Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach.

Size: px
Start display at page:

Download "Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services"

Transcription

1 Oil & Gas Industry Towards Global Security A Holistic Security Risk Management Approach

2

3 Oil & Gas Industry Towards Global Security This white paper discusses current security issues in oil and gas industry and suggests a holistic security risk management approach to manage security risks to an acceptable level whilst optimizing financial investment. Threats In The Oil And Gas Field Safe and reliable energy is a vital link in the nation s critical infrastructure. Oil and gas products play an important role in national economy, national security and are integral to the way of life. As such, security has always been and continues to be a priority across the oil and gas industry. Reports from many international government agencies confirm that various terrorism groups target the oil and gas industry. The petroleum industry is in all probability generally subject to these threats due to several factors: The physical and chemical properties of the materials processed, stored and handled at these facilities may create attractive targets for an adversary to cause malicious release with the intent to harm a neighboring population. The critical importance of the products produced by companies, to the domestic and international infrastructures and to other businesses and individuals, may make disruption of operations of the petroleum industry an attractive option. The risks from terrorist attacks to the energy supply vary by segment of the industry, which is broadly defined as exploration and production, refining, pipeline transportation (liquids), marine transportation, products distribution and marketing. Nowadays, with the emergence of new kind of conflicts, asymmetric threats using unconventional warfare tactics are the primary threats to critical infrastructures. This is especially true for oil and gas industry now involved in asymmetric conflicts. Oil and gas private security forces are facing now new unconventional opponents such as terrorists (international and national), activists, pressure groups, single issue zealots, disgruntled employees, or criminals, whether white collar, cyber hackers, organized or opportunists. These threats may come from insider activity, external action, or insiders colluding with external adversaries. These opponents use different attacks including car suicide bombing, mortar rain, rocket propelled grenade, improvised explosive devices (IED), ambushes, hostages, hijacking, kidnapping, computer hacking, information warfare, and so on. The attacks can be complex and coordinated and can exploit a combination of physical, logical (information technology), environmental, organizational and human weaknesses. 3

4 > Oil And Gas Critical Infrastructures The potential threats are directed against the whole oil and gas infrastructures but could target their critical and strategic assets such as: Oil and gas specific segments: Reservoirs, wells, offshore production facilities, pipeline systems, mass storage facilities and oil refineries. Buildings: Administration offices, corporate offices, command and control rooms. Equipment: Process units and associated control systems, product storage tanks, surge vessels, boilers, turbines, process heaters, sewer systems. Support systems: Utilities such as natural gas lines, electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities. Transportation interface: Railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving facility, marine vessels and dock area, off site storage areas. Cyber systems and information technology: SCADA systems, computer systems, networks, devices with remote maintenance ports, laptops, PDAs. Therefore, to protect those assets, the security measures should be inline with the threat level and adapted to the security risk level. Security Risks To address this issue the security needs to be evaluated in order to fully analyze the major security risks: a risk is a combination between the probability of the threat and the potential impact on a critical asset. This is a complex task and therefore a holistic security risk management methodology is required that enables all security risks levels to be identified, whilst also evaluating the existing technology (which should cover logical, physical and environmental issues), organization and human factors security solutions. The evaluation of the security risks starts with the identification of the threats, the critical assets and the vulnerabilities. Then for each security risk that needs to be mitigated security objectives are defined. Security solutions are then implemented. Loss of human life (killed, injured) Economic impact of destruction or disruption Business impact Political consequences on public confidence Potential for loss of energy supply to civilian areas Potential impacts for environment Extended time needed to repair Potential for interdependency effects 4

