Sri Lanka Institute of Information Technology
Master of Science (Information Management) Degree Program
Information Security Risk Management and Audit
Assignment 1
W.M.J.H. Fernando
MS18901290
Scenario 01

Allegro - Worksheet 10: Information Asset Risk Worksheet

Information Asset: Manufacturing Execution System (MES)

Area of Concern: A DDoS attack targets the manufacturing operation. The gateway crashes, exposing the workstations to other forms of malicious attack.

Threat

(1) Actor: Who would exploit the area of concern or threat?
    An employee with access to that network, or an external attacker.

(2) Means: How would the actor do it? What would they do?
    Use a botnet to launch a distributed denial-of-service attack against the gateway over that network.

(3) Motive: What is the actor's reason for doing it?
    To gain unauthorised access and change or crash the system.

(4) Outcome: What would be the resulting effect on the information asset?
    ❑ Disclosure   ❑ Modification   ☑ Destruction   ☑ Interruption

(5) Security Requirements: How would the information asset's security requirements be breached?
    Only approved employees may control and change the system.

(6) Probability: What is the likelihood that this threat scenario could occur?
    ☑ High (75%)   ❑ Medium (50%)   ❑ Low (25%)

(7) Consequences: What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
(8) Severity: How severe are these consequences to the organization or asset owner, by impact area? (Each score below is the probability weight, 0.75 here, multiplied by the impact value.)

    Impact Area                         Value      Score
Consequence: A DDoS attack would severely affect the MES and open the way for further attacks on the system.
    Reputation & Customer Confidence    Low (1)    0.75
    Financial                           Low (1)    0.75
Consequence: A DDoS attack could keep the MES out of production for hours or days.
    Productivity                        High (3)   2.25
    Safety & Health                     High (3)   2.25
Consequence: Penalty claims from clients can be expected.
    Fines & Legal Penalties             Low (1)    0.75
    User Defined Impact Area            -          -
Relative Risk Score: 6.75

(9) Risk Mitigation: Based on the total score for this risk, what action will you take?
    ❑ Accept   ❑ Defer   ☑ Mitigate   ❑ Transfer

For the risks that you decide to mitigate: on what container would you apply controls? What administrative, technical and physical controls would you apply on this container? What residual risk would still be accepted by the organization?

Container: Network - Gateway
    • Install an IDS on the network.
    • Evaluate network traffic and suspicious IP communication passing through the network.
    • Ensure there is enough bandwidth from the ISP to withstand the attack.
Scenario 02

Allegro - Worksheet 10: Information Asset Risk Worksheet

Information Asset: Manufacturing Execution System (MES)

Area of Concern: Malicious software attacks a workstation process, leaving functions inaccessible to the designated users.

Threat

(1) Actor: Who would exploit the area of concern or threat?
    An employee with access to that network, or an external attacker.

(2) Means: How would the actor do it? What would they do?
    The malicious software connects in over the intranet, or is installed on one of the operator workstations.

(3) Motive: What is the actor's reason for doing it?
    To gain unauthorised access and change or crash the system or the workstation's operating system.

(4) Outcome: What would be the resulting effect on the information asset?
    ❑ Disclosure   ❑ Modification   ☑ Destruction   ☑ Interruption

(5) Security Requirements: How would the information asset's security requirements be breached?
    Only approved employees may control and change the system. Data must not be disclosed to outside companies.

(6) Probability: What is the likelihood that this threat scenario could occur?
    ❑ High (75%)   ☑ Medium (50%)   ❑ Low (25%)

(7) Consequences: What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
(8) Severity: How severe are these consequences to the organization or asset owner, by impact area?

    Impact Area                         Value        Score
Consequence: Malware can potentially persist and do harm for a long time before it is recognised and properly removed.
    Reputation & Customer Confidence    Low (1)      0.5
    Financial                           Medium (2)   1
Consequence: The malware aims to severely disrupt the operation of the MES.
    Productivity                        High (3)     1.5
    Safety & Health                     High (3)     1.5
Consequence: Some fines from business and commercial customers can be expected.
    Fines & Legal Penalties             Low (1)      0.5
    User Defined Impact Area            -            -
Relative Risk Score: 5

(9) Risk Mitigation: Based on the total score for this risk, what action will you take?
    ❑ Accept   ❑ Defer   ☑ Mitigate   ❑ Transfer

For the risks that you decide to mitigate: on what container would you apply controls? What administrative, technical and physical controls would you apply on this container? What residual risk would still be accepted by the organization?

Container: Network - Gateway
    • Install an IDS on the network.
    • Evaluate network traffic and suspicious IP communication passing through the network.
Scenario 03

Allegro - Worksheet 10: Information Asset Risk Worksheet

Information Asset: Manufacturing Execution System (MES)

Area of Concern: Scanning of the MES workstations for open ports, or for the ports used by Siemens WinCC, as preparation for further activity.

Threat

(1) Actor: Who would exploit the area of concern or threat?
    An employee with access to that network, or an external attacker.

(2) Means: How would the actor do it? What would they do?
    Port scanning over the internet, as an information-gathering step.

(3) Motive: What is the actor's reason for doing it?
    To gain unauthorised access and identify vulnerabilities.

(4) Outcome: What would be the resulting effect on the information asset?
    ❑ Disclosure   ❑ Modification   ☑ Destruction   ☑ Interruption

(5) Security Requirements: How would the information asset's security requirements be breached?
    Only approved employees may control and change the system.

(6) Probability: What is the likelihood that this threat scenario could occur?
    ☑ High (75%)   ❑ Medium (50%)   ❑ Low (25%)

(7) Consequences: What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
(8) Severity: How severe are these consequences to the organization or asset owner, by impact area?

    Impact Area                         Value      Score
Consequence: Port scanning is used to detect vulnerabilities in the operating system and in the services running on the MES workstations.
    Reputation & Customer Confidence    Low (1)    0.75
    Financial                           Low (1)    0.75
Consequence: Such activity could be the prelude to illegal remote access that infects the system with malware.
    Productivity                        Low (1)    0.75
    Safety & Health                     Low (1)    0.75
Consequence: Some fines from business and commercial customers can be expected.
    Fines & Legal Penalties             Low (1)    0.75
    User Defined Impact Area            -          -
Relative Risk Score: 3.75

(9) Risk Mitigation: Based on the total score for this risk, what action will you take?
    ❑ Accept   ❑ Defer   ☑ Mitigate   ❑ Transfer

For the risks that you decide to mitigate: on what container would you apply controls? What administrative, technical and physical controls would you apply on this container? What residual risk would still be accepted by the organization?

Container: Network - Gateway
    • Install an IDS on the network.
    • Evaluate network traffic and suspicious IP communication passing through the network, e.g. a broad range of connection attempts to many different ports from a single IP address.
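The "evaluate network traffic and suspicious IP communication" control listed for Scenarios 01, 02 and 03 is only as good as the rules the IDS actually runs. The following is an added example, not part of this assignment and not the code of any IDS product: two such rules written in Python and run over a constructed firewall connection log, one for the connection flood against the gateway in Scenario 01 and one for the single-source port sweep in Scenario 03. The log format, the addresses (documentation ranges), the thresholds and the port list are all assumptions made for the example.

```python
"""Added example (not from the assignment): two IDS-style rules over a
constructed firewall connection log. Addresses, ports, thresholds and the
log format are all assumptions made for this illustration."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

GATEWAY_IP = "192.0.2.1"   # assumed plant gateway address
FLOOD_THRESHOLD = 30       # connections per second to the gateway
SWEEP_THRESHOLD = 20       # distinct destination ports from one source
WINDOW_SECONDS = 10        # sliding window for the port-sweep rule
ICS_PORTS = {102: "Siemens S7comm / ISO-TSAP", 502: "Modbus/TCP", 4840: "OPC UA"}


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dst_port: int
    action: str


def parse_log(text):
    """Assumed line format: '<ISO time> <src> <dst> <dst_port> <action>'."""
    conns = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, action = line.split()
            conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(port), action))
    return conns


def constructed_sample_log():
    """Synthetic log: normal traffic, then a botnet flood, then a port sweep."""
    lines = []
    # Normal: an operator workstation talks S7 (TCP 102) to the MES server, 1 conn/s.
    for i in range(5):
        lines.append(f"2019-03-01T10:00:0{i} 10.10.1.11 10.10.1.50 102 allow")
    # Flood: 40 distinct botnet hosts hit the gateway within the same second.
    for i in range(40):
        lines.append(f"2019-03-01T10:00:03 198.51.100.{i + 1} {GATEWAY_IP} 443 deny")
    # Sweep: one external host probes 25 different ports on a workstation over
    # five seconds, including the Siemens, Modbus and OPC UA ports.
    sweep_ports = [102, 135, 139, 445, 502, 1433, 2000, 3389, 4840, 5900,
                   8080, 8443] + list(range(20000, 20013))
    for i, port in enumerate(sweep_ports):
        lines.append(f"2019-03-01T10:00:0{5 + i % 5} 203.0.113.7 10.10.1.12 {port} deny")
    return "\n".join(lines)


def detect_gateway_flood(conns, gateway_ip=GATEWAY_IP, threshold=FLOOD_THRESHOLD):
    """Scenario 01 rule: connections per second *to the gateway* over threshold.
    A botnet spreads its load over many sources, so key on the destination."""
    per_second = defaultdict(list)
    for c in conns:
        if c.dst == gateway_ip:
            per_second[c.ts.replace(microsecond=0)].append(c.src)
    alerts = []
    for second, sources in sorted(per_second.items()):
        if len(sources) >= threshold:
            alerts.append({"rule": "gateway_flood", "second": second.isoformat(),
                           "connections": len(sources),
                           "distinct_sources": len(set(sources))})
    return alerts


def detect_port_sweep(conns, threshold=SWEEP_THRESHOLD, window=WINDOW_SECONDS):
    """Scenario 03 rule: one source reaching >= threshold distinct destination
    ports inside a sliding time window (a broad range of ports from one IP)."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda c: c.ts)
        in_window = Counter()   # dst_port -> connections currently inside the window
        left, best, best_ports = 0, 0, set()
        for c in recs:
            in_window[c.dst_port] += 1
            while (c.ts - recs[left].ts).total_seconds() > window:
                old = recs[left].dst_port
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, best_ports = len(in_window), set(in_window)
        if best >= threshold:
            alerts.append({"rule": "port_sweep", "src": src, "distinct_ports": best,
                           "ics_ports_touched": sorted(p for p in best_ports if p in ICS_PORTS)})
    return alerts


if __name__ == "__main__":
    sample = parse_log(constructed_sample_log())
    for alert in detect_gateway_flood(sample) + detect_port_sweep(sample):
        print(alert)
```

Running it prints one alert from each rule. The flood rule keys on the destination because a botnet spreads the load across many source addresses, so a per-source rate limit would never trip; the sweep rule ignores whether the probed ports are open and counts only the breadth of ports touched, which is what distinguishes reconnaissance from an operator workstation that keeps talking to the same S7 port. Detection alone does not keep the gateway up under a volumetric flood; that is the job of the third control in Scenario 01, enough upstream bandwidth from the ISP.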
Scenario 04

Allegro - Worksheet 10: Information Asset Risk Worksheet

Information Asset: Manufacturing Execution System (MES)

Area of Concern: A hardware defect occurs on an MES workstation.

Threat

(1) Actor: Who would exploit the area of concern or threat?
    An employee with access to that network, or an external attacker.

(2) Means: How would the actor do it? What would they do?
    Using a virus or a remote exploit after a DDoS attack has occurred, an interested party could cause a hardware defect.

(3) Motive: What is the actor's reason for doing it?
    To gain unauthorised access and damage one of the workstations.

(4) Outcome: What would be the resulting effect on the information asset?
    ❑ Disclosure   ❑ Modification   ☑ Destruction   ☑ Interruption

(5) Security Requirements: How would the information asset's security requirements be breached?
    The MES workstations must be available to support 24/7/365 operation.

(6) Probability: What is the likelihood that this threat scenario could occur?
    ❑ High (75%)   ❑ Medium (50%)   ☑ Low (25%)

(7) Consequences: What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
(8) Severity: How severe are these consequences to the organization or asset owner, by impact area?

    Impact Area                         Value        Score
Consequence: A hardware fault can carry high financial costs because of the cost of repair and the unavailability of the infrastructure.
    Reputation & Customer Confidence    High (3)     0.75
    Financial                           Medium (2)   0.5
Consequence: A hardware fault could delay production for an indefinite time, depending on the fault.
    Productivity                        High (3)     0.75
    Safety & Health                     High (3)     0.75
Consequence: Some fines from business and commercial customers can be expected.
    Fines & Legal Penalties             Low (1)      0.25
    User Defined Impact Area            -            -
Relative Risk Score: 3

(9) Risk Mitigation: Based on the total score for this risk, what action will you take?
    ❑ Accept   ❑ Defer   ☑ Mitigate   ❑ Transfer

For the risks that you decide to mitigate: on what container would you apply controls? What administrative, technical and physical controls would you apply on this container? What residual risk would still be accepted by the organization?

Container: Technical - Workstation
    • Keep the backup system (BCP) up to date and ready to go live within at most one hour.
    • Track the problem down and remove it at its source, which may be a virus.
Scenario 05

Allegro - Worksheet 10: Information Asset Risk Worksheet

Information Asset: Manufacturing Execution System (MES)

Area of Concern: A software fault in the Microsoft Windows OS or the Siemens WinCC software is exploited to crash or alter the software. The workstations have not been patched to the newest updates.

Threat

(1) Actor: Who would exploit the area of concern or threat?
    An employee with access to that network, or an external attacker.

(2) Means: How would the actor do it? What would they do?
    Via a virus or remote access, after a DDoS or port-scanning attack has taken place.

(3) Motive: What is the actor's reason for doing it?
    To gain unauthorised access and modify or crash the Siemens SIMATIC software or the workstation's operating system.

(4) Outcome: What would be the resulting effect on the information asset?
    ❑ Disclosure   ❑ Modification   ☑ Destruction   ☑ Interruption

(5) Security Requirements: How would the information asset's security requirements be breached?
    Only approved employees may control and change the system.

(6) Probability: What is the likelihood that this threat scenario could occur?
    ☑ High (75%)   ❑ Medium (50%)   ❑ Low (25%)

(7) Consequences: What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements?
(8) Severity: How severe are these consequences to the organization or asset owner, by impact area?

    Impact Area                         Value        Score
Consequence: A software crash in the SIMATIC software or the OS could cause operators to miss readings about malfunctions of the infrastructure, or cause malfunctions itself. It would hinder productivity, possibly to a halt, affecting distribution. Some financial loss is expected.
    Reputation & Customer Confidence    Low (1)      0.75
    Financial                           Medium (2)   1.5
Consequence: The same crash would hinder productivity, possibly to a halt, and put the health and safety of personnel at risk.
    Productivity                        High (3)     2.25
    Safety & Health                     High (3)     2.25
Consequence: Some fines from business and commercial customers can be expected.
    Fines & Legal Penalties             Low (1)      0.75
    User Defined Impact Area            -            -
Relative Risk Score: 7.5

(9) Risk Mitigation: Based on the total score for this risk, what action will you take?
    ❑ Accept   ❑ Defer   ☑ Mitigate   ❑ Transfer

For the risks that you decide to mitigate: on what container would you apply controls? What administrative, technical and physical controls would you apply on this container? What residual risk would still be accepted by the organization?

Container: SIMATIC (WinCC) software
    • Stay in contact with Siemens and apply their patches for known vulnerabilities.
Container: Microsoft Windows OS
    • Stay in contact with Microsoft and apply patches for known vulnerabilities.
Container: Developer system
    • Carefully test the patches against a test copy of the MES before rolling them out to production.
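The worksheets above print a Score for each impact area and a Relative Risk Score for each scenario, but never state how they are computed. The rule that reproduces every total is: score = probability weight x impact value, summed over the five impact areas, with weights High = 0.75, Medium = 0.50, Low = 0.25 and impact values High = 3, Medium = 2, Low = 1. The Python below is an added example, not part of the assignment, that recomputes and ranks all five worksheets under that inferred rule and cross-checks them against the printed totals; the short scenario labels are assumed for readability. Note the caveat: this is the assignment's own convention, whereas standard OCTAVE Allegro computes the relative risk score as impact value multiplied by the impact-area priority ranking from Worksheet 7, so these totals are comparable only with each other.

```python
"""Added example (not from the assignment): recompute the Relative Risk Score
of Worksheets 01-05 with the rule inferred from their numbers,
    score(area) = probability weight x impact value, summed over the areas.
Weights, values and scenario labels are transcribed or assumed as noted."""

PROBABILITY_WEIGHT = {"High": 0.75, "Medium": 0.50, "Low": 0.25}   # inferred from the worksheets
IMPACT_VALUE = {"High": 3, "Medium": 2, "Low": 1}                  # as printed, e.g. "High (3)"
IMPACT_AREAS = ("Reputation & Customer Confidence", "Financial", "Productivity",
                "Safety & Health", "Fines & Legal Penalties")

# (probability, impact per area in IMPACT_AREAS order, total printed on the worksheet).
# Labels are assumed short names for the five scenarios.
WORKSHEETS = {
    "01 DDoS crashes the gateway":        ("High",   ["Low", "Low", "High", "High", "Low"],     6.75),
    "02 Malware on a workstation":        ("Medium", ["Low", "Medium", "High", "High", "Low"],  5.0),
    "03 Port scan of MES workstations":   ("High",   ["Low", "Low", "Low", "Low", "Low"],       3.75),
    "04 Workstation hardware defect":     ("Low",    ["High", "Medium", "High", "High", "Low"], 3.0),
    "05 Unpatched Windows / WinCC fault": ("High",   ["Low", "Medium", "High", "High", "Low"],  7.5),
}


def area_scores(probability, impacts):
    """Per-area score, as in the worksheets' 'Score' column."""
    w = PROBABILITY_WEIGHT[probability]
    return {area: round(w * IMPACT_VALUE[rating], 2)
            for area, rating in zip(IMPACT_AREAS, impacts)}


def relative_risk(probability, impacts):
    """Relative Risk Score: the per-area scores summed."""
    return round(sum(area_scores(probability, impacts).values()), 2)


def score_all(worksheets=WORKSHEETS):
    return {name: relative_risk(p, imp) for name, (p, imp, _) in worksheets.items()}


def mismatches(worksheets=WORKSHEETS):
    """Names of worksheets whose printed total the inferred rule does not reproduce."""
    return [name for name, (p, imp, stated) in worksheets.items()
            if relative_risk(p, imp) != stated]


def ranked(worksheets=WORKSHEETS):
    """Highest relative risk first: the order in which to address the mitigations."""
    return sorted(score_all(worksheets).items(), key=lambda kv: kv[1], reverse=True)


def what_if(name, probability, worksheets=WORKSHEETS):
    """Re-score one worksheet with a different probability rating, impacts unchanged."""
    return relative_risk(probability, worksheets[name][1])


if __name__ == "__main__":
    for name, total in ranked():
        print(f"{total:5.2f}  {name}")
    print("worksheets whose total the rule does not reproduce:", mismatches())
    # Scenario 04 carries the heaviest impact ratings but is rated Low probability;
    # at Medium probability it would move from last place to third.
    print("04 at Medium probability:", what_if("04 Workstation hardware defect", "Medium"))
```

The what-if at the end is the check worth keeping in mind when reading the worksheets: Scenario 04 has the highest impact ratings of the five but lands at the bottom purely because its probability was rated Low, so the ranking is only as sound as that single probability judgement.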