Security metrics in SCADA system Master of Computer and Information Science Student: Nguyen Duc Nam Supervisor: Elena Sitnikova.


2 Introduction
- Thesis question
- SCADA system
  - Structure
  - Challenges
- Security metrics
  - Definition
  - Broad classes of metrics
  - Security metrics in SCADA
- Conclusion

3 Thesis question
How can the security of SCADA systems be measured?
- Definition of SCADA system
- Why are we concerned about security in SCADA systems?
- How?

4 SCADA system
Supervisory control and data acquisition (SCADA) system
SCADA systems are widely used in:
- Monitoring and control of industrial systems
- Oil and gas
- Air traffic and railways
- Power generation and transmission
- Water management
- Manufacturing
- Production plants

5 SCADA Structure
Figure 1: SCADA System General Layout (Stouffer et al. 2008)

6 Challenges of SCADA system
The number of attacks on SCADA systems is increasing:
- 330 reported attacks on oil and gas in 30 countries from 1990 to
- 70% of their clients had at least one major attack in the first six months of 2002, compared with 57% in the last six months of 2001 (Riptech)
- Attack on Maroochy Shire Council’s sewage control system, 2000
- Slammer worm, 2003
- Zotob, 2005
- Center for Strategic and International Studies: 2009, less than 50% of respondents; 2010, more than 80%

7 Security metrics
“Metrics” describes a broad category of tools used by decision makers to evaluate data in many different areas of an organization.
- Example: no more than 1% untrained
Security metrics cannot always be applied directly to systems:
- Using strong user passwords with limited lifetime and account lockout, versus the confusion this causes during a critical event

8 Three broad classes of metrics
- Organizational metrics: describe and track the effectiveness of organizational programs and processes
- Operational metrics: describe and manage risks to operational environments, including as-used systems and operating practices
- Technical metrics: describe and compare technical objects such as algorithms, specifications, architectures and alternative designs, products and implemented systems

9 Organizational metrics
Assessing the adequacy of the standards, policies and procedures adopted by the organization to enhance security.
Answer:
- Has an industry standard for security been adopted by the organization?
- Is there a policy that calls for an annual cyber security?
- Is there a policy that requires operators and maintenance personnel to receive periodic cyber security training?
- Is there a procedure that needs to be followed?

10 Operational metrics
Assessing how well the organization’s formal policies and procedures are implemented by the responsible staff members.
Answer:
- Are cyber security inspections conducted by personnel who have received specialized training in cyber security?
- If so, did the certified training course meet industry standards?
- Is each inspection carried out by personnel who are independent of the technical group that is responsible for day-to-day operations?
- Are the results of each inspection documented and saved into an inspection database?

11 Technical metrics
Assessing the adequacy of the security imposed to protect specific components of the system.
Answer:
- How many attempts have been made this week to access the system from the internet? Does this represent a 50% increase above the normal usage level?
- What is the ratio between the number of unsuccessful and successful attempts to access the system? Does this ratio exceed the criteria for concern?
- Is the modem cable (linking the system and vendors) kept disconnected and stored at the appropriate distance away from the modem when not in actual and approved use?
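Added example (not part of the original slides): the first two technical-metric questions above, computed from access records. The log format, the sample lines, the function names and the ratio criterion of 2.0 are assumptions made for illustration; only the 50% increase threshold comes from the slide.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not real data): "<ISO date> <source IP> <OK|FAIL>"
SAMPLE_LOG = """\
2024-03-04 203.0.113.10 FAIL
2024-03-04 203.0.113.10 FAIL
2024-03-05 198.51.100.7 OK
2024-03-06 203.0.113.10 FAIL
2024-03-07 203.0.113.44 FAIL
2024-03-08 198.51.100.7 OK
2024-03-09 203.0.113.44 FAIL
2024-03-10 203.0.113.44 FAIL
garbled line without fields
2024-03-11 198.51.100.7 OK
"""

def parse(log):
    """Yield ((iso_year, iso_week), result) per well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("OK", "FAIL"):
            continue
        try:
            year, week, _ = date.fromisoformat(parts[0]).isocalendar()
        except ValueError:
            continue
        yield (year, week), parts[2]

def weekly_metrics(log, week, baseline_attempts, ratio_limit):
    """Technical metrics for one ISO week, given as (year, week_number)."""
    counts = Counter(result for wk, result in parse(log) if wk == week)
    attempts = counts["OK"] + counts["FAIL"]
    # Relative change against the normal weekly level; with no baseline,
    # any traffic at all counts as an unbounded increase.
    if baseline_attempts:
        increase = (attempts - baseline_attempts) / baseline_attempts
    else:
        increase = float("inf") if attempts else 0.0
    # Unsuccessful-to-successful ratio; failures with no success is the worst case.
    if counts["OK"]:
        fail_ratio = counts["FAIL"] / counts["OK"]
    else:
        fail_ratio = float("inf") if counts["FAIL"] else 0.0
    return {
        "attempts": attempts,
        "increase": increase,
        "volume_alert": increase >= 0.5,          # the slide's 50% question
        "fail_ratio": fail_ratio,
        "ratio_alert": fail_ratio > ratio_limit,  # assumed criterion for concern
    }

if __name__ == "__main__":
    print(weekly_metrics(SAMPLE_LOG, (2024, 10), baseline_attempts=5, ratio_limit=2.0))
```
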

12 Technical metrics (continued)
- Antivirus and antispyware software installed on machines
- Updated machines
- Vulnerabilities per machine
- Host uptime
- Downtime
- Application vulnerability
- Number of attacks
- Probability of attacks
- Shortest length of attacks

13 Recommendations for developing metrics
- Bottom up versus top down
  - Bottom up: identifying existing data as the starting point
  - Top down: starting with the goals and questions of the end user
- Product and system design metrics
- Return on investment
- Metrics based on compliance with security standards or best practices
- Real-time monitoring metrics

14 Conclusion
- A broad overview of SCADA systems and security metrics
- Metrics are used in many industries, but metrics for the evaluation and analysis of security are not widely available due to a lack of focus on cyber security and limited security technologies specifically designed for PC
- The number of security metrics tools is growing, but some of them can be applied directly to SCADA systems
- Our next step, based on this thesis, is to develop a metric that meets the needs of a specific industry
- We highly encourage industry support and feedback on future work

15 Thanks