IoT & SCADA Cyber Security Services

Similar documents
The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

External Supplier Control Obligations. Cyber Security

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Cyber Security Program

European Union Agency for Network and Information Security

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

AUTHORITY FOR ELECTRICITY REGULATION

Internet of Things. Internet of Everything. Presented By: Louis McNeil Tom Costin

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Innovation policy for Industry 4.0

align security instill confidence

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Manchester Metropolitan University Information Security Strategy

Tiger Scheme QST/CTM Standard

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Building a Resilient Security Posture for Effective Breach Prevention

Professional Services Overview

A Government Health Agency Trusts Tenable to Protect Patient Data and Manage Expanding Attack Surface

CompTIA Cybersecurity Analyst+

Information Security Controls Policy

Cloud Security Standards and Guidelines

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cloud Security Standards

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Security Solutions. Overview. Business Needs

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

Enhancing the cyber security &

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

CyberSecurity. Penetration Testing. Penetration Testing. Contact one of our specialists for more information CYBERSECURITY SERVICE DATASHEET

Version 1/2018. GDPR Processor Security Controls

Procurement Language for Supply Chain Cyber Assurance

[NEC Group Internal Use Only] IoT Security. - Challenges & Standardization status. Sivabalan Arumugam.

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

RiskSense Attack Surface Validation for IoT Systems

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

8 Must Have. Features for Risk-Based Vulnerability Management and More

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Healthcare Security Success Story

A company built on security

Internet of Things Security standards

SECURITY & PRIVACY DOCUMENTATION

TAN Jenny Partner PwC Singapore

Vulnerability Assessments and Penetration Testing

Florida Government Finance Officers Association. Staying Secure when Transforming to a Digital Government

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

NCSF Foundation Certification

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Institute of Internal Auditors 2018 IIA CHICAGO CHAPTER JOIN NTAC:4UC-11

Continuous protection to reduce risk and maintain production availability

ASSURANCE PENETRATION TESTING

Data Sheet The PCI DSS

Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Digital Health Cyber Security Centre

Security Awareness Training Courses

Security by Default: Enabling Transformation Through Cyber Resilience

K12 Cybersecurity Roadmap

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

The NIST Cybersecurity Framework

CYBER RESILIENCE & INCIDENT RESPONSE

Certified Information Systems Auditor (CISA)

Cloud Security Standards Supplier Survey. Version 1

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Cyber security - why and how

Security and Architecture SUZANNE GRAHAM

locuz.com SOC Services

Brian Russell, Chair Secure IoT WG & Chief Engineer Cyber Security Solutions, Leidos

The NIS Directive and Cybersecurity in

Penetration Testing. Strengthening your security by identifying potential cyber risks

Certified Cyber Security Specialist

Department of Management Services REQUEST FOR INFORMATION

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

DELIVERING SIMPLIFIED CYBER SECURITY JOURNEYS

Establishing a Framework for Effective Testing and Validation of Critical Infrastructure Cyber-Security

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

NW NATURAL CYBER SECURITY 2016.JUNE.16

Effective Strategies for Managing Cybersecurity Risks

DISTRICT OF COLUMBIA WATER AND SEWER AUTHORITY ATTACHMENT A A-1: BACKGROUND AND CONTRACTOR QUALIFICATIONS A-2: SCOPE OF WORK

Ensuring System Protection throughout the Operational Lifecycle

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

deep (i) the most advanced solution for managed security services

SRM Service Guide. Smart Security. Smart Compliance. Service Guide

RiskSense Attack Surface Validation for Web Applications

Protect Your Organization from Cyber Attacks

Cyber Security Strategy

TRAINING CURRICULUM 2017 Q2

General Data Protection Regulation

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

The Perfect Storm Cyber RDT&E

Transcription:

RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

Table of Contents 1 Overview... 3 1.1 Offer of Professional Services... 3 1.2 Skills and Experience... 4 2 Services... 5 2.1 IoT Cyber Security Assessment... 5 2.2 ICS/SCADA Cyber Security Assessment... 9 3 Pricing... 12 Page 2 of 12

