ICS Security Rapid Digital Risk Assessment

Transcription

1 ICS Security Rapid Digital Risk Assessment Identifying, Measuring, Understanding Dieter SANS EUROPEAN ICS SECURITY SUMMIT Stephen Smith

2 Agenda Stating the Facts Understanding the problems Applying a method Definitions System: Computing application including all connected devices and services (i.e. SCADA system) Component: Individual devices that forms part of a system (i.e. Workstation, PLC) or is stand alone (i.e. Switch)

3 Digital Computing: Fact 1 Any device with software-defined behaviour can be tricked into doing things its creators did not intend Any device connected to a network of any sort, in any way, can be compromised by an external party WEF Global Risk Report 2013

4 Computing User Effect: Fact 2 The user is going to pick dancing pigs over security every time Bruce Schneier

5 Computing Dis-believers : Fact 3 The systems have never had a security incident in the past, why should I expect them to have one in the future? We just spent large amounts of money on our security, we must be well protected!

6 Industrial Environment constrains: Fact 4 u Operations priorities Safety Availability u Business priorities Low Cost Efficiency Real-time, fast operational response

7 Technologies Aspects: Fact 5 u Aging & legacy stuff u Mix of several, different technologies u Mobile & connectivity trends u Vulnerabilities are rising u Computing technology build-up Off-the-shelf u Less knowledge about technology base

8 Agenda Stating the Facts Understanding the problems Applying a method To solve problems they must be first identified and understood

9 Understand the risk focus u What needs protection and why u The current cyber security maturity u The location priorities u How to apply risk management u How to convince the stakeholders Every site is unique yet many problems are common

10 Identifying the Digital Footprint u Internal digital infrastructure u Local and remote connectivity u Mobile capability and usage u external device usage u New system introduction

11 Select an approach fit for purpose A balanced Human vs Technology centric approach u Consider the location culture u Focus on critical systems u Ensure key players are involved u Select measurement criteria u Security mitigation capacity (resource and knowledge) u Aim for input quality u Focus on what will convince stakeholders One size fits all will never work!

12 Agenda Stating the Facts Understanding the problems Applying a method Understand, Measure & Ensure repeatability

13 Rapid digital Risk Assessment 1 Determine scope Ensure a full inventory of digital devices and capability are identified and classified by criticality Deliverables: Geographical and system scope 2 Discovery Measure security maturity applied throughout scoped area for each system Deliverables: Inventory, system criticality level, Security maturity levels measurement, Technical scan/pen test 3 Analysis & evaluation Determine threat and vulnerability for company/site Deliverables: Analysis and Mitigating activities, Cyber security roadmap

14 Rapid Digital Risk Assessment - Phase 2 2 Discovery Selection of systems for risk assessment Interview track Technical review track System criticality System Security maturity Share findings to focus on identifying unknown vulnerabilities Technical evaluations Pen testing Scans Walk through Consolidation of findings

15 Interview Sessions Managed level of risk mitigation measurements (Based on existing industry security standards) u Digital system criticality u Security governance maturity u System recovery capability u System logical access capability u System physical access capability u Hardware vulnerability u Software vulnerability Select meaningful categories to measure Base measurements on worst case scenarios

16 Technical Tests and Scans u u u u u u u u u... How easy it is to get on the network? Has patching been performed? How many vulnerabilities are there? Is hardening performed? How are applications started? How is the communication between apps? How easy it is to break out of an operator jail? Is there internet access?

17 Technology scans and testing Where to test? safely... All testing ok Take Care!! Forbidden zone l l l Sources:

18 Technology scans and testing u Focus on key element within scope Begin with potential weaknesses identified in scoping Pragmatic combination of technical tests u Think OT while testing What can cause significant harm? From what perspective?

19 Analysis and Evaluation u Low hanging fruit Security management approach Common mistakes Reoccurring vulnerabilities u Critical systems and components Weak recoverability Isolation (Zoning) Specific penetration testing

20 Turning Measurements in Meaning Key Performance Indicators (KPI) Examples # of systems at locations (or best approximation!) # of systems with identified criticality level # of systems with completed risk assessment Security Management maturity level Recovery maturity level Accessibility maturity level H&S Vulnerabilities maturity level # of systems technical testing

21 Turning Measurements in Meaning Example Risk Assessment of systems Criticality App 1 Vulnerability maturity Sec Management maturity App 2 App 3 App App 5 App 6 App 7 App 8 App 9 App 10 Accessibility maturity Recoverability maturity Cobit Maturity Levels

22 Turning Measurements in Meaning Example Risk Assessment for Site Criticality Vulnerability maturity Sec Management maturity Accessibility maturity Recoverability maturity

23 Turning Measurements in Meaning

24 The true Challenge Resilience Ensuring strategic enterprise capacity 1. Securing corporate mandate/local engagement 2. Budget capacity 3. Integration into existing processes 4. Knowledge and competence 5. Integration into enterprise risk methodology o o Continuous improvement Repeatable risk assessments 6. Responsive incident management 7. Recovery

25 Manage all your risks old and new! Progress just means bad things happen faster Terry Pratchett