
• What is risk? Risk is the likelihood of an action on a weakness resulting in an impact
• Threat is a potential danger
• Vulnerability is a known weakness
• Exposure is the opportunity for a threat to cause impact
• Controls are administrative, technical, or physical measures taken to mitigate a risk
• Safeguards are controls applied before the fact (Prevent, Detect, Deterrent, Directive)
• Counter Measures are controls applied after the fact (Corrective, Recovery, Compensating)
What is the relation between these definitions?
[Diagram, based on the OWASP model, relating these terms: Threat Source, Threat Agent, Threat, Attack / Exploit, Exposure, Weakness/Vulnerability, Safeguards, Counter Measures, Controls, Assets, Compromised Asset, Technical Impact, Business Impact, Risk]
Risk management concept
CC Risk Management Concept Flow
The two Risk assessment Methodologies
• Two ways to calculate the Risk, Qualitative and Quantitative risk analysis
• Qualitative Risk analysis: We predict the level of risk
• We use this approach when we are unable to accurately calculate asset value
• Example: we define a scenario where it is possible that a hacker can gain access from the internet to a database
• Asset = database
• Likelihood = 2
• Impact/consequences = 5
Likelihood           Consequences
                     1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
A (almost certain)   H                 H         E            E         E
B (likely)           M                 H         H            E         E
C (possible)         L                 M         H            E         E
D (unlikely)         L                 L         M            H         E
E (rare)             L                 L         M            H         H

E  Extreme Risk, immediate action
H  High Risk, action should be taken to compensate
M  Moderate Risk, action should be taken to monitor
L  Low Risk, routine acceptance of risk
The two Risk assessment methodologies cont.
• Quantitative Risk analysis is the calculation of the Annual Loss Expectancy (ALE)
• Annual Loss Expectancy = Annual Rate of Occurrence x (Asset Value x Percent of Loss)
• Example: probability (annual rate of occurrence) = 3, asset value = 1,478,390, percent of loss = 60%
• ALE = 3 x (1,478,390 x 60%) = 3 x 887,034 = 2,661,102
• ROI = ALE – security control cost
• ROI is the return on security investment, the amount of money that will be saved from loss
Basic management requirements
• The board of directors needs to agree on the following:
– The scope of the risks that are going to be managed
– The type of risks, such as financial risks, operational risks, technical and security risks, or business risks related to the market; in our case we are concerned with technical and security risks
– Risk Assessment Methodology: OCTAVE (IT Risk), AS/NZS 4360, NIST, ISO27005; each one of these methodologies has certain steps for assessing risk.
• Risk Evaluation Criteria: either we go with quantitative or qualitative risk evaluation, or a mix of both.
• Risk treatment criteria: we define the conditions under which we choose one of the treatment strategies
– We accept the risk if it is under the risk acceptance level; otherwise we:
– Transfer the risk to an assurance company or outsource to a managed service provider
– Mitigate the risk by deploying controls
– Avoid the risk by canceling the whole business
ISO27001 Risk Management Example
• ISO27001 provides a generic way to manage risk:
1. Identify Assets
2. Identify threats to assets
3. Identify vulnerabilities that might be exploited by the threats
4. Identify the impacts on the assets
5. Analyze and evaluate the risks.
6. Identify the treatment of risks (accept, transfer, avoid, mitigate)
7. Select control objectives and controls
8. Follow PDCA cycle.
Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• We assume that a risk assessment has been done and security control objectives have been selected.
• Part of the challenges we might face:
– Choosing a security control compatible with SCADA and able to understand its traffic; a security control should protect the service without impacting it
– The geographical distance impacts support, maintenance, and operation
– Solving the communication bandwidth problem, because we need real-time monitoring and control
Developing Incidents Response And Remediation Plans
• Why do we need a plan for response?
– Because we need to be prepared to effectively solve different kinds of problems in the shortest time possible in order to reduce the impact and prevent disturbance.
• The NIST Special Publication 800-61 “Computer Security Incident Handling Guide”
• First the definitions, then we are going to look into policy, plan, and process.
• A security incident is a violation of policy, for example a virus infection or password brute-force
• An event is any observable occurrence in a system or network, for example a failed authentication.
Developing Incidents Response And Remediation Plans
• In order to build an effective incident response we have to define the policy, plan, and procedure
• The policy should
– Define the scope of incidents that are going to be handled
– Define what will be considered a security incident and its impact on the company
– Define response and remediation requirements
– Define roles and responsibilities and the level of authority given to the response team for each kind of incident
– Define incident severity rating
– Define response and remediation KPI
– Define the escalation procedure for each kind of incident
– Define incident alerting and reporting requirements
Developing Incidents Response And Remediation Plans, Cont.
• The incident response plan should:
– Define the approach for incident response
– Implement the capabilities needed to provide incident response service to the company as per its requirements defined in the policy.
– Define the resources and management support needed to enable the capabilities
– Define how the KPI are measured
– Implement incident reporting, alerting, and escalation capability
– Define how the incident response capabilities are coordinated and communicated inside the company
– Define an incident response and remediation procedure for each kind of incident; the procedure should consider the severity of the incident
Developing Incidents Response And Remediation Plans, Cont.
• The incident response and remediation procedure should:
– React based on the severity of the incident.
– Be reliable, effective, and efficient
– Be detailed and supported with checklists
Developing Incidents Response And Remediation Plans, Cont.
• Incident response lifecycle
1. Preparation
   1. Preparing the team by training and drills.
   2. Providing the needed tools and logistics to carry out response capabilities.
2. Detection and analysis
   1. Accurate detection by filtering out false positives and false negatives
   2. Incident categorization: identifying the category leads to choosing the right response procedure
   3. Incident analysis: finding the root cause and the related and impacted assets
   4. Incident documentation involves recording all facts in a secure system that will help us keep track of incident developments
   5. Incident prioritization: simply prioritizing incidents based on their severity
   6. Incident notification involves alerting related persons in the company to take action
3. Response action:
   1. Choosing a containment strategy in order to stop it from spreading to other assets
   2. Gather evidence for forensics investigations, tag them and bag them
   3. Solve the problem, and recover the system if needed
4. Post-incident activity
   1. Lessons learned documentation and meeting
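Added example, not part of the original slides: the event versus incident distinction and the detection, categorization and prioritization steps of the lifecycle above, applied to failed-authentication events. The log line format, host names, addresses, THRESHOLD and WINDOW are assumptions made for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3                    # assumed: failures in WINDOW that make an incident
WINDOW = timedelta(seconds=60)   # assumed sliding window

# Constructed sample events; the log line format is hypothetical.
SAMPLE_LOG = """\
2012-03-21T09:30:00 hist01 AUTH_FAIL user=admin src=10.0.7.9
2012-03-21T09:30:10 hist01 AUTH_FAIL user=admin src=10.0.7.9
2012-03-21T09:30:20 hist01 AUTH_FAIL user=admin src=10.0.7.9
2012-03-21T10:00:01 hmi01 AUTH_FAIL user=operator src=10.0.5.23
2012-03-21T10:00:04 hmi01 AUTH_FAIL user=operator src=10.0.5.23
2012-03-21T10:00:09 hmi01 AUTH_FAIL user=operator src=10.0.5.23
2012-03-21T10:00:20 hmi01 AUTH_OK user=operator src=10.0.5.23
2012-03-21T10:05:00 eng02 AUTH_FAIL user=engineer src=10.0.5.40
2012-03-21T10:05:12 eng02 AUTH_OK user=engineer src=10.0.5.40
2012-03-21T11:30:00 eng02 AUTH_FAIL user=engineer src=10.0.5.40
2012-03-21T12:45:00 eng02 AUTH_FAIL user=engineer src=10.0.5.40
"""

def detect(log):
    """Turn authentication events into prioritized brute-force incidents."""
    recent = defaultdict(deque)   # (host, user, src) -> recent failure times
    incidents = {}                # (host, user, src) -> incident record
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:       # skip lines that are not in the assumed format
            continue
        ts, key = datetime.fromisoformat(parts[0]), (parts[1], parts[3], parts[4])
        if parts[2] == "AUTH_FAIL":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > WINDOW:     # forget failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD and key not in incidents:
                incidents[key] = {"category": "password brute-force",
                                  "host": parts[1], "first_seen": q[0],
                                  "severity": "medium"}
        elif parts[2] == "AUTH_OK":
            q = recent.pop(key, None)
            # Assumption: success within WINDOW of the last failure = guess worked.
            if key in incidents and q and ts - q[-1] <= WINDOW:
                incidents[key]["severity"] = "high"
    # Prioritize: high severity first, then oldest first.
    return sorted(incidents.values(),
                  key=lambda i: (i["severity"] != "high", i["first_seen"]))

if __name__ == "__main__":
    print([(i["severity"], i["host"]) for i in detect(SAMPLE_LOG)])
```

The eng02 failures stay plain events: one mistyped password followed by a success, and two later failures more than WINDOW apart, never reach the threshold.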
Best Practice Strategies To Prevent Malicious code
• Defense in depth
– Choosing the right antivirus
– Antivirus infrastructure design and support
– Network security, firewall (risky ports) and IPS
– Email antivirus and spam protection
– Web content filtering and scan
– End point protection (new antivirus trend)
– Limiting user privileges
– Continuously patching the system and 3rd party software
– Force file integrity check
– Blocking USB, CDROM
– Hardening the system
– Dividing the network (security zones)
– Prevent user from installing software.
– NAC
Thank you
Q/A