1 Overview RIoT Solutions offers a range of cyber security services to meet clients digital technology needs. Specifically, these relate to IoT (Internet of Things) technologies and SCADA (Supervisory Control and Data Acquisition) systems. As technology solutions are designed and implemented for IoT projects, there is a requirements for security assessments that are performed by an independent 3 rd party organisation specialising in cyber security, with an appropriately qualified resources. The purpose of this document is to outline the approach and proposed services that RIoT Solutions recommends, and to assist organisations in understanding the scope of the work and effort required to achieve the desired business outcomes. 1.1 Offer of Professional Services RIoT Solutions offers the following key cyber security services to enable organisations to attain the desired outcomes listed in the previous section. The services are packaged and available on a fixed-scope fee basis. Further aspects of each service are listed in section 2: Services. 1.1.1. IoT Systems Service Description Deliverables IoT Cyber Security Assessment (High-level) IoT Cyber Security Assessment (Detailed) Review overall security against key IOT vulnerability categories in: OWASP IoT Top 10 Review overall security design and the elements of a Protection Architecture for IoT, utilising Cloud Security Alliance (CSA) reference: Security Guidance for Early Adopters of the IoT Provide a report with: - Identified vulnerabilities, and the resulting risks - Prioritised list of recommendations for risk mitigations Provide a report with: - Identified security architecture issues, vulnerabilities, and the resulting risks, plus rating against CSA s list of recommended security controls - Prioritised list of recommendations for addressing security architecture weaknesses IoT Security Vulnerability Testing Perform vulnerability testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution Identify, and where safe to do so, exploit vulnerabilities to confirm risk exposure Provide a report with: Table 1: Professional Services Security Assessments of IoT Systems - Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks - Identified effective security controls - Prioritised list of recommendations for risk mitigations Page 3 of 12

1.1.2. SCADA Systems Service Description Deliverables SCADA Cyber Security Operations Review SCADA Security Vulnerability Assessment Review the current state of SCADA cyber security operations against industry best practice guidelines: NIST Framework for Improving Critical Infrastructure Cybersecurity Perform an independent testing of nominated SCADA network segments Provide a report showing: - How management of cyber security risks compares to best practice - Recommendations for addressing any identified gaps Provide a report with: Table 2: Professional Services Security Assessments of SCADA Systems - Identified technical vulnerabilities - Sample attack / exploitation steps (if permitted), and the resulting risks - Identified effective security controls - Prioritised list of recommendations for risk mitigations Note: the services above do not constitute a finite, locked service scope offering this initial service range had been put together without the known aspects of the scale and complexity of the targeted IoT or SCADA systems. RIoT Solutions can customise the services, or add additional ones, depending on specific requirements. 1.2 Skills and Experience Our experience covers all areas of cyber security and risk assessments of critical infrastructure consisting of potentially fragile network-connected systems such as Real-Time SCADA and other devices deployed within healthcare, transportation and energy supply industries. We are one of the few organisations that offer resources with ICS/SCADA security specific training and certification RIoT Solutions consultants have attained the Certified SCADA Security Architect (CSSA) qualification, attended a diverse range of ICS security focused training courses and conferences in Europe and USA, and have provided critical infrastructure security assessment services to many Queensland organisations that operate and/or build critical infrastructure systems. Our consultants had been involved in developing and executing successful Social Engineering campaigns, performing cyber-attack simulations, and also security research that led to identification of 0-day vulnerabilities and development of proof-of-concept exploits against Smart Meter infrastructure, SCADA power meter equipment, a national wireless BYOD rollout, and a biomedical infusion pump control unit. Page 4 of 12

2 Services The proposed cyber security services are specifically tailored to the unique characteristics of IoT and ICS/SCADA solutions. Sections 2.1 and 2.2 detail the approach and methodologies of each service offering. 2.1 IoT Cyber Security Assessment Assuring the security of each component within an IoT system is imperative in order to prevent malicious actors from gaining unauthorised access to, or the ability to tamper with, systems and data that form the IoT solution. Since a typical IoT solution will introduce large quantities of new devices and/or embedded components throughout an organization, it is highly likely that this will lead to an increase of potential cyber security risks within the IoT solution s deployment, and where connected to enterprise or ICS/SCADA systems it might also introduce additional risks of the IoT solution being used as an attack vector into an organisation s other critical assets. RIoT Solutions offers the following levels of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique solution requiring a security review: High-level Assessment Detailed Assessment Security Vulnerability Testing 2.1.1. High-level Assessment Service scope: Review overall security of the target IoT solution against list of the 10 key vulnerability categories specified in the OWASP Internet of Things Top 10 Project The Open Web Application Security Project (OWASP) is not-for-profit organisation focused on improving the security of software. Since 2003, it has been providing applications security testing and design guidance, and in 2014, OWASP compiled an IoT dedicated list: IoT Top 10. Whilst it is intended only as a high-level guidance for reviewing IoT security, it was designed to cover all attack surface areas, in order to get a good, high-level assessment of overall security. The IoT Top 10 categories are: Rank Title I-1 Insecure Web Interface I-2 Insufficient Authentication/Authorization I-3 Insecure Network Services I-4 Lack of Transport Encryption Page 5 of 12

