risk management ebook npi lss

7232019 Risk Management eBook Npi Lss

httpslidepdfcomreaderfullrisk-management-ebook-npi-lss 114

copy2015 Hone

The Four-Step Guide toUnderstanding Cyber RiskIdentifying Cyber Risks and

Addressing the Cyber Security Gap

Lifecycle Solutionsamp Services



copy2015 Hone

The Four-Step Guide to Understanding Cyber Risk

TABLE OF CONTENTS

3 Introduction A Real Danger

4 In the Firing Line

5 The Cyber Arms Race

6 Assessing the Risk

8 Step 1 Knowing Your Vulnerabilities

9 Step 2 Identifying Threats

12 Step 3 Measuring ConsequencesndashThe Final Piece

13 Step 4 Bringing it TogetherndashMeasuring Risk

14 More About Cyber Security



3


copy2015 Hone

A poll of 1642 experts by the Pew

Centre shows 61 predict a majattack will cause ldquowidespread harm security and capacity to defend ipeoplerdquo in the next ten years

ldquoBy lsquowidespreadrsquo harm we meanloss of life or property lossesdamat the levels of tens of bi llions of Pew clarified

L I N K

A successful attack is among the major risks

worrying the US government As MichaelRogers commander of US Cyber Commandtestified to the US House of RepresentativesIntelligence Committee

ldquoWe have seen instances where we are

observing intrusions into industrial control

systems What concerns us is that access

can be used by nation states groups or

individuals to take down [their] capabil ityrdquo he

said ICSs are a growth area of vulnerabili ty he added ldquoItrsquos among the things that concern

me the mostrdquo

It is estimated thatcyber risks costs theglobal economy up to$400 billion a yearmdashmaybe even moreFor industrial controlsystems (ICSs)however the risks areeven more acute

Introduction A Real Danger



4


copy2015 Hone

The warning signs are already there Rogersrsquocomments came just weeks after a Departmentof Homeland Security alert said malware namedBlackEnergy had infiltrated companies runningmuch of the countryrsquos infrastructure Less thana month later a German government report

revealed ldquomassive damagerdquo from an infectedemail targeting a steel mill in the country

Like Stuxnet Havex and BlackEnergy theGerman attack was targeted specifically atindustrial control systems

In the Firing Line



5


copy2015 Hone

bull Attackersrsquo growing sophistication The German attackers had ldquoadvancedknow-how not only of conventionalIT security but also detailed technicalknowledge of the industrial controlsystems and production processesused in the plantrdquo the governmentreport noted

bull The industrialization of cyber crime with skilled attackers selling ldquocrime as aservicerdquo to others without technical skills

bull Growing vulnerabilities as up to 25 billionweb-connected systems and devices inthe ldquoInternet of thingsrdquo come online by2020 Publicly available tools like Shodanlet would-be attackers easily identify ICSsIn 2013 for instance Finnish researchersused the search engine to find nearly3000 unsecured Internet-facing SCADAsystems running the countryrsquos watersupply building automation and othersystems Project SHINE (SHODANInformation Extraction) a multi-yearresearch project aimed at identifyingindustrial control devices that weredirectly connected to the Internetfound millions of such devices

Against this cyber risk managemindustrial control systems is fallin

bull Tools and methods used by ITsecurity professionals for mannetwork risks are not fully adoICS engineering and operation

bull Worse those with legacy systignore best practices avoiding

and virus protection updates theyrsquoll jeopardize plant stability

The result is a growing gap betwcapabilities of attackers and thepitched against them

The Cyber Arms Race

The Threat is Driven by a Number of Factors



6


copy2015 Hone

What is RiskISO The potential that a given

threat will exploit vulnerabilities

of an asset or group of assets

and thereby cause harm to the

organizationNIST A function of the likelihood

of a given threat mdashsourcersquos

exercising a particular potential

vulnerability and the resulting

impact of that adverse event

on the organization

Fortunately organizations such as the International StanOrganization (ISO) and National Institute of Standards a

Technology (NIST) have developed definitions that are waccepted and used

In both cases risk is seen as a function of the vulnerabi

an asset the threat which is the likelihood an attack wiland the consequence of such an attack being successf

