CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

Transcription

1 1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP

2 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million

3 3 MAROOCHY WATER DISTRICT 2000 Malicious insider hack attack 800,000 litres of raw sewage spilled > $1million

4 4 NEW ORLEANS 29 August 2005 Hurricane 1464 dead Major, continuing economic & social losses >$150 Billion est. cost

5 5 NORTHEASTERN NORTH AMERICA 14 August 2003 Power blackout cascading failure 2 days 11 deaths > 50 million people affected $6 Billion est. cost

6 6 FUKUSHIMA 11 March 2011 Earthquake & Tsunami 2 nd worst radiation release >300,000 evacuated

7 7

8 8

9 9

10 10 CRITICAL INFRASTRUCTURE PROTECTION The art & science of preparing an organization to be resilient in the face of catastrophe

11 11 Interdependencies , Critical Infrastructure Institute

12 12 Interdependencies

13 13 All Hazards

14 All Hazards THREAT SPECTRUM Tends Towards Criminal Threats Tends Towards Asymmetric Threats Hazards Tends Towards Military Threats

15 15 Resiliency

16 CIP ASSESSMENT PROGRAM Comprehensive evaluation of the current state of the organization s: Critical assets Threat/risk situation Event management and recovery capability Operational resilience

17 CIP ASSESSMENT PROGRAM OBJECTIVE Assist management with an assessment of local CIP and security activities Offer recommendations based on the likelihood of various threat/hazard scenarios

18 CIP ASSESSMENT TEAM

19 PROCESS METHODOLOGY

20 NATURAL GAS ELECTRICITY GENERATING PLANTS Putrajaya Malaysia 625 MW GTAA 112 MW

21 ENERGY FACILITY COMBINED CYCLE GAS TURBINE PLANT To Electricity Grid (Output) Transformer Natural Gas Supply (Input)

22 22 CIP ASSESSMENT METHODOLOGY No impact on normal operations No test or compromise of security systems

23 CIP RISK MANAGEMENT MODEL Measures & Controls to Safeguard Assets Mission Criticality Assessment Threat Assessment Vulnerability Assessment Risk Assessment R I S K M A N A G E M E N T Assets Personnel Materiel/ Objects Facilities & Infrastructure Information Activities I N C I D E N T Plan, Supervise and Review Conditions for Mission Success Consequence Management Incident Response Management Action Management Reaction , Critical Infrastructure Institute

24 DEFINE THE MISSION We aim to be an efficient and dynamic power generation facility that provides a quality product in the areas of safety, customer service, reliability, and shareholder value, while ensuring minimal environmental impact Via MISSION ANALYSIS PROCESS Tasks & Assets needed to accomplish the mission Page: 24

25 ASSESS CRITICALITY Why Criticality It is not possible to protect everything all of the time A CIP program needs to identify, evaluate and prioritize those assets that are most critical to mission success Criticality Assessment Identifies, evaluates and prioritizes those assets that are most critical to achieving mission success Methodologies such as CARVER, Business Impact Assessment (BIA) and Statement of Sensitivity provide a systematic way to determine and rank criticality

26 ASSESS CRITICALITY: CARVER TOOL Asset C A R V E R Total Comments Gas Turbines (x 3) Starting Generator Heat Exchangers (x 3) Steam Turbine Switch Relay Control Bldg Gas Supply Lines Central Control Bldg Used to determine criticality of assets to services/operations Assess each criteria from 1-10, with 10 having most grave consequences

27 ASSESS THREATS AND HAZARDS Threat/Hazard A real or potential condition that has the ability to compromise the availability, integrity or confidentiality of an asset Condition may be Deliberate (Malicious) Environmental (Natural) Accidental

28 Situational Awareness Assessment Full Spectrum Threat Categories Criminal Cyber Natural Accidents Espionage Terrorism Medium Medium Low Low Low Low Fraud Hacking Snow/Ice Storm Str Collapse Industrial Bombing Theft Insert Malware Lightning Strike Fire Commercial Armed Attack Vandalism Denial of Svc Wind Storm Explosion Foreign Intel Intimidation Drug Use Disruption Flood Transportation Disease Sabotage Disturbance Government Subversion Low Negligible Negligible Negligible Negligible Pandemic Food Poisoning Full Spectrum Threat Categories Disgruntled Employee Single Issue Environmental Policy Supremacist Groups Demonstration Work Slow down Economic Policy Anarchists Stress Strike Regulation Environmental Chart shows likelihood of occurrence

29 ASSESS VULNERABILITY Vulnerability The characteristics of an asset s design, location, security posture, process, or operation that render it susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, or malicious acts Vulnerability Assessment Identify areas of weakness that could result in consequences of concern, taking into account intrinsic structural weaknesses, protective measures, resiliency, and redundancies

