DeltaV Security - Don’t Let Your Business Be Caught Without It
Upcoming SlideShare
Loading in...5
×
 

DeltaV Security - Don’t Let Your Business Be Caught Without It

on

  • 1,286 views

Savan

Savan

Statistics

Views

Total Views
1,286
Views on SlideShare
985
Embed Views
301

Actions

Likes
0
Downloads
29
Comments
0

3 Embeds 301

http://www.emersonprocessxperts.com 298
http://172.19.56.7 2
http://prsync.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • 310 Square Mile site in southwest SC, on border of GA, along the Savannah River. Used to be major production site for nuclear weapons program. Now, mostly cleanup. Some limited life component processing (Tritium); looking forward to future missions for the site, like energy park, modular reactors, hydrogen fuels, etc…
  • A Vulnerability in human terms – example: a guy who does not exercise control over his desire to pursue women other than his wife The Risk here is that his wife will discover his actions and cause him irreparable harm; what is the likelihood (very likely) and severity (slow and painful death; or worse)

DeltaV Security - Don’t Let Your Business Be Caught Without It DeltaV Security - Don’t Let Your Business Be Caught Without It Presentation Transcript

  • DeltaV Security Don’t Let Your Business Be Caught Without It SRR-MS-2011-00057
  • Presenters
    • Randy Pratt
    • Greg Stephens
  • Introduction
    • Randy
    • Emerson Process Management – Austin, TX
    • Travels the world providing expertise to customers
  • Introduction
    • Greg
    • Where is the Savannah River Site?
    • What goes on there?
  • Introduction
    • Cybersecurity risks change rapidly
    • Nearly everyone knows they need to be secure
    • Few really know how to assess and address well
    • The key - strive for strategy and effective actions
    • Communication of risks in business terms is crucial
  • The Landscape
    • Not the way to appear
    • in the newspaper…
  • Introduction
    • Provide basic tools – you will need to do more
    • Demonstrate and discuss use of the tools
    • Work through strategy definition
    • Discuss and suggest plans to address risks
    • Help you look at the issues from other perspectives
  • Facts
    • There is notably a lot of Fear, Uncertainty and Doubt (FUD) propagated about automation system cyber security.
    • Step back and take a look at the things you know for certain:
      • Your process automation system is a productivity tool and likely determines whether you can profitably make your product or not.
      • A lot of your company’s intellectual property is embodied in your automation system, perhaps to the point of trade secrets, etc.
  • Facts
      • ICS (Industrial Control System) as a cyber target is not an abstract “we’ll worry about it when it happens thing” any more (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has been realized to be a high value target for either industrial and business or strategic political reasons.
    • Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see the opportunity to economically attack whereas a military attack wouldn’t be considered.
  • Facts
      • More than any other country, the US Military relies heavily on private business for products and services. Attacking those private businesses could hamper military efforts.
      • In some parts of the world, cyber crime can be a physical threat. Imagine having to pay a ransom to get regain full control of your system.
      • Current US government will to regulate cyber security is low. Current business lobbying efforts to minimize government regulations is high.
  • Facts
      • Bottom line, a lot of reasons you should consider protecting your systems, no matter how mundane or critical your product is. But don’t wait for government regulation to force you into it.
      • Since you are attending this session, you probably don’t need to be sold on the idea of protecting your system. But the above points might help sell it to your management if they aren’t on board.
  • The Simple Facts
  • Where do I Start?
      • There are a number of standards, though most are short on explicit steps to take.
        • If you are subject to a regulatory agency, then you probably know what you have to do, but not how.
      • 3rd parties offer helpful services, but there are certain things that you’ll have to do yourself regardless.
        • They are in it for a profit. Not necessarily a bad thing, but unless you take a hands on approach they might sell you something you don’t need.
      • Model the effort on something you already know.
  • Basic Tools & Terms
    • Cybersecurity Risk Assessment – Terminology
    • Vulnerability – Flaw or Weakness that may lead to an undesired consequence
    • Risk – Characterization of the likelihood and severity of consequence
    • Risk Assessment identifies and characterizes
  • The Model Assess Perform Risk Assessment & Gap Analysis Establish Areas and Vectors Determine Targets Change Align Areas and Vectors to Acceptable Levels Confirm results New Security Level Maintain Periodically Assess Update Stay Current
  • The Model – Likelihood vs Consequence Moderate Risk High Risk Low Risk Moderate Risk Likelihood Consequence
  • The Model – Probability vs Impact Probability   Impact     4 = Very Likely 4 = Severe Impact 3 = Likely 3 = Major Impact 2 = Not Likely 2 = Minor Impact 1 = Beyond Unlikely   1 = No Impact
  • The Model – Probability vs Impact Vector   Probability     Internet, Wireless (Open) 4 = Very Likely Internet, Wireless (Password) 3 = Likely Internet, Wireless (Authenticated) 2 = Not Likely No Outside Connection   1 = Beyond Unlikely
  • The Model – Probability vs Impact Impact   1 = No Impact 2 = Minor Impact 3 = Major Impact 4 = Severe Impact     Public View Ok Tarnished Recoverable Lost Confidence Environmental Ok Damaged Broken Destroyed Personnel Ok First Aid, Medical Treatment Hospitalization Fatality Production   No Loss Minor Loss Moderate Loss Major Loss
  • The Model – Risk Matrix
  • Participant Interaction
    • Risk Matrix Construction
    • Business Considerations
    • Management Attention
    • Avoid the Urge to Overplay the Risk
  • Business Results Achieved
    • Cybersecurity Risk Assessment – Part of Business Model
    • Better understanding of risks
    • Control system is hardened against cyber attacks
    • More likely to get attention if using disciplined approach
  • Summary
    • We have provided a framework for Assessments
    • Each business has to count the cost – all are different
    • Feedback from participants
    • Anything we did not cover or you would like to ask
  • Where To Get More Information
    • Department of Homeland Security – www.us-cert.gov
    • Emerson Process Management
    • Your Local Business Partner
    • Consulting services
    • Other Exchange Sessions