5 Security Risk Management The objective is to define a security program based on a collective effort that seeks to reduce the likelihood that industry personnel, their families, facilities and materials shall be subject to any kind of attack, and to prepare to respond to the consequences of such attacks should they occur. This section describes the security management process to mitigate the risks and to develop a security program. Based on interviews, site surveys and documentation, the following areas have to be addressed: Threat Assessment i.e. Define alert levels, identify the threats and evaluate probability. Criticality Assessment i.e. Identify critical assets and define asset criticality levels. Vulnerability Assessment i.e. identify vulnerabilities and evaluate criticality. This includes manpower and security force protection assessments. Risk Assessment i.e. identify and evaluate the risks based on previous assessments conclusions. Consequently for each risks identified, the management decides whether the risk should be controlled, ignored, insured or accepted. The first step is to set up the internal organization to pilot the risk management process and to define the scope and objectives of the Security Committee and the Security Working Groups. The organization should be based on: Security Committee, the SC includes top management that develops security strategy, provides guidance, direction and cooperation. Security Working Groups, the SWG take actions, provide inputs and feedbacks. They develop and recommend policy, prepare planning documents, conduct risk assessments. One of the SWG is the Threat WG, which consists on Counterintelligence representative, Law Enforcement representative, Information Operations representative and the Chemical, Biological, Radiological, Nuclear and High Yield Explosive (CBRNE) representative. Larger installations may include additional personnel as assigned by the SC. If the decision is to control the risk, security objectives are defined. Then the security solutions (based on technology, organization or human factors) should be provided (based on risk priority and objectives). Those solutions are categorized as prevention, detection, response and recovery. As a result, conclusions are formalized in the Security Master Plan (SMP). 5

6 > Implement Solutions Appropriate security solutions defined in the Security Master Plan should be implemented through a series of actions including: Prioritization of recommended security solutions. Planning implementation and funding of security solutions. The quality of this security management process is maintained using the PDCA model: Plan: Establish or update the Security Master Plan to improve security. Do: Implement and operate the actions defined in the SMP. Check: Monitor, review the actions and report the results to decision makers. Act: Maintain and improve the actions. The management of security risks includes evaluating risks, developing solutions, making decisions, implementing solutions, supervising, reviewing and improving security level. These are essential follow-through actions of the risk management process. After identifying and implementing additional countermeasures or mitigation efforts, it is essential to recalculate the risks. A risk management scorecard is appreciated. A yearly complete risk assessment is recommended. Best Practices In Security Management With decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses, Thales has identified some best practices of security management: Risk management: Integrate holistic security risk management into the corporate risk management process. Security organization: Create senior level security committee, Security Working Groups, corporate security risk manager and local security officers (IT, safety, facility, etc.). Coordination: Develop coordination with government and stakeholders (customers, suppliers, infrastructure providers). Security Master Plan: Define the security doctrine, the operational concept and the means to achieve an efficient level of security. Resilience management: As global security is impossible to achieve, resilient system designs and procedures should be adaptable to the unpredictable. Contingency plans (business continuity and emergency response and disaster plans) should be formalized, tested and updated for rapid recovery from disruptions. Interdependencies: Evaluate contingency plans from an infrastructure interdependencies perspectives and enhance coordination with other infrastructure providers (e.g. electric power, telecommunications, water, transportation). Human resource: Background investigations for new hires and periodic updates for current employees, define a hiring policy, implement structured security requirements for critical suppliers and partners. Formalized security policies and procedures. Raise employee awareness and education to be proactive on security matters. Physical security: Identify and restrict access to sensitive areas, implement access control list and badge program. Increase security checkpoints, manned facilities, video surveillance, badge identification, tracking of people and vehicles, escorted visitors and flyovers. Information System and Network architecture: Define LAN/WAN network perimeter, minimize external connections, keep up to date mapping of network, enhance security of mission critical systems, write and communicate an IT security policy. Enhance traffic filtering, authentication controls, encryption, and access controls, minimize or disable all unnecessary services and software, filter s, control viruses. The Scope of Work that is proposed in this white paper details the development of a security strategy, which includes those best practices. 6

