DeltaV Security
Don’t Let Your Business Be Caught Without It
SRR-MS-2011-00057
Presenters
Randy Pratt
Greg Stephens
Introduction
Randy – Emerson Process Management, Austin, TX. Travels the world providing expertise to customers.
Introduction
Greg – Where is the Savannah River Site? What goes on there?
Introduction
Cybersecurity risks change rapidly
Nearly everyone knows they need to be secure
Few really know how to assess and address risk well
The key – strive for a strategy and effective actions
Communication of risks in business terms is crucial
The Landscape
Not the way to appear in the newspaper…
Introduction
Provide basic tools – you will need to do more
Demonstrate and discuss use of the tools
Work through strategy definition
Discuss and suggest plans to address risks
Help you look at the issues from other perspectives
Facts
There is notably a lot of Fear, Uncertainty and Doubt (FUD) propagated about automation system cyber security.
Step back and take a look at the things you know for certain:
– Your process automation system is a productivity tool and likely determines whether you can profitably make your product or not.
– A lot of your company’s intellectual property is embodied in your automation system, perhaps to the point of trade secrets, etc.
Facts
ICS (Industrial Control System) as a cyber target is not an abstract “we’ll worry about it when it happens” thing any more (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has been recognized as a high value target, whether for industrial and business reasons or for strategic political ones.
Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see an opportunity for an economic attack where a military attack would not be considered.
Facts
More than any other country, the US military relies heavily on private business for products and services. Attacking those private businesses could hamper military efforts.
In some parts of the world, cyber crime can be a physical threat. Imagine having to pay a ransom to regain full control of your system.
The current US government’s will to regulate cyber security is low. Current business lobbying efforts to minimize government regulation are high.
Facts
Bottom line: there are a lot of reasons you should consider protecting your systems, no matter how mundane or critical your product is. But don’t wait for government regulation to force you into it.
Since you are attending this session, you probably don’t need to be sold on the idea of protecting your system. But the above points might help sell it to your management if they aren’t on board.
The Simple Facts
Where do I Start?
There are a number of standards, though most are short on explicit steps to take. If you are subject to a regulatory agency, then you probably know what you have to do, but not how.
3rd parties offer helpful services, but there are certain things that you’ll have to do yourself regardless. They are in it for a profit – not necessarily a bad thing, but unless you take a hands-on approach they might sell you something you don’t need.
Model the effort on something you already know.
Model the effort on something you already know.
Basic Tools & Terms
Cybersecurity Risk Assessment – Terminology
Vulnerability – Flaw or weakness that may lead to an undesired consequence
Risk – Characterization of the likelihood and severity of the consequence
Risk Assessment – Identifies the vulnerabilities and characterizes the resulting risk
The Model
Assess – Perform Risk Assessment & Gap Analysis; Establish Areas and Vectors; Determine Targets
Change – Align Areas and Vectors to Acceptable Levels; Confirm Results; New Security Level
Maintain – Periodically Assess; Update; Stay Current
The Model – Likelihood vs Consequence
[Figure: 2x2 risk matrix with Likelihood on the vertical axis and Consequence on the horizontal axis. Top row (higher likelihood): Moderate Risk at low consequence, High Risk at high consequence. Bottom row (lower likelihood): Low Risk at low consequence, Moderate Risk at high consequence.]
The Model – Probability vs Impact
Probability scale:
4 = Very Likely
3 = Likely
2 = Not Likely
1 = Beyond Unlikely
Impact scale:
4 = Severe Impact
3 = Major Impact
2 = Minor Impact
1 = No Impact
The Model – Probability vs Impact
Vector – Probability
Internet, Wireless (Open) – 4 = Very Likely
Internet, Wireless (Password) – 3 = Likely
Internet, Wireless (Authenticated) – 2 = Not Likely
No Outside Connection – 1 = Beyond Unlikely
The Model – Probability vs Impact
Impact by category (columns: 1 = No Impact / 2 = Minor Impact / 3 = Major Impact / 4 = Severe Impact)
Public View – Ok / Tarnished / Recoverable / Lost Confidence
Environmental – Ok / Damaged / Broken / Destroyed
Personnel – Ok / First Aid, Medical Treatment / Hospitalization / Fatality
Production – No Loss / Minor Loss / Moderate Loss / Major Loss
The Model – Risk Matrix
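The following script is an added worked example of the Probability vs Impact model described on the preceding slides; it is not part of the original presentation or Emerson's DeltaV product. The vector-to-probability mapping and the per-category impact scale are taken from the slides. Three things are assumptions made here: the overall impact of a scenario is its worst single category, levels 3 and 4 form the "high" half of each axis when placing a pair on the 2x2 Likelihood vs Consequence matrix, and the numeric score is simply probability times impact (used only for ordering). The sample scenario at the bottom is constructed.

```python
"""Worked example of the slides' Probability x Impact risk model.

Added example, not from the original presentation. Vector probabilities and
the per-category impact scale are copied from the slides; combining
categories by taking the worst one, treating levels 3-4 as the 'high' half
of each axis, and scoring as probability * impact are assumptions.
"""

# Probability of a successful attack by access vector (from the slides).
VECTOR_PROBABILITY = {
    "Internet, Wireless (Open)": 4,           # Very Likely
    "Internet, Wireless (Password)": 3,       # Likely
    "Internet, Wireless (Authenticated)": 2,  # Not Likely
    "No Outside Connection": 1,               # Beyond Unlikely
}

# Impact outcomes per business category (from the slides); index + 1 = level.
IMPACT_SCALE = {
    "Public View":   ["Ok", "Tarnished", "Recoverable", "Lost Confidence"],
    "Environmental": ["Ok", "Damaged", "Broken", "Destroyed"],
    "Personnel":     ["Ok", "First Aid, Medical Treatment", "Hospitalization", "Fatality"],
    "Production":    ["No Loss", "Minor Loss", "Moderate Loss", "Major Loss"],
}

RATING_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


def impact_level(category, outcome):
    """Translate a described outcome into its 1..4 impact level (1 = No Impact)."""
    return IMPACT_SCALE[category].index(outcome) + 1


def overall_impact(consequences):
    """Assumption: the overall impact of a scenario is its worst single category."""
    return max(impact_level(cat, outcome) for cat, outcome in consequences.items())


def quadrant(probability, impact):
    """Place a (probability, impact) pair in the slides' 2x2 matrix.

    Assumption: levels 3 and 4 are the 'high' half of each axis. High
    likelihood with high consequence is High risk, both low is Low risk,
    and the two mixed quadrants are Moderate risk.
    """
    for level in (probability, impact):
        if level not in (1, 2, 3, 4):
            raise ValueError("levels must be 1..4")
    high_p, high_i = probability >= 3, impact >= 3
    if high_p and high_i:
        return "High"
    if not high_p and not high_i:
        return "Low"
    return "Moderate"


def assess(vector, consequences):
    """Assess step: rate one system reachable through one access vector."""
    p = VECTOR_PROBABILITY[vector]
    i = overall_impact(consequences)
    return {"probability": p, "impact": i, "score": p * i, "rating": quadrant(p, i)}


def vectors_meeting_target(consequences, target):
    """Change step: which access vectors bring the rating to the target or better?

    An empty result means the vector alone cannot reach the target; the
    consequence side (impact) has to be reduced as well.
    """
    return [v for v in VECTOR_PROBABILITY
            if RATING_ORDER[assess(v, consequences)["rating"]] <= RATING_ORDER[target]]


if __name__ == "__main__":
    # Constructed sample: a unit reachable over password-protected wireless whose
    # loss would halt production for a long period and could injure an operator.
    sample = {"Production": "Major Loss", "Personnel": "First Aid, Medical Treatment"}
    print(assess("Internet, Wireless (Password)", sample))
    print("Moderate or better via:", vectors_meeting_target(sample, "Moderate"))
    print("Low via:", vectors_meeting_target(sample, "Low"))
```

Running the sample shows the point the "Change" step of the model makes: moving the unit from a password-protected link to an authenticated one or removing the outside connection brings it from High to Moderate, but no access-vector change alone reaches Low while a Major production loss is still on the table, so the impact side has to be addressed too.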
Participant Interaction
Risk Matrix Construction
Business Considerations
Management Attention
Avoid the Urge to Overplay the Risk
Business Results Achieved
Cybersecurity Risk Assessment – Part of Business Model
Better understanding of risks
Control system is hardened against cyber attacks
More likely to get attention if using disciplined approach
Summary
We have provided a framework for assessments
Each business has to count the cost – all are different
Feedback from participants
Anything we did not cover or you would like to ask
Where To Get More Information
Department of Homeland Security – www.us-cert.gov
Emerson Process Management
Your Local Business Partner
Consulting services
Other Exchange Sessions