
Presentation transcript:

Securing SCADA Networks from Cyber Attacks - A Vendor Perspective
Presented by Shawn A. Sabo, National Sales Manager, QEI Inc.
© 2005, QEI Inc. All characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive property of their original owner.

The Need
- Loss of service
- Cost of countermeasures
- Customer confidence factor

Vendors have many of the Same Security Concerns as Utilities
1. Networks
2. Information
3. Personnel
4. Access and tools

The Changing Nature of SCADA Systems
- Extending the network to the substation and beyond
- Incorporation of SCADA into the Enterprise Network
- Implementation of “Open Systems”
- Remote access to monitoring and control
- Put SCADA data on every applicable desktop
- “Control your SCADA system from your cell phone”

Extended Enterprise Network

Twenty One Steps to Improve Cyber Security of SCADA Networks
SOURCE: Office of Energy Assurance, U.S. Department of Energy.
1. Identify all connections to SCADA networks.
2. Disconnect unnecessary connections to the SCADA network.
3. Evaluate and strengthen the security of any remaining connections to the SCADA network.
4. Harden SCADA networks by removing or disabling unnecessary services.
5. Do not rely on proprietary protocols to protect your system.
6. Implement the security features provided by device and system vendors.
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network.
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users.
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
14. Establish a rigorous, ongoing risk management process.
15. Establish a network protection strategy based on the principle of defense-in-depth.
16. Clearly identify cyber security requirements.
17. Establish effective configuration management processes.
18. Conduct routine self-assessments.
19. Establish system backups and disaster recovery plans.
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.

Twenty One Steps fall into Four Categories
1. Control access
2. Get rid of the unnecessary and harden what’s left
3. Know and use the tools you have available
4. Take a fresh look

Control Access
- Look to designs with security in mind.
- Deal with vendors who protect their product and documentation.
- Restrict vendor access for maintenance purposes.
- Don’t keep compromises a secret from a vendor (if applicable) and expect the same.

Get Rid of the Unnecessary (and Harden what’s Left)
- Have your Vendor deliver systems with unnecessary server services and ports disabled (DCOM, UPnP, Automatic update, Messenger, etc.).
- Have vendor incorporate security aspects into your training.
- Expect a vigorous patch policy from vendors to include testing.
- Receive vendor guidance on third-party protective software (antivirus, spyware, etc.).

Get Rid of the Unnecessary (and Harden what’s Left)
- Make sure your vendor has the ability to partner with your IT department’s security scheme.
- Take active control of your security (Password control, SCADA system defaults, etc.).
- Sort out your problems with speed and expect the same from your vendor.

Know and Use the Tools You Have (or Should Have) Available
- Use Vendor resources for your own testing (Red team concept).
- Request your vendor offer system manager courses which include auditing and monitoring tools.
- Monitor intrusion detection tools.
- Work with your vendor’s users group for pooling of risk (stockpiles spares, CPUs, etc.).
- Encourage user group addressing of security concerns.

Take a Fresh Look
- Monitor the industry concerning items beyond your particular SCADA applications package (hardware platform, operating system, etc.).
- Become familiar with the industry security resources (DOD-CERT, ESISAC, etc.).
- Examine the various failure modes and plan accordingly.
- Enlist your vendor in formulating bypass, manual operation and backup contingencies.
- Test all contingency plans before they have to work (Vendor 24/7 support, offsite backup, recovery plans, etc.).

- Put your Security Requirements into your System Specifications
- Deal with Vendors who take Security as Seriously as you

Now that we are all Sufficiently Concerned…
- All industries seem to think they are behind others when it comes to Cyber-Security.

Four Categories
1. Control access
2. Get rid of the unnecessary and harden what’s left
3. Know and use the tools you have available
4. Take a fresh look

Questions?