I-5 Privacy Concerns I-6 Insecure Cloud Interface I-7 Insecure Mobile Interface I-8 Insufficient Security Configurability I-9 Insecure Software/Firmware I-10 Poor Physical Security Table 3: Top 10 IoT Vulnerabilities (OWASP 2014) Objectives: Evaluate the target IoT solution for security weaknesses, map the main attack surface areas for any IoT device, communication network and back-end systems, in order to provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities before solutions go live Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed, especially given the fact that many IoT devices have very little or no in-built security features. Deliverables: Provide a detailed report, clearly documenting any vulnerabilities and resulting risks, and showing the remediation recommendations. The report will also highlight all areas where best practice recommendations are already being met. Constraints: A comprehensive testing against every single category. For example, extended testing of the Insecure Web Interface of a complex IoT data analytics platform could involve an in-depth testing against OWASP Top 10 for web application security such engagements usually take more than five days. 2.1.2. Detailed Assessment Service Scope: Review overall security design and applicable details of the target IoT solution against guidance for the secure implementation of IoT-based systems, specified in Cloud Security Alliance (CSA) Security Guidance for Early Adopters of the Internet of Things Page 6 of 12

The CSA is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. It maintains Working Groups across 28 domains of Cloud Security. One of the groups is the Internet of Things Working Group that conducts research into best practices for securing IoT implementations. The Security Guidance for Early Adopters of the IoT outlines the current challenges to secure IoT deployments, and seeks to address them via suggested Recommended Security Controls, tailored to IoT-specific characteristics. The CSA key recommended security controls are: Analyse privacy impacts to stakeholders (e.g. data capture at points of collection, processing, transport and storage) Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System (e.g. threat modelling, secure development, and secure supply chain) Implement layered security protections to defend IoT assets (at the Network, Application, Device, Physical and Human layers) Implement data protection best-practices to protect sensitive information (data identification, classification and security) Define lifecycle controls for IoT devices (plan, deploy, manage, monitor and detect, remediate) Define and implement an authentication/authorization framework for the organisation s IoT Deployments (the authentication method will depend on the constraints of the device) Define and implement a logging/audit framework for the organisation s IoT ecosystem (what events and metadata to log, and to where). CSA have tailored these controls to IoT-specific characteristics to allow early adopters of the IoT to mitigate many of the risks associated with this new technology. Objectives: Evaluate the target IoT solution for security architecture weaknesses, document resulting risks, and provide rating against CSA s list of recommended security controls. Provide guidance on how to avoid or mitigate vulnerabilities within each IoT architecture component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities and security architecture weaknesses before solutions go live Page 7 of 12

Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed. Deliverables: Provide a detailed report documenting the identified security architecture issues, vulnerabilities, the resulting risks, and rating against CSA s list of recommended security controls. Include a prioritised list of recommendations for addressing security architecture weaknesses. Constraints: As per the previously listed constraints for the High-level assessment service, extended review of all aspects of the IOT solution s application-layer, unless it is requested as an additional service focused on application security testing and design review. 2.1.3. Security Vulnerability Testing Service Scope: Perform an independent security testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution, in the context of an unauthenticated, anonymous user Where applicable, login with provided test user account with low privileges, to check for weak access restrictions to sensitive data, systems and management interfaces for authenticated users. Objectives: Identify and document any risks to the target IoT solution, posed by a potential attacker connected to any of the IoT solution components, and/or by an authenticated low-privilege user Provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefit: Identification and ensuing reduction of risks within designed and/or implemented IoT solution environment. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Page 8 of 12

Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. Denial of Service attacks, brute-force password guessing, etc.), due to potential impact on live environments. For any systems or components that are deemed too critical and potentially fragile, RIoT Solutions will work closely with the customer in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system(s) in a LAB environment. 2.2 ICS/SCADA Cyber Security Assessment RIoT Solutions offers the following two types of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique SCADA environment requiring a security review: Cyber Security Operations Review Security Vulnerability Assessment. The Cyber Security Operations Review service utilises passive, off-line review methods for ascertaining the security posture of the target SCADA system, and such poses no risk to systems and data in production environments. The Security Vulnerability Assessment service includes testing activities that utilise network level connections to nominated (and approved) parts of the target SCADA system. Whilst RIoT Solutions takes appropriate precautions and our customised testing methodology takes inherent risks of testing time-critical systems operations of ICS/SCADA into consideration, some risks cannot be completely eliminated. Therefore, whenever possible, active cyber security testing should be performed on a backup or offline systems. If there are any components of the target SCADA system deemed critical and potentially fragile (e.g. a legacy system with known performance and/or stability issues), RIoT Solutions will work closely with customers in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system in a LAB environment. 2.2.1. SCADA Cyber Security Operations Review Scope: Review the current state of the target SCADA systems cyber security operation against industry best practice guidelines RIoT Solutions proposes to utilise the following well established best practice framework that is appropriate for Industrial Control Systems / SCADA systems: NIST Framework for Improving Critical Infrastructure Cybersecurity Page 9 of 12

The National Institute of Standards and Technology (NIST) Framework is technology neutral and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. The Framework is a risk-based approach to managing cybersecurity risk, and its core consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. Objectives: Enable organisations to determine their current cyber security capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs. Identify and prioritize actions for reducing cyber security risk, and align policy, business, and technological approaches to managing that risk. Key benefits: Enable organisations to apply the principles and best practices of risk management to improving the security and resilience of their Operation Technology network(s). Deliverables: Provide a detailed report outlining how management of cyber security risks within the target SCADA system compares to best practice (NIST guidelines), and include recommendations for addressing any identified gaps. Constraints: A detailed compliance type audit, as this would have high cost and time implications, whilst providing limited benefits. 2.2.2. SCADA Security Vulnerability Assessment Scope: Perform an independent testing of nominated SCADA network segments, in the context of an unauthenticated, anonymous user. All testing is conditional on approval of an agreed testing plan and applicable restrictions and precautions, if any testing targets are in production environments. Login with provided test user account with low privileges, to check for weak access restrictions to SCADA management and monitoring systems for authenticated users (privilege escalation, overly permissive access to internal resources, etc.) Page 10 of 12

Objectives: Identify and document any risks to the target SCADA system, posed by an authenticated low-privilege user, and by a potential attacker connected to the SCADA network and/or identified external network connection entry points. Key benefit: Identification and ensuing reduction of risks within a SCADA environment Verification of restrictions applicable to configuration of role-based security controls, for non-administrative and non-privileged user accounts on the SCADA network. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Where SCADA components vulnerability confirmation testing was permitted, document the steps an attacker might take. Regarding evidence, ensure the approach does not put the target system at risk (e.g. use screen shots of accessible system administration interfaces, but do not alter any settings and/or data). Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. exhaustive network port scans, Denial of Service attacks, brute-force password guessing, etc.) due to potential impact on live environments. Page 11 of 12

3 Pricing The proposed services are offered at a fixed price, and can be consumed individually in any order that fits the organisation s requirements. Due to the unknown scale and complexity of the IoT or SCADA targets, the assessment effort estimates are based on our previous work on small to medium size sites. For example, SCADA Vulnerability Testing of one Control Centre and network connected devices on few remote field sites (where travel to sites was not required) usually takes a minimum of 7 days. 3.1.1. IoT Systems Service IoT Cyber Security Assessment (High-level) $ 8,250 IoT Cyber Security Assessment (Detailed) $ 11,550 IoT Security Vulnerability Testing $ 8,250 Table 4: Investment IoT Cyber Security Services 3.1.2. SCADA Systems Service SCADA Cyber Security Operations Review $ 8,250 SCADA Security Vulnerability Testing $ 11,550 Table 5: Investment SCADA Cyber Security Services Price (excl. GST) Price (excl. GST) Page 12 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback