Oil & Gas Industry Towards Global Security. A Holistic Security Risk Management Approach.
- Eustace Bradford
- 8 years ago
This white paper discusses current security issues in the oil and gas industry and suggests a holistic security risk management approach to manage security risks to an acceptable level whilst optimizing financial investment.

Threats In The Oil And Gas Field

Safe and reliable energy is a vital link in the nation's critical infrastructure. Oil and gas products play an important role in the national economy and national security, and are integral to the way of life. As such, security has always been and continues to be a priority across the oil and gas industry.

Reports from many international government agencies confirm that various terrorism groups target the oil and gas industry. The petroleum industry is in all probability generally subject to these threats due to several factors:

- The physical and chemical properties of the materials processed, stored and handled at these facilities may create attractive targets for an adversary to cause malicious release with the intent to harm a neighboring population.
- The critical importance of the products produced by companies, to the domestic and international infrastructures and to other businesses and individuals, may make disruption of operations of the petroleum industry an attractive option.

The risks from terrorist attacks to the energy supply vary by segment of the industry, which is broadly defined as exploration and production, refining, pipeline transportation (liquids), marine transportation, products distribution and marketing.

Nowadays, with the emergence of new kinds of conflict, asymmetric threats using unconventional warfare tactics are the primary threats to critical infrastructures. This is especially true for the oil and gas industry, which is now involved in asymmetric conflicts.

Oil and gas private security forces are now facing new unconventional opponents such as terrorists (international and national), activists, pressure groups, single issue zealots, disgruntled employees, or criminals, whether white collar, cyber hackers, organized or opportunists. These threats may come from insider activity, external action, or insiders colluding with external adversaries. These opponents use different attacks including car suicide bombing, mortar rain, rocket propelled grenade, improvised explosive devices (IED), ambushes, hostages, hijacking, kidnapping, computer hacking, information warfare, and so on. The attacks can be complex and coordinated and can exploit a combination of physical, logical (information technology), environmental, organizational and human weaknesses.
Oil And Gas Critical Infrastructures

The potential threats are directed against the whole oil and gas infrastructure but could target its critical and strategic assets such as:

- Oil and gas specific segments: Reservoirs, wells, offshore production facilities, pipeline systems, mass storage facilities and oil refineries.
- Buildings: Administration offices, corporate offices, command and control rooms.
- Equipment: Process units and associated control systems, product storage tanks, surge vessels, boilers, turbines, process heaters, sewer systems.
- Support systems: Utilities such as natural gas lines, electrical power grid and facilities (including back-up power systems), water-supply systems, wastewater treatment facilities.
- Transportation interface: Railroad lines and railcars, product loading racks and vehicles, pipelines entering and leaving facility, marine vessels and dock area, off site storage areas.
- Cyber systems and information technology: SCADA systems, computer systems, networks, devices with remote maintenance ports, laptops, PDAs.

Therefore, to protect those assets, the security measures should be in line with the threat level and adapted to the security risk level.

Security Risks

To address this issue, security needs to be evaluated in order to fully analyze the major security risks: a risk is a combination of the probability of the threat and the potential impact on a critical asset. This is a complex task, and therefore a holistic security risk management methodology is required that enables all security risk levels to be identified, whilst also evaluating the existing security solutions based on technology (which should cover logical, physical and environmental issues), organization and human factors.

The evaluation of the security risks starts with the identification of the threats, the critical assets and the vulnerabilities. Then, for each security risk that needs to be mitigated, security objectives are defined. Security solutions are then implemented.

- Loss of human life (killed, injured)
- Economic impact of destruction or disruption
- Business impact
- Political consequences on public confidence
- Potential for loss of energy supply to civilian areas
- Potential impacts for environment
- Extended time needed to repair
- Potential for interdependency effects
Security Risk Management

The objective is to define a security program based on a collective effort that seeks to reduce the likelihood that industry personnel, their families, facilities and materials shall be subject to any kind of attack, and to prepare to respond to the consequences of such attacks should they occur.

This section describes the security management process to mitigate the risks and to develop a security program. Based on interviews, site surveys and documentation, the following areas have to be addressed:

- Threat Assessment: define alert levels, identify the threats and evaluate probability.
- Criticality Assessment: identify critical assets and define asset criticality levels.
- Vulnerability Assessment: identify vulnerabilities and evaluate criticality. This includes manpower and security force protection assessments.
- Risk Assessment: identify and evaluate the risks based on the conclusions of the previous assessments.

Consequently, for each risk identified, the management decides whether the risk should be controlled, ignored, insured or accepted.

