Cyber Risk Assessment
A successful cyber security risk assessment begins with an approach that ultimately results in defense in depth security architecture. Completing a risk assessment can uncover cyber security vulnerabilities before they become disruptive to the real-time process control and supervisory control and data acquisition (SCADA) network.
A successful cyber security risk assessment begins with an approach that ultimately results in defense in depth security architecture. Completing a risk assessment can uncover cyber security vulnerabilities before they become disruptive to the real-time process control and supervisory control and data acquisition (SCADA) network. Once identified, problems and vulnerabilities can be resolved before exploitation by hackers or others with malicious or non-malicious intent. This is especially important in critical infrastructure process control systems, as the consequence of a cyber incident may not only result in an economic or social impact to a company and community, but can have a major negative physical impact. A cyber security breach in a critical infrastructure process control or SCADA system environment may result in personal injury, downtime, property loss, or even loss of life in a worst-case scenario.
Each layer in a network should have its own protection, and protect more critical inner layers.
The objective in any risk assessment is to find potential vulnerabilities before they become incidents. The assessment process helps identify ways to maximize operational reliability and availability of the process control and SCADA environment. Creating a successful strategy requires in-depth knowledge of the security layers that play a role in protecting control systems. Each security layer of a defense in depth plan represents a category of system components that must be secured and hardened to the highest level so that each system can compensate for any inherent deficiencies in the layers below it.
The risk assessment process exposes vulnerabilities in these systems and exploits weaknesses in current defenses to show how an attack could impact a process control or SCADA network.
Start with analysis
The first step in building a defense in depth security strategy is to conduct an audit and determine the number of existing systems and integration points that exist, including a thorough review of the network architecture. Begin by asking yourself some basic questions:
Is the perimeter digitally or physically isolated?
Are corporate IT and plant control networks connected?
Are all open ports and firewall rules documented?
Are all remote and VPN access points documented?
Has an audit of all network devices been completed?
Have all switch and router configurations been audited?
Have all Ethernet and serial connected devices been audited?
Where are all of the protection points located on your process control network?
Is the Internet accessible from the plant network?
When complete, this review should include:
Network topology and connectivity points;
Software and hardware components; and,
Protocols, policies and procedures that manage the security features of the network environment.
This environment should be documented in a logical network diagram based on interviews with key staff on-site and by referencing existing network maps and diagrams. Your documentation should include security zones for each unique environment, along with the cyber security access control strategy in the process control and SCADA networks:
Network architecture—firewalls, VPNs, switches, and routers;
Host security—operating systems, servers, and workstations;
Application security—SCADA, emergency management systems (EMS), database, Internet; and,
Field devices—programmable logic controllers (PLCs), remote telemetry units (RTUs), intelligent electronic devices (IEDs), and other plant equipment.
The next step is to conduct a vulnerability assessment to assist in understanding the current vulnerabilities in the physical, IT, process control and SCADA environment. The objective is to understand all potential threats and associated risks of a cybersecurity event. Understanding all critical systems and the potential impact of cyber security events provides the basis for determining the investment required to protect this environment.
The only way to know for sure if a hacker or intruder can actually gain access into your network and/or facility is to test the vulnerabilities found in an assessment with a technique called penetration testing. This is, in effect, trying to hack into your own system. The purpose of this exercise is to use penetration tools and techniques to identify network vulnerabilities that might easily be exploited by a malicious attacker. Penetration testing activities may vary depending on the process control and SCADA network environment, but should include identifying all access points that connect to the network system, including communication interfaces, network connections, routers, switches, and any other external connection. Discovery of all vulnerabilities, including successful penetrations, should be identified.
Following the vulnerability assessment and penetration testing a summary report of the penetration test should be created that outlines the results of the attempted network infiltration.
Finish with analysis
Finally, conduct a detailed gap analysis with all parties involved to determine the impact of unauthorized access to a process control or SCADA network environment. The objective is to help to assess and compare the current level of cyber security protection against the recommended cyber security posture in the given process control or SCADA network environment. It is important to document all relevant deficiencies along with a recommendation for mitigating actions to meet all identified requirements. (An organization such as Industrial Defender can assist with the assessment process and help formulate appropriate security goals and objectives.) Each day operating with an unhardened network allows time for cyber criminals to find and exploit weaknesses.
Todd Nicholson is chief marketing officer, Industrial Defender Inc. Reach him at firstname.lastname@example.org .