SOC and ICS/SCADA Security

1SOC and ICS/SCADA Security

80%

20%

! % 20


365*7*24

(KPI)

Attack vector Forensic CSIRT CERT ISO27001


SOC

Real-Time Monitoring- Data Aggregation - Data Correlation - Aggregates Logs- Coordinates Response- Automates Remediation

Reporting- Executive Summary- Audit and Assessment - Security Metric Reporting- KPI Compliance- SLA Reporting

Security Incident Management - Pre and Post Incident Analysis- Forensics Analysis- Root Cause Analysis- Incident Handling - aeCERT Integration


10

1

2

3

4

5

6

7

8

9

10


))


Business Continuity


Talented

Trained

Experience


DATA SECURITY AND MONITORING

Data Asset Classification Data Collection Data Normalization Data at Rest and In Motion Data Protection Data Distribution


EVENT MANAGEMENT

Event Correlation Identification Triage Roles Containment Notification Ticketing Recovery Forensics and Situational Awareness


INCIDENT RESPONSE PRACTICE

Security Incident Reporting Structure Security Incident Monitoring Security Incident Escalation Procedure Forensics and Root Cause Analysis Return to Normal Operations Post-Incident Planning and Monitoring Communication Guidelines SIRT Integration


SOC OPERATING GUIDELINES

SOC Workflow Personnel Shift Description Shift Reporting Shift Change Information Acquisition SOC Monitoring Suite SOC Reporting Structure Organizational Chart


ESCALATION MANAGEMENT

Escalation Procedure Pre-Escalation Tasks IT Security Network Operation Center Security Engineering SIRT Integration Law Enforcement 3rd Party Service Providers and Vendors


DATA RECOVERY PROCEDURES

Disaster Recovery and BCP Procedure Recovery Time Objective Recovery Point Objective Resiliency and High Availability Facilities Outage Procedure


SECURITY INCIDENT PROCEDURES

Email Phishing - Email Security Incident Virus and Worm Infection Anti-Virus Management Incident NetFlow Abnormal Behavior Incident Network Behaviour Analysis Incident Distributed Denial of Service Incident Host Compromise - Web Application Security Incident Network Compromise Internet Misuse Human Resource - Hiring and Termination Domain Hijack or DNS Cache Poisoning Suspicious User Activity Unauthorized User Access (Employee)


VULNERABILITY AND PATCH MANAGEMENT

Vulnerability Research Patch Management - Microsoft SCOM Identification Dissemination Compliance Monitoring Network Configuration Baseline Anti-Virus Signature Management Microsoft Updates


TOOLS OPERATING MANUAL FOR SOC PERSONNEL

Operating Procedure for SIEM Solutions Event Management and FlowCollector/Processor Firewall Security Logs IDS/IPS Security Logs DMZ Jump Server / SSL VPN logs Endpoint Security logs (AV, DLP, HIPS) User Activity / Login Logs Operating Procedure for Policy and Configuration Compliance Operating Procedure for Network Monitoring Systems Operating Procedure for Vulnerability Assessment


SECURITY ALARMS AND ALERT CLASSIFICATION

Critical Alarms and Alerts with Action DefinitionNon-Critical and Information AlarmsAlarm reporting and SLA to resolve the alarms


SECURITY METRIC AND DASHBOARD EXECUTIVE SUMMARY

Definition of Security Metrics based on Center of InternetSecurity standards Security KPI reporting definition Security Balanced Scorecard and Executive Reporting


Penetration testing

Real-Time network security monitoring

Vulnerability scanning and management

Threat intelligence

Incident investigation

Malware forensics

Cybersecurity exercise creation and delivery


SegmentationFirewallsIDPSHonepotsAntivirusHardening...

!...


:

Security Camera

Fencing

Guards

Gates

Smart Locks


:

Switch

Router

Firewalls

Modems


:DMZ

Web Server

FTP

SMTP

DNS


:

Profibus

Modbus

OPC


:

PLC

RTU

IEDs

HMI


Security Plans, Policies Asset Inventory, System Documentation Change management Risk Management Patch Management Assessment Crisis Management Backup and Recovery


Asset Management

Name Description Weight OS Location Business Owner Business Owner Contact Information Technical Owner Technical Owner Contact Information


Asset Management

39

Vector

Extranet

Intranet

Internet

Data Center

Active Directory

Malware / Virus Infection and Propagation

NetFlow Analysis

Remote Sites / WAN

Remote Access IPSEC VPN / SSL VPN

Wireless

... 40SOC and ICS/SCADA Security

Workflow


1.

