DeltaV Security - Don’t Let Your Business Be Caught Without It


Published on


Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • 310 Square Mile site in southwest SC, on border of GA, along the Savannah River. Used to be major production site for nuclear weapons program. Now, mostly cleanup. Some limited life component processing (Tritium); looking forward to future missions for the site, like energy park, modular reactors, hydrogen fuels, etc…
  • A Vulnerability in human terms – example: a guy who does not exercise control over his desire to pursue women other than his wife The Risk here is that his wife will discover his actions and cause him irreparable harm; what is the likelihood (very likely) and severity (slow and painful death; or worse)
  • DeltaV Security - Don’t Let Your Business Be Caught Without It

    1. 1. DeltaV Security Don’t Let Your Business Be Caught Without It SRR-MS-2011-00057
    2. 2. Presenters <ul><li>Randy Pratt </li></ul><ul><li>Greg Stephens </li></ul>
    3. 3. Introduction <ul><li>Randy </li></ul><ul><li>Emerson Process Management – Austin, TX </li></ul><ul><li>Travels the world providing expertise to customers </li></ul>
    4. 4. Introduction <ul><li>Greg </li></ul><ul><li>Where is the Savannah River Site? </li></ul><ul><li>What goes on there? </li></ul>
    5. 5. Introduction <ul><li>Cybersecurity risks change rapidly </li></ul><ul><li>Nearly everyone knows they need to be secure </li></ul><ul><li>Few really know how to assess and address well </li></ul><ul><li>The key - strive for strategy and effective actions </li></ul><ul><li>Communication of risks in business terms is crucial </li></ul>
    6. 6. The Landscape <ul><li>Not the way to appear </li></ul><ul><li>in the newspaper… </li></ul>
    7. 7. Introduction <ul><li>Provide basic tools – you will need to do more </li></ul><ul><li>Demonstrate and discuss use of the tools </li></ul><ul><li>Work through strategy definition </li></ul><ul><li>Discuss and suggest plans to address risks </li></ul><ul><li>Help you look at the issues from other perspectives </li></ul>
    8. 8. Facts <ul><li>There is notably a lot of Fear, Uncertainty and Doubt (FUD) propagated about automation system cyber security. </li></ul><ul><li>Step back and take a look at the things you know for certain: </li></ul><ul><ul><li>Your process automation system is a productivity tool and likely determines whether you can profitably make your product or not. </li></ul></ul><ul><ul><li>A lot of your company’s intellectual property is embodied in your automation system, perhaps to the point of trade secrets, etc. </li></ul></ul>
    9. 9. Facts <ul><ul><li>ICS (Industrial Control System) as a cyber target is not an abstract “we’ll worry about it when it happens thing” any more (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has been realized to be a high value target for either industrial and business or strategic political reasons. </li></ul></ul><ul><li>Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see the opportunity to economically attack whereas a military attack wouldn’t be considered. </li></ul>
    10. 10. Facts <ul><ul><li>More than any other country, the US Military relies heavily on private business for products and services. Attacking those private businesses could hamper military efforts. </li></ul></ul><ul><ul><li>In some parts of the world, cyber crime can be a physical threat. Imagine having to pay a ransom to get regain full control of your system. </li></ul></ul><ul><ul><li>Current US government will to regulate cyber security is low. Current business lobbying efforts to minimize government regulations is high. </li></ul></ul>
    11. 11. Facts <ul><ul><li>Bottom line, a lot of reasons you should consider protecting your systems, no matter how mundane or critical your product is. But don’t wait for government regulation to force you into it. </li></ul></ul><ul><ul><li>Since you are attending this session, you probably don’t need to be sold on the idea of protecting your system. But the above points might help sell it to your management if they aren’t on board. </li></ul></ul>
    12. 12. The Simple Facts
    13. 13. Where do I Start? <ul><ul><li>There are a number of standards, though most are short on explicit steps to take. </li></ul></ul><ul><ul><ul><li>If you are subject to a regulatory agency, then you probably know what you have to do, but not how. </li></ul></ul></ul><ul><ul><li>3rd parties offer helpful services, but there are certain things that you’ll have to do yourself regardless. </li></ul></ul><ul><ul><ul><li>They are in it for a profit. Not necessarily a bad thing, but unless you take a hands on approach they might sell you something you don’t need. </li></ul></ul></ul><ul><ul><li>Model the effort on something you already know. </li></ul></ul>
    14. 14. Basic Tools & Terms <ul><li>Cybersecurity Risk Assessment – Terminology </li></ul><ul><li>Vulnerability – Flaw or Weakness that may lead to an undesired consequence </li></ul><ul><li>Risk – Characterization of the likelihood and severity of consequence </li></ul><ul><li>Risk Assessment identifies and characterizes </li></ul>
    15. 15. The Model Assess Perform Risk Assessment & Gap Analysis Establish Areas and Vectors Determine Targets Change Align Areas and Vectors to Acceptable Levels Confirm results New Security Level Maintain Periodically Assess Update Stay Current
    16. 16. The Model – Likelihood vs Consequence Moderate Risk High Risk Low Risk Moderate Risk Likelihood Consequence
    17. 17. The Model – Probability vs Impact Probability   Impact     4 = Very Likely 4 = Severe Impact 3 = Likely 3 = Major Impact 2 = Not Likely 2 = Minor Impact 1 = Beyond Unlikely   1 = No Impact
    18. 18. The Model – Probability vs Impact Vector   Probability     Internet, Wireless (Open) 4 = Very Likely Internet, Wireless (Password) 3 = Likely Internet, Wireless (Authenticated) 2 = Not Likely No Outside Connection   1 = Beyond Unlikely
    19. 19. The Model – Probability vs Impact Impact   1 = No Impact 2 = Minor Impact 3 = Major Impact 4 = Severe Impact     Public View Ok Tarnished Recoverable Lost Confidence Environmental Ok Damaged Broken Destroyed Personnel Ok First Aid, Medical Treatment Hospitalization Fatality Production   No Loss Minor Loss Moderate Loss Major Loss
    20. 20. The Model – Risk Matrix
    21. 21. Participant Interaction <ul><li>Risk Matrix Construction </li></ul><ul><li>Business Considerations </li></ul><ul><li>Management Attention </li></ul><ul><li>Avoid the Urge to Overplay the Risk </li></ul>
    22. 22. Business Results Achieved <ul><li>Cybersecurity Risk Assessment – Part of Business Model </li></ul><ul><li>Better understanding of risks </li></ul><ul><li>Control system is hardened against cyber attacks </li></ul><ul><li>More likely to get attention if using disciplined approach </li></ul>
    23. 23. Summary <ul><li>We have provided a framework for Assessments </li></ul><ul><li>Each business has to count the cost – all are different </li></ul><ul><li>Feedback from participants </li></ul><ul><li>Anything we did not cover or you would like to ask </li></ul>
    24. 24. Where To Get More Information <ul><li>Department of Homeland Security – </li></ul><ul><li>Emerson Process Management </li></ul><ul><li>Your Local Business Partner </li></ul><ul><li>Consulting services </li></ul><ul><li>Other Exchange Sessions </li></ul>