7 Typical Thales Scope Of Work Thales can assist organizations in setting up a program to develop an efficient security risk management process. This program is scheduled in five steps, as described in the figure below: The original step is to define the scope of the Risk Management Program. Thales considers the following actions: Meet senior management. Understand the business objectives. Set up a Security Working Group. Define the scope of the System that will be concerned by the security risk management program i.e. one or more infrastructures. Outputs: Definition of the Security Working Group. Formalization of the scope of the System. Formalization of the planning of the security risk management program. The next step is to understand the organization and the System concerned by the scope. Thales considers the following actions: Understand the organization. Understand the relations with government agencies. Understand the System. Identify constraints such as business, industry, national and international regulations. Output: Understanding of the context. The next step is to analyze the security risks existing in the System. Thales considers the following actions: Visit the System. Undertake the threat assessment, the criticality assessment and the vulnerability assessment. Do the risk assessment. Select risks to accept, to ignore, to control or to insure. Propose security objectives. Recommend mitigation security solutions. Outputs: Security risk analysis results report. Based on the decisions of the Security Committee, a strategy is decided and a Security Master Plan is formalized to define the security doctrine and the operational concept. Thales considers the following actions: Define a security doctrine and an operational concept. Formalize the Security Master Plan. Plan implementation of security solutions. Calculate the return on security investment (ROSI). Propose a planning to implement the security solutions. Outputs: Security Risk Management Methodology document (adapted to the organization). Security Master Plan document. Security doctrine and operational concept document. Implementation plan report. Return on security investment report. The last step is the design and the implementation of the actions described in the Security Master Plan. Thales considers the following actions: Define a new security organization including the Security Committee and one or more Security Working Groups. Develop operational security procedures including crisis management, incident and antiterrorism responses. Design security control rooms. Define a training policy and develop a training program i.e. operational and technical. Implement physical security i.e. barriers, video surveillance, intrusion detection systems, access controls, etc. Implement information technology security i.e. LAN and WAN network, Information system architecture, server hardening, etc. Implement communications security i.e. confidentiality, anti-jamming, resilience, etc. Implement individual protective measures including personal protection for personnel and family members. Develop specific software to produce daily scorecard of the risk situation (option: with geographic information system support). Develop resilience solutions based on technology and organization. Maintain the solutions participating in the Do-Check-Act process. Outputs: Implementation and maintenance of the security solutions. To support this SOW, Thales has developed a specific software CASRIM i.e. Critical Asset Security RIsk Management. CASRIM helps Thales engineers to analyze the situation and produces graphical outputs of the risk analysis. 7

8 > Benefits Determining the risk is essential since the management must understand the threats, what assets are most important to protect, and which of those important assets are most vulnerable. Assessing security risk provides the value of an asset in relation to the threats and the vulnerabilities associated with it. This aids the management in balancing threats to vulnerabilities and the degree of risk that the management is willing to accept by not correcting, or perhaps being unable to correct, a vulnerability. For any vulnerability, the management shall manage risk by developing a strategy to deter incidents, employ countermeasures, mitigate the effects of an incident, and recover from an incident. The result of using a holistic methodology of this type ensures that minimum appropriate investments are directed into security solutions to reduce identified risks. In addition as there is integration between the security technology, the organizations objectives and processes, efficiencies can be gained whilst still remaining secure. Security features that have been factored into initial infrastructure facility design are more likely to be cost-effective, better integrated and more operationally useful than those superimposed on existing structures through add-ons or change orders. Likewise, security features which have been coordinated early in the planning and design process with the architects and other concerned regulatory bodies, as well as with end-users (employees, clients, law enforcement, public safety and regulatory agencies, and operations and maintenance personnel) are more likely to be well received and accepted, and thus more widely used and successful. 8

9 Oil & Gas Industry Towards Global Security Conclusion By implementing a holistic security risk management methodology, security solutions can be adapted to the changes in threats and security risks, and the levels of investment can be adjusted in accordance to the protection required. The oil and gas cycle from initial field exploration through production, transport and consumer retail operations is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable cost. The methodology developed in this white paper is scalable and can cover from a single infrastructure to the entire oil and gas chain starting with exploration, development and production, then on through pipeline transport to refineries and processing plants to storage facilities and then on to distribution of refined products by land or sea, finishing at the retail outlets. Philippe Bouvier Security Consulting Thales - Security Solutions & Services Division Organizations from around the world are already benefiting from the use of this methodology including military organizations, national airport authorities, energy and water companies, financial institutions and transportation companies. Thales brings together decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses. Thales is an unrivalled systems integrator of physical and IT security solutions for the oil and gas industry. If your organization would also like to reduce overall security costs, improve the efficiency of security investment and measurably reduce security risks then please contact your local THALES representative for more information. 9

10 Thales Security Solutions & Services Division Security Systems rue Grange Dame Rose CS Vélizy Cedex - France Tel: +33 (0) November Photos: Thales, GettyImages

