Risk Assessment Methodologies

Risk Assessment in SCADA environments

Notes for slide
  • The data protection officer is Matthias Lohmann. Appointing one is legally required in your case. Duties under the BDSG (German Federal Data Protection Act): supervision …. Training. Goal: dual awareness: 1. as an employee of a company that works with customers' personal data; 2. as a so-called data subject of data processing within the employment relationship or other civil-law relationships.
  • On data protection and data security: what is protected is the personal data (personal and factual information) of natural persons.
  • Transcript

    • 1. Security services: Risk Assessment Methodologies. ESCoRTS SAB, Brussels, May 2009. Philippe A. R. Schaeffer, Chief Security Analyst, TÜV Rheinland Secure iT GmbH
    • 2. Precisely Right. Safe and sound. And a clear competitive edge.
        • We: Advise. Develop. Facilitate. Inspect. Certify. Precisely Right. For you.
      79 associated companies overseas, at 360 locations in 62 countries around the world. Wherever your market is: we are already there, and ready to help you with advice and assistance.
    • 3. Overview of Topics
        • A Systematic Approach to Risk Assessment
        • Risk Assessment in SCADA Environments
        • Focus on some Findings
    • 4. Systematic Approach to Risk Assessment and the Treatment of Risks
        • Infrastructure Analysis: What (assets) do we have?
        • Security Requirement Analysis: How important are these?
        • Threat Analysis: What could happen to them?
        • Risk Analysis: How probable is that and how expensive would that be? => How high is the risk?
        • Risk Treatment Plan: What can I do about it, how and when?
        • Operations: How do I apply the measures and use them in operation?
        • Verification: How and when must I verify if the measures are effective?
    • 5. Infrastructure Analysis: What (assets) do we have?
        • Complete plan of the supporting IT infrastructure, e.g.:
            • IT applications
            • IT systems
            • Networks
            • Rooms and buildings
            • Connections
        • The compiled information shall ensure that:
            • potential vulnerabilities can be identified more easily,
            • required security measures can be applied area-wide,
            • special security measures can be taken for objects that deserve to be particularly secured.
    • 6. Security Requirement Analysis: How important are these?
        • The amount of protection a system component needs in order to reduce, avoid and/or compensate for disturbances or breakdowns
        • Determined with reference to:
            • Confidentiality
            • Integrity
            • Availability
        • Prerequisites:
            • Identification of “external” requirements:
                • business requirements
                • legal or regulatory requirements
                • contractual security obligations
            • A method for evaluating security requirements that
                • provides valid and repeatable results
    • 7. Threat Analysis: What could happen to them?
        • The main goal is to identify all possible threats to assets with relevant security requirements
        • A systematic approach to identifying all possible threats:
            • Threat Modeling
        • Threats are rated based on the determined security requirements
    • 8. Risk Analysis: How probable is that and how expensive would that be?
        • Product of the possible damage resulting from the established threats and its probability
        • The maximum amount of potential damage depends on the affected business processes, i.e.:
            • costs for the breakdown of production processes,
            • claims for compensation,
            • criminal prosecution,
            • damaged assets,
            • damaged image,
            • lost business volume
        • Prerequisites:
            • A method for evaluating security requirements that
                • provides valid and repeatable results
                • criteria for the acceptance of risks
                • acceptable risk levels
    • 9. Risk Treatment Plan: What can I do about it, how and when?
        • Strategy for evaluating the results of the risk analysis:
            • minimising risks (by organisational and technical measures),
            • or taking alternative actions (e.g. redundancy, SLAs or insurance),
            • and accepting the remaining risk.
        • Which actions are taken is a business decision => Security Policy
        • Particular measures may be turned into projects
    • 10. Operations: How do I apply the measures and use them in operation?
        • Implementation of measures during operation
        • After formal completion of the measures, switch to “secure operations”
        • Supervision and monitoring of “secure operations” by responsible individuals
    • 11. Verification: How and when must I verify if the measures are effective?
        • Regular tasks:
            • Supervising errors, security events and security issues,
            • Ensuring that all security tasks run as scheduled,
            • Ensuring that security issues are treated efficiently,
            • Carrying out regular checks on the efficiency and adequacy of the required key tasks,
            • Implementing the identified improvements,
            • Controlling the efficiency of the improvements.
        • Security Assessments
            • Organisational Assessments
            • Technical Assessments
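The steps on slides 4 to 9, with the verification check of slide 11, carried through as a small risk register. This is an added example and not part of the presentation: the assets, threats, probabilities, damage figures, measures and the acceptance level are all constructed for illustration, and the 1-to-3 requirement scale, the maximum principle for an asset's overall requirement and the per-year probability scale are this example's own assumptions.

```python
"""Worked risk register following slides 4 to 9 and the verification step of slide 11.
Added example, not the presentation's material; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """Steps 5 and 6: an inventoried asset with its security requirements."""
    name: str
    confidentiality: int   # 1 = low, 2 = medium, 3 = high (constructed scale)
    integrity: int
    availability: int

    def requirement(self) -> int:
        # Assumption: the asset's overall requirement is its highest single CIA requirement.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    """Step 7: a threat against a named asset, rated for step 8."""
    asset: str
    description: str
    probability: float   # expected occurrences per year (constructed)
    damage_eur: float    # damage per occurrence, summing the cost items of slide 8 (constructed)

    def risk(self) -> float:
        # Slide 8: risk is the product of the possible damage and its probability.
        return self.probability * self.damage_eur


@dataclass(frozen=True)
class Measure:
    """Step 9: an organisational or technical measure and its effect on one threat."""
    threat: str
    description: str
    probability_factor: float   # residual probability as a fraction of the original
    damage_factor: float        # residual damage as a fraction of the original
    cost_eur: float

    def residual_risk(self, threat: Threat) -> float:
        return (threat.probability * self.probability_factor) * (threat.damage_eur * self.damage_factor)


Decision = Tuple[str, Optional[str], float]   # (decision, chosen measure, risk after treatment)


def plan_treatment(assets: Dict[str, Asset], threats: List[Threat],
                   measures: List[Measure], acceptable_eur: float) -> Dict[str, Decision]:
    """Steps 7 to 9: consider only assets with a relevant requirement (medium or higher),
    then accept, minimise with the cheapest sufficient measure, or escalate to a business decision."""
    plan: Dict[str, Decision] = {}
    for t in threats:
        if assets[t.asset].requirement() < 2:
            continue                                   # slide 7: no relevant security requirement
        if t.risk() <= acceptable_eur:
            plan[t.description] = ("accept", None, t.risk())
            continue
        effective = [m for m in measures
                     if m.threat == t.description and m.residual_risk(t) <= acceptable_eur]
        if effective:
            best = min(effective, key=lambda m: m.cost_eur)
            plan[t.description] = ("minimise", best.description, best.residual_risk(t))
        else:
            # Slide 9: alternative actions (redundancy, SLAs, insurance) or acceptance are a business decision
            plan[t.description] = ("business decision", None, t.risk())
    return plan


def verify(plan: Dict[str, Decision], acceptable_eur: float) -> List[str]:
    """Slide 11: which threats still sit above the acceptance level once the measures are in place?"""
    return sorted(desc for desc, (_, _, residual) in plan.items() if residual > acceptable_eur)


# Constructed sample data
ASSETS = {
    "rtu-net": Asset("RTU network", 1, 3, 3),
    "historian": Asset("Process historian", 2, 2, 1),
    "canteen-display": Asset("Canteen information display", 1, 1, 1),
}
THREATS = [
    Threat("rtu-net", "Unauthorised control command via unprotected remote access", 0.2, 500_000),
    Threat("historian", "Loss of historian data through disk failure", 0.5, 40_000),
    Threat("historian", "Disclosure of production figures to a partner network", 0.1, 5_000),
    Threat("rtu-net", "Long outage of a proprietary controller without a spare", 0.05, 300_000),
    Threat("canteen-display", "Canteen display defaced", 0.3, 1_000),
]
MEASURES = [
    Measure("Unauthorised control command via unprotected remote access",
            "VPN gateway with two-factor authentication for service technicians", 0.05, 1.0, 30_000),
    Measure("Unauthorised control command via unprotected remote access",
            "Log remote sessions only", 0.8, 1.0, 5_000),
    Measure("Loss of historian data through disk failure",
            "Daily backup to separate storage", 1.0, 0.1, 4_000),
]
ACCEPTABLE_RISK_EUR = 10_000   # constructed acceptance criterion (prerequisite on slide 8)

if __name__ == "__main__":
    plan = plan_treatment(ASSETS, THREATS, MEASURES, ACCEPTABLE_RISK_EUR)
    for desc, (decision, measure, residual) in plan.items():
        print(f"{decision:17} {residual:>10.0f} EUR/year  {desc}" + (f"  -> {measure}" if measure else ""))
    print("still above acceptance level:", verify(plan, ACCEPTABLE_RISK_EUR))
```

The controller outage lands in "business decision" because no listed measure brings it under the acceptance level, which is where slide 9's alternative actions (redundancy, SLAs, insurance) come in; the canteen display never enters the plan because its requirement is too low to matter, mirroring slide 7's restriction to assets with relevant security requirements.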
    • 12. Overview of Topics
        • A Systematic Approach to Risk Assessment
        • Risk Assessment in SCADA Environments
        • Focus on some Findings
    • 13. Overview: Organisational Assessment
        • Assessment of basic organisational issues:
            • Security policy
            • Allocation of responsibilities
            • Asset management
            • Human resources security
            • Physical and environmental security
            • Communications and operations management
            • Access control
            • Systems acquisition, development and maintenance
            • Security incident management
            • Business continuity management
            • Compliance
    • 14. Special Requirements of SCADA Environments (The Assessment Point of View)
        • The usual suspects:
            • Long life cycles of systems
            • Different impact of security incidents
            • New interconnections between old infrastructures
            • Remote access for service technicians
            • …
        • Specific issues during (technical) assessments:
            • Fear of security tests in live environments
            • Proprietary hardware, software, and protocols
            • “Hidden” networks
            • “Black box” systems
    • 15. Special Requirements of SCADA Environments: Technical Assessment
        • Assessments must be adapted to the requirements:
            • Different rating of vulnerabilities
                • Different probabilities and impact of threats must be considered
                • “Security in depth” on different layers
                • More technical vulnerabilities may be solved organisationally
            • Manual testing
            • Manual selection of single targets
            • Profound knowledge of hardware, software, and protocols
            • Configuration analysis
            • Focus on network infrastructures and interconnections between networks
            • Close cooperation with the responsible “administrators”
    • 16. Overview: Technical Assessment
        • IT infrastructure, e.g. access control, redundancies, physical protection, emergency plans
        • Networks, e.g. network architecture and management, firewalls, routers, third-party networks and systems, remote access, wireless connections
        • Systems, e.g. servers, workstations and terminals, mobile terminals, hardening, engineering stations, test and release management, storage
        • Administration, e.g. patch management, antivirus, backup, monitoring, policies
    • 17. Overview of Topics
        • A Systematic Approach to Risk Assessment
        • Risk Assessment in SCADA Environments
        • Focus on some Findings
    • 18. Focus on some examples: Access from untrusted networks
        • No or weak firewalls
            • Insufficient access controls
            • Too much communication allowed
                • Generic sources and destinations
                • Unnecessary ports
                • Forgotten protocols (e.g. IPX)
        • Explicitly allowed communication
            • Web applications
                • Used to display information in office networks
                • Used as interface to corporate, partner or regulatory authority networks
            • Tunnels or jumping into other networks
                • Resolution of public DNS records, ICMP
    • 19. Focus on some examples: Insecure protocols
        • Serial or analog protocols ported to IP
        • Proprietary protocols without authentication and encryption
            • Even in new standards: IEC 61850
        • Insecure data transfer protocols
            • HTTP, FTP, NFS, SMTP (mail), syslog, SNMP, …
        • Insecure remote control protocols
            • SNMP, telnet, X11, SSH, …
        • Ineffective encryption
        • Radio communications
            • Wireless LAN, Bluetooth, ZigBee, …
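A rule review that flags the firewall findings of slide 18 (generic sources and destinations, unnecessary ports, forgotten protocols such as IPX, DNS and ICMP paths out of the SCADA network) together with the explicitly allowed cleartext protocols of slide 19. This is an added example and not material from the presentation; the SCADA address range, the approved service list, the rule set, the zone model and the finding codes are all constructed for illustration.

```python
"""Firewall rule review for the findings on slides 18 and 19.
Added example, not the presentation's material; addresses, rules and codes are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional

SCADA_NET = ip_network("10.10.0.0/16")          # constructed SCADA address range

# Services the (constructed) security policy explicitly allows into the SCADA zone
APPROVED_INBOUND = {("tcp", 443), ("tcp", 22)}

# Cleartext or unauthenticated services named on slide 19, keyed by transport and port
INSECURE_SERVICES = {
    ("tcp", 80): "http", ("tcp", 21): "ftp", ("tcp", 2049): "nfs", ("tcp", 25): "smtp",
    ("udp", 514): "syslog", ("udp", 161): "snmp", ("tcp", 23): "telnet", ("tcp", 6000): "x11",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str
    proto: str             # "tcp", "udp", "icmp", or a forgotten protocol such as "ipx"
    port: Optional[int]    # None = all ports


def zone(endpoint: str) -> str:
    """Classify an endpoint as 'any', 'scada' or 'untrusted' (anything outside SCADA_NET)."""
    if endpoint == "any":
        return "any"
    net = ip_network(endpoint, strict=False)
    if net.prefixlen == 0:
        return "any"
    return "scada" if net.subnet_of(SCADA_NET) else "untrusted"


def review_rule(rule: Rule) -> List[str]:
    """Return the finding codes that apply to one rule; deny rules widen no exposure."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings
    src, dst = zone(rule.src), zone(rule.dst)
    if "any" in (src, dst):
        findings.append("generic-endpoint")          # generic sources and destinations
    if rule.proto not in ("tcp", "udp", "icmp"):
        findings.append("forgotten-protocol")        # e.g. IPX left over from an old network
        return findings
    key = (rule.proto, rule.port)
    if src == "untrusted" and dst == "scada":
        if key not in APPROVED_INBOUND:
            findings.append("unnecessary-port")
        if key in INSECURE_SERVICES:
            findings.append("insecure-protocol:" + INSECURE_SERVICES[key])
    if src == "scada" and dst == "untrusted" and (rule.proto == "icmp" or key == ("udp", 53)):
        findings.append("tunnel-path")               # public DNS resolution or ICMP out of the SCADA zone
    return findings


def review_ruleset(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each rule with at least one finding to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        found = review_rule(rule)
        if found:
            report[rule.name] = found
    return report


# Constructed rule set; 192.168.1.0/24 plays the office network, 203.0.113.0/24 is a documentation range
RULES = [
    Rule("allow-all", "allow", "any", "any", "tcp", None),
    Rule("office-to-hmi-web", "allow", "192.168.1.0/24", "10.10.5.10/32", "tcp", 443),
    Rule("office-to-plc-telnet", "allow", "192.168.1.0/24", "10.10.0.0/16", "tcp", 23),
    Rule("legacy-ipx", "allow", "192.168.1.0/24", "10.10.0.0/16", "ipx", None),
    Rule("scada-dns-out", "allow", "10.10.0.0/16", "203.0.113.53/32", "udp", 53),
    Rule("default-deny", "deny", "any", "any", "tcp", None),
]

if __name__ == "__main__":
    for name, codes in review_ruleset(RULES).items():
        print(f"{name:22} {', '.join(codes)}")
```

The approved HTTPS rule produces no finding, which is exactly why slide 18 lists explicitly allowed web applications as a separate concern: a rule review can only judge the boundary, not the application behind it, so that rule still belongs on the manual assessment list.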
    • 20. Focus on some examples: Physical access
        • External & internal service technicians
            • Service laptops
                • Direct access to SCADA networks
                • Insufficient policies
            • Mobile storage
                • USB U3 flash drives
        • Interfaces in the field
            • Easy access to sensors or field buses
                • Security vulnerabilities in processing software
            • Easy access to IP networks
                • Routers in remote stations
        • Access to the facilities
    • 21. What it all comes down to: Organization, procedures and processes
        • High awareness of safety but little or no awareness of security
            • Threats are neither known nor dealt with
            • People hardly know that IT is involved
            • Frequent excuse: “border security”
        • Insufficient processes and policies
            • Undefined responsibilities
            • No security management
            • Policies apply to office communications
            • Processes are not adapted to special needs
            • Policies are not in line with other “traditional” policies
        • No consistent, internationally acknowledged standard
    • 22. “Other ways to do it”
        • The presented approach is “top down”
            • Other top-down approaches may have a different order, naming and emphasis
            • But the basic concepts and addressed issues are the same
        • There are many guidelines for a bottom-up approach
            • Focus on technical issues
            • E.g. “21 Steps to Improve Cyber Security of SCADA Networks” by the US Department of Energy
            • From our experience: bears the risk of incompleteness (e.g. no complete threat analysis, no definition of security requirements)
    • 23. Risk Assessment Methodologies
        • Thank you for your attention!
        • Do you have questions?
      Philippe A. R. Schaeffer, Chief Security Analyst, TÜV Rheinland Secure iT GmbH, Phone +49 221 806 2485, Email [email_address]