(con

Assessing the Risk

To Understand the Risk We Need a Definition



7


copy2015 Hone

Assessing the Risk (cont)

To Put it Another Way Risk = Vulnerability983091

Threat983091

Consequence Through a function of vulnerability threat andconsequence we are able to quantify risk By assigninga value (whether between 0 and 1 0-100 or any otherconsistent scale) to each element users derive ametric that provides a consistent measure of risk andcan be used throughout the organization

The ultimate aim of course is to manage thrisk and this will be considered in a forthcome-book However you cannot manage whatcannot measure

This e-book therefore focuses on evaluatingand requires a thorough understanding of al

components in the equation above It is thefour-stage process looking at each elementmdashvulnerabilities and consequencesmdashin turn bbringing them all together



8


copy2015 Hone

bull First VA tools can probe aggressively to testfor vulnerabilities across enterprises whichmay be unsuitable and unsafe applied tonetwork activity in an ICS

bull Second vulnerabilities are frequently theresult not of a particular device or softwaresuite but poor practices or configurationsmdashweak passwords group accounts withadministrative privileges failures to implementanti-virus programs and host firewalls and soon All of these can be exploited by attackersto leverage systems for unintended purposes

bull Finally vulnerabilities must be looked at operations and processes Control sysare not just a collection of individual debut interconnected systems of devicesaccess controls on an application runnin a control room for example can mawhole process vulnerable not just a siworkstation

A vulnerability is anyquality of an assetthat could allow it tobe exploited Alldigital assets havethem Some areknown some arenrsquotSome are easier toexploit than others

Step 1 Knowing Your Vulnerabilities

A common source of vulnerabilities is software bugs 2014rsquos Heartbleed vulneaffecting half a million websites as well as thousands of connected device

just among the most high profile examples

There are numerous vulnerability assessment (VA) tools to track known vulnerawithin applications and operating systems but these have their limits



9


copy2015 Hone

Threats may be coincidental oraccidental simple or complex andthe result of a wide range of motivesWhat they have in common is thatthey have ldquothe potential to harmassetseg unauthorized actionsphysical damage technical failuresrdquoas ISO270052011 puts it

They also exploit vulnerabilitiesand when specific vulnerabilitieknown it is possible to predict sof the early signs of threats agathese Each stage of a cyberattack typically consists of sevesteps and by scanning for thesattacks may be detected beforincident occurs

(cont ne

It is threats thatturn a vulnerabilityinto an incident

Step 2 Identifying Threats



10


copy2015 Hone

Both vulnerabilities and threats evolveover time This is most obvious withthreats with more than 200000 newvariants of malware (such as virusestrojans or worms) identified every dayBut itrsquos true of vulnerabilities too

First new devices and applications

bring with them new vulnerabilities

Second vulnerabilities are discovin areas previously believed tobe secure Again Heartbleedmdashthat was meant to increase securshowed that the security induststrongest assumptions can beoverthrown overnight It is impossto take anything for granted whit comes to cyber security

Since new vulnerabilities and themerge and are detected all the both must be continuously revie

(cont ne

Moving targetsthe importanceof regular review

Step 2 Identifying Threats (cont)



11


copy2015 Hone

When threats align with vulnerabilitiesthe risk of a cyber incident increasessignificantly Take the example of thevirus detected and quarantined byanti-virus software on a control roomserver again The threat (virus) findsno vulnerability because the anti-virussoftware worked But the episodestill shows malware is able to accessthe server which should be in aprotected network

This raises questions of exposuIf known malware has been foucould unknown (ldquozero dayrdquo)malware also be present How the malware introduced Coulddetected malware have also beintroduced to other systems Tthreat although unsuccessful sindicates the potential for infectand therefore contributes to theoverall level of risk

The relationship between threatand vulnerabilities is complex bwith the right tools can be both

understood and managed

Understandingthe relationshipbetween threatsand vulnerabilities




12


copy2015 Hone

By identifying assets and the impactof a potential attack on them you candetermine the degree to which youshould worry A vulnerability that couldtake a printer offline for exampleis likely to be less of a concern than asuccessful attack on a safety system

