3. Purpose
• Provide a quick reference guide to the
framework
• Promote awareness of
– Cybersecurity Critical Infrastructure Framework
– SCADA Cybersecurity threats and vulnerabilities
– The importance of risk assessments
– How to use the framework
– Look into applying security to Indusoft Web Studio
CAE-2Y Accredited
4. Key Objectives
• Knowledge of SCADA and cybersecurity
environment
– Types of SCADA systems
– Threats and risks
• Understanding of framework
• Knowledge of tools and processes for risk
analysis
• Ability to apply risk management processes to
obtain the right framework tier for an
organization.
5. Outline Of Content
• Chapter 1 - SCADA Cybersecurity Introduction
and Review
– What is SCADA
– Overview of Cybersecurity Vulnerabilities
– Understanding Control System Cyber Vulnerabilities
• Chapter 2 – Cybersecurity Framework
Introduction
– Framework Introduction
– Risk Management and the Cybersecurity Framework
6. Outline Of Content
• Chapter 3 – Cybersecurity Framework Basics
– Basic framework overview
– Framework core
• Chapter 4 – How to Use the Framework
– Basic Review of Cybersecurity Practices
– Establishing or Improving a Cybersecurity Program
– Communicating Cybersecurity Requirements with
Stakeholders
• Chapter 5 – Indusoft Security Guide
– Embedded in this chapter.
7. Outline Of Content
• Appendix (Framework Core, CSET Tool, References, and
Glossary)
9. Training Plans:
Cybersecurity Programs
• Computer and Network Security Certification Program (Online)
Credited or Self-paced
• This program is specifically designed to prepare students as
Information Systems Security (INFOSEC) Professionals, NSTISSI No.
4011 and CNSSI No. 4016 Entry Level Risk Analysts and is CAE-2Y
Accredited.
– IS 131: Network Security Fundamentals - 3
– IS 136: Guide to Disaster Recovery - 3
– IS 153/L: Introduction to Information System - 4
– IS 253: Firewalls and How They Work - 3
– IS 257: Network Defense and Counter Measures - 3
– IS 258: Cyber Ethics, Professionalism, and Career Development - 3
10. Training Plans:
Cybersecurity Programs
• Associate of Applied Science Degree - Information Systems
Cybersecurity (Online) Credited (CAE-2Y, 4011 & 4016-E, DOD
8570) Career pathway to 4-yr degrees
• The focus of this program will be on the key components of
information systems assurance and cybersecurity:
– People
– Software
– Hardware
– Data
– Security
– Communication technologies
– How these components can be integrated and managed to create
competitive advantage.
11. Training Plans:
Boot Camp
• 4-day Boot Camp covering:
– Course Orientation and Introduction to Cybersecurity and SCADA
• CompTIA-Security+ Key Topics
• SCADA Cybersecurity Recommended Practice/ Infrastructure
Guiding Principles/National Infrastructure Protection Plan
– IS-821 Critical Infrastructure and Key Resources Support Annex
– IS-860.a National Infrastructure Protection Plan (NIPP)
• Cybersecurity Critical Infrastructure Framework / CAP
Process/Intro to a SCADA Product (INDUSOFT)
• CSET Department of Homeland Security Risk Assessment Process
and Tools Using the Cybersecurity Critical Infrastructure Framework
12. About ENMU-Ruidoso
The National Security Agency and the Department of Homeland
Security have designated Eastern New Mexico University - Ruidoso
as a National Center of Academic Excellence in Information
Assurance/Cybersecurity Defense through academic year 2019.
The university's ability to meet the increasing demands
of the program criteria will serve the nation well in contributing to
the protection of the National Information Infrastructure.
Meets the eleven Knowledge Units learning objectives
Recognized by the National Initiative in Cybersecurity Education
(NICE) as a certified Training Institution for the NIST National
Cybersecurity Workforce Framework.
http://csrc.nist.gov/nice/index.htm
Chapter 1: This chapter will provide an introduction to Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), and Process Control Systems (PCS): what they are and how they are used. Then we will look at cybersecurity vulnerabilities in general and those that are of a higher concern for SCADA and PCS systems.
Section 1: What is SCADA?
Overview
History and Installed Base
How SCADA Systems Work
A More In-Depth Look at a SCADA System
Field Devices Measure the Process for Flow Rate, Pressure, Temperature, Level, Density, Etc.
