Security Issues and Best Practices for Water Facilities


Slide 1: Security Issues and Best Practices for Water Facilities
Jeff Hayes, Business Development Manager, Beijer Electronics
2013 ISA Water / Wastewater and Automatic Controls Symposium, August 6-8, 2013, Orlando, Florida, USA
ISA: Standards, Certification, Education & Training, Publishing, Conferences & Exhibits

Slide 2: Jeff Hayes
- 15 years in product management for computer networking and security companies
- CISSP since March 2002
- President of ISSA Utah Chapter
- Business Development Manager, Beijer Electronics
  - Beijer is a 31-year-old industrial automation firm from Sweden with Americas HQ in Salt Lake City
  - Manufacturer of HMIs, touch-panel PCs, programming software and networking equipment for industrial applications, including extreme environmental conditions

Slide 3: Outline
- Premises
- Targets
- Closed Loop Corrective Action for Plants
- Security Policies
- Risk Analysis
- Countermeasures
- Monitor & Measure

Slide 4: Premises
- Security for infrastructure facilities is minimized, unfunded, and not part of best-practices thinking.
- Security is not a core competency of most engineering, system integration and construction companies, nor of the operators and IT personnel.
- Serious security incidents have not created ample awareness or panic to create action/funding.
- Cross-contamination risks exist between the corporate network domain and the process control domain.
- Safety and availability are jobs #1 and #2.

Slide 5: Target
- Is a water/wastewater facility a target? Who would target one?
- How difficult would it be to conduct surveillance to infiltrate a facility?
- Are we more secure today than a year ago? Yes, but the bad guys are better equipped and the attack surface is expanding.
- Security is more of a people issue than a technology issue.

Slide 6: Closed Loop Corrective Action for Plant Security
(Diagram: a four-stage cycle of Security Policies, Risk Analysis, Countermeasures and Monitor & Measure, feeding back into Security Policies.)

Slide 7: Security Policies
- Policies are the basis for security design, architecture, implementation, and practices.
- Consider some computer, Internet, physical security and emergency management policies:
  - Computer, email, anti-virus
  - Internet
  - Passwords
  - Social media and blogging
  - Privacy
  - Pandemic
  - Clean desk
  - Cell phones
  - Concealed weapons
  - Industrial accidents
  - Bomb threats

Slide 8: Security Policies
- Most water/wastewater facilities have weak policies. Documented? Understood? Enforced?
- If they do exist, do they:
  - describe who owns, controls and may access what information, and in what manner?
  - delineate sharing vs. least privilege?
  - define separation of duties?
  - include a vulnerability / risk / gap / cost-benefit analysis?

Slide 9: Risk Analysis
- Risk management components
  - Evaluation and Assessment: identify assets and evaluate their properties, characteristics and loss impact
  - Risk Assessment: discover threats and vulnerabilities that pose risk to assets
  - Risk Mitigation: transferring, eliminating or accepting
- Internal risks
  - People (employees, contractors, visitors, ex-associates)
  - Processes and procedures
  - Computer systems
- External risks
  - Geography, weather events, neighbors
  - Terror, war, criminal, social & economic

Slide 10: Risk Analysis
- Data breach frequency and costs continue to rise
  - Costs: Detection, Response, Notification, Ex-post
  - Root causes: Malicious/Criminal, Negligence, System Glitch

Slide 11: Risk Analysis
- Network vulnerabilities: cloud computing, remote access
- Protocol vulnerabilities: Ethernet & TCP/IP (no longer security by obscurity)
- Bottom line: "Every security program is a risk program. The only value proposition security policies, processes and technologies have is their effect on an organization's loss exposure: the frequency and magnitude of loss." (Jack Jones, Co-Founder of CXOWARE)
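The "frequency and magnitude of loss" definition above, and the cost-benefit analysis slide 8 asks for, can be made concrete with a few lines of arithmetic. The following is an added example, not material from the deck or from Beijer Electronics; the scenario, the frequencies and the dollar figures are constructed for illustration and would come from a site's own risk assessment in practice.

```python
"""Loss-exposure arithmetic for ranking countermeasures (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario from the risk assessment."""
    name: str
    annual_frequency: float   # expected loss events per year
    loss_magnitude: float     # expected cost of one event, USD


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the reduction it is assumed to deliver."""
    name: str
    annual_cost: float          # yearly cost to buy and operate it, USD
    frequency_reduction: float  # fraction of events it stops, 0.0..1.0
    magnitude_reduction: float  # fraction of per-event cost it removes, 0.0..1.0


def annual_loss_exposure(s: Scenario) -> float:
    """Frequency x magnitude: expected yearly loss with today's controls."""
    return round(s.annual_frequency * s.loss_magnitude, 2)


def residual_exposure(s: Scenario, c: Countermeasure) -> float:
    """Expected yearly loss after the countermeasure is in place."""
    frequency = s.annual_frequency * (1.0 - c.frequency_reduction)
    magnitude = s.loss_magnitude * (1.0 - c.magnitude_reduction)
    return round(frequency * magnitude, 2)


def net_benefit(s: Scenario, c: Countermeasure) -> float:
    """Exposure removed minus what the control costs; negative means it is not worth buying."""
    return round(annual_loss_exposure(s) - residual_exposure(s, c) - c.annual_cost, 2)


def rank_countermeasures(s: Scenario, options) -> list:
    """Options ordered by net benefit, best first, as (name, net_benefit) pairs."""
    scored = [(c.name, net_benefit(s, c)) for c in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def total_exposure(scenarios) -> float:
    """Loss exposure across a whole risk register, the number a gap analysis tracks over time."""
    return round(sum(annual_loss_exposure(s) for s in scenarios), 2)


# Constructed figures for illustration only; real inputs come from the site's own assessment.
REMOTE_ACCESS = Scenario("remote-access credential compromise", 0.5, 200_000)
OPTIONS = [
    Countermeasure("written policy only", 2_000, 0.10, 0.0),
    Countermeasure("multi-factor remote access", 15_000, 0.80, 0.0),
    Countermeasure("replace all remote access hardware", 120_000, 0.95, 0.0),
]

if __name__ == "__main__":
    print("exposure today:", annual_loss_exposure(REMOTE_ACCESS))
    for name, benefit in rank_countermeasures(REMOTE_ACCESS, OPTIONS):
        print(f"{name:40s} net benefit {benefit:>12,.2f}")
```

The ranking makes the slide's point in numbers: the most expensive option removes the most exposure yet has a negative net benefit, so on this (constructed) input it should lose to the cheaper multi-factor control.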

Slide 12: Security Architecture (Countermeasures)
- Properly aligned people, processes & tools working to protect organizational assets, goals & strategic direction
- Potential components
  - Account & identity management
  - Access and border control
  - Vulnerabilities & base configurations
  - Privacy & integrity
  - Security monitoring
  - Incident response
  - Disaster recovery
  - User training
  - Classification: trusted, untrusted and DMZ

Slide 13: Vulnerability Assessments (Countermeasures)
- Identifying, quantifying, and prioritizing the vulnerabilities in a system
- Scanning
  - Audit running processes, open ports, system OS details, user accounts, executable & DLL files
  - Security, configuration and compliance audit
- Patch management
- Zero-day exploits and responses
- Mobile device management
- Monitoring and correlating logs and events
- Analysis and communication

Slide 14: Penetration Testing (Countermeasures)
- A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers
- Determining the feasibility of a particular set of attack vectors
- Identifying vulnerabilities that may be difficult or impossible to detect with automated tools
- Assessing the impact of successful attacks
- Assessing existing defenses, notification and responses
- Helps quantify what further investments are required
- Should include: internal, external, social engineering, ethical hacking

Slide 15: Authentication Services (Countermeasures)
- Identity and access management (IAM): identification, authentication and authorization
- Single- vs. multi-factor authentication
- Identity consolidation and single sign-on
- Passwords
  - Characters, length, change frequency, re-use
  - Initial, lost, re-assigned and forced change
  - One-time passwords
- Switches and routers: VLANs, access control lists
- Wireless
- Remote access
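The password bullets above list the knobs (length, character classes, change frequency, re-use, forced change on initial or re-assigned credentials) and mention one-time passwords as the second factor. The following added example, not from the deck, implements those checks in one place: a salted PBKDF2 history that blocks re-use of recent passwords, an age and forced-change test, and an RFC 4226 HOTP generator (TOTP is the same function with counter = time // 30). The numeric policy values are assumptions.

```python
"""Password policy, re-use history and one-time passwords (added example)."""
import hashlib
import hmac
import os
import re
import struct
from dataclasses import dataclass, field

# Assumed policy values; the deck lists the knobs, not the numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 5        # previous hashes retained to block re-use
MAX_AGE_DAYS = 90        # forced change interval
PBKDF2_ROUNDS = 100_000
DAY = 86_400


def complexity_problems(password: str) -> list:
    """Length and character-class checks; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(p, password)) for p in classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # newest first, (salt, digest) pairs
    changed_at: int = 0                           # unix time of the last change
    force_change: bool = True                     # initial, lost or re-assigned credential


def change_problems(acct: Account, candidate: str) -> list:
    """Everything that would block this change: complexity plus re-use of a recent password."""
    problems = complexity_problems(candidate)
    if any(matches(candidate, salt, digest) for salt, digest in acct.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(acct: Account, password: str, now: int) -> None:
    problems = change_problems(acct, password)
    if problems:
        raise ValueError("; ".join(problems))
    acct.history.insert(0, hash_password(password))
    del acct.history[HISTORY_DEPTH:]   # keep only the most recent entries
    acct.changed_at = now
    acct.force_change = False


def must_change(acct: Account, now: int) -> bool:
    """True for a forced change or when the password is older than the policy allows."""
    return acct.force_change or (now - acct.changed_at) > MAX_AGE_DAYS * DAY


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password; TOTP is this with counter = time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    acct = Account("operator")
    set_password(acct, "Clearwell-Pump-2013!", now=1_375_000_000)
    print(change_problems(acct, "Clearwell-Pump-2013!"))   # re-use is rejected
    print(hotp(b"12345678901234567890", 0))                 # RFC 4226 test vector: 755224
```

Two design points worth noting: the history stores only salted hashes, so the re-use check never requires keeping old passwords in a recoverable form, and `force_change` defaults to true so a freshly created or re-assigned account cannot keep its initial credential.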

Slide 16: Firewalls (Countermeasures)
- A system or combination of systems that enforces a boundary between networks, typically a private and a public network (e.g., the Internet)
- Trusted, untrusted and semi-trusted (DMZ)
- Implementations
  - IP and TCP/UDP port-level rules
  - Stateful / deep-packet inspection
- Deployments
  - Network-based: appliances, server/software, routers, switches, access points
  - Host- & server-based
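To show what "IP and TCP/UDP port-level rules" plus "stateful" mean at the corporate/process-control boundary the deck keeps returning to, here is an added example (not the deck's material) of a small zone-based packet filter. The address plan, zones and rules are constructed: process control is the trusted zone, a historian segment is the DMZ, and everything else is untrusted; the policy lets corporate users reach the historian's web front end and lets the historian poll PLCs over Modbus/TCP, with a default deny for everything else.

```python
"""Zone-based, stateful packet filter for a plant network boundary (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: process control is trusted, the historian/jump-host
# segment is the DMZ, and everything else (corporate LAN, Internet) is untrusted.
ZONES = {
    "trusted": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
}
ANY_PORT = 0


def zone_of(address: str) -> str:
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int    # ANY_PORT matches every destination port
    action: str   # "allow" or "deny"


class Firewall:
    """First-match rule evaluation with a default deny and a session table for replies."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (src, sport, dst, dport, proto) of allowed sessions

    def evaluate(self, pkt: Packet) -> str:
        # Stateful part: a reply to a session we already allowed passes without a rule.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.sessions:
            return "allow"
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone, rule.proto) != (src_zone, dst_zone, pkt.proto):
                continue
            if rule.dport not in (ANY_PORT, pkt.dport):
                continue
            if rule.action == "allow":
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return rule.action
        return "deny"   # nothing matched: default deny


# Constructed policy: corporate users reach the historian's web front end in the DMZ,
# the historian polls PLCs over Modbus/TCP, and no corporate host reaches control directly.
RULES = [
    Rule("untrusted", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "trusted", "tcp", 502, "allow"),
    Rule("untrusted", "trusted", "tcp", ANY_PORT, "deny"),
]

if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in [Packet("192.168.5.20", "10.20.0.10", "tcp", 51000, 443),
                Packet("10.20.0.10", "192.168.5.20", "tcp", 443, 51000),
                Packet("192.168.5.20", "10.10.3.7", "tcp", 51001, 502)]:
        print(pkt.src, "->", pkt.dst, pkt.dport, fw.evaluate(pkt))
```

The explicit untrusted-to-trusted deny is redundant with the default deny; it is there so the intent is visible in the rule set rather than implied by the absence of a rule, which is how a reviewer would expect to read a real policy.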

Slide 17: Encryption & VPN (Countermeasures)
- Encryption: the process of taking an unencrypted message (plaintext), applying a mathematical function to it (an encryption algorithm with a key) and producing an encrypted message (ciphertext)
- Data at rest: ensuring integrity and privacy
- Data in motion
  - Secure Virtual Private Network: private communication over a public network
  - Protocols such as IPSec, HTTPS, SSL and Secure Shell
  - Remote access: client-to-machine and machine-to-machine

Slide 18: Mobile Devices & Applications (Countermeasures)
- Bring your own device (BYOD): smartphones & tablets
- Remote access and management
- Mobile security controls
  - Authentication & authorization
  - VPN
  - Lost devices
  - Malware
  - Personal vs. business functions

Slide 19: Intrusion Detection (Countermeasures)
- The act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource: a burglar alarm for computer networks
- Types
  - Network-based (NIDS)
  - Host-based (HIDS)
  - Physical IDS
- Intrusion prevention
- Honey pot systems: decoy servers or systems set up to gather information regarding an attacker or intruder into your system
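A host-based IDS in the "burglar alarm" sense above is, at its core, a rule applied to a stream of events. This added example, not taken from the deck, shows that logic over constructed sshd log lines from a remote-access host: it counts failed logins per source in a sliding window and raises a second, higher-priority alert when a success follows such a burst. The host name, addresses and the threshold and window values are all assumptions.

```python
"""Host-based detection of password guessing in SSH auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5    # failures from one source...
WINDOW = 60      # ...within this many seconds raise an alert (assumed tuning values)

# Matches sshd's result lines; other sshd chatter is ignored.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(line: str, year: int = 2013):
    """One syslog line to an event dict, or None when the line is not an auth result."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())           # collapse syslog's padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(lines) -> list:
    """Sliding-window failure counting per source, plus a success-after-failures alert."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                 # sources already reported for brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            while recent and (ev["ts"] - recent[0]).total_seconds() > WINDOW:
                recent.popleft()
            if len(recent) >= THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["host"]))
        else:
            # A login that follows a burst of failures is the case that needs a human's attention.
            if ev["src"] in flagged:
                alerts.append(("success_after_failures", ev["src"], ev["user"]))
                flagged.discard(ev["src"])
            recent.clear()
    return alerts


# Constructed log lines in sshd's syslog format; the host and addresses are made up.
SAMPLE_LOG = """\
Aug  6 10:01:02 hmi01 sshd[1201]: Failed password for invalid user admin from 192.168.5.20 port 51000 ssh2
Aug  6 10:01:05 hmi01 sshd[1201]: Failed password for invalid user admin from 192.168.5.20 port 51001 ssh2
Aug  6 10:01:09 hmi01 sshd[1201]: Failed password for root from 192.168.5.20 port 51002 ssh2
Aug  6 10:01:12 hmi01 sshd[1201]: Failed password for operator from 192.168.5.20 port 51003 ssh2
Aug  6 10:01:15 hmi01 sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0
Aug  6 10:01:20 hmi01 sshd[1201]: Failed password for operator from 192.168.5.20 port 51004 ssh2
Aug  6 10:01:31 hmi01 sshd[1202]: Accepted password for operator from 192.168.5.20 port 51005 ssh2
Aug  6 10:05:00 hmi01 sshd[1210]: Failed password for operator from 10.20.0.10 port 40000 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same structure (parse, keep per-source state, compare against a window) carries over to the log correlation the vulnerability assessment slide lists; only the regex and the rule change.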

Slide 20: Web Application & Content Control (Countermeasures)
- Secure Web applications (PHP, C++, Java, .NET)
  - Authentication & authorization
  - Data validation & handling
  - User and session management
  - Points, time and state issues
  - Error handling
  - Encryption
- Content filtering
  - Limitations and enforcement points
  - Legal issues
  - Productivity issues
  - Bandwidth/network issues

Slide 21: Operating System Hardening (Countermeasures)
- Configuring a computer or other network device to resist attacks
- Secure or insecure by default? OS dependent
- Typical steps
  - Perform initial system install
  - Remove unnecessary software
  - Disable or remove unnecessary usernames, passwords and accounts
  - Disable or remove unnecessary services
  - Apply patches
  - Run Nessus or a similar scan
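The hardening steps above are usually verified after the fact by an audit of the finished host. This added example (not the deck's material) audits a snapshot of a Unix-like HMI host against a baseline: extra UID-0 accounts, accounts with an empty password field that still have a login shell, accounts on a removal list, services running outside the expected set, and patch age. The passwd and shadow contents, the service list and the baseline are all constructed; the hash fields are placeholders.

```python
"""Post-install hardening audit of a host snapshot (added example)."""
from dataclasses import dataclass

# Assumed baseline for an HMI / engineering workstation; tune per site.
EXPECTED_SERVICES = {"sshd", "ntpd", "rsyslogd"}
UNNEEDED_ACCOUNTS = {"games", "lp", "news", "uucp"}
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str
    subject: str


def parse_passwd(text: str) -> list:
    """/etc/passwd rows as dicts (name, uid, shell)."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _, _, _, shell = line.split(":")
        rows.append({"name": name, "uid": int(uid), "shell": shell})
    return rows


def parse_shadow(text: str) -> dict:
    """/etc/shadow name -> hash field ("" means no password at all; "!" or "*" means locked)."""
    result = {}
    for line in text.splitlines():
        if line:
            name, pw_hash = line.split(":")[:2]
            result[name] = pw_hash
    return result


def can_log_in(shell: str) -> bool:
    return "nologin" not in shell and shell != "/bin/false"


def audit(passwd_text: str, shadow_text: str, running_services, days_since_patch: int) -> list:
    """Findings in passwd order, then services, then patch age."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for acct in parse_passwd(passwd_text):
        if acct["uid"] == 0 and acct["name"] != "root":
            findings.append(Finding("high", "extra-uid0-account", acct["name"]))
        # Missing shadow entry is treated as locked ("!"), not as empty.
        if shadow.get(acct["name"], "!") == "" and can_log_in(acct["shell"]):
            findings.append(Finding("high", "empty-password", acct["name"]))
        if acct["name"] in UNNEEDED_ACCOUNTS:
            findings.append(Finding("medium", "unnecessary-account", acct["name"]))
    for svc in sorted(set(running_services) - EXPECTED_SERVICES):
        findings.append(Finding("high", "unexpected-service", svc))
    if days_since_patch > MAX_PATCH_AGE_DAYS:
        findings.append(Finding("medium", "patches-stale", f"{days_since_patch} days"))
    return findings


# Constructed snapshot of a badly finished install. $6$PLACEHOLDERHASH stands in for a real hash.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/usr/sbin/nologin
operator:x:1000:1000:Plant operator:/home/operator:/bin/bash
vendor:x:1001:1001:Integrator account:/home/vendor:/bin/bash
backupadm:x:0:0:Legacy backup:/root:/bin/bash
"""
SHADOW = """\
root:$6$PLACEHOLDERHASH:15900:0:99999:7:::
daemon:*:15000:0:99999:7:::
games:*:15000:0:99999:7:::
operator:$6$PLACEHOLDERHASH:15800:0:99999:7:::
vendor::15000:0:99999:7:::
backupadm:$6$PLACEHOLDERHASH:15000:0:99999:7:::
"""
SERVICES = ["sshd", "ntpd", "rsyslogd", "telnetd"]

if __name__ == "__main__":
    for f in audit(PASSWD, SHADOW, SERVICES, days_since_patch=45):
        print(f"{f.severity:6s} {f.check:22s} {f.subject}")
```

A scanner such as the Nessus run the slide ends with will report most of the same items; the value of a small script like this is that it encodes the site's own baseline, so the result is "what differs from what we decided" rather than a generic list.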

Slide 22: Physical Security (Countermeasures)
- Part of a holistic security posture
- Based on layered defense design
- Physical security includes
  - Asset protection
  - Video surveillance and monitoring
  - Employee protection and workplace violence prevention
  - Fraud prevention
  - Loss prevention
  - Investigations & forensics

Slide 23: User Awareness & Training (Countermeasures)
- Knowing and understanding an individual's role in organizational and information security, and acting accordingly
- Constantly reinforce messaging to change behavior
- Some success elements
  - Management support
  - Partnering with other departments
  - Creativity & multiple modes
  - Use metrics
  - Scope and timing
  - Role-playing or exercises

Slide 24: Monitor & Measure
- Physical security monitoring
- Information vulnerability monitoring & action plans
  - Security devices and software
  - End systems and servers
  - Network equipment
- Business Continuity Planning / Disaster Recovery Planning
  - Threat & risk analysis
  - Business impact analysis

Slide 25: Security Incident Response (Monitor & Measure)
- The complete response set of an organization to a disaster or other abnormal event
- Security information and event management
- Incident & data breach responses
  - Secure critical evidence to support investigation/litigation
  - Defend against internal and external exposure
  - Determine the source, scope, and sensitivity of a data loss
  - Identify your legal and regulatory obligations
  - Retain customers and opportunities
  - Apply processes for future prevention

Slide 26: Conclusions
- Infrastructure facilities are targets
- Cybersecurity is essential
- Create a reasonable security posture: Policies, Risk Analysis, Countermeasures, Monitor & Measure
(Diagram: Closed Loop Corrective Action for Plant Security, the cycle of Security Policies, Risk Analysis, Countermeasures and Monitor & Measure.)

Slide 27: Questions?
Jeff Hayes, jeff.hayes@beijerelectronicsinc.com, 801-924-5424