The first step is to set up the internal organization to pilot the risk management process and to define the scope and objectives of the Security Committee and the Security Working Groups. The organization should be based on:

- Security Committee: the SC includes top management that develops security strategy and provides guidance, direction and cooperation.
- Security Working Groups: the SWG take actions and provide inputs and feedback. They develop and recommend policy, prepare planning documents and conduct risk assessments. One of the SWG is the Threat WG, which consists of a Counterintelligence representative, a Law Enforcement representative, an Information Operations representative and the Chemical, Biological, Radiological, Nuclear and High Yield Explosive (CBRNE) representative. Larger installations may include additional personnel as assigned by the SC.

If the decision is to control the risk, security objectives are defined. Then the security solutions (based on technology, organization or human factors) should be provided, based on risk priority and objectives. Those solutions are categorized as prevention, detection, response and recovery. As a result, conclusions are formalized in the Security Master Plan (SMP).
Implement Solutions

Appropriate security solutions defined in the Security Master Plan should be implemented through a series of actions including:

- Prioritization of recommended security solutions.
- Planning implementation and funding of security solutions.

The quality of this security management process is maintained using the PDCA model:

- Plan: Establish or update the Security Master Plan to improve security.
- Do: Implement and operate the actions defined in the SMP.
- Check: Monitor, review the actions and report the results to decision makers.
- Act: Maintain and improve the actions.

The management of security risks includes evaluating risks, developing solutions, making decisions, implementing solutions, supervising, reviewing and improving security level. These are essential follow-through actions of the risk management process. After identifying and implementing additional countermeasures or mitigation efforts, it is essential to recalculate the risks. A risk management scorecard is appreciated. A yearly complete risk assessment is recommended.

Best Practices In Security Management

With decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses, Thales has identified some best practices of security management:

- Risk management: Integrate holistic security risk management into the corporate risk management process.
- Security organization: Create a senior level security committee, Security Working Groups, a corporate security risk manager and local security officers (IT, safety, facility, etc.).
- Coordination: Develop coordination with government and stakeholders (customers, suppliers, infrastructure providers).
- Security Master Plan: Define the security doctrine, the operational concept and the means to achieve an efficient level of security.
- Resilience management: As global security is impossible to achieve, resilient system designs and procedures should be adaptable to the unpredictable. Contingency plans (business continuity and emergency response and disaster plans) should be formalized, tested and updated for rapid recovery from disruptions.
- Interdependencies: Evaluate contingency plans from an infrastructure interdependencies perspective and enhance coordination with other infrastructure providers (e.g. electric power, telecommunications, water, transportation).
- Human resource: Carry out background investigations for new hires and periodic updates for current employees, define a hiring policy, and implement structured security requirements for critical suppliers and partners. Formalize security policies and procedures. Raise employee awareness and education to be proactive on security matters.
- Physical security: Identify and restrict access to sensitive areas, and implement an access control list and badge program. Increase security checkpoints, manned facilities, video surveillance, badge identification, tracking of people and vehicles, escorted visitors and flyovers.
- Information System and Network architecture: Define the LAN/WAN network perimeter, minimize external connections, keep the network mapping up to date, enhance security of mission critical systems, and write and communicate an IT security policy. Enhance traffic filtering, authentication controls, encryption and access controls, minimize or disable all unnecessary services and software, filter e-mails, control viruses.

The Scope of Work that is proposed in this white paper details the development of a security strategy, which includes those best practices.
Typical Thales Scope Of Work

Thales can assist organizations in setting up a program to develop an efficient security risk management process. This program is scheduled in five steps, as described in the figure below:

The first step is to define the scope of the Risk Management Program. Thales considers the following actions:

- Meet senior management.
- Understand the business objectives.
- Set up a Security Working Group.
- Define the scope of the System that will be concerned by the security risk management program, i.e. one or more infrastructures.

Outputs:

- Definition of the Security Working Group.
- Formalization of the scope of the System.
- Formalization of the planning of the security risk management program.

The next step is to understand the organization and the System concerned by the scope. Thales considers the following actions:

- Understand the organization.
- Understand the relations with government agencies.
- Understand the System.
- Identify constraints such as business, industry, national and international regulations.

Output:

- Understanding of the context.

The next step is to analyze the security risks existing in the System. Thales considers the following actions:

- Visit the System.
- Undertake the threat assessment, the criticality assessment and the vulnerability assessment.
- Do the risk assessment.
- Select risks to accept, to ignore, to control or to insure.
- Propose security objectives.
- Recommend mitigation security solutions.

Outputs:

- Security risk analysis results report.

Based on the decisions of the Security Committee, a strategy is decided and a Security Master Plan is formalized to define the security doctrine and the operational concept. Thales considers the following actions:

- Define a security doctrine and an operational concept.
- Formalize the Security Master Plan.
- Plan implementation of security solutions.
- Calculate the return on security investment (ROSI).
- Propose a planning to implement the security solutions.

