Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response

Similar documents
Building owners and managers, facility engineers,

Introduction to the Federal Risk and Authorization Management Program (FedRAMP)

Blue Team Handbook: Incident Response Edition

Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

FISMAand the Risk Management Framework

Introduction to ICS Security

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

DFARS Defense Industrial Base Compliance Information

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Your Control Systems Have Been Hacked, Now What?

Addressing Cyber Threats in Power Generation and Distribution

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Cybersecurity: Protecting Your Buildings - and Your Company

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Aligning Agency Cybersecurity Practices with the Cybersecurity Framework

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Cyber Security For Business

SANS SCADA and Process Control Europe Rome 2011

Continuous Monitoring Strategy & Guide

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

NW NATURAL CYBER SECURITY 2016.JUNE.16

Encrypted Traffic Security (ETS) White Paper

IC32E - Pre-Instructional Survey

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

How to manage evolving threats on evolving ICT assets across Enterprise

Cyber Security & Homeland Security:

Information Security Controls Policy

Cyber Security Requirements for Supply Chain. June 17, 2015

CND Exam Blueprint v2.0

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

DoD Advanced Control Systems Tactics, Techniques and Procedures

Dynamic Datacenter Security Solidex, November 2009

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Maximum Security with Minimum Impact : Going Beyond Next Gen

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Training for the cyber professionals of tomorrow

Interactive Remote Access FERC Remote Access Study Compliance Workshop October 27, Eric Weston Compliance Auditor Cyber Security.

The Water Sector Approach to Cybersecurity

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Security+ SY0-501 Study Guide Table of Contents

SECURITY & PRIVACY DOCUMENTATION

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Cyber security - why and how

Procurement Language for Supply Chain Cyber Assurance

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

IPM Secure Hardening Guidelines

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Monthly Cyber Threat Briefing

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

Overview of the. Computer Security Incident Response Plan. Process Resource Center

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

10 FOCUS AREAS FOR BREACH PREVENTION

INFORMATION ASSURANCE DIRECTORATE

FISMA Cybersecurity Performance Metrics and Scoring

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Milestone Systems. XProtect VMS. Hardening Guide. XProtect Corporate XProtect Expert XProtect Professional+ XProtect Express+ XProtect Essential+

i-pcgrid WORKSHOP 2016 INTERACTIVE REMOTE ACCESS

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Contemporary Challenges for Cloud Service Providers Seeking FedRAMP Compliance

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Understanding Holistic Effects of Cyber Events on Critical Infrastructure

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

Cyber Security. June 2015

NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation

Detection and Analysis of Threats to the Energy Sector (DATES)

READ ME for the Agency ATO Review Template

Cyber security for digital substations. IEC Europe Conference 2017

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

Education Network Security

Bird of a Feather Automated Responses

DRAFT Cyber Security Incident Reporting and Response Planning

ICS/SCADA Cybersecurity and IT Cybersecurity: Comparing Apples and Oranges

IoT & SCADA Cyber Security Services

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Ransomware. How to protect yourself?

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Influence and Implementation

Medical Device Cybersecurity: FDA Perspective

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

DHS Cybersecurity Services and Resources

External Supplier Control Obligations. Cyber Security

FedRAMP JAB P-ATO Process TIMELINESS AND ACCURACY OF TESTING REQUIREMENTS. VERSION 1.0 October 20, 2016

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

INFORMATION ASSURANCE DIRECTORATE

ISACA Arizona May 2016 Chapter Meeting

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

JARGON ALERT! VULNERABILITY SCAN PENETRATION TEST RED TEAM/BLUE TEAM

Building a resilient ICS

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Transcription:

Risk Assessments, Continuous Monitoring & Intrusion Detection, Incident Response Michael Chipley, PhD PMP LEED AP President January 6, 2014 mchipley@pmcgroup.biz 1

Risk Assessments Multiple Standards and Tools For Conducting Cyber Risk Assessments DHS CSET SANS Top 20 Controls ISA GSA FedRamp Kali Linux SamuraiFTSU Gleg Wireshark Risk Assessment model based on: NIST SP 800-53 Rev 4 NIST SP 800-82 Rev 1, Rev in Spring 2014 2