Field Control Uses Two Types of Controllers
Examples of HMI Screens and Displays Used Within SCADA Systems
Section 2: Overview of Cyber Vulnerabilities
In this section the key objectives are:
Challenges of Securing Information
Understanding and Defining Information Security
Cyber Threat Source to Control/SCADA Systems Descriptions
GAO Threat Table
Cyber-Attacks and Defenses
Vulnerability Scanning vs. Penetration Testing
Section 3: Understanding Control System Cyber Vulnerabilities
Gaining Control of the SCADA System
Three Categories of SCADA Systems
Chapter 2: To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity”, on February 12, 2013.¹ This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services. The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk.
¹ Executive Order no. 13636, "Improving Critical Infrastructure Cybersecurity", DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
Chapter 2: Cybersecurity Framework Introduction
Section 1: Framework Introduction
Overview of the Framework
Framework Core
Framework Implementation Tiers
Framework Profile
Section 2: Risk Management and the Cybersecurity Framework
Risk Management Redefined
Chapter 3: The purpose of the Framework is to provide a common language to enable understanding, managing, and communicating cybersecurity risk both internally and externally. It is intended for use in helping identify and prioritize actions for reducing cybersecurity risk. The Framework is a tool used for aligning policy, business, and technological approaches to managing that risk. It is meant to be used to manage cybersecurity risk across an entire organization, or it can be focused on a service or department within the organization. “Different types of entities - including sector coordinating structures, associations, and organizations - can use the Framework for different purposes, including the creation of common Profiles.”
"Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0", National Institute of Standards and Technology, February 12, 2014
The ebook introduces a business process perspective in looking at the framework and how to apply the framework from a Business Process Re-engineering perspective.
Chapter 3: Cybersecurity Framework Basics
Section 1: Framework Basics
Section 2: Framework Core
Functions
Categories
Subcategories
Framework Implementation Tiers
Section 3: How Does it All Come Together?
Coordination of Framework Implementation
Business Process Management (BPM) Approach to the Framework
Cybersecurity Framework Assessment Process Model Breakdown and Component Parts
Chapter 4: The purpose of this chapter is to look at how an organization can use the Framework as a key part or enabler of its current process for identifying, assessing, and managing cybersecurity risk. Note that the Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Using the Framework as a cybersecurity risk management tool can enable the organization to determine the activities that are most important to critical service delivery and to prioritize the cost of those activities to reduce the risk and maximize the impact of the investment.
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Chapter 4: How to Use the Framework
Section 1: Basic Review of Cybersecurity Practices
Section 2: Establishing or Improving a Cybersecurity Program
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
Section 3: Communicating Cybersecurity Requirements with Stakeholders
Identifying Gaps
Appendix A: Framework Core
Information regarding Informative References described in Appendix A may be found at the following locations:
Appendix B: Cyber Security Evaluation Tool (CSET) Information
Appendix C: References
Recommended Publications for Purchase
Further Reading and Links to Organizations
Appendix D: Glossary
Terms Used in this Publication
Acronyms Used in this Publication
CSET Tool
The Cyber Security Evaluation Tool (CSET®) is a Department of Homeland Security (DHS) no-cost tool that assists organizations in protecting their key national cyber assets. The tool was developed by the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) with assistance from the National Institute of Standards and Technology (NIST). This tool provides users with a systematic, consistent, and standards-based approach for assessing the security posture of their Information Technology systems and networks. The tool uses high-level and detailed questions related to all industrial control and IT systems, and it includes the NIST Cybersecurity Critical Infrastructure Framework, referenced in the tool standards as “NCSF V1”.
The value of the tool is that it can guide the key stakeholders, custodians, and owners in systematically understanding their current IT and control system environment and potential gaps in security, and can assist in developing a plan to close those gaps. The tool includes instructional videos, help screens, and information not only about how to use the tool but also about what standards might apply to one’s organization.
The tool gives organizations that have not conducted any sort of comprehensive risk assessment of their IT infrastructure an excellent starting point.
1.1. Basic Data Analysis
1.2. Basic Scripting or Introductory Programming (4 yr core)
1.3. Cyber Defense
1.4. Cyber Threats
1.5. Fundamental Security Design Principles
1.6. IA Fundamentals
1.7. Intro to Cryptography
1.8. IT Systems Components
1.9. Networking Concepts
1.10. Policy, Legal, Ethics, and Compliance
1.11. System Administration