Outputs:

- Security Risk Management Methodology document (adapted to the organization).
- Security Master Plan document.
- Security doctrine and operational concept document.
- Implementation plan report.
- Return on security investment report.

The last step is the design and the implementation of the actions described in the Security Master Plan. Thales considers the following actions:

- Define a new security organization including the Security Committee and one or more Security Working Groups.
- Develop operational security procedures including crisis management, incident and antiterrorism responses.
- Design security control rooms.
- Define a training policy and develop a training program, i.e. operational and technical.
- Implement physical security, i.e. barriers, video surveillance, intrusion detection systems, access controls, etc.
- Implement information technology security, i.e. LAN and WAN network, information system architecture, server hardening, etc.
- Implement communications security, i.e. confidentiality, anti-jamming, resilience, etc.
- Implement individual protective measures including personal protection for personnel and family members.
- Develop specific software to produce a daily scorecard of the risk situation (option: with geographic information system support).
- Develop resilience solutions based on technology and organization.
- Maintain the solutions participating in the Do-Check-Act process.

Outputs:

- Implementation and maintenance of the security solutions.

To support this SOW, Thales has developed a specific software tool, CASRIM, i.e. Critical Asset Security RIsk Management. CASRIM helps Thales engineers to analyze the situation and produces graphical outputs of the risk analysis.
Benefits

Determining the risk is essential since the management must understand the threats, what assets are most important to protect, and which of those important assets are most vulnerable. Assessing security risk provides the value of an asset in relation to the threats and the vulnerabilities associated with it. This aids the management in balancing threats to vulnerabilities and the degree of risk that the management is willing to accept by not correcting, or perhaps being unable to correct, a vulnerability. For any vulnerability, the management shall manage risk by developing a strategy to deter incidents, employ countermeasures, mitigate the effects of an incident, and recover from an incident.

Using a holistic methodology of this type ensures that minimum appropriate investments are directed into security solutions to reduce identified risks. In addition, as there is integration between the security technology and the organization's objectives and processes, efficiencies can be gained whilst still remaining secure.

Security features that have been factored into initial infrastructure facility design are more likely to be cost-effective, better integrated and more operationally useful than those superimposed on existing structures through add-ons or change orders. Likewise, security features which have been coordinated early in the planning and design process with the architects and other concerned regulatory bodies, as well as with end-users (employees, clients, law enforcement, public safety and regulatory agencies, and operations and maintenance personnel) are more likely to be well received and accepted, and thus more widely used and successful.
Conclusion

By implementing a holistic security risk management methodology, security solutions can be adapted to the changes in threats and security risks, and the levels of investment can be adjusted in accordance with the protection required.

The oil and gas cycle from initial field exploration through production, transport and consumer retail operations is highly complex, with countless potential weak links that are subject to security breakdowns. The security should reflect the risk status and financial resources of the infrastructure. Smaller infrastructures have limited funding and have to plan their security projects with an eye toward simplicity and manageable cost.

The methodology developed in this white paper is scalable and can cover from a single infrastructure to the entire oil and gas chain starting with exploration, development and production, then on through pipeline transport to refineries and processing plants to storage facilities and then on to distribution of refined products by land or sea, finishing at the retail outlets.

Philippe Bouvier
Security Consulting
Thales - Security Solutions & Services Division

Organizations from around the world are already benefiting from the use of this methodology including military organizations, national airport authorities, energy and water companies, financial institutions and transportation companies.

Thales brings together decades of experience in the oil and gas industry and significant depth of knowledge of security systems from its core competencies in defense and civil businesses. Thales is an unrivalled systems integrator of physical and IT security solutions for the oil and gas industry.

If your organization would also like to reduce overall security costs, improve the efficiency of security investment and measurably reduce security risks then please contact your local THALES representative for more information.
Thales Security Solutions & Services Division Security Systems rue Grange Dame Rose CS Vélizy Cedex - France Tel: +33 (0) November Photos: Thales, GettyImages
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationOctober 2004. Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition
October 2004 Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, Second Edition October 2004 Security Vulnerability Assessment Methodology for the Petroleum and
More informationDesigning & Implementing. Programs. MBA Bank Expo 2012 April 11, 2012
Designing & Implementing Enterprise Security Programs MBA Bank Expo 2012 April 11, 2012 Session Purpose G R O U P Premise: Security is institutionalized, but the enterprise is evolving. the enterprise
More informationU.S. Cyber Security Readiness
U.S. Cyber Security Readiness Anthony V. Teelucksingh Senior Counsel United States Department of Justice John Chris Dowd Special Agent Federal Bureau of Investigation Overview U.S. National Plan National
More informationCornell University PREVENTION AND MITIGATION PLAN
Cornell University PREVENTION AND MITIGATION PLAN Table of Contents Table of Contents Section 1 Prevention-Mitigation Introduction...2 Section 2 Risk Assessment...2 2.1 Risk Assessment Components...2 2.2
More informationCyber Security and Privacy - Program 183
Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationEnterprise Risk Management taking on new dimensions
Enterprise Risk Management taking on new dimensions October 2006 The practice of Enterprise Risk Management (ERM) is becoming more critical and complex every day. There is a growing need for organizations
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationInternet Safety and Security: Strategies for Building an Internet Safety Wall
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
More informationSecure networks are crucial for IT systems and their
ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential
More informationHow Secure is Your SCADA System?
How Secure is Your SCADA System? Charles Drobny GlobaLogix, Inc. Houston, TX, USA Our Industry is a Target 40% of cyber attacks on Critical Infrastructure targets are aimed at the Energy Industry The potential
More informationISACA rudens konference
ISACA rudens konference 8 Novembris 2012 Procesa kontroles sistēmu drošība Andris Lauciņš Ievads Kāpēc tēma par procesa kontroles sistēmām? Statistics on incidents Reality of the environment of industrial
More informationEMERGENCY PREPAREDNESS PLAN Business Continuity Plan
EMERGENCY PREPAREDNESS PLAN Business Continuity Plan GIS Bankers Insurance Group Powered by DISASTER PREPAREDNESS Implementation Small Business Guide to Business Continuity Planning Surviving a Catastrophic
More informationSection A: Introduction, Definitions and Principles of Infrastructure Resilience
Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose
More informationCritical Infrastructure Security and Resilience
U.S. Department of Homeland Security in partnership with the National Coordination Office for Space-Based Positioning, Navigation and Timing Critical Infrastructure Security and Resilience International
More informationMicrosoft s cybersecurity commitment
Microsoft s cybersecurity commitment Published January 2015 At Microsoft, we take the security and privacy of our customers data seriously. This focus has been core to our culture for more than a decade
More informationUpdate On Smart Grid Cyber Security
Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats
More informationBUSINESS CONTINUITY PLANNING
Policy 8.3.2 Business Responsible Party: President s Office BUSINESS CONTINUITY PLANNING Overview The UT Health Science Center at San Antonio (Health Science Center) is committed to its employees, students,
More informationBetter secure IT equipment and systems
Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government
More informationCyber Security for SCADA/ICS Networks
Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com Increasing Cyber Attacks on SCADA / ICS Systems 2 What is SCADA Supervisory Control And
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationAgenda. Introduction to SCADA. Importance of SCADA security. Recommended steps
Agenda Introduction to SCADA Importance of SCADA security Recommended steps SCADA systems are usually highly complex and SCADA systems are used to control complex industries Yet.SCADA systems are actually
More informationBuilding Economic Resilience to Disasters: Developing a Business Continuity Plan
Building Economic Resilience to Disasters: Developing a Business Continuity Plan Buffalo Niagara Region February 26, 2014 Gail Moraton, CBCP Business Resiliency Manager Business Resiliency one important
More informationAIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
More informationPAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA
Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand
More informationThe introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.
1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood
More information(Instructor-led; 3 Days)
Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days) Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of
More informationIndustrial Security for Process Automation
Industrial Security for Process Automation SPACe 2012 Siemens Process Automation Conference Why is Industrial Security so important? Industrial security is all about protecting automation systems and critical
More informationA New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager
A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks Alex Leemon, Sr. Manager 1 The New Cyber Battleground: Inside Your Network Over 90% of organizations have been breached
More informationSecurity Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013
Security Architecture: From Start to Sustainment Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013 Security Architecture Topics Introduction Reverse Engineering the Threat Operational
More informationNational Surface Transport Security Strategy. September 2013. Transport and Infrastructure Senior Officials Committee. Transport Security Committee
National Surface Transport Security Strategy September 2013 Transport and Infrastructure Senior Officials Committee Transport Security Committee 1 National Surface Transport Security Strategy (NSTSS) Foreword
More informationSWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific
More informationNine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN T FIREWALLS AND ANTI-VIRUS ENOUGH?...
More informationInformation Security Policy
Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current
More informationTen Tips for Completing a Site Security Plan
TRANSPORTATION LOGISTICS PETROCHEMICal Commercial Industrial Retail Federal Systems Banking Ten Tips for Completing a Site Security Plan Introduction The Chemical Facility Anti-Terrorism Standards (CFATS)
More informationSafety and security are simply good business.
THE BUSINESS ASE FOR YBER SEURITY What s this about in a nutshell? The importance of cyber security for manufacturing and computer