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com

Oil and Gas Industry A Comprehensive Security Risk Management Approach. www.riskwatch.com Oil and Gas Industry A Comprehensive Security Risk Management Approach www.riskwatch.com Introduction This white paper explores the key security challenges facing the oil and gas industry and suggests

More information

Airport Infrastructure Security Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services

Airport Infrastructure Security Towards Global Security. A Holistic Security Risk Management Approach. www.thalesgroup.com/security-services Airport Infrastructure Security Towards Global Security A Holistic Security Risk Management Approach www.thalesgroup.com/security-services Airport Infrastructure Security Towards Global Security This

More information

TEXAS HOMELAND SECURITY STRATEGIC PLAN 2015-2020: PRIORITY ACTIONS

TEXAS HOMELAND SECURITY STRATEGIC PLAN 2015-2020: PRIORITY ACTIONS TEXAS HOMELAND SECURITY STRATEGIC PLAN 2015-2020: PRIORITY ACTIONS INTRODUCTION The purpose of this document is to list the aligned with each in the Texas Homeland Security Strategic Plan 2015-2020 (THSSP).

More information

Security Guidelines. for the Petroleum Industry. Third Edition. Petroleum Refineries. Liquid Petroleum Pipelines

Security Guidelines. for the Petroleum Industry. Third Edition. Petroleum Refineries. Liquid Petroleum Pipelines Third Edition Petroleum Refineries Liquid Petroleum Pipelines Security Guidelines for the Petroleum Industry Petroleum Products Distribution and Marketing Oil and Natural Gas Production Operations Marine

More information

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project

EEI Business Continuity. Threat Scenario Project (TSP) April 4, 2012. EEI Threat Scenario Project EEI Business Continuity Conference Threat Scenario (TSP) April 4, 2012 EEI Threat Scenario 1 Background EEI, working with a group of CIOs and Subject Matter Experts, conducted a survey with member companies

More information

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0

MAJOR PROJECTS CONSTRUCTION SAFETY STANDARD HS-09 Revision 0 MAJOR PROJECTS CONSTRUCTION SAFETY SECURITY MANAGEMENT PROGRAM STANDARD HS-09 Document Owner(s) Tom Munro Project/Organization Role Supervisor, Major Projects Safety & Security (Canada) Version Control:

More information

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes Joe Jarzombek, PMP, CSSLP Director for Software & Supply Chain Assurance Stakeholder

More information

Solutions and IT services for Oil-Gas & Energy markets

Solutions and IT services for Oil-Gas & Energy markets Solutions and IT services for The context Companies operating in the Oil-Gas & Energy sectors are facing radical changes that have a significant impact on their business processes. In this context, compliance

More information

v. 03/03/2015 Page ii

v. 03/03/2015 Page ii The Trident University International (Trident) catalog consists of two parts: Policy Handbook and Academic Programs, which reflect current academic policies, procedures, program and degree offerings, course

More information

Security Vulnerability Assessment

Security Vulnerability Assessment Security Vulnerability Assessment Deter, Detect, Delay, Respond the elements for minimizing your operational risk. A detailed SVA assists you to understand how best to do so. Security Vulnerability Assessment

More information

Protecting Organizations from Cyber Attack

Protecting Organizations from Cyber Attack Protecting Organizations from Cyber Attack Cliff Glantz and Guy Landine Pacific Northwest National Laboratory (PNNL) PO Box 999 Richland, WA 99352 cliff.glantz@pnnl.gov guy.landine@pnnl.gov 1 Key Topics

More information

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION ALBERTO AL HERNANDEZ, ARMY RESERVE OFFICER, SOFTWARE ENGINEER PH.D. CANDIDATE, SYSTEMS ENGINEERING PRESENTATION

More information

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE

CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE 1 CRITICAL INFRASTRUCTURE PROTECTION BUILDING ORGANIZATIONAL RESILIENCE Gavin McLintock P.Eng. CISSP PCIP 2 METCALFE POWER STATION 16 April 2013 Sophisticated physical attack 27 Days outage $15.4 million