SANS Twenty Critical Security Controls http://www.sans.org/critical-security-controls/ 3

ISA Security for Industrial Control Systems http://www.isa.org/template.cfm?section=standards2&templa te=/ecommerce/productdisplay.cfm&productid=13420 4

GSA FedRamp Templates http://www.gsa.gov/portal/category/102371 5

GSA FedRamp Security Assessment Report 4. SECURITY ASSESSMENT RESULTS Developed for Cloud Providers, but uses common standards This section describes all security weaknesses found during testing. The following elements for each security weakness are reported. Identifier Name Source of Discovery Description Affected IP Address/Hostname/Database Source Applicable Threats Likelihood Impact Risk Statement Risk Exposure Recommendation 6

DoD ICS Overlay and RMF Implementation 2015? ICS Overlay v1, v2 Initial ATO s 2014? Began in 2013 Use CSET Tool IT RMF Model Can be Readily Adopted for ICS RMF 7

CSET Resource Library 8

CSET Step 1 Assessment Mode 9

CSET Step 2 Questions and Standards 10

CSET Step 3 Security Assurance Level 11

CSET Architecture Diagram 12

CSET Controls Questions Complete Family, Control, Supplemental, Enhancements, Parameter, Regulatory Sections 13

CSET Dashboard 14

CSET Reports 15

Continuous Monitoring & Intrusion Detection Continuous Monitoring is Step 6 of the RMF IT systems OT systems CM Tools DHS CM Program Sophia Vendors (McAffee, Symantec, Tofino, Industrial Defender, etc.) 16

NIST SP 800-137 ISCM Organizations take the following steps to establish, implement, and maintain Information Security Continuous Monitoring (ISCM): Define an ISCM strategy; Establish an ISCM program; Implement an ISCM program; Analyze data and Report findings; Respond to findings; and Review and Update the ISCM strategy and program. 17

DHS Continuous Diagnostics and Mitigation http://www.gsa.gov/portal/content/176671?utm_source=fas&utm_medium=printradio&utm_term=cdm&utm_campaign=shortcuts 18

IT Versus OT Continuous Monitoring Host Based Security Systems Scanning (Active) Windows, Linux HTTP, TCP, UDP Intrusion Detection Systems (Passive) PLC, RTU, Sensor Modbus, LonTalk, BACNet, DNP 3 19

Sophia Passive Monitoring of Control Systems http://nexdefense.com/about-sophia/how-does-it-work/ 20

DHS ICS-CERT Common Vulnerabilities 21

Key Signs You Are Compromised 1. Look at number of highest IP address out of your network 2. Look at longest number of connections 3. Look at where most data is being sent 4. Look at percent of traffic out (filter for Cloud based services) 5. Look for new IP addresses never connected before Building control systems typically transmit data to the Human Machine Interface, Historian and other sensors, and typically don t need to connect to other outside IP address's (except for remote maintanence) Advanced Meter Infrastructure (AMI) and other Smart devices DO need two way communication, encrypt data The Internet of Everything and IPV6 will connect billions of devices and sensors at every level. Control Systems are becoming Cyber-Physical Systems, they will be compromised, malware specifically targeting these systems 22

CSET Incident Guidance 23

Incidents: NIST SP 800-61 Rev 2 http://csrc.nist.gov/publications/nistpubs/800-61rev2/sp800-61rev2.pdf 24

CSET Incident Response Plan Templates 25

DHS ICS-CERT Incident Response Report https://www.us-cert.gov/forms/report 26

SANS Incident Handling and Suspicious Events 1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned http://www.giac.org/cissp-papers/17.pdf http://pen-testing.sans.org/resources/downloads 27

CSET SANS Incident Identification Template 28

Control Systems Key Concepts Control systems are good candidates for Whitelisting Eliminate direct facing internet connections, route through an Operations Center with CM and IDS Keep backup software down to the device level firmware Complete a CSET Evaluation Prepare a Security Assessment Report Prepare a Systems Security Plan Prepare a CONOPS Plan Prepare an Incident Response Plan Inbound Protection, Outbound Detection 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback