Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012

Date post: 16-May-2015
Upload: ahmed-al-enizi
Description: Managing The Security Risks Of Your Scada System, the presentation of the workshop I gave at the Saudi SCADA Summit 2012
Page 1: Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012

Agenda

• Risk Management

• Challenges In Deploying Technical Risk Treatment Controls For SCADA Systems

• Developing Incident Response And Remediation Plans

• Best Practice Strategies To Prevent Worm And Virus Threats

3/21/2012 2 Managing the Security Risks of Your SCADA System


Risk Management

• Risk Management in general

• Before we can do risk assessment we have to understand Risk

• We have to know some definitions first

• What is the relation between these definitions?

• Risk management concept

• The two Risk assessment methodologies

• Basic risk management requirements

• Example from ISO27001


Risk Management in General

• Risk management is a proven framework that does the following:

1. Schedules risk assessments during the year

2. Defines the risk assessment methodology

– Defines the risk evaluation criteria

– Defines the risk acceptance criteria

3. Defines a process for closing risk assessment findings.


Some Definitions Related to Risk

• What is risk? Risk is the likelihood that a threat acts on a weakness and results in an impact

• Threat is a potential danger

• Vulnerability is a known weakness

• Exposure is the opportunity for a threat to cause impact

• Controls are administrative, technical, or physical measures taken to mitigate a risk

• Safeguards are controls applied before the fact (preventive, detective, deterrent, directive)

• Countermeasures are controls applied after the fact (corrective, recovery, compensating)


What is the relation between these definitions?

[Diagram, based on the OWASP risk model: a threat source / threat agent carries out an attack or exploit against a weakness (vulnerability) in an asset; the exposure turns the asset into a compromised asset, which causes a technical impact and then a business impact. Safeguards (applied before the fact) and countermeasures (applied after the fact) are the controls that reduce the resulting risk.]


Risk management concept

CC Risk Management Concept Flow


The two Risk assessment Methodologies

• Two ways to calculate the risk: qualitative and quantitative risk analysis

• Qualitative risk analysis: we estimate the level of risk on a rating scale instead of calculating it in money

• We use this approach when we are unable to accurately calculate the asset value

• Example: we define a scenario where it is possible that a hacker can gain access from the internet to a database

• Asset = database

• Likelihood = 2 (the second likelihood row of the matrix below, B, likely)

• Impact/consequences = 5 (catastrophic)

• Result: row B, column 5 = E, Extreme risk, immediate action

Risk matrix (likelihood × consequences):

                     Consequences
Likelihood           1 Insignificant   2 Minor   3 Moderate   4 Major   5 Catastrophic
A (almost certain)   H                 H         E            E         E
B (likely)           M                 H         H            E         E
C (possible)         L                 M         H            E         E
D (unlikely)         L                 L         M            H         E
E (rare)             L                 L         M            H         H

E Extreme risk, immediate action
H High risk, action should be taken to compensate
M Moderate risk, action should be taken to monitor
L Low risk, routine acceptance of risk


The two Risk assessment methodologies cont.

• Quantitative risk analysis: the calculation of the Annual Loss Expectancy (ALE)

• Example: Annual Rate of Occurrence = 3, asset value = 1,478,390, percent of loss = 60%

• ALE = 3 × (1,478,390 × 60%) = 3 × 887,034 = 2,661,102

• ROI = ALE – security control cost

• ROI is the return on security investment, the amount of money that will be saved from loss. Strictly, the saving is only the loss the control actually removes: ROSI = (ALE before the control – ALE after the control) – annual control cost. The formula above is the special case where the control reduces the residual ALE to zero.

Annual Loss Expectancy = Annual Rate of Occurrence × (Asset Value × Percent of Loss)


Basic risk management requirements

• The board of directors needs to agree on the following:

– The scope of the risks that are going to be managed

– The type of risks, such as financial risks, operational risks, technical and security risks, or business risks related to the market; in our case we are concerned with technical and security risks

– The risk assessment methodology: OCTAVE (IT risk), AS/NZS 4360, NIST, ISO 27005; each of these methodologies prescribes certain steps for assessing risk

• Risk evaluation criteria: either we go with quantitative or qualitative risk evaluation, or a mix of both

• Risk treatment criteria: we define the conditions under which we choose one of the treatment strategies

– We accept the risk if it is under the risk acceptance level; otherwise we:

– Transfer the risk to an insurance company, or outsource the function to a managed service provider

– Mitigate the risk by deploying controls

– Avoid the risk by cancelling the activity (or the whole business) that creates it

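The two methodologies and the treatment criteria of the last three slides, carried out in code as an added example that is not part of the original presentation: the qualitative matrix lookup, the ALE arithmetic with the slide's own figures, the ROSI correction, and the accept / mitigate / transfer-or-avoid decision. The control names, their annual costs and residual-loss figures, and the risk acceptance level are assumptions for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Qualitative: the 5x5 likelihood x consequence matrix from the slide
# (rows A..E = almost certain .. rare, columns 1..5 = insignificant .. catastrophic).
LIKELIHOOD_ROWS = {"A": 0, "B": 1, "C": 2, "D": 3, "E": 4}
MATRIX = [
    "HHEEE",  # A (almost certain)
    "MHHEE",  # B (likely)
    "LMHEE",  # C (possible)
    "LLMHE",  # D (unlikely)
    "LLMHH",  # E (rare)
]
RATING_ACTION = {
    "E": "Extreme risk, immediate action",
    "H": "High risk, action should be taken to compensate",
    "M": "Moderate risk, action should be taken to monitor",
    "L": "Low risk, routine acceptance of risk",
}


def qualitative_rating(likelihood: str, consequence: int) -> str:
    """Return the rating letter for a likelihood row (A-E) and consequence (1-5)."""
    if likelihood not in LIKELIHOOD_ROWS or not 1 <= consequence <= 5:
        raise ValueError("likelihood must be A-E and consequence 1-5")
    return MATRIX[LIKELIHOOD_ROWS[likelihood]][consequence - 1]


# Quantitative: ALE = ARO x SLE, where SLE = asset value x percent of loss.
def single_loss_expectancy(asset_value: float, percent_of_loss: float) -> float:
    return asset_value * percent_of_loss


def annual_loss_expectancy(aro: float, asset_value: float, percent_of_loss: float) -> float:
    return aro * single_loss_expectancy(asset_value, percent_of_loss)


@dataclass
class Control:
    """A candidate mitigation (assumed figures, not from the slides)."""
    name: str
    annual_cost: float
    residual_aro: float             # annual rate of occurrence once the control is in place
    residual_percent_of_loss: float  # percent of loss once the control is in place


def return_on_security_investment(ale_before: float, control: Control, asset_value: float) -> float:
    """ROSI = (ALE before - ALE after) - annual control cost.
    The slide's ROI = ALE - cost is the special case where the control
    drives the residual ALE to zero."""
    ale_after = annual_loss_expectancy(
        control.residual_aro, asset_value, control.residual_percent_of_loss)
    return (ale_before - ale_after) - control.annual_cost


def choose_treatment(ale_before: float, acceptance_level: float,
                     options: list[Control], asset_value: float) -> tuple[str, str | None]:
    """Apply the treatment criteria: accept if the risk is under the acceptance
    level; otherwise mitigate with the control giving the best positive ROSI;
    if no control pays for itself, hand the decision up (transfer or avoid)."""
    if ale_before <= acceptance_level:
        return ("accept", None)
    best_rosi, best = max(
        ((return_on_security_investment(ale_before, c, asset_value), c) for c in options),
        key=lambda pair: pair[0])
    if best_rosi > 0:
        return ("mitigate", best.name)
    return ("transfer-or-avoid", None)


if __name__ == "__main__":
    # Qualitative example from the slides: likelihood row B, catastrophic consequence.
    r = qualitative_rating("B", 5)
    print("qualitative:", r, "-", RATING_ACTION[r])
    # Quantitative example from the slides: ARO 3, asset value 1,478,390, 60% loss.
    ale = annual_loss_expectancy(3, 1_478_390, 0.60)
    print(f"ALE = {ale:,.0f}")
    options = [  # assumed controls
        Control("Network segmentation and IPS", 250_000, 0.5, 0.60),
        Control("Host antivirus only", 60_000, 2.0, 0.60),
    ]
    print("treatment:", choose_treatment(ale, 100_000, options, 1_478_390))
```

With the assumed figures the segmentation option removes far more expected loss than it costs, so the decision is "mitigate"; replacing it with a control whose annual cost exceeds the whole ALE makes every ROSI negative and the function hands the decision up, which is the point at which transfer or avoidance belongs on the board's agenda.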

ISO27001 Risk Management Example

• ISO27001 provides a generic way to manage risk:

1. Identify assets

2. Identify threats to assets

3. Identify vulnerabilities that might be exploited by the threats

4. Identify the impacts on the assets

5. Analyze and evaluate the risks

6. Identify the treatment of risks (accept, transfer, avoid, mitigate)

7. Select control objectives and controls

8. Follow the PDCA cycle


Challenges In Deploying Technical Risk Treatment Controls For SCADA Systems

• We assume that a risk assessment has been done and security control objectives have been selected

• Part of the challenges we might face:

– Choosing a security control that is compatible with SCADA and able to understand its traffic; a security control should protect the service without impacting it

– The geographical distance impacts support, maintenance, and operation

– Solving the communication bandwidth problem, because we need real-time monitoring and control

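An added example, not from the presentation, of what "a security control able to understand its traffic" means in practice. The slides name no protocol; Modbus/TCP is assumed here as a common SCADA protocol, and its public framing (a 7-byte MBAP header followed by the function code) is what the check parses. A per-source policy lets the historian read but only the HMI write; anything else, including malformed frames and unexpected function codes, raises an alert. The verdicts are alert rather than drop, so a mistuned rule never impacts the process. The host addresses, the policy and the sample frames are constructed.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Modbus/TCP framing (public spec): 7-byte MBAP header, then the PDU.
MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id

# Function codes that change process state are the ones worth gating.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed hosts and the function classes each may issue.
POLICY = {
    "10.0.1.10": {"read", "write"},  # primary HMI / master station
    "10.0.1.20": {"read"},           # historian, read-only
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request; raise ValueError on bad framing so the
    caller alerts instead of silently letting the frame through."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # the length field covers unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[MBAP.size], frame[MBAP.size + 1:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def evaluate(src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return (verdict, reason). Verdict is 'allow' or 'alert'; the check is
    passive (monitor mode), so a misjudged frame never blocks the process."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("alert", f"malformed Modbus/TCP from {src_ip}: {exc}")
    if req.function in WRITE_FUNCTIONS:
        cls, name = "write", WRITE_FUNCTIONS[req.function]
    elif req.function in READ_FUNCTIONS:
        cls, name = "read", READ_FUNCTIONS[req.function]
    else:
        return ("alert", f"{src_ip} used function code {req.function}, not in policy")
    if cls in POLICY.get(src_ip, set()):
        return ("allow", f"{src_ip} {name} on unit {req.unit_id}")
    return ("alert", f"{src_ip} attempted {name} (fc {req.function}) on unit {req.unit_id}")


if __name__ == "__main__":
    # Constructed traffic: a register write from the HMI, the same write from
    # the historian, a read from an unknown host, and a truncated frame.
    write = build_request(1, 1, 6, b"\x00\x01\x00\xff")
    for src, frame in [("10.0.1.10", write), ("10.0.1.20", write),
                       ("10.0.9.9", build_request(2, 1, 3, b"\x00\x00\x00\x0a")),
                       ("10.0.1.10", write[:5])]:
        print(evaluate(src, frame))
```

A control like this only earns a blocking mode once the alert stream has been reviewed against normal operations for long enough to be sure the policy matches how the plant actually polls and writes; until then it is a detection control, which still closes the gap the slide describes without risking the service.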

Developing Incident Response And Remediation Plans

• Why do we need a plan for response? Because we need to be prepared to effectively solve different kinds of problems in the shortest time possible, in order to reduce the impact and prevent disturbance.

• Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide"

• First the definitions, then we are going to look into policy, plan, and process.

• A security incident is a violation of policy, for example a virus infection or a password brute-force attack.

• An event is any observable occurrence in a system or network, for example a failed authentication.

Developing Incident Response And Remediation Plans

• In order to build an effective incident response capability we have to define the policy, the plan, and the procedures

• The policy should:

– Define the scope of incidents that are going to be handled

– Define what will be considered a security incident and its impact on the company

– Define response and remediation requirements

– Define roles and responsibilities and the level of authority given to the response team for each kind of incident

– Define the incident severity rating

– Define response and remediation KPIs

– Define the escalation procedure for each kind of incident

– Define incident alerting and reporting requirements


Developing Incident Response And Remediation Plans, Cont.

• The incident response plan should:

– Define the approach for incident response

– Implement the capabilities needed to provide the incident response service to the company, per the requirements defined in the policy

– Define the resources and management support needed to enable the capabilities

– Define how the KPIs are measured

– Implement incident reporting, alerting, and escalation capabilities

– Define how the incident response capabilities are coordinated and communicated inside the company

– Define an incident response and remediation procedure for each kind of incident; the procedure should consider the severity of the incident


Developing Incident Response And Remediation Plans, Cont.

• The incident response and remediation procedure should:

– React based on the severity of the incident

– Be reliable, effective, and efficient

– Be detailed and supported with checklists


Developing Incident Response And Remediation Plans, Cont.

• Incident response lifecycle

1. Preparation

1. Preparing the team by training and drills.

2. Providing the tools and logistics needed to carry out the response capabilities.

2. Detection and analysis

1. Accurate detection by filtering out false positives and false negatives

2. Incident categorization: identifying the category leads to choosing the right response procedure

3. Incident analysis: finding the root cause and the related and impacted assets

4. Incident documentation: recording all facts in a secure system that helps us keep track of incident developments

5. Incident prioritization: simply prioritizing incidents based on their severity

6. Incident notification: alerting the related persons in the company to take action

3. Response action:

1. Choosing a containment strategy in order to stop the incident from spreading to other assets

2. Gathering evidence for forensic investigation (tag it and bag it)

3. Solving the problem, and recovering the system if needed

4. Post-incident activity

1. Lessons learned documentation and meeting

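The detection-and-analysis steps of the lifecycle, and the severity rating, escalation and notification items the policy slides ask for, as an added example that is not the presentation's own material, run over constructed log lines. Isolated failed authentications stay events; a run of failures from one source inside a short window becomes a brute-force incident; a successful login right after that run is categorized as a compromise; an antivirus detection becomes a malware incident. Severity is the policy's base rating raised one step on SCADA assets, incidents are prioritized by severity, and each is mapped to its response procedure and escalation contact. The log format, thresholds, asset classes, procedure names and contacts are all assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <host> <event> key=value ..."
SAMPLE_LOG = """\
2012-03-21T08:00:01 hmi-01 AUTH_FAIL user=operator src=10.0.1.55
2012-03-21T08:00:03 hmi-01 AUTH_FAIL user=operator src=10.0.1.55
2012-03-21T08:00:05 hmi-01 AUTH_FAIL user=admin src=10.0.1.55
2012-03-21T08:00:06 hmi-01 AUTH_FAIL user=root src=10.0.1.55
2012-03-21T08:00:08 hmi-01 AUTH_FAIL user=guest src=10.0.1.55
2012-03-21T08:00:09 hmi-01 AUTH_OK user=admin src=10.0.1.55
2012-03-21T08:15:00 fileshare-02 AUTH_FAIL user=jdoe src=10.0.5.7
2012-03-21T09:30:00 fileshare-02 AUTH_FAIL user=jdoe src=10.0.5.7
2012-03-21T10:00:00 eng-ws-07 AV_DETECT name=Worm.Generic src=10.0.2.31
"""

# Assumed asset classes and detection thresholds.
ASSET_CLASS = {"hmi-01": "scada", "eng-ws-07": "scada", "fileshare-02": "office"}
BRUTE_FORCE_THRESHOLD = 5                  # failed logins from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... inside this window = incident

# Assumed policy: category -> (base severity 1-4, procedure, escalation contact)
POLICY = {
    "brute-force": (2, "IR-PROC-AUTH", "SOC lead"),
    "compromise":  (3, "IR-PROC-ACCESS", "CISO and plant manager"),
    "malware":     (3, "IR-PROC-MALWARE", "SOC lead"),
}
SEVERITY_NAMES = {1: "low", 2: "moderate", 3: "high", 4: "critical"}


@dataclass
class Event:
    time: datetime
    host: str
    kind: str
    fields: dict


@dataclass
class Incident:
    category: str
    host: str
    src: str
    severity: int
    procedure: str
    escalate_to: str
    evidence: list = field(default_factory=list)  # facts to record, tag and bag


def parse_events(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        ts, host, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append(Event(datetime.fromisoformat(ts), host, kind, fields))
    return events


def rate_severity(category: str, host: str) -> int:
    """Policy base severity, raised one step (capped at 4) on SCADA assets."""
    base = POLICY[category][0]
    return min(4, base + 1) if ASSET_CLASS.get(host) == "scada" else base


def make_incident(category: str, ev: Event, evidence: list) -> Incident:
    _, procedure, escalate_to = POLICY[category]
    return Incident(category, ev.host, ev.fields.get("src", "?"),
                    rate_severity(category, ev.host), procedure, escalate_to, evidence)


def detect_incidents(events: list[Event]) -> list[Incident]:
    """Categorize events into incidents and return them prioritized by severity.
    Isolated failed logins stay events (the false-positive filter)."""
    incidents = []
    failures = defaultdict(list)   # (host, src) -> recent AUTH_FAIL times
    brute_forced = set()
    for ev in events:
        key = (ev.host, ev.fields.get("src", "?"))
        if ev.kind == "AUTH_FAIL":
            recent = [t for t in failures[key] if ev.time - t <= BRUTE_FORCE_WINDOW]
            recent.append(ev.time)
            failures[key] = recent
            if len(recent) >= BRUTE_FORCE_THRESHOLD and key not in brute_forced:
                brute_forced.add(key)
                incidents.append(make_incident("brute-force", ev, list(recent)))
        elif ev.kind == "AUTH_OK" and key in brute_forced:
            # A success right after a brute-force run is a likely compromise.
            incidents.append(make_incident("compromise", ev, [ev.time, ev.fields.get("user")]))
        elif ev.kind == "AV_DETECT":
            incidents.append(make_incident("malware", ev, [ev.fields.get("name")]))
    return sorted(incidents, key=lambda i: i.severity, reverse=True)


def notification(inc: Incident) -> str:
    """The alert text sent to the people who must act, per the policy table."""
    return (f"[{SEVERITY_NAMES[inc.severity].upper()}] {inc.category} on {inc.host} "
            f"from {inc.src}: run {inc.procedure}, escalate to {inc.escalate_to}")


if __name__ == "__main__":
    for inc in detect_incidents(parse_events(SAMPLE_LOG)):
        print(notification(inc))
```

The two failures on the office file share, an hour apart, never become an incident: that is the filtering step, and it is what keeps the responders' queue down to the three incidents that actually need a procedure. The evidence list on each incident is the minimum that has to be written into the secure incident record before containment starts.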

Best Practice Strategies To Prevent Malicious Code

• Defense in depth

– Choosing the right antivirus

– Antivirus infrastructure design and support

– Network security: firewall (blocking risky ports) and IPS

– Email antivirus and spam protection

– Web content filtering and scanning

– Endpoint protection (the new antivirus trend)

– Limiting user privileges

– Continuously patching the system and 3rd party software

– Enforcing file integrity checks

– Blocking USB and CD-ROM

– Hardening the system

– Dividing the network into security zones

– Preventing users from installing software

– NAC


Thank you

Q/A

