Sandra C Security Advisor Energy Dan B Security Advisor Water

Presentation transcript:

SCADA SAT (SSAT) - UK
Sandra C, Security Advisor Energy
Dan B, Security Advisor Water
One of 2 Security Advisers – Electronic attack vs Physical Security
Personnel security covered by both

What is the SSAT? Personal experience of deploying the SSAT

SSAT – self audit
Good Practice published - 2005
Are UK utilities using it?
Can we measure the % of Good Practice in the UK?
SSAT first sent out 2008

Good Practice Guide: Process Control and SCADA Security
Available on the CPNI public website www.cpni.gov.uk (search "SCADA")
Guide 1. Understand the business risk
Guide 2. Implement secure architecture
Guide 3. Establish response capabilities
Guide 4. Improve awareness and skills
Guide 5. Manage third party risk
Guide 6. Engage projects
Guide 7. Establish ongoing governance
Firewall Deployment for SCADA and Process Control Networks
Plus: Cyber Security Procurement Language for Control Systems; CPNI Personnel Security Measures

SSAT Overview
99 questions
Physical, Personnel and Electronic
Based upon CPNI, Industry and International good practice
"The SSAT seeks to provide a high level snap-shot of the information assurance of an organisation's industrial control system(s) that are deemed to constitute (directly or indirectly) the UK critical national infrastructure. It is intended that the SSAT be completed on an annual basis by UK CNI companies across the relevant sectors to enable comparisons over time and across industries. The SSAT links directly to the CPNI SCADA security good practice."

SCADA Self Assessment Tool

Why do we use it?
High level understanding of the level of protective security for SCADA/ICS assets in the UK
'Door opener' for further discussion, and joint working to improve protective security

Companies' report will contain:
Their own scoring
Scoring from the previous year
Plus an average score from their sector
A list of recommendations

Outcomes
Process – now moving into 3rd year
SSAT question set – v3.1 (question set reviewed by Industry)
Improvement – average increase of performance – 40% (electricity sector)
Well received by all companies and UK Government

What are the results used for?
Sector aggregated results reported to UK Government
Benchmarking
Shows areas of weakness/vulnerabilities
Who should solve these? Industry, Government, CPNI – or all three

Future
Use internally by UK Utilities
Not for public release – never designed for this: scoring not weighted, not robust enough, never the aim.

BUT, if anyone would like to design a publicly available SCADA Self Assessment Tool that links directly to SCADA Good Practice, please do.

SSAT – Benefits
Electronic Security Background: Corporate / Government Systems
Heavily regulated
Accreditation
Incidents to 'focus the mind'
Minimal experience of Control Systems

One year of working with SSAT
Initial impressions of ICS Security were poor
Existing guidance (passwords, group accounts)
Impressions from research (Wikipedia):
  the lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks
  SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
  SCADA networks are secure because they are physically secured
  SCADA networks are secure because they are disconnected from the Internet
10 years behind the curve

But with experience and time...
Meetings with Companies
Availability rather than confidentiality
Cost constraints
Equipment lifecycle – 20 years +
Threat Awareness
Use of corporate technology but none of the security methods (AV, Intrusion Detection, lack of pen testers)
Better understand Companies
Mechanism for closer involvement

In average terms, an improvement in every area:

SECTOR 2009
Area                                      Max   Change
1) Understand the Business Risk*          10    Up 9%
1a) Understand the Vulnerabilities*       10    Up 27%
2) Establish Ongoing Governance           5     Up 21%
3) Implementing Secure Architecture
   Perimeter Defence                      26    Up 16%
   Malware Protection                     16    Up 8%
   Insider Threat                         9     Up 22%
   Security Management                    3     Up 10%
   Backups and recovery                   3     Up 7%
   Physical Security                      6     Up 12%
4) Improve Awareness and Skills           5     Up 17%
5) Establish Response Capabilities        5     Up 2%
6) Manage Third Party Risk                16    Up 4%
7) Engage Projects                        4     Up 20%
8) Procurement                            5     N/A
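The report slide (own scoring, last year's scoring, a sector average and a list of recommendations) and the per-area maxima on the results table together describe an unweighted scoring and benchmarking scheme. The Python below is an added example, not CPNI's SSAT code, of how such a scheme can be computed: each area's score as a percentage of its maximum, an unweighted sector average, year-on-year change, and recommendations ordered by the company's gap to the sector average. The area maxima are those printed on the table; the assumption that an area score is an integer count of satisfied checks, the company names and scores (constructed sample data), and all function names are not from the slides.

```python
"""Added example, not CPNI's SSAT code: an unweighted per-area scoring and
sector-benchmarking model of the kind the report slide describes.

Assumptions (not stated on the slides): an area's score is an integer
number of satisfied checks between 0 and that area's maximum, and the
maxima are the ones printed on the results table. Company names and
scores below are constructed sample data."""
from statistics import mean
from typing import Dict, List, Optional

# Per-area maxima as printed on the results table (area 3 split into its sub-areas).
AREA_MAX: Dict[str, int] = {
    "1) Understand the Business Risk": 10,
    "1a) Understand the Vulnerabilities": 10,
    "2) Establish Ongoing Governance": 5,
    "3) Perimeter Defence": 26,
    "3) Malware Protection": 16,
    "3) Insider Threat": 9,
    "3) Security Management": 3,
    "3) Backups and recovery": 3,
    "3) Physical Security": 6,
    "4) Improve Awareness and Skills": 5,
    "5) Establish Response Capabilities": 5,
    "6) Manage Third Party Risk": 16,
    "7) Engage Projects": 4,
    "8) Procurement": 5,
}

Scores = Dict[str, int]


def validate(scores: Scores) -> Scores:
    """Reject unknown areas or out-of-range values; an unanswered area scores 0."""
    unknown = set(scores) - set(AREA_MAX)
    if unknown:
        raise ValueError(f"unknown areas: {sorted(unknown)}")
    for area, value in scores.items():
        if not 0 <= value <= AREA_MAX[area]:
            raise ValueError(f"{area}: {value} outside 0..{AREA_MAX[area]}")
    return {area: scores.get(area, 0) for area in AREA_MAX}


def scores_from_list(values: List[int]) -> Scores:
    """Build a validated score dict from values given in AREA_MAX order."""
    if len(values) != len(AREA_MAX):
        raise ValueError("one value per area required")
    return validate(dict(zip(AREA_MAX, values)))


def percent_of_max(scores: Scores) -> Dict[str, float]:
    """Each area's score as a percentage of its maximum (one decimal)."""
    s = validate(scores)
    return {a: round(100.0 * s[a] / AREA_MAX[a], 1) for a in AREA_MAX}


def sector_average(companies: Dict[str, Scores]) -> Dict[str, float]:
    """Unweighted mean per area across every company in the sector."""
    validated = [validate(s) for s in companies.values()]
    return {a: mean(v[a] for v in validated) for a in AREA_MAX}


def year_on_year(current: Scores, previous: Scores) -> Dict[str, Optional[float]]:
    """Percent change per area against last year; None where last year was 0."""
    cur, prev = validate(current), validate(previous)
    return {a: None if prev[a] == 0 else round(100.0 * (cur[a] - prev[a]) / prev[a], 1)
            for a in AREA_MAX}


def recommendations(scores: Scores, sector_avg: Dict[str, float]) -> List[str]:
    """Areas where the company sits below its sector average, ordered by the
    gap as a share of the area's maximum, largest gap first."""
    s = validate(scores)
    gaps = [((sector_avg[a] - s[a]) / AREA_MAX[a], a) for a in AREA_MAX]
    gaps = sorted(((g, a) for g, a in gaps if g > 0), reverse=True)
    return [f"{a}: {s[a]}/{AREA_MAX[a]} vs sector average {sector_avg[a]:.1f}"
            for _, a in gaps]


def company_report(name: str, current: Scores, previous: Optional[Scores],
                   sector: Dict[str, Scores]) -> dict:
    """The four report elements the slide lists: own score, last year's score,
    sector average and recommendations."""
    avg = sector_average(sector)
    return {
        "company": name,
        "score_pct": percent_of_max(current),
        "previous_year_pct": percent_of_max(previous) if previous else None,
        "change_pct": year_on_year(current, previous) if previous else None,
        "sector_average": avg,
        "recommendations": recommendations(current, avg),
    }


# Constructed sample data for a three-company sector (not real results).
A_2009 = scores_from_list([6, 5, 3, 16, 11, 5, 2, 2, 4, 3, 3, 9, 2, 0])
A_2010 = scores_from_list([8, 7, 4, 20, 12, 7, 2, 3, 5, 4, 3, 10, 3, 2])
B_2010 = scores_from_list([5, 4, 2, 14, 9, 4, 2, 2, 3, 3, 1, 8, 1, 3])
C_2010 = scores_from_list([9, 9, 5, 24, 15, 8, 3, 3, 6, 5, 5, 14, 4, 5])
SECTOR_2010 = {"Company A": A_2010, "Company B": B_2010, "Company C": C_2010}

if __name__ == "__main__":
    for line in company_report("Company B", B_2010, None, SECTOR_2010)["recommendations"]:
        print(line)
```

Two design points follow the slides rather than any richer scheme: the sector average is a plain mean because the scoring is described as unweighted, and an area with no previous-year score (as Procurement is marked N/A for 2009) yields no year-on-year figure instead of a misleading percentage.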


Personnel security work

SSAT will adapt/improve year by year
Threats and technology change
Improvements still to be made
Highlighted work to do
Thanks for the co-operation of all participants

Thank you sandrac@cpni.gsi.gov.uk danba@cpni.gsi.gov.uk www.cpni.gov.uk