Managing The Security Risks Of Your Scada System, Ahmad Alanazy, 2012
2. Agenda
• Risk Management
• Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• Developing Incidents Response And Remediation Plans
• Best Practice Strategies To Prevent Worm And Virus Threats
Managing the Security Risks of Your SCADA System, 3/21/2012, slide 2
3. Risk Management
• Risk Management in general
• Before we can do risk assessment we have to understand Risk
• We have to know some definitions first
• What is the relation between these definitions?
• Risk management concept
• The two Risk assessment methodologies
• Basic risk management requirements
• Example from ISO27001
4. Risk Management in General
• Risk management is a proven framework that does the following:
1. Schedules risk assessments during the year
2. Defines the risk assessment methodology
– Defines risk evaluation criteria
– Defines risk acceptance criteria
3. Defines a process for closing risk assessment findings.
5. Some Definitions Related to Risk
• What is risk? Risk is the likelihood of an action on a weakness resulting in an impact
• A threat is a potential danger
• A vulnerability is a known weakness
• Exposure is the opportunity for a threat to cause impact
• Controls are administrative, technical, or physical measures taken to mitigate a risk
• Safeguards are controls applied before the fact (preventive, detective, deterrent, directive)
• Countermeasures are controls applied after the fact (corrective, recovery, compensating)
6. What is the relation between these definitions?
[Figure: threat-based OWASP model; labels in the diagram: Threat Source, Threat Agent, Attack / Exploit, Weakness / Vulnerability, Exposure, Counter Measures, Safeguards, Controls, Compromised Asset, Technical Impact, Business Impact, Risk]
7. Risk management concept
[Figure: CC Risk Management Concept Flow]
8. The two Risk assessment methodologies
• Two ways to calculate the Risk: Qualitative and Quantitative risk analysis
• Qualitative Risk analysis: We predict the level of risk
• We use this approach when we are unable to accurately calculate asset value
• Example: we define a scenario where it is possible that a hacker can gain access from the internet to a database
• Asset = database
• Likelihood = 2
• Impact/consequences = 5

Qualitative risk matrix (likelihood against consequences):

                     Consequences
Likelihood           1 Insignificant  2 Minor  3 Moderate  4 Major  5 Catastrophic
A (almost certain)   H                H        E           E        E
B (likely)           M                H        H           E        E
C (possible)         L                M        H           E        E
D (unlikely)         L                L        M           H        E
E (rare)             L                L        M           H        H

E Extreme Risk, immediate action
H High Risk, action should be taken to compensate
M Moderate Risk, action should be taken to monitor
L Low Risk, routine acceptance of risk
9. The two Risk assessment methodologies cont.
• Quantitative Risk analysis: is the calculation of the ALE
Annual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss)
• Example: probability (ARO) = 3, asset value = 1,478,390, percent of loss = 60%
• ALE = 3 x (1,478,390 x 60%) = 3 x 887,034 = 2,661,102
• ROI = ALE – security control cost
• ROI is the return on security investment: the amount of money that will be saved from loss
10. Basic risk management requirements
• The board of directors needs to agree on the following
– The scope of the risks that are going to be managed
– The type of risks, such as financial risks, operational risks, technical and security risks, or business risks related to the market; in our case we are concerned with technical and security risks
– Risk Assessment Methodology: OCTAVE (IT Risk), AS/NZ 4360, NIST, ISO27005; each of these methodologies defines certain steps for assessing risk.
• Risk Evaluation Criteria: either we go with quantitative or qualitative risk evaluation, or a mix of both.
• Risk treatment criteria: we define the conditions under which we choose one of the treatment strategies
– We accept the risk if it is under the risk acceptance level; otherwise we:
– Transfer the risk to an insurance company or outsource to a managed service provider
– Mitigate the risk by deploying controls
– Avoid the risk by canceling the whole business
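An added example, not from the deck, that puts slides 8 to 10 together in code: the qualitative matrix lookup, the ALE and ROI formulas, and the treatment criteria applied to one risk-register entry for the deck's database scenario. The mapping of the deck's "Likelihood = 2" onto matrix row B, the control cost, the acceptance level, and the order in which mitigate, transfer and avoid are tried are assumptions made for the example.

```python
from fractions import Fraction

# Likelihood (rows A..E) x consequence (columns 1..5) matrix from the deck
RISK_MATRIX = {
    "A": "HHEEE",  # almost certain
    "B": "MHHEE",  # likely
    "C": "LMHEE",  # possible
    "D": "LLMHE",  # unlikely
    "E": "LLMHH",  # rare
}
ACTION = {
    "E": "Extreme risk, immediate action",
    "H": "High risk, action should be taken to compensate",
    "M": "Moderate risk, action should be taken to monitor",
    "L": "Low risk, routine acceptance of risk",
}

def qualitative_rating(likelihood, consequence):
    """Rating letter for a scenario, read off the matrix."""
    return RISK_MATRIX[likelihood.upper()][consequence - 1]

def annual_loss_expectancy(aro, asset_value, loss_percent):
    """ALE = ARO x (asset value x percent of loss); exact arithmetic, no float drift."""
    sle = Fraction(asset_value) * Fraction(loss_percent, 100)  # single loss expectancy
    return round(float(Fraction(aro) * sle), 2)

def return_on_security_investment(ale, control_cost):
    """ROI = ALE - security control cost, as defined on the slide."""
    return round(ale - control_cost, 2)

def treatment(ale, control_cost, acceptance_level, transferable=False):
    """Deck's criteria: accept under the acceptance level; otherwise (assumed order)
    mitigate when the control pays for itself, else transfer if possible, else avoid."""
    if ale <= acceptance_level:
        return "accept"
    if return_on_security_investment(ale, control_cost) > 0:
        return "mitigate"
    return "transfer" if transferable else "avoid"

def risk_register_entry(scenario, likelihood, consequence, aro, asset_value,
                        loss_percent, control_cost, acceptance_level):
    """One register line: qualitative rating, ALE, ROI and the chosen treatment."""
    rating = qualitative_rating(likelihood, consequence)
    ale = annual_loss_expectancy(aro, asset_value, loss_percent)
    return {"scenario": scenario, "rating": rating, "action": ACTION[rating],
            "ale": ale, "roi": return_on_security_investment(ale, control_cost),
            "treatment": treatment(ale, control_cost, acceptance_level)}
```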
11. ISO27001 Risk Management Example
• ISO27001 provides a generic way to manage risk:
1. Identify assets
2. Identify threats to assets
3. Identify vulnerabilities that might be exploited by the threats
4. Identify the impacts on the assets
5. Analyze and evaluate the risks.
6. Identify the treatment of risks (accept, transfer, avoid, mitigate)
7. Select control objectives and controls
8. Follow the PDCA cycle.
12. Challenges In Deploying Technical Risk Treatment Controls For SCADA System
• We assume that a risk assessment has been done and security control objectives have been selected.
• Some of the challenges we might face:
– Choosing a security control that is compatible with SCADA and able to understand its traffic; a security control should protect the service without impacting it
– The geographical distance impacts support, maintenance, and operation
– Solving the communication bandwidth problem, because we need real-time monitoring and control
13. Developing Incidents Response And Remediation Plans
• Why do we need a plan for response?
– Because we need to be prepared to effectively solve different kinds of problems in the shortest time possible, in order to reduce the impact and prevent disturbance.
• The NIST Special Publication 800-61 “Computer Security Incident Handling Guide”
• First the definitions, then we are going to look into policy, plan, and process.
• A security incident is a violation of policy, e.g. a virus infection or a password brute-force.
• An event is any observable occurrence in a system or network, e.g. a failed authentication.
14. Developing Incidents Response And Remediation Plans
• In order to build an effective incident response we have to define the policy, plan, and procedure
• The policy should
– Define the scope of incidents that are going to be handled
– Define what will be considered a security incident and its impact on the company
– Define response and remediation requirements
– Define roles and responsibilities and the level of authority given to the response team for each kind of incident
– Define the incident severity rating
– Define response and remediation KPIs
– Define the escalation procedure for each kind of incident
– Define incident alerting and reporting requirements
15. Developing Incidents Response And Remediation Plans, Cont.
• The incident response plan should:
– Define the approach for incident response
– Implement the capabilities needed to provide the incident response service to the company, per the requirements defined in the policy.
– Define the resources and management support needed to enable the capabilities
– Define how the KPIs are measured
– Implement incident reporting, alerting and escalation capability
– Define how the incident response capabilities are coordinated and communicated inside the company
– Define an incident response and remediation procedure for each kind of incident; the procedure should consider the severity of the incident
16. Developing Incidents Response And Remediation Plans, Cont.
• The incident response and remediation procedure should:
– React based on the severity of the incident.
– Be reliable, effective and efficient
– Be detailed and supported with checklists
17. Developing Incidents Response And Remediation Plans, Cont.
• Incident response lifecycle
1. Preparation
– Preparing the team by training and drills.
– Providing the needed tools and logistics to carry out response capabilities.
2. Detection and analysis
– Accurate detection by filtering out false positives and false negatives
– Incident categorization: identifying the category leads to choosing the right response procedure
– Incident analysis: finding the root cause and the related and impacted assets
– Incident documentation: recording all facts in a secure system that will help us keep track of incident developments
– Incident prioritization: simply prioritizing incidents based on their severity
– Incident notification: alerting the related persons in the company to take action
3. Response action:
– Choosing a containment strategy in order to stop it from spreading to other assets
– Gathering evidence for forensic investigations: tag them and bag them
– Solving the problem, and recovering the system if needed
4. Post-incident activity
– Lessons learned documentation and meeting
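An added example, not from the deck, that applies the event/incident distinction of slide 13 and the detection, categorization, prioritization and notification steps of the lifecycle above: constructed failed-authentication events are counted per source and asset, and a "password brute-force" incident is raised, rated and routed only when a policy threshold is crossed. The sample log lines, the threshold, the window, the asset severities and the escalation contacts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: "timestamp user source asset result"
SAMPLE_EVENTS = """\
2012-03-21T10:00:01 operator 10.0.5.7 hmi-01 FAIL
2012-03-21T10:00:03 operator 10.0.5.7 hmi-01 FAIL
2012-03-21T10:00:04 operator 10.0.5.7 hmi-01 FAIL
2012-03-21T10:00:06 operator 10.0.5.7 hmi-01 FAIL
2012-03-21T10:00:07 operator 10.0.5.7 hmi-01 FAIL
2012-03-21T10:30:00 engineer 10.0.9.2 historian FAIL
2012-03-21T10:31:00 engineer 10.0.9.2 historian SUCCESS
""".splitlines()

# Constructed policy values: threshold, window, asset severity rating and
# escalation path are assumptions for this example, not figures from the deck.
POLICY = {
    "threshold": 5,                  # failures per (source, asset) that make an incident
    "window": timedelta(minutes=5),  # failures must fall inside this sliding window
    "asset_severity": {"hmi-01": "critical", "historian": "medium"},
    "escalation": {"critical": "SCADA manager and CSIRT lead", "medium": "SOC shift lead"},
}

def parse_event(line):
    # every line is an event (an observable occurrence), whatever its result
    ts, user, source, asset, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "source": source, "asset": asset, "result": result}

def detect_incidents(lines, policy=POLICY):
    """Raise one brute-force incident per (source, asset) once THRESHOLD failures
    fall inside WINDOW; categorize it, rate it by asset and pick who to notify.
    Input lines are assumed to be in time order."""
    failures, alerted, incidents = defaultdict(list), set(), []
    for ev in map(parse_event, lines):
        if ev["result"] != "FAIL":
            continue                  # a success is still only an event
        key = (ev["source"], ev["asset"])
        window = failures[key]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > policy["window"]:
            window.pop(0)             # drop failures that aged out of the window
        if len(window) >= policy["threshold"] and key not in alerted:
            alerted.add(key)          # do not re-alert on every further failure
            severity = policy["asset_severity"].get(ev["asset"], "low")
            incidents.append({"category": "password brute-force", "asset": ev["asset"],
                              "source": ev["source"], "severity": severity,
                              "first_seen": window[0], "last_seen": ev["ts"],
                              "notify": policy["escalation"].get(severity, "SOC analyst")})
    order = ("critical", "high", "medium", "low")   # prioritization by severity
    incidents.sort(key=lambda i: order.index(i["severity"]))
    return incidents
```

The historian lines stay plain events because a single failure is below the threshold; only the HMI source crosses it and becomes a critical incident routed to the escalation contact.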
18. Best Practice Strategies To Prevent Malicious Code
• Defense in depth
– Choosing the right antivirus
– Antivirus infrastructure design and support
– Network security: firewall (risky ports) and IPS
– Email antivirus and spam protection
– Web content filtering and scanning
– Endpoint protection (new antivirus trend)
– Limiting user privileges
– Continuously patching the system and 3rd party software
– Enforcing file integrity checks
– Blocking USB and CD-ROM
– Hardening the system
– Dividing the network into security zones
– Preventing users from installing software.
– NAC (network access control)