Measuring consequences is notstraightforward In many cases theymay correlate closely to costs typicallythrough lost production Howeverconsequences could be far widerencompassing risks to personal safetyenvironmental damage reputational

impacts legal liabilities or even aswersquove seen national security concerns

Furthermore interrelationships inplant must again be recognizedthe consequence of an incident cbe measured solely by the impacon the specific compromised de

A cyber attack may cause a devor server to fail but what if it obtcontrol of the device or server anuses it to cause far wider damag

The potential for impacts to spiral the immediate effect of an initial bris a vital part of any assessment consequences

Consequencesput these threatsand vulnerabilitiesinto perspective

Step 3 Measuring ConsequencesmdashThe Final Piece



13


copy2015 Hone

bull It will know the vulnerabilities tolook out for

bull It will have put in place elements ofthreat detection such as firewallson the network and connectedhosts and virus protection

bull And it will have identified its most

important assets and the potentialconsequences of an attack on them

A solution now available to assistongoing situational awareness Honeywellrsquos Industrial Cyber SecRisk Manager

Risk Managermdashthe first solutionto proactively monitor measure amanage industrial cyber security

risk providing users of all levels wreal time visibility understanding decision support required for actWith Risk Manager there is no neto be a cyber security expert Theeasy-to-use interface allows userto prioritize and focus efforts on

managing risks that matter most reliable plant operations

Understandingand addressing thepreceding elementsgives a plant whatit needs to beginto make a realisticassessment ofits risks

Step 4 Bringing it TogetherndashMeasuring Risk



14


copy2015 Hone

For industrial organizations identifyingrisks is the first stage of the journeyto a more secure system in the face ofincreasing attacks Wersquoll consider thesecond stage in our forthcoming e-bookon managing the risks

More about Cyber SecurityFor More Information

Meanwhile for more information about Cyber Sechere are some more resources to help you

bull The Essential Guide to Cyber Security Download thisabout the essentials of Industrial Cyber Security and how to ap

bull Honeywell Whitepapers Honeywell experts have publishedvarious whitepapers on various elements of Industrial Cyber Se

View the complete list

bull Case Studies Read and learn from our to knowother industrial customers are taking to tackle cyber attacks

bull Visit

e-boo

here

case studies

becybersecurecom



copy2015 Hone


TABLE OF CONTENTS

3 Introduction A Real Danger

4 In the Firing Line

5 The Cyber Arms Race

6 Assessing the Risk

8 Step 1 Knowing Your Vulnerabilities

9 Step 2 Identifying Threats

12 Step 3 Measuring ConsequencesndashThe Final Piece

13 Step 4 Bringing it TogetherndashMeasuring Risk

14 More About Cyber Security



3


copy2015 Hone




L I N K









me the mostrdquo





4


copy2015 Hone




In the Firing Line



5


copy2015 Hone









The Cyber Arms Race




6


copy2015 Hone










on the organization





(con

Assessing the Risk




7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



3


copy2015 Hone




L I N K









me the mostrdquo





4


copy2015 Hone




In the Firing Line



5


copy2015 Hone









The Cyber Arms Race




6


copy2015 Hone










on the organization





(con

Assessing the Risk




7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



4


copy2015 Hone




In the Firing Line



5


copy2015 Hone









The Cyber Arms Race




6


copy2015 Hone










on the organization





(con

Assessing the Risk




7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



5


copy2015 Hone









The Cyber Arms Race




6


copy2015 Hone










on the organization





(con

Assessing the Risk




7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



6


copy2015 Hone










on the organization





(con

Assessing the Risk




7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



7


copy2015 Hone



Threat983091







8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



8


copy2015 Hone











9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



9


copy2015 Hone



(cont ne





10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



10


copy2015 Hone






(cont ne





11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



11


copy2015 Hone









12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



12


copy2015 Hone











13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



13


copy2015 Hone













14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom



14


copy2015 Hone








bull Visit

e-boo

here

case studies

becybersecurecom

risk management ebook npi lss

Documents