More information

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005

AUDITOR GENERAL S REPORT. Protection of Critical Infrastructure Control Systems. Report 5 August 2005 AUDITOR GENERAL S REPORT Protection of Critical Infrastructure Control Systems Report 5 August 2005 Serving the Public Interest Serving the Public Interest THE SPEAKER LEGISLATIVE ASSEMBLY THE PRESIDENT

More information

U.S. DoD Physical Security Market

U.S. DoD Physical Security Market U.S. DoD Physical Security Market Technologies Used for DoD Applications June 2011 Table of Contents Executive Summary 7 Introduction 8 Definitions and Scope 9-11 Percentage of FY 2010 Total Budget Request

More information

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY JANUARY 2012 Table of Contents Executive Summary 1 Introduction 2 Our Strategic Goals 2 Our Strategic Approach 3 The Path Forward 5 Conclusion 6 Executive

More information

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0 Unless otherwise stated, these Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies

More information

REQUIREMENTS RESPECTING THE SECURITY OF OFFSHORE FACILITIES

REQUIREMENTS RESPECTING THE SECURITY OF OFFSHORE FACILITIES REQUIREMENTS RESPECTING THE SECURITY OF OFFSHORE FACILITIES Definitions 1. In these requirements: C-NLOPB means the Canada-Newfoundland and Labrador Offshore Petroleum Board; Chief Safety Officer means

More information

Risk Management Handbook

Risk Management Handbook Risk Management Handbook 1999 Introduction Risk management is the process of selecting and implementing countermeasures to achieve an acceptable level of risk at an acceptable cost. The analytical risk

More information

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW November 12, 2012 NASEO ISER Response: from site focused to system focused Emergency Preparedness, Response, and Restoration Analysis and

More information

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Subject: Critical Infrastructure Identification, Prioritization, and Protection For Immediate Release Office of the Press Secretary The White House December 17, 2003 Homeland Security Presidential Directive / HSPD-7 Subject: Critical Infrastructure Identification, Prioritization,

More information

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP Today s Topics SCADA Overview SCADA System vs. IT Systems Risk Factors Threats Potential Vulnerabilities Specific Considerations

More information

December 17, 2003 Homeland Security Presidential Directive/Hspd-7

December 17, 2003 Homeland Security Presidential Directive/Hspd-7 For Immediate Release Office of the Press Secretary December 17, 2003 December 17, 2003 Homeland Security Presidential Directive/Hspd-7 Subject: Critical Infrastructure Identification, Prioritization,

More information

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary

Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary Water Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan Executive Summary May 2007 Environmental Protection Agency Executive Summary

More information

VULNERABILITY ASSESSMENT AND SURVEY PROGRAM. Overview of Assessment Methodology. U.S. Department of Energy Office of Energy Assurance

VULNERABILITY ASSESSMENT AND SURVEY PROGRAM. Overview of Assessment Methodology. U.S. Department of Energy Office of Energy Assurance VULNERABILITY ASSESSMENT AND SURVEY PROGRAM Overview of Assessment Methodology U.S. Department of Energy Office of Energy Assurance September 28, 2001 CONTENTS 1 Introduction... 1 2 Assessment Methodology...

More information

Performs the Federal coordination role for supporting the energy requirements associated with National Special Security Events.

Performs the Federal coordination role for supporting the energy requirements associated with National Special Security Events. ESF Coordinator: Energy Primary Agency: Energy Support Agencies: Agriculture Commerce Defense Homeland Security the Interior Labor State Transportation Environmental Protection Agency Nuclear Regulatory

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

Cybersecurity Converged Resilience :

Cybersecurity Converged Resilience : Cybersecurity Converged Resilience : The cybersecurity of critical infrastructure 2 AECOM Port Authority of New York and New Jersey (PANYNJ), New York, New York, United States. AECOM, working with the

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

CYBER SECURITY GUIDANCE

CYBER SECURITY GUIDANCE CYBER SECURITY GUIDANCE With the pervasiveness of information technology (IT) and cyber networks systems in nearly every aspect of society, effectively securing the Nation s critical infrastructure requires

More information

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative

Final Draft/Pre-Decisional/Do Not Cite. Forging a Common Understanding for Critical Infrastructure. Shared Narrative Final Draft/Pre-Decisional/Do Not Cite Forging a Common Understanding for Critical Infrastructure Shared Narrative March 2014 1 Forging a Common Understanding for Critical Infrastructure The following

