Managing the Security Risks of Your SCADA System, 3/21/2012

Agenda
• Risk Management
• Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• Developing Incident Response And Remediation Plans
• Best Practice Strategies To Prevent Worm And Virus Threats
Risk Management
• Risk Management in general
• Before we can do risk assessment we have to
  understand Risk
• We have to know some definitions first
• What is the relation between these definitions?
• Risk management concept
• The two Risk assessment methodologies
• Basic risk management requirements
• Example from ISO27001
Risk Management in General
• Risk management is a proven framework that does the following
1. Schedules risk assessments during the year
2. Defines the risk assessment methodology
     – Defines Risk Evaluation Criteria
     – Defines Risk Acceptance Criteria
3. Defines a process for closing risk assessment findings.
Some Definitions Related to Risk
• What is risk? Risk is the likelihood of an action on a weakness resulting in an impact
• Threat is a potential danger
• Vulnerability is a known weakness
• Exposure is the opportunity for a threat to cause impact
• Controls are administrative, technical, or physical measures taken to mitigate a risk
• Safeguards are controls applied before the fact (preventive, detective, deterrent, directive)
• Countermeasures are controls applied after the fact (corrective, recovery, compensating)
What is the relation between these definitions?
[Figure: relationship between the risk definitions, based on the OWASP model. Threat Agent / Threat Source -> Threat -> Attack / Exploit -> Weakness / Vulnerability -> Exposure -> Safeguards -> Assets -> Compromised Asset -> Countermeasures / Controls -> Technical Impact -> Business Impact; the chain as a whole is the Risk.]
Risk management concept
[Figure: CC Risk Management Concept Flow]
The two Risk assessment Methodologies
• Two ways to calculate the Risk: Qualitative and Quantitative risk analysis
• Qualitative Risk analysis: We predict the level of risk
• We use this approach when we are unable to accurately calculate asset value
• Example: we define a scenario where it is possible that a hacker can gain access from the internet to a database
• Asset = database
• Likelihood = 2
• Impact/consequences = 5

Qualitative risk matrix (Likelihood x Consequences)

Consequences: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic

Likelihood             1   2   3   4   5
A (almost certain)     H   H   E   E   E
B (likely)             M   H   H   E   E
C (possible)           L   M   H   E   E
D (unlikely)           L   L   M   H   E
E (rare)               L   L   M   H   H

E = Extreme Risk, immediate action
H = High Risk, action should be taken to compensate
M = Moderate Risk, action should be taken to monitor
L = Low Risk, routine acceptance of risk
The two Risk assessment methodologies cont.
• Quantitative Risk analysis: is the calculation of ALE
  Annual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss)
• Example: annual rate of occurrence = 3, asset value = 1,478,390, percent of loss = 60%
• ALE = 3 x (1,478,390 x 60%) = 3 x 887,034 = 2,661,102
• ROI = ALE – security control cost
• ROI is the return on security investment, the amount of money that will be saved from loss
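As an added example (not part of the slide deck), the two methodologies from these slides as runnable Python: the qualitative part looks up the likelihood x consequence matrix and applies the treatment criteria, and the quantitative part implements the ALE and ROI formulas. It assumes the slide's numeric likelihood 2 maps to matrix row B (likely), and the residual_ale parameter of the ROI function is an extension beyond the slide's formula.

```python
"""Qualitative (risk matrix) and quantitative (ALE / ROI) risk assessment,
written as an added example to accompany the slides; not the deck's own code."""

# Consequence levels and likelihood ratings, as labelled on the slide.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {"A": "almost certain", "B": "likely", "C": "possible", "D": "unlikely", "E": "rare"}

# Risk matrix transcribed from the slide: one row per likelihood rating,
# one character per consequence level 1..5.
RISK_MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}

# Legend from the slide: rating -> required action.
RISK_ACTION = {
    "E": "Extreme Risk, immediate action",
    "H": "High Risk, action should be taken to compensate",
    "M": "Moderate Risk, action should be taken to monitor",
    "L": "Low Risk, routine acceptance of risk",
}

# Assumption: the slide's numeric likelihood (its example says "Likelihood = 2")
# maps onto the matrix rows in order, so 1 -> A (almost certain) ... 5 -> E (rare).
LIKELIHOOD_BY_NUMBER = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}

# Ordering used to compare a rating against the risk acceptance level.
RATING_RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def qualitative_risk(likelihood, consequence):
    """Look up the rating (L/M/H/E) for a likelihood (letter A-E or number 1-5)
    and a consequence level (1-5); returns (rating, required action)."""
    if isinstance(likelihood, int):
        likelihood = LIKELIHOOD_BY_NUMBER[likelihood]
    likelihood = likelihood.upper()
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood rating {likelihood!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence level must be 1..5, got {consequence!r}")
    rating = RISK_MATRIX[likelihood][consequence - 1]
    return rating, RISK_ACTION[rating]


def treatment_decision(rating, acceptance_level="L"):
    """Apply the slide's treatment criteria: a rating at or under the acceptance
    level is accepted; anything above it must be treated (transfer, mitigate or avoid)."""
    if RATING_RANK[rating] <= RATING_RANK[acceptance_level]:
        return "accept"
    return "treat"


def single_loss_expectancy(asset_value, percent_of_loss):
    """Asset Value x Percent of Loss, with percent_of_loss as a fraction (0.6 for 60%)."""
    if not 0.0 <= percent_of_loss <= 1.0:
        raise ValueError("percent_of_loss must be a fraction between 0 and 1")
    return asset_value * percent_of_loss


def annual_loss_expectancy(annual_rate_of_occurrence, asset_value, percent_of_loss):
    """ALE = Annual Rate of Occurrence x (Asset Value x Percent of Loss), as on the slide."""
    return annual_rate_of_occurrence * single_loss_expectancy(asset_value, percent_of_loss)


def security_roi(ale, control_cost, residual_ale=0.0):
    """ROI = ALE - security control cost, as on the slide. residual_ale is an
    extension not on the slide: the loss expectancy left after a control that
    reduces rather than removes the risk."""
    return (ale - residual_ale) - control_cost


if __name__ == "__main__":
    # The slide's qualitative example: internet access to a database,
    # Likelihood = 2, Impact/consequences = 5.
    rating, action = qualitative_risk(2, 5)
    print(f"qualitative: {rating} ({action}) -> {treatment_decision(rating)}")

    # The slide's quantitative example: ARO = 3, asset value 1,478,390, 60% loss.
    ale = annual_loss_expectancy(3, 1_478_390, 0.60)
    print(f"ALE = {ale:,.0f}")
    # Constructed control cost, only to illustrate the ROI formula (not from the slide).
    print(f"ROI of a 500,000 control = {security_roi(ale, 500_000):,.0f}")
```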
Basic risk management requirements
• The board of directors needs to agree on the following
     – The scope of the risks that are going to be managed
     – The type of risks, such as financial risks, operational risks, technical and security risks, or business risks related to the market; in our case we are concerned with technical and security risks
     – Risk Assessment Methodology: OCTAVE (IT Risk), AS/NZS 4360, NIST, ISO27005; each one of these methodologies defines certain steps for assessing risk.
          • Risk Evaluation Criteria: either we go with quantitative or qualitative risk evaluation, or a mix of both.
          • Risk treatment criteria: we define the conditions under which we choose one of the treatment strategies
                – We accept the risk if it is under the risk acceptance level, otherwise we:
                – Transfer the risk to an insurance company or outsource to a managed service provider
                – Mitigate the risk by deploying controls
                – Avoid the risk by canceling the whole business
ISO27001 Risk Management Example
• ISO27001 provides a generic way to manage risk:
1. Identify assets
2. Identify threats to assets
3. Identify vulnerabilities that might be exploited by the threats
4. Identify the impacts on the assets
5. Analyze and evaluate the risks
6. Identify the treatment of risks (accept, transfer, avoid, mitigate)
7. Select control objectives and controls
8. Follow the PDCA (Plan-Do-Check-Act) cycle
Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• We assume that a risk assessment has been done and security control objectives have been selected.
• Part of the challenges we might face:
      – Choosing a security control compatible with SCADA and able to understand its traffic; a security control should protect the service without impacting it
      – The geographical distance impacts support, maintenance, and operation
      – Solving the communication bandwidth problem, because we need real-time monitoring and control
Developing Incident Response And Remediation Plans
• Why do we need a plan for response?
      – Because we need to be prepared to effectively solve different kinds of problems in the shortest time possible, in order to reduce the impact and prevent disturbance.
• Reference: NIST Special Publication 800-61 “Computer Security Incident Handling Guide”
• First the definitions, then we are going to look into policy, plan, and process.
• A security incident is a violation of policy, for example a virus infection or a password brute-force attack
• An event is any observable occurrence in a system or network, for example a failed authentication.
Developing Incident Response And Remediation Plans
• In order to build an effective incident response we have to define the policy, plan, and procedure
• The policy should
      – Define the scope of incidents that are going to be handled
      – Define what will be considered a security incident and its impact on the company
      – Define response and remediation requirements
      – Define roles and responsibilities and the level of authority given to the response team for each kind of incident
      – Define the incident severity rating
      – Define response and remediation KPIs
      – Define the escalation procedure for each kind of incident
      – Define incident alerting and reporting requirements
Developing Incident Response And Remediation Plans, Cont.
• The incident response plan should:
      – Define the approach for incident response
      – Implement the capabilities needed to provide the incident response service to the company, per the requirements defined in the policy
      – Define the resources and management support needed to enable the capabilities
      – Define how the KPIs are measured
      – Implement incident reporting, alerting and escalation capability
      – Define how the incident response capabilities are coordinated and communicated inside the company
      – Define an incident response and remediation procedure for each kind of incident; the procedure should consider the severity of the incident
Developing Incident Response And Remediation Plans, Cont.
• The incident response and remediation procedure should:
      – React based on the severity of the incident
      – Be reliable, effective and efficient
      – Be detailed and supported with checklists
Developing Incident Response And Remediation Plans, Cont.
• Incident response lifecycle
1. Preparation
      1. Preparing the team by training and drills
      2. Providing the needed tools and logistics to carry out response capabilities
2. Detection and analysis
      1. Accurate detection by filtering out false positives and false negatives
      2. Incident categorization: identifying the category leads to choosing the right response procedure
      3. Incident analysis: finding the root cause and the related and impacted assets
      4. Incident documentation: recording all facts in a secure system that helps us keep track of incident developments
      5. Incident prioritization: prioritizing incidents based on their severity
      6. Incident notification: alerting the related persons in the company to take action
3. Response action
      1. Choosing a containment strategy in order to stop the incident from spreading to other assets
      2. Gathering evidence for forensic investigations: tag it and bag it
      3. Solving the problem, and recovering the system if needed
4. Post-incident activity
      1. Lessons learned documentation and meeting
Best Practice Strategies To Prevent Malicious Code
• Defense in depth
      – Choosing the right antivirus
      – Antivirus infrastructure design and support
      – Network security: firewall (risky ports) and IPS
      – Email antivirus and spam protection
      – Web content filtering and scanning
      – Endpoint protection (new antivirus trend)
      – Limiting user privileges
      – Continuously patching the system and third-party software
      – Enforcing file integrity checks
      – Blocking USB and CD-ROM
      – Hardening the system
      – Dividing the network into security zones
      – Preventing users from installing software
      – NAC (network access control)
Thank you
Q/A
Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012

  • 1.
  • 2. Agenda • Risk Management • Challenges In Deploying Technical Risk Treatment Controls For SCADA System • Developing Incidents Response And Remediation Plans • Best Practice Strategies To Prevent Worm And Virus Threats Managing the Security Risks of Your SCADA 3/21/2012 2 System
  • 3. Risk Management • Risk Management in general • Before we can do risk assessment we have to understand Risk • We have to know some definitions first • What is the relation between these definitions? • Risk management concept • The two Risk assessment methodologies • Basic risk management requirements • Example from ISO27001 Managing the Security Risks of Your SCADA 3/21/2012 3 System
  • 4. Risk Management in General • Risk management is a proven framework that does the following 1. Schedule risk assessments during the year 2. Defines risk assessment methodology – Defines Risk Evaluation Criteria – Defines Risk Acceptance criteria 3. Defines a process for closing risk assessment findings. Managing the Security Risks of Your SCADA 3/21/2012 4 System
  • 5. Some Definitions Related to Risk • What is risk? Risk is the likelihood of an action on a weakness resulting an impact • Threat is a potential danger • Vulnerability is a known weakness • Exposure is the opportunity for a threat to cause impact • Controls are administrative, technical, or physical measures taken to mitigate a risk • Safeguards are controls applied before the fact (prevent, detect, Deterrent, Directive) • Counter Measures are controls applied after the fact (Corrective, Recovery, Compensating) Managing the Security Risks of Your SCADA 3/21/2012 5 System
  • 6. What is the relation between these definitions? Risk Weakness/ Counter Technical Business Threat Source Vulnerability Safeguards Assets Measures Impact Impact Threat Agent Attack / Exploit Exposure Compromised Asset Controls Threat Based OWSAP Model Managing the Security Risks of Your SCADA 3/21/2012 6 System
  • 7. Risk management concept CC Risk Management Concept Flow Managing the Security Risks of Your SCADA 3/21/2012 7 System
  • 8. The two Risk assessment Methodologies • Two ways to calculate the Risk, Consequences Qualitative and Quantitative risk Catastrophic Insignificant analysis Moderate • Qualitative Risk analysis: We predict Minor Major the level of risk • We use this approach when we are Likelihood 1 2 3 4 5 unable to accurately calculate asset A (almost certain) H H E E E value B (likely) M H H E E • Example: we define a scenario where C (possible) L M H E E it is possible that a hacker can gain D (unlikely) L L M H E access from the internet to a database E (rare) L L M H H • Asset = database E Extreme Risk, immediate action • Likelihood = 2 High Risk, action should be taken to H • Impact/consequences = 5 compensate Moderate Risk, action should be M taken to monitor Managing the Security Risks of Your SCADA 3/21/2012 System L Low Risk, routine acceptance of risk8
  • 9. The two Risk assessment methodologies cont. • Quantitative Risk analysis: is the calculation of ALE Annual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss) • Example: probability = 3, asset value = 1,478,390 , 60% • ALE = 3 x (1,478,390 x 60% ) = 3 x 887,034 = 2,661,102 • ROI = ALE – security control cost • ROI is the return on security investment, the amount of money that will be saves from loss Managing the Security Risks of Your SCADA 3/21/2012 9 System
  • 10. Basic management requirements • The board of directors need to agree on the following – The scope of the risks that are going to be managed – The type of risks such as financial risks, operational risks, technical and security risks, or business risks related to the market, but in our case we are concerned about technical and security risks – Risk Assessment Methodology: OCTAVE (IT Risk), AS/NZ 4360, NIST, ISO27005, each one of these methodologies certain steps for assessing risk. • Risk Evaluation Criteria: either we go with quantitative or qualitative risk evaluation or mix of both. • Risk treatment criteria: we define the conditions under which we chose one of the treatment strategy – We accept the risk if it under the risk acceptance level and otherwise we : – Transfer the risk to an assurance company or outsource from a managed service provider – Mitigate the risk by deploying controls – Avoid the risk by canceling the whole business Managing the Security Risks of Your SCADA 3/21/2012 10 System
11. ISO27001 Risk Management Example
• ISO27001 provides a generic way to manage risk:
  1. Identify assets
  2. Identify threats to the assets
  3. Identify vulnerabilities that might be exploited by the threats
  4. Identify the impacts on the assets
  5. Analyze and evaluate the risks
  6. Identify the treatment of the risks (accept, transfer, avoid, mitigate)
  7. Select control objectives and controls
  8. Follow the PDCA (Plan-Do-Check-Act) cycle
12. Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• We assume that a risk assessment has been done and security control objectives have been selected
• Some of the challenges we might face:
  – Choosing a security control that is compatible with SCADA and able to understand its protocols; the control should protect the service without impacting it, since a control that delays or drops legitimate control traffic is itself an availability risk
  – The geographical distance between sites impacts support, maintenance, and operation of the control
  – Solving the communication bandwidth problem, because real-time monitoring and control leave little room for the overhead a control adds to the link
13. Developing Incidents Response And Remediation Plans
• Why do we need a plan for response?
  – Because we need to be prepared to effectively solve different kinds of problems in the shortest time possible, in order to reduce the impact and prevent disturbance of operations
• Reference: NIST Special Publication 800-61, "Computer Security Incident Handling Guide"
• First the definitions, then we look into the policy, the plan, and the process
• An event is any observable occurrence in a system or network; example: a failed authentication
• A security incident is a violation (or imminent threat of violation) of security policy; examples: a virus infection, a password brute-force attack. One failed login is an event; a burst of failed logins against the same account is an incident.
14. Developing Incidents Response And Remediation Plans
• In order to build an effective incident response capability we have to define the policy, the plan, and the procedures
• The policy should:
  – Define the scope of incidents that are going to be handled
  – Define what will be considered a security incident and its impact on the company
  – Define response and remediation requirements
  – Define roles and responsibilities, and the level of authority given to the response team for each kind of incident
  – Define the incident severity rating
  – Define response and remediation KPIs
  – Define the escalation procedure for each kind of incident
  – Define incident alerting and reporting requirements
15. Developing Incidents Response And Remediation Plans, cont.
• The incident response plan should:
  – Define the approach for incident response
  – Implement the capabilities needed to provide the incident response service to the company, per the requirements defined in the policy
  – Define the resources and management support needed to enable those capabilities
  – Define how the KPIs are measured
  – Implement incident reporting, alerting and escalation capabilities
  – Define how the incident response capabilities are coordinated and communicated inside the company
  – Define an incident response and remediation procedure for each kind of incident; the procedure should take the severity of the incident into account
16. Developing Incidents Response And Remediation Plans, cont.
• The incident response and remediation procedure should:
  – React based on the severity of the incident
  – Be reliable, effective and efficient
  – Be detailed and supported with checklists
17. Developing Incidents Response And Remediation Plans, cont.
• Incident response lifecycle:
  1. Preparation
     1. Preparing the team by training and drills
     2. Providing the tools and logistics needed to carry out the response capabilities
  2. Detection and analysis
     1. Accurate detection: minimizing false positives (events wrongly raised as incidents) and false negatives (incidents that are never raised)
     2. Incident categorization: identifying the category leads to choosing the right response procedure
     3. Incident analysis: finding the root cause and the related and impacted assets
     4. Incident documentation: recording all facts in a secure system that helps us keep track of incident developments
     5. Incident prioritization: ordering incidents by their severity
     6. Incident notification: alerting the responsible persons in the company to take action
  3. Response action
     1. Choosing a containment strategy in order to stop the incident from spreading to other assets
     2. Gathering evidence for forensic investigation: tag it and bag it
     3. Solving the problem, and recovering the system if needed
  4. Post-incident activity
     1. Lessons-learned documentation and meeting
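The detection-and-analysis steps above (filter events, categorize, prioritize, notify) applied to the slides' own example of an event versus an incident, a failed authentication versus a password brute-force, as an added example that is not part of the presentation. The log lines are constructed, the host names, users and addresses are invented, and the threshold (five failures from one source against one host within 60 seconds) and the severity rule (a successful login right after the failures raises the severity, because it suggests the password was found) are assumptions made for the example; a real deployment would take them from the severity rating in the policy.

```python
"""Event-to-incident correlation for password brute-force, an added example.

Log format, hosts, users, addresses, threshold and severity rule are all
constructed for this example; they are not from the slides or from NIST.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (syslog-like, one event per line).
SAMPLE_LOG = """\
2012-03-21T10:00:01 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:02 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:03 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:04 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:05 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:06 hmi01 sshd: Failed password for operator from 10.1.1.5
2012-03-21T10:00:09 hmi01 sshd: Accepted password for operator from 10.1.1.5
2012-03-21T10:05:00 hist01 sshd: Failed password for engineer from 10.1.2.7
2012-03-21T10:05:12 hist01 sshd: Accepted password for engineer from 10.1.2.7
2012-03-21T11:00:00 hist01 sshd: Failed password for root from 192.0.2.44
2012-03-21T11:00:10 hist01 sshd: Failed password for admin from 192.0.2.44
2012-03-21T11:00:20 hist01 sshd: Failed password for root from 192.0.2.44
2012-03-21T11:00:30 hist01 sshd: Failed password for scada from 192.0.2.44
2012-03-21T11:00:40 hist01 sshd: Failed password for root from 192.0.2.44
2012-03-21T11:01:00 hist01 sshd: Received disconnect from 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

THRESHOLD = 5                 # failures that turn events into an incident
WINDOW = timedelta(seconds=60)  # sliding window for counting failures


def parse_events(text):
    """Turn raw log lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the disconnect line: an event we do not act on
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Correlate failed logins per (source, host); return incidents, highest severity first."""
    recent = defaultdict(deque)   # (src, host) -> (timestamp, user) of recent failures
    incidents = {}                # (src, host) -> open incident record
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        if ev["result"] == "Failed":
            q = recent[key]
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            inc = incidents.get(key)
            if inc is None and len(q) >= threshold:    # categorize: this is now an incident
                incidents[key] = {
                    "category": "password brute-force", "severity": "moderate",
                    "source": ev["src"], "host": ev["host"],
                    "first_seen": q[0][0], "last_seen": ev["ts"],
                    "failures": len(q), "users": {u for _, u in q},
                }
            elif inc is not None:                      # already open: keep counting
                inc["failures"] += 1
                inc["last_seen"] = ev["ts"]
                inc["users"].add(ev["user"])
        else:  # Accepted
            inc = incidents.get(key)
            if inc and ev["ts"] - inc["last_seen"] <= window:
                # A success right after the failures: the guess likely worked.
                inc["severity"] = "high"
                inc["note"] = f"successful login as {ev['user']} after {inc['failures']} failures"
    order = {"high": 0, "moderate": 1}
    return sorted(incidents.values(), key=lambda i: (order[i["severity"]], i["first_seen"]))


def notifications(incidents):
    """One line per incident, in the order the response team should work them."""
    return [
        f"[{i['severity'].upper()}] {i['category']} from {i['source']} against {i['host']}: "
        f"{i['failures']} failures, users {sorted(i['users'])}" + (f"; {i['note']}" if "note" in i else "")
        for i in incidents
    ]


if __name__ == "__main__":
    for line in notifications(detect_brute_force(parse_events(SAMPLE_LOG))):
        print(line)
```

The engineer's single typo on hist01 stays an event and never reaches the queue, which is the false-positive filtering the lifecycle asks for; the two real bursts come out as incidents, and the one followed by a successful login is prioritized first because containment of a probably compromised account matters more than a failed attack that is still running.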
18. Best Practice Strategies To Prevent Malicious Code
• Defense in depth:
  – Choosing the right antivirus
  – Antivirus infrastructure design and support
  – Network security: firewall (blocking risky ports) and IPS
  – Email antivirus and spam protection
  – Web content filtering and scanning
  – Endpoint protection (the new antivirus trend)
  – Limiting user privileges
  – Continuously patching the system and third-party software
  – Enforcing file integrity checks
  – Blocking USB and CD-ROM
  – Hardening the system
  – Dividing the network into security zones
  – Preventing users from installing software
  – Network access control (NAC)
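The "file integrity check" item above, shown as a minimal working implementation: an added example, not a tool the presentation recommends and not a substitute for a maintained integrity checker. The directory tree, file names and contents are constructed inside the example so it runs offline; the function names are assumptions. The practitioner's caveat the slide leaves out is that the baseline must be kept where the malware cannot reach it (read-only media, a signed copy on the monitoring host), otherwise an attacker who replaces a binary simply updates the baseline too.

```python
"""SHA-256 baseline-and-verify file integrity check, an added example.

Tree layout, file names and contents are constructed for the demo; the
function names are assumptions. Store a real baseline off the monitored host.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):   # skip sockets, devices, dangling symlinks
                continue
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def verify_against_baseline(baseline, root):
    """Report files that changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, tamper with it the way malware would, verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/hmi_server", b"original binary")
        _write(root, "etc/scada.conf", b"poll_interval=500\n")
        _write(root, "etc/hosts.allow", b"sshd: 10.1.0.0/16\n")
        baseline = build_baseline(root)   # in practice: save this read-only, elsewhere
        # Simulated infection: binary replaced, a dropper added, an access list removed.
        _write(root, "bin/hmi_server", b"trojaned binary")
        _write(root, "bin/dropper.exe", b"new file")
        os.remove(os.path.join(root, "etc", "hosts.allow"))
        return verify_against_baseline(baseline, root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run it on a real host by calling `build_baseline` once on a known-good system, pickling or JSON-dumping the result to removable or read-only storage, and calling `verify_against_baseline` from a scheduled job; an empty report is the expected result, and anything in "modified" under a binary directory is an incident, not an event.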
19. Thank you. Q/A