How Do I Address the Current Environment? Part 1

The most comprehensive way to address each of these issues is a holistic lifecycle approach that spans compliance, security and operations. The Holistic Lifecycle Model for Security and Compliance consists of proven methodologies aimed specifically at critical infrastructure and industrial environments. It is designed to help operators maximize security and achieve regulatory compliance while minimizing liability from legal action and from broad auditor interpretation. The model is a complete set of processes that goes well beyond the typical SVA (Security Vulnerability Assessment), gap analysis, or self-assessment; each of those is only one piece of a full compliance process.

Each phase of the model builds on the previous one as an integral part of a complete lifecycle, creating a seamless set of security methods and solutions supported by documented due diligence for compliance. The model covers compliance, security and operations by including methods for selecting the applicable standards, guidelines and best practices; security assessments (physical, facility, cyber and operational); gap analyses; risk analyses; organizational threat modeling; mitigation and remediation strategies and their integration; legal support; and management and maintenance programs.

How it works
The following section describes the basic flow of each phase of the model. Much of the technical detail is beyond the scope of this article and depends heavily on direct interaction with each operator's environment.

Phase 1 – Assessment

Whether you use a self-assessment tool such as CS2SAT or a third-party consultant to perform an SVA or gap analysis, the goal of an assessment is to identify vulnerabilities and gaps in your current environment. An SVA or gap analysis alone, however, will not ensure that your organization is secure or compliant. In fact, if done improperly, it can create liability for your organization. Many organizations are unaware that a proper assessment involves several necessary steps, all of which are part of a larger lifecycle that builds documented due diligence. A complete assessment phase consists of the following steps:

1. Standards Identification and Selection – The first step in achieving security and compliance is an exhaustive search of all the regulatory requirements, industry standards, guidelines, and best practices that may apply to your industry vertical. Even if some of the standards, guidelines and best practices were originally intended for another industry vertical, you should review them and, where relevant, include them in the list of potential requirements. For example, a petroleum company may fall under CFATS if its facilities hold certain chemicals of interest above the regulated threshold quantities. The list can then be narrowed to the handful of documents that you believe provide the set of requirements best matching your organization's infrastructure. The idea is that you can show you performed due diligence in both your research and your exclusions, in the event an auditor or attorney does not see a specific document referenced. All of these documents must then be put into a matrix that identifies a comprehensive list of categories, each cross-referenced to the relevant sections in each document.

2. Policies and Procedures Analysis – Once you have created the matrix of regulatory requirements, industry standards and best practices, your organization's internal policies and procedures must be added to it to ensure compliance with corporate mandates. A policies and procedures analysis should then be performed, supplemented by personnel interviews to improve accuracy, since written procedures and actual practice often differ. This gives you a clear picture of how well your current written policies and procedures cover the requirements, standards and best practices contained in the matrix.

3. Critical Asset Identification and Classification – Certain industry verticals, such as electric utilities and chemical facilities, require identification of critical assets by quantifying specific attributes. This should be done according to the standards for that particular industry vertical, with the understanding that the process may be governed by specific regulations on the confidentiality and handling of the resulting information.

4. Security Vulnerability Assessment (Cyber, Physical, and Operational) – The majority of standards, across all industry verticals, prescribe at least some form of vulnerability assessment (SVA – Security Vulnerability Assessment). These assessments typically focus on the cyber elements, which leaves gaps in both compliance and security. Even if your current role concerns only the cyber aspects, a cyber-only assessment still leaves vulnerabilities in your cyber security, because the physical, operational and human elements can provide an attack path into your cyber systems. It is therefore highly recommended that, in addition to your SVA, you also perform a physical SVA and/or a "Red Team" test. These tests evaluate all aspects of your cyber, physical, operational and "human factor" security.

(TECHNICAL NOTE: Only assessment methods approved for SCADA or process control system (PCS) environments should be used, and only by individuals with extensive experience in assessing and testing SCADA and PCS environments. In particular, active tests should be run against a backup system, a test lab, or another non-production environment of like systems and configurations. Only very specific, truly passive tests that have already been proven safe on non-production systems should be performed on production environments. Even an ordinary port scan or ping sweep has been known to crash PLCs and RTUs, so "passive" must be taken literally: observe traffic and configurations, and send nothing to the devices.)

(LEGAL NOTE: How an operator documents and communicates the results of any security vulnerability assessment is critical. Failure to manage the documentation may result in the assessment simply serving as a road map for attorneys or agencies to attack the security program. Such misuse can occur even when those attacks take the necessary self-critical analysis out of context and ignore the fact that the company based its security decisions on a risk matrix that carefully weighed probability and consequences to address the most viable and serious threats.)

5. Assessment Validation – All analysis and SVA results must be validated. This can be accomplished by a combination of results analysis, penetration testing and interviews. For cyber assessments, simply running vulnerability scanners such as Nessus and reconnaissance tools such as Nmap does not constitute a complete and proper vulnerability assessment. In addition to leaving gaps in coverage, these tools produce both false positives (findings that must be confirmed by hand before they drive remediation) and false negatives (weaknesses the tools do not detect at all).

(TECHNICAL NOTE: As with the SVA itself, only testing methods approved for SCADA or process control system environments may be used to validate results in these environments.)

6. Risk Analysis – All of the data gathered so far in this phase must be analyzed to provide a clear picture of the current levels of security, compliance and risk. Any risk formulas and threat models used should be specific to your industry and customized for your organization. This can be a complex step, requiring an experienced professional versed in risk analysis formulas and threat modeling.
