Calculating Cybersecurity Risk and Selecting Mitigations in Power
11/04/2020
AGENDA
01 Operational Technology Threats
02 Assessment Roadmap
03 Mitigations / Cyber Maturity
04 Q&A / FAQs
01 Operational Technology Threat Landscape
Threats, Vulnerabilities & Risk
• A THREAT is a circumstance or event with the potential to adversely impact organizational operations.
• A VULNERABILITY is a weakness in the OT system that can be exploited by a threat.
• A RISK is the potential for an unwanted outcome resulting from an event, usually expressed as a function of the likelihood of the event and the consequence if it occurs.
OT vs. IT Systems
Information Technology
• User centric
• Managed by IT experts
• Sensitive corporate data
• Sensitive client data
• Unpredictable (human-driven) behavior
Operational Technology
• Machine-to-machine
• Maintained by facility operations
• Critical building functions
• Critical process functions
• Predictable device behavior
CIA Triad: Confidentiality, Integrity, Availability. IT security traditionally prioritizes the three in that order; OT reverses it, putting availability (and safety) first, then integrity, then confidentiality.
Elimination of all risk is Not Possible
Source: Accenture 2019 Cost of Cybersecurity Crime Report
So What?
Consequences…
• Reputation
• Safety
• Regulatory
• Environmental
• Legal
• Financial
Who is the adversary?
General Classifications
• Insider threat / outsider threat
• Motivated vs. non-motivated
• Skilled vs. unskilled
• Malicious vs. accidental
Outside Groups
• Nation states
• Ransomware as a Service (RaaS) operators
• Hacking groups
• Activists, disgruntled individuals
• Anyone looking to cause harm…
Cybersecurity & Infrastructure Security Agency (CISA) Current Nation State Threats
Notable ICS/OT incidents:
• June 2019: reported US intrusions into Russian power grid control systems
• 2019: a Western US utility (not named publicly) lost monitoring and control visibility for about 10 hours (denial of service against perimeter firewalls)
• September 2019: malware found on a computer at the Kudankulam nuclear plant, operated by Nuclear Power Corporation of India Limited (NPCIL); NPCIL stated the plant control systems were not affected
• December 2016: Ukraine power grid shutdown (about 1 hour, Kyiv area substation)
• December 2015: Ukraine power grid shutdown (about 225,000 customers without power)
• 2017-2019: Triconex safety instrumented system attacks (TRITON/TRISIS, multiple sites)
• 2014: smart meter attacks (5 cities)
• 2013: Bowman Avenue Dam, NY
• 2011: Illinois municipal water utility "hack" from a Russian IP address ("From Russia w/Love"), later found to be a contractor's legitimate remote login rather than an attack
• 2010: Stuxnet
Successful Attacks
“In 2019, OT targeting increased 2000% over one year with more attacks on ICS and OT infrastructure than any of the prior three years. Most observed attacks involved a combination of known vulnerabilities within SCADA and ICS hardware as well as password-spraying.”
-- IBM X-Force, 2020
02 Assessment Roadmap
Risk Management
• Mitigation of cybersecurity risk in systems and organizations is the practice of risk management
• Risk management assumes you cannot eliminate risk, but you can mitigate it
• Mitigating your risk requires that you know your risk
• Knowing your risk requires a risk assessment
High Level Risk Assessment
• Starting point for any level of assessment
• Identifies "low hanging fruit"
• Methodology
  • Use case / survey
  • Subjective evaluation
  • Risk = a security control that is not fully achieved
• Limitations
  • Does not address configuration
  • Does not consider ROI, risk tolerance, financial capability, consequence or resilience
  • What value does this provide when your system has already been compromised?
Source: ISA 62443-2-1 (Figure B.3)
Vulnerability / Detailed Risk Assessment
Source: ISA 62443-2-1 (Figure B.4)
• Methodology
  • Systematic approach
  • Network data captures (PCAP)
  • Configuration capture / scans
• Documentation outcomes
  • Comprehensive network inventory
  • Purdue Model network diagram with data flows
• Identify vulnerabilities
  • National Vulnerability Database (NVD)
  • ICS-CERT advisories
  • OEM vendor alerts
• Risk / consequence calculations
• Limitations
  • Requires hands-on access to systems
  • Increased cost and time
  • Resource availability
• Outcomes
  • Master plan level project scope and fee
  • Grouping of risks / vulnerabilities into prioritized projects
  • Specific device-level vulnerabilities and mitigations
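A worked example of the "network data captures → inventory → Purdue diagram with data flows" step above, added here as an illustration; it is not from the presentation or from any ISA 62443 tooling. The subnet-to-level map, the port-to-protocol tables and the capture lines (laid out the way `tshark -T fields` prints them) are constructed assumptions; substitute the site's own addressing plan and a real capture.

```python
"""Asset inventory and Purdue data-flow check from a packet-capture summary.

Added example, not from the presentation. Everything below the imports is a
constructed assumption: the addressing plan, the port tables and the capture
lines. Real input would come from a capture taken during the assessment, e.g.:
  tshark -r ot.pcap -T fields -E separator=/t \
      -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
"""
import ipaddress
from collections import defaultdict

# Assumed site addressing plan -> Purdue zone label (constructed).
LEVEL_OF_SUBNET = {
    "10.0.1.0/24": "L1",    # PLCs / RTUs
    "10.0.2.0/24": "L2",    # HMIs, engineering workstations
    "10.0.3.0/24": "L3",    # historian, OT domain services
    "10.0.35.0/24": "DMZ",  # OT DMZ: jump host, replicated historian
    "10.10.0.0/16": "L4",   # corporate LAN
}
# Ordinal rank of each zone: a flow should only cross to an adjacent rank.
RANK = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "DMZ": 4, "L4": 5, "EXT": 6}
FIELDBUS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm", 2404: "iec104"}
OTHER_PORTS = {4840: "opcua", 3389: "rdp", 445: "smb", 22: "ssh", 443: "https", 53: "dns"}

NETWORKS = [(ipaddress.ip_network(n), lvl) for n, lvl in LEVEL_OF_SUBNET.items()]


def level_of(ip):
    """Map an address to its Purdue zone; anything off the plan is EXT (unknown/internet)."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in NETWORKS if addr in net), "EXT")


def proto_name(proto, port):
    return FIELDBUS_PORTS.get(port) or OTHER_PORTS.get(port) or f"{proto}/{port}"


def parse_tshark_fields(text):
    """Turn tshark -T fields lines into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, tport, uport = (line.split("\t") + [""] * 5)[:5]
        if not src or not dst:
            continue  # non-IP frames (ARP, LLDP) have empty ip.* fields
        proto = {"6": "tcp", "17": "udp"}.get(proto, proto)
        flows.append((src, dst, proto, int(tport or uport or 0)))
    return flows


def inventory(flows):
    """Per-host view: zone, services it answers on, and peers it initiates to."""
    hosts = defaultdict(lambda: {"level": None, "serves": set(), "talks_to": set()})
    for src, dst, proto, port in flows:
        hosts[src]["level"] = level_of(src)
        hosts[dst]["level"] = level_of(dst)
        hosts[dst]["serves"].add(proto_name(proto, port))
        hosts[src]["talks_to"].add(dst)
    return dict(hosts)


def purdue_edges(flows):
    """Zone-to-zone edges with protocol: the data-flow diagram in tabular form."""
    return sorted({(level_of(s), level_of(d), proto_name(p, port)) for s, d, p, port in flows})


def findings(flows):
    """Flag flows that a strict Purdue segmentation model would not allow."""
    out = []
    for src, dst, proto, port in flows:
        a, b, name = level_of(src), level_of(dst), proto_name(proto, port)
        if "EXT" in (a, b):
            out.append(("unknown_or_external_host", src, dst, name))
        elif port in FIELDBUS_PORTS and max(RANK[a], RANK[b]) > RANK["L2"]:
            out.append(("fieldbus_above_level_2", src, dst, name))
        elif abs(RANK[a] - RANK[b]) > 1:
            out.append(("level_skip", src, dst, name))
    return out


# Constructed capture summary (tab-separated, as tshark -T fields prints it).
CAPTURE = "\n".join([
    "10.0.2.10\t10.0.1.5\t6\t502\t",        # HMI -> PLC, Modbus/TCP: expected
    "10.0.2.11\t10.0.1.6\t6\t44818\t",      # EWS -> PLC, EtherNet/IP: expected
    "10.0.3.20\t10.0.2.10\t6\t4840\t",      # historian polling HMI OPC UA server: expected
    "\t\t\t\t",                              # ARP frame: no IP fields
    "10.10.4.77\t10.0.1.5\t6\t502\t",       # corporate host writing Modbus to a PLC
    "10.10.4.78\t10.0.2.10\t6\t3389\t",     # corporate RDP straight to the HMI
    "10.0.35.5\t10.0.3.20\t6\t443\t",       # DMZ replica pulling from historian: expected
    "10.10.4.79\t10.0.35.5\t6\t3389\t",     # corporate -> DMZ jump host: expected
    "10.0.2.11\t8.8.8.8\t17\t\t53",         # EWS resolving DNS on the internet
    "192.168.77.3\t10.0.1.6\t6\t102\t",     # host not in the addressing plan talking S7comm
])

if __name__ == "__main__":
    flows = parse_tshark_fields(CAPTURE)
    for host, info in sorted(inventory(flows).items(), key=lambda kv: RANK[kv[1]["level"]]):
        print(f"{info['level']:<4}{host:<14}serves={sorted(info['serves'])}")
    for edge in purdue_edges(flows):
        print("flow", *edge)
    for f in findings(flows):
        print("FINDING", *f)
```

On the constructed capture this yields eleven inventoried hosts, nine zone-to-zone edges for the diagram, and four findings: a corporate host speaking Modbus directly to a PLC, corporate RDP bypassing the DMZ into the HMI, an engineering workstation reaching the internet, and a host that is not in the addressing plan at all (an inventory gap to chase down before any vulnerability lookup).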
Penetration Testing
• Use when risk tolerance is low and cyber maturity has reached a proactive state
• "Put your best face on first": test after baseline mitigations are in place, not before
• Limitations
  • Should only be performed on non-production networks (test or replica systems)
  • Risk of adverse or unexpected reactions to attack traffic
  • Potential consequences include damaging or disabling equipment
• Precautions
  • Back up all systems before the test and restore all systems to a known good state after it
Source: SANS
Disaster Recovery, Emergency Response & Business Continuity
A disaster recovery plan (DRP) is a documented process or set of procedures to execute an organization's disaster recovery processes.
Emergency Response focuses on the safety and protection of life, assets, and the environment.
Business Continuity focuses on continuing the operations of the business until it can return to normal.
• Define:
  • Recovery Time Objective (RTO): the maximum tolerable time to restore the system
  • Recovery Point Objective (RPO): the maximum tolerable data loss, i.e. how old the last good backup may be
• Document:
  • Procedures
  • Resources
  • Communications
  • Dependencies
• Maintain:
  • Scheduled updates
  • Lessons learned
• Train:
  • Table top exercises
  • Manual operations days
Common Results
• Undefined risk tolerance
• Missing or outdated documentation, policies and procedures
• The human . . . always
• Control system maintenance & aged equipment
• Missing or untested backups
• Design deficiencies
• Disaster recovery / emergency response plan (ERP) does not include control systems
• Physical security and monitoring
• Significant configuration issues
03 Mitigations & Cybersecurity Maturity
Myths & Misconceptions
• "Air gapped" = safe
• We don't need patching / updates
• Too small to be hacked
• Our systems integrator…
• Our IT staff…
• We know our staff would never…
Where to start?
• Define the organization's cybersecurity risk tolerance
• You cannot protect what you do not know: network diagrams, asset inventories
• Maintain and test backups
• Disaster recovery: have a plan
• Defense in depth
  • People
  • Processes (policies and procedures)
  • Technologies
  • Reference architecture
Source: ISA 62443
Governance: PEOPLE, Processes & Technologies
PEOPLE
• Risk management leadership team
  • Recognize cybersecurity as a risk
  • Assign responsibility for oversight
  • Define acceptable levels of risk
• Establish or adopt a risk management framework
  • Identify best practices and industry standards for adoption
  • NIST SP 800-53 (IT systems)
  • NIST SP 800-82 (OT / ICS systems)
  • ISA/IEC 62443 (OT systems)
  • NERC CIP / FERC requirements
• Train staff on role-specific cybersecurity
  • Establish roles and responsibilities through processes, procedures and job functions
  • Incident response planning and simulations
Source: NIST
Governance: People, PROCESSES & Technologies
PROCESSES & POLICIES
• Develop cybersecurity policies
  • Organizational (IT systems)
  • Special risk systems
    • Operational technologies
    • Critical operations systems
    • Life safety systems
  • Change management
  • Many others
• Develop procedures for role-based interactions with systems
• Update emergency response plans and disaster recovery for cyber attacks
• Complete risk assessments at the frequency defined by policy
Governance: People, Processes & TECHNOLOGIES
TECHNOLOGIES
• Secure existing infrastructure by following a standard
• Leverage technology to:
  • Protect against human error
  • Enforce policies through auditing
  • Aid in procedures
  • Limit accessibility
  • Detect anomalies
  • Recover from attacks
  • Provide staff the tools for success
• Connected devices (and data flows) must have a business purpose approved by a governance team
• Least functionality & least privilege
Mitigation Prioritization & Selection
• Owner must define risk tolerance and priorities
• Mitigation prioritization
  • Balance: convenience vs. risk
  • Balance: likelihood & consequence vs. cost
• Consider
  • Staff capabilities and training
  • Maintenance costs
  • Monitoring
• Risk management is a continuous lifecycle
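A worked example of the "risk / consequence calculations" item on the detailed assessment slide and of the "likelihood & consequence vs. cost" balance above, added here as an illustration; it is not from the presentation or from any ISA 62443 tooling. The 1-5 scales, the four risk scenarios, the mitigation catalog, its costs and the assumed effect of each mitigation are constructed; the owner's tolerance (a score above 8 is unacceptable) is an assumed policy.

```python
"""Risk scoring and mitigation selection against an owner-defined tolerance.

Added example, not from the presentation. The 1-5 likelihood and consequence
scales, the four risk scenarios, the mitigation catalog, its costs and its
assumed effects are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    scenario: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (severe: safety / extended outage)


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: int     # assumed: capital plus five years of maintenance and monitoring, USD
    effect: dict  # rid -> (likelihood steps removed, consequence steps removed)


def residual(risk, applied):
    """Likelihood x consequence after the applied mitigations (each axis floors at 1)."""
    dl = sum(m.effect.get(risk.rid, (0, 0))[0] for m in applied)
    dc = sum(m.effect.get(risk.rid, (0, 0))[1] for m in applied)
    return max(1, risk.likelihood - dl) * max(1, risk.consequence - dc)


def excess(risks, applied, tolerance):
    """Total score sitting above the owner's tolerance; 0 means all risks are acceptable."""
    return sum(max(0, residual(r, applied) - tolerance) for r in risks)


def prioritize(risks, catalog, tolerance, budget):
    """Greedy selection: repeatedly buy the affordable mitigation that removes the
    most above-tolerance risk per dollar, until all risks are within tolerance or
    no affordable mitigation still helps. Returns what was picked and what is left."""
    applied, remaining, spent = [], list(catalog), 0
    while (current := excess(risks, applied, tolerance)) > 0:
        best, best_ratio = None, 0.0
        for m in remaining:
            if spent + m.cost > budget:
                continue
            ratio = (current - excess(risks, applied + [m], tolerance)) / m.cost
            if ratio > best_ratio:
                best, best_ratio = m, ratio
        if best is None:
            break  # budget or catalog exhausted: residual risk must be accepted or funded
        applied.append(best)
        remaining.remove(best)
        spent += best.cost
    return {
        "selected": [m.name for m in applied],
        "spent": spent,
        "residual": {r.rid: residual(r, applied) for r in risks},
        "unresolved": [r.rid for r in risks if residual(r, applied) > tolerance],
    }


# Constructed risk register, as a detailed assessment would produce it.
RISKS = [
    Risk("R1", "HMI-01", "ransomware via vendor remote access", 4, 4),
    Risk("R2", "PLC-03", "unauthenticated Modbus/TCP write from the corporate LAN", 3, 5),
    Risk("R3", "HIST-01", "known vulnerability in unpatched historian exploited", 4, 3),
    Risk("R4", "ENG-WS-02", "malware introduced on a USB drive", 3, 2),
]
CATALOG = [
    Mitigation("OT/corporate segmentation (firewall + DMZ)", 120_000,
               {"R1": (1, 0), "R2": (2, 0), "R3": (1, 0)}),
    Mitigation("MFA and jump host for remote access", 40_000, {"R1": (2, 0)}),
    Mitigation("tested offline backups for HMI and historian", 15_000,
               {"R1": (0, 2), "R3": (0, 1)}),
    Mitigation("USB device control on engineering workstations", 8_000, {"R4": (2, 0)}),
    Mitigation("patch historian to vendor-supported release", 6_000, {"R3": (2, 0)}),
]


def plan(budget, tolerance=8):
    """Tolerance 8 means a 1-5 x 1-5 score above 8 is unacceptable (assumed owner policy)."""
    return prioritize(RISKS, CATALOG, tolerance, budget)


if __name__ == "__main__":
    for budget in (150_000, 100_000):
        print(budget, plan(budget))
```

With a 150,000 budget the greedy pass buys tested backups first (the cheapest consequence reduction, which also covers the historian) and then the segmentation project, which is the only item that brings the PLC exposure within tolerance; total 135,000. With a 100,000 budget segmentation is unaffordable, R2 stays at 15, and the owner has to either accept that residual risk in writing or fund it. Convenience, staff capability and monitoring cost are not in the score; they are the "Consider" items applied to the candidates the calculation surfaces.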
04 Q&A / FAQs
Question: Who would ever hack a power utility?
• Response: Anyone looking to cause harm to the utility or the public is a potential adversary.
Question: My system is "air gapped", doesn't this make me safe?
• Response: No. Air gapped systems are vulnerable to insider attack, rely on humans to control and restrict the introduction of risk (removable media, vendor laptops, temporary connections), and tend to be unmonitored and unpatched.
Question: I'm new to cyber, what are some good resources to increase my knowledge?
• Response: ICS-CERT free training (https://us-cert.cisa.gov/ics/Training-Available-Through-ICS-CERT)
Question: How do I fund cybersecurity?
• Response:
  • Integrate control systems into asset management planning
  • Engage cybersecurity early in projects; this reduces costs and impact to operations
  • Develop ROI metrics to justify the cost of mitigations vs. the potential impact of an event
"You have to be right 100% of the time; the cyber criminals only have to be right once!"