Cyber Risk Assessment


11/01/2007


A successful cyber security risk assessment begins with an approach that ultimately results in defense in depth security architecture. Completing a risk assessment can uncover cyber security vulnerabilities before they become disruptive to the real-time process control and supervisory control and data acquisition (SCADA) network. Once identified, problems and vulnerabilities can be resolved before exploitation by hackers or others with malicious or non-malicious intent. This is especially important in critical infrastructure process control systems, as the consequence of a cyber incident may not only result in an economic or social impact to a company and community, but can have a major negative physical impact. A cyber security breach in a critical infrastructure process control or SCADA system environment may result in personal injury, downtime, property loss, or even loss of life in a worst-case scenario.


Each layer in a network should have its own protection, and protect more critical inner layers.

The objective in any risk assessment is to find potential vulnerabilities before they become incidents. The assessment process helps identify ways to maximize operational reliability and availability of the process control and SCADA environment. Creating a successful strategy requires in-depth knowledge of the security layers that play a role in protecting control systems. Each security layer of a defense in depth plan represents a category of system components that must be secured and hardened to the highest level so that each system can compensate for any inherent deficiencies in the layers below it.

The risk assessment process exposes vulnerabilities in these systems and exploits weaknesses in current defenses to show how an attack could impact a process control or SCADA network.

Start with analysis

The first step in building a defense in depth security strategy is to conduct an audit that determines the number of existing systems and integration points and includes a thorough review of the network architecture. Begin by asking yourself some basic questions:

  • Is the perimeter digitally or physically isolated?

  • Are corporate IT and plant control networks connected?

  • Are all open ports and firewall rules documented?

  • Are all remote and VPN access points documented?

  • Has an audit of all network devices been completed?

  • Have all switch and router configurations been audited?

  • Have all Ethernet and serial connected devices been audited?

  • Where are all of the protection points located on your process control network?

  • Is the Internet accessible from the plant network?

When complete, this review should include:

  • Network topology and connectivity points;

  • Information assets;

  • Software and hardware components; and,

  • Protocols, policies and procedures that manage the security features of the network environment.

This environment should be documented in a logical network diagram based on interviews with key staff on-site and by referencing existing network maps and diagrams. Your documentation should include security zones for each unique environment, along with the cyber security access control strategy in the process control and SCADA networks:

  • Network architecture—firewalls, VPNs, switches, and routers;

  • Host security—operating systems, servers, and workstations;

  • Application security—SCADA, emergency management systems (EMS), database, Internet; and,

  • Field devices—programmable logic controllers (PLCs), remote telemetry units (RTUs), intelligent electronic devices (IEDs), and other plant equipment.
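One way to check the documented zones and firewall rules against what is actually on the wire, as an added example that is not part of the original article. The zone addressing, rule set and observed flows are constructed for illustration; in practice the flows would come from firewall or switch logs.

```python
from ipaddress import ip_address, ip_network

# Constructed security zones (assumed addressing, not from the article).
ZONES = {
    "corporate_it": ip_network("10.10.0.0/16"),
    "plant_control": ip_network("10.20.0.0/16"),
    "field_devices": ip_network("10.30.0.0/16"),
}
# Documented firewall rules as (source zone, destination zone, destination port).
DOCUMENTED_RULES = {
    ("corporate_it", "plant_control", 443),   # assumed: web view of plant data
    ("plant_control", "field_devices", 502),  # Modbus/TCP polling of PLCs
}
# Constructed observed flows: (source IP, destination IP, destination port).
OBSERVED_FLOWS = [
    ("10.10.4.21", "10.20.1.5", 443),     # documented
    ("10.20.1.5", "10.30.0.17", 502),     # documented
    ("10.10.4.21", "10.30.0.17", 502),    # corporate host talking to a PLC
    ("10.20.1.9", "203.0.113.50", 80),    # plant host reaching the Internet
    ("10.20.1.5", "10.20.1.9", 3389),     # stays inside one zone
]

def zone_of(ip):
    """Map an address to its documented zone, or 'external' if it is in none."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit_flows(flows, rules):
    """Return every zone-crossing flow that no documented rule accounts for."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz, port) in rules:
            continue
        if dz == "external" and sz != "corporate_it":
            reason = "Internet reachable from plant network"
        elif sz == "external":
            reason = "inbound from outside perimeter"
        else:
            reason = "undocumented cross-zone flow"
        findings.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(OBSERVED_FLOWS, DOCUMENTED_RULES):
        print(finding)
```

Each finding is either a rule that needs to be documented or a connection that needs to be closed, which feeds directly into the later gap analysis.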

The next step is to conduct a vulnerability assessment to assist in understanding the current vulnerabilities in the physical, IT, process control and SCADA environment. The objective is to understand all potential threats and associated risks of a cyber security event. Understanding all critical systems and the potential impact of cyber security events provides the basis for determining the investment required to protect this environment.

The only way to know for sure if a hacker or intruder can actually gain access into your network and/or facility is to test the vulnerabilities found in an assessment with a technique called penetration testing. This is, in effect, trying to hack into your own system. The purpose of this exercise is to use penetration tools and techniques to identify network vulnerabilities that might easily be exploited by a malicious attacker. Penetration testing activities may vary depending on the process control and SCADA network environment, but should include identifying all access points that connect to the network system, including communication interfaces, network connections, routers, switches, and any other external connection. All vulnerabilities discovered, including successful penetrations, should be identified.

Following the vulnerability assessment and penetration testing, a summary report of the penetration test should be created that outlines the results of the attempted network infiltration.

Finish with analysis

Finally, conduct a detailed gap analysis with all parties involved to determine the impact of unauthorized access to a process control or SCADA network environment. The objective is to help assess and compare the current level of cyber security protection against the recommended cyber security posture in the given process control or SCADA network environment. It is important to document all relevant deficiencies along with a recommendation for mitigating actions to meet all identified requirements. (An organization such as Industrial Defender can assist with the assessment process and help formulate appropriate security goals and objectives.) Each day operating with an unhardened network allows time for cyber criminals to find and exploit weaknesses.



Author Information

Todd Nicholson is chief marketing officer, Industrial Defender Inc. Reach him at tnicholson@industrialdefender.com.