More information

SCOPE. September 25, 2014, 0930 EDT

SCOPE. September 25, 2014, 0930 EDT National Protection and Programs Directorate Office of Cyber and Infrastructure Analysis (OCIA) Critical Infrastructure Security and Resilience Note Critical Infrastructure Security and Resilience Note:

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Building more resilient and secure solutions for Water/Wastewater Industry

Building more resilient and secure solutions for Water/Wastewater Industry Building more resilient and secure solutions for Water/Wastewater Industry Steve Liebrecht Rockwell Automation Detroit W/WW Team Leader Copyright 2010 Rockwell Automation, Inc. All rights reserved. 1 Governmental

More information

The Strategic Importance, Causes and Consequences of Terrorism

The Strategic Importance, Causes and Consequences of Terrorism The Strategic Importance, Causes and Consequences of Terrorism How Terrorism Research Can Inform Policy Responses Todd Stewart, Ph.D. Major General, United States Air Force (Retired) Director, Program

More information

DEVELOPMENT OF A RISK ASSESSMENT PROGRAM AGAINST TERRORISM IN REPUBLIC KOREA

DEVELOPMENT OF A RISK ASSESSMENT PROGRAM AGAINST TERRORISM IN REPUBLIC KOREA DEVELOPMENT OF A RISK ASSESSMENT PROGRAM AGAINST TERRORISM IN REPUBLIC KOREA Younghee Lee, Jinkyung Kim and Il Moon Department of Chemical Engineering, Yonsei University, 134 Sinchon-dong, Seodaemun-gu,

More information

BUILDING DESIGN FOR HOMELAND SECURITY. Unit I Building Design for Homeland Security

BUILDING DESIGN FOR HOMELAND SECURITY. Unit I Building Design for Homeland Security BUILDING DESIGN FOR HOMELAND SECURITY Unit I Building Design for Homeland Security Participant Introductions Name Affiliation Area of Concentration BUILDING DESIGN FOR HOMELAND SECURITY Unit I-2 Course

More information

COJUMA s. Legal Considerations for Defense Support to Civil Authorities. U.S. Southern Command Miami, Florida Draft

COJUMA s. Legal Considerations for Defense Support to Civil Authorities. U.S. Southern Command Miami, Florida Draft COJUMA s Legal Considerations for Defense Support to Civil Authorities U.S. Southern Command 28 Miami, Florida Miami, Florida Draft Table of Contents Legal Considerations for Defense Support to Civil Authorities.....10

More information

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors March 25-27, 2014 Steven A. Kunsman i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors ABB Inc. March 26, 2015 Slide 1 Cyber Security for Substation

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012

Designing & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012 Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise

More information

Preparedness in the Southwest

Preparedness in the Southwest Preparedness in the Southwest Risk Assessment and Hazard Vulnerability Developed by The Arizona Center for Public Health Preparedness Cover Art www.azcphp.publichealth.arizona.edu Chapter 1 Importance

More information

October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition

October 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition October 2004 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition October 2004 Security Vulnerability Assessment Methodology for the Petroleum and

More information

Common Threats and Vulnerabilities of Critical Infrastructures

Common Threats and Vulnerabilities of Critical Infrastructures International Journal of Control and Automation 17 Common Threats and Vulnerabilities of Critical Infrastructures Rosslin John Robles 1, Min-kyu Choi 1, Eun-suk Cho 1, Seok-soo Kim 1, Gil-cheol Park 1,

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

Keynote: FBI Wednesday, February 4 noon 1:10 p.m. Keynote: FBI Wednesday, February 4 noon 1:10 p.m. Speaker: Leo Taddeo Special Agent in Change, Cyber/Special Operations Division Federal Bureau of Investigation Biography: Leo Taddeo Leo Taddeo is the

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

White Paper. Information Security -- Network Assessment

White Paper. Information Security -- Network Assessment Network Assessment White Paper Information Security -- Network Assessment Disclaimer This is one of a series of articles detailing information security procedures as followed by the INFOSEC group of Computer