2.

1.1 Access Control

1.2 Use Control

1.3 Data Integrity

1.4 Data Confidentiality

1.5 Restrict Data Flow

1.6 Timely Response to An Event

1.7 Resource Availability


Author: Ali Abdollahi

References:

"Managed Services at the Tactical FLEX, Inc. Network Security Operations Center (NSOC)". Tactical FLEX, Inc. Retrieved 20 September 2014.

Transaction Monitoring for HMG Online Service Providers" . CESG. Retrieved 22 June 2014

"Managed Services at the Tactical FLEX, Inc. Network Security Operations Center (NSOC)". Tactical FLEX, Inc. Retrieved 20 September 2014.

Dts building scada security operation center EY-security Security Operations Centers helping you get ahead

of cybercrime Nadel, Barbara A. (2004). Building Security: Handbook for Architectural Planning

and Design. McGraw-Hill. p. 2.20. ISBN 978-0-07-141171-4.

SOC and ICS/SCADA Security 48

https://www.aanval.com/nsochttps://www.gov.uk/government/uploads/system/uploads/attachment_data/file/271268/GPG_53_Transaction_Monitoring_issue_1-1_April_2013.pdfhttps://www.aanval.com/nsochttps://en.wikipedia.org/wiki/International_Standard_Book_Numberhttps://en.wikipedia.org/wiki/Special:BookSources/978-0-07-141171-4

Date post:	14-Apr-2017
Category:	Internet
Author:	ali-abdollahi
View:	154 times
Download:	3 times

SOC and ICS/SCADA Security

Internet

SCADA/ICS › FTP_files › SCADAandICSLabJuly2015.pdf · SCADA and DCS systems. The two acronyms SCADA/ICS stand for “Supervisory Control and Data Acquisition” (SCADA) and “Industrial

systems ICS/SCADA. Representatives from government and ...systems ICS/SCADA. Representatives from government and infrastructure providers will talk about major efforts that are providing

ICS/SCADA Top 10 Most Dangerous Software Weaknesses€¦ · ToolsWatch.Org November 5, 2015 ICS/SCADA Top 10 Most Dangerous Software Weaknesses by NJ OUCHN This study is not affiliated

Independent Study Pinpoints Significant SCADA/ICS ... · 3 REPORT: INDEPENDENT STUDY PINPOINTS SIGNIFICANT SCADA/ICS CYBERSECURITY RISKS EXECUTIVE SUMMARY Many businesses and government

ICS/SCADA Attack Detection 101 · proto, non-whitelisted function codes, serial function code use on non-serial devices etc. Known ICS/SCADA malware. Signatures associated with known

SCADA Cyber Security - Yokogawa Electric · SCADA Cyber Security | 4 Introduction The Industrial Control Systems (ICS), including SCADA, are known for their high availability. The

2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabilities & Threats

7 Steps to ICS and SCADA Security · Web viewEffective ICS and SCADA security is not a one-time project. ... Established by several of the world’s top safety, security, and reliability

ICS/SCADA SECURITY TESTING AND CERTIFICATION

A modern approach to safeguarding your ICS and SCADA systems

Analysis of ICS-SCADA Cyber Security Maturity Levels in ...

from SCADA to IoT - OWASP · ICS and SCADA Industrial Control Systems (ICS) is an umbrella term covering many historically different types of control system such as SCADA (Supervisory

Industrial Control Systems Securitysoci.aspenergia.eu/public/6_10_VEMsistemi_10122015.pdf · ¾ Capabilities for attacks on ICS/SCADA 1 systems (collectively referred to as ICS below)

Communication network dependencies for ICS/SCADA Systems

Developing Cyber Forensics for SCADA Industrial Control ...d.researchbib.com/f/5nZwD5ZQVhpTEz.pdf · SCADA, ICS, Cyber Forensics, Cyber Security 1. INTRODUCTION . Industrial Control

ICS/SCADA & IoT SECURITY TESTING · ICS/SCADA & IoT SECURITY TESTING DIMITRIOS GLYNOS (@dfunc) [email protected] STERGIOS KOLIOS [email protected] ICS-CSR CONFERENCE

ICS Shield Product Description - Honeywell · ICS Shield is a top-down OT security management solution for securing connected ICS/SCADA environments. Empowering organizations to implement

Building Security Into ICS/SCADA Products - sans.org · Building Security Into ICS/SCADA Products George Wrenn, ... 9 Repeatable Standards ... Engage deeply with partners to “secure