30 VULNERABILITY ASSESSMENT - FORMAT FOR OBSERVATIONS Vulnerabilities, Concerns and Positives (Best Practices) from each Functional Specialist Vulnerability An inherent weakness, situation or circumstance that, if left unchanged, may result in loss of life or damage to missionessential resources Concern Noted deviation from best CIP practices that, if not addressed or monitored, could become a vulnerability if impacted by other factors Positive Best practice worth noting Page: 30

31 VULNERABILITIES OBSERVED Situational Awareness Poor top-down communication of potential hazards and threats to employees Lack of enforcement of restrictions on photography Physical Security Failure to enforce access control policy ( tail gating ) Lack of a lock down plan Insufficient security force for higher threat levels Lack of liaison with local law enforcement agencies Engineering Congestion in vehicle inspection area at front gate Lack of a barrier plan Insecure diesel fuel tank for start up generator Inconsistent monitoring of fuel quality

32 VULNERABILITIES OBSERVED Information Technology Security No specific security policy and procedures for SCADA Outdated cyber defences for Enterprise System Inadequate Disaster Recovery Plan for Enterprise System Enterprise System and SCADA passwords and User Identification shared by all production staff OHS and HAZMAT Lack of a pandemic plan Incomplete listing of HAZMAT storage Emergency Response Failure to coordinate security, fire and Emergency Response plans

33 ASSESS RISK Risk Refers to the uncertainty that surrounds future events and outcomes - GoC Integrated Risk Management Framework Attributes of Risk Risk results from a combination of an asset, a threat/hazard, and a vulnerability All three elements must be present If any element is missing, there is no risk RISK VULNERABILITY

34 RISK IMPACT & PROBABILITY TABLE Risk is a factor of Impact and Probability. In this example, impact and probability is measured by assigning numbers. The higher the number, the higher the risk

35 Risk Assessment Consolidated Criticality, Threat, Vulnerability and Risk Table

36 RECOMMEND RISK MANAGEMENT OPTIONS Risk Management The process of selecting and implementing decisions that will minimize the adverse effects of losses due to destruction, disruption or injury, to achieve an acceptable level of risk at an acceptable cost Risk Controls or Safeguards Actions taken to mitigate risks, normally by reducing their probability or impact. They include actions to detect, deny, deter, distract, delay, prevent, protect, respond, destroy, repair, recover and restore

37 RISK MANAGEMENT CONTROLS Engineering Vulnerability: Insecure diesel fuel tank for start up generator Description: Fuel tank has no additional security features other than installation outer security fence. Should fuel tank or fuel supply be tampered with, cold start will not be possible Risk Management Options: Construct back-up fuel tank Construct concrete barrier around tank (s) Install security fence around tank (s) with access controls Install additional lighting Fit locks to filler caps Install intrusion detection system Recommendation: All of the above Page: 37

38 RISK MANAGEMENT CONTROLS Information Technology Security Vulnerability: No specific security policy and procedures for Supervisory Controls and Data Acquisition (SCADA) System in Central Control Building Description: Although there is a Security Policy for IT Enterprise network, there is no specific Security Policy and Procedures on installation SCADA System that provides process control to all systems Risk Management Options: Establish SCADA Security Policy and Procedures Establish Security Awareness and Training plan Recommendation: Develop and implement/disseminate SCADA Security Policy and Procedures Develop and implement SCADA Security awareness and training Page: 38

39 EVALUATE EMERGENCY MANAGEMENT Evaluate plans for Incident Response (Response) Efforts to contain, alleviate or terminate an apprehended incident, to identify and bring to account the threat agents, and to gather information and preserve evidence to that end - PSC Consequence Management (Recovery) Coordination and implementation of measures intended to mitigate the damage, loss, hardship and suffering caused by acts of violence or natural disasters, including measures to restore service, to protect health and safety, and to provide emergency relief - PSC

40 OUT BRIEF - AGENDA Purpose Briefing format Critical Assets Situational Awareness Key observations from Specialists on: Situational Awareness Security Engineering Information Protection Occupational Health/Safety/HAZMAT Emergency Management Sample Threat/Hazard Scenario (s) Summary

41 OUT BRIEF - CIP ASSESSMENT DASHBOARD Installation CIP Readiness CIP Vulnerability Assessment Components Ready Ready w/minor Limitations Ready w/major Limitations Not Ready A. Situational Awareness B. Security C. Engineering D. Information Technology Protection E. Occupational Health & Safety F. HAZMAT Response G. Emergency Management

42 DELIVERABLES CIP Assessment Out-brief Assessment team will offer procedural and/or resource-based solutions Draft Executive Summary and Annexes from functional specialists Final Report (30 Days after Assessment) , Critical Infrastructure Institute

43 43 SUMMARY Every organization has critical infrastructure Understanding your CI and the risks you face increases operational resilience A comprehensive CIP assessment can contribute Sometimes the findings are surprising!

44 44 FURTHER INFORMATION Gavin McLintock McLintock Consulting Peter Johnston President Lansdowne Technologies Inc