More information

ISACA rudens konference

ISACA rudens konference ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial

More information

OCR LEVEL 3 CAMBRIDGE TECHNICAL

OCR LEVEL 3 CAMBRIDGE TECHNICAL Cambridge TECHNICALS OCR LEVEL 3 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT NETWORKED SYSTEMS SECURITY J/601/7332 LEVEL 3 UNIT 28 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10 NETWORKED SYSTEMS SECURITY

More information

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually

More information

Relationship to National Response Plan Emergency Support Function (ESF)/Annex

Relationship to National Response Plan Emergency Support Function (ESF)/Annex RISK MANAGEMENT Capability Definition Risk Management is defined by the Government Accountability Office (GAO) as A continuous process of managing through a series of mitigating actions that permeate an

More information

Prepared by Rod Davis, ABCP, MCSA November, 2011

Prepared by Rod Davis, ABCP, MCSA November, 2011 Prepared by Rod Davis, ABCP, MCSA November, 2011 Disaster an event, which causes the loss of an essential service, or part of it, for a length of time which imperils mission achievement. (Andrew Hiles,

More information

Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries. May 2003

Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries. May 2003 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries May 2003 May 2003 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries

More information

National Infrastructure Protection Center

National Infrastructure Protection Center National Infrastructure Protection Center Risk Management: An Essential Guide to Protecting Critical Assets November 2002 Summary As organizations increase security measures and attempt to identify vulnerabilities

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

SECURITY. Risk & Compliance Services

SECURITY. Risk & Compliance Services SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize

More information

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions Kevin Staggs, Honeywell Process Solutions Table of Contents Introduction...3 Nerc Standards and Implications...3 How to Meet the New Requirements...4 Protecting Your System...4 Cyber Security...5 A Sample

More information

Faculdade de Direito, Lisboa, 02-Jul-2014. The Competitive Advantage of Cybersecurity

Faculdade de Direito, Lisboa, 02-Jul-2014. The Competitive Advantage of Cybersecurity Faculdade de Direito, Lisboa, 02-Jul-2014 The Competitive Advantage of Cybersecurity Thales Key highlights (I) A global company with 65,000 employees and 14,2 billion in revenues, R&D 2,5 billion * We

More information

Cornell University PREVENTION AND MITIGATION PLAN

Cornell University PREVENTION AND MITIGATION PLAN Cornell University PREVENTION AND MITIGATION PLAN Table of Contents Table of Contents Section 1 Prevention-Mitigation Introduction...2 Section 2 Risk Assessment...2 2.1 Risk Assessment Components...2 2.2

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013 Security Architecture: From Start to Sustainment Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013 Security Architecture Topics Introduction Reverse Engineering the Threat Operational

More information

U.S. Cyber Security Readiness

U.S. Cyber Security Readiness U.S. Cyber Security Readiness Anthony V. Teelucksingh Senior Counsel United States Department of Justice John Chris Dowd Special Agent Federal Bureau of Investigation Overview U.S. National Plan National

More information

Five keys to a more secure data environment

Five keys to a more secure data environment Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational

More information

How Secure is Your SCADA System?

How Secure is Your SCADA System? How Secure is Your SCADA System? Charles Drobny GlobaLogix, Inc. Houston, TX, USA Our Industry is a Target 40% of cyber attacks on Critical Infrastructure targets are aimed at the Energy Industry The potential

More information

Enterprise Risk Management taking on new dimensions

Enterprise Risk Management taking on new dimensions Enterprise Risk Management taking on new dimensions October 2006 The practice of Enterprise Risk Management (ERM) is becoming more critical and complex every day. There is a growing need for organizations

More information

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Internet Safety and Security: Strategies for Building an Internet Safety Wall Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet

More information

Critical Infrastructure Security and Resilience

Critical Infrastructure Security and Resilience U.S. Department of Homeland Security in partnership with the National Coordination Office for Space-Based Positioning, Navigation and Timing Critical Infrastructure Security and Resilience International

More information

Update On Smart Grid Cyber Security

Update On Smart Grid Cyber Security Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats

More information

Microsoft s cybersecurity commitment

Microsoft s cybersecurity commitment Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade

More information

Better secure IT equipment and systems

Better secure IT equipment and systems Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

Enterprise Security Tactical Plan

Enterprise Security Tactical Plan Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise

More information

Cyber Security for SCADA/ICS Networks

Cyber Security for SCADA/ICS Networks Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And

More information

Considerations for Hybrid Communications Network Technology for Pipeline Monitoring

Considerations for Hybrid Communications Network Technology for Pipeline Monitoring Considerations for Hybrid Communications Network Technology for Pipeline Monitoring Craig Held White Paper April 2012 Abstract The concept of automation (and its corresponding technologies) is a primary

More information

BUSINESS CONTINUITY PLANNING

BUSINESS CONTINUITY PLANNING Policy 8.3.2 Business Responsible Party: President s Office BUSINESS CONTINUITY PLANNING Overview The UT Health Science Center at San Antonio (Health Science Center) is committed to its employees, students,

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

Building Economic Resilience to Disasters: Developing a Business Continuity Plan

Building Economic Resilience to Disasters: Developing a Business Continuity Plan Building Economic Resilience to Disasters: Developing a Business Continuity Plan Buffalo Niagara Region February 26, 2014 Gail Moraton, CBCP Business Resiliency Manager Business Resiliency one important

More information

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

Best Practices in ICS Security for System Operators. A Wurldtech White Paper Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

More information

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

(Instructor-led; 3 Days)

(Instructor-led; 3 Days) Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of

More information

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks Alex Leemon, Sr. Manager 1 The New Cyber Battleground: Inside Your Network Over 90% of organizations have been breached

More information

Michigan State Police Emergency Management & Homeland Security. Infrastructure Analysis & Response Section. Sgt. Bruce E. Payne

Michigan State Police Emergency Management & Homeland Security. Infrastructure Analysis & Response Section. Sgt. Bruce E. Payne Michigan State Police Emergency Management & Homeland Security Infrastructure Analysis & Response Section Sgt. Bruce E. Payne Presidential Directive On December 17, 2003, President Bush issued Homeland

More information

Industrial Security for Process Automation

Industrial Security for Process Automation Industrial Security for Process Automation SPACe 2012 Siemens Process Automation Conference Why is Industrial Security so important? Industrial security is all about protecting automation systems and critical

More information

National Surface Transport Security Strategy. September 2013. Transport and Infrastructure Senior Officials Committee. Transport Security Committee

National Surface Transport Security Strategy. September 2013. Transport and Infrastructure Senior Officials Committee. Transport Security Committee National Surface Transport Security Strategy September 2013 Transport and Infrastructure Senior Officials Committee Transport Security Committee 1 National Surface Transport Security Strategy (NSTSS) Foreword

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

DeltaV System Cyber-Security

DeltaV System Cyber-Security January 2013 Page 1 This paper describes the system philosophy and guidelines for keeping your DeltaV System secure from Cyber attacks. www.deltav.com January 2013 Page 2 Table of Contents Introduction...

More information

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems. 1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

More information

Nine Steps to Smart Security for Small Businesses

Nine Steps to Smart Security for Small Businesses Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...

More information

Supplier Security Assessment Questionnaire

Supplier Security Assessment Questionnaire HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.

More information

Ten Tips for Completing a Site Security Plan

Ten Tips for Completing a Site Security Plan TRANSPORTATION LOGISTICS PETROCHEMICal Commercial Industrial Retail Federal Systems Banking Ten Tips for Completing a Site Security Plan Introduction The Chemical Facility Anti-Terrorism Standards (CFATS)

More information

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge

Targeted Intrusion Remediation: Lessons From The Front Lines. Jim Aldridge Targeted Intrusion Remediation: Lessons From The Front Lines Jim Aldridge All information is derived from MANDIANT observations in non-classified environments. Information has beensanitized where necessary

More information

Information Security Policy

Information Security Policy Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current

More information

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS)

Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS) Office of Emergency Communications (OEC) Mobile Applications for Public Safety (MAPS) PSCR Public Safety Broadband Stakeholder Conference June 4 th, 2014 Alex Kreilein Technology Policy Strategist Office

More information

Increasing the city s attractiveness

Increasing the city s attractiveness www.thalesgroup.com URBAN SECURITY Increasing the city s attractiveness Thales Communications & Security 20-22 rue Grange Dame Rose - 78141 Vélizy-Villacoublay - France - Tel: +33(0)1 73 32 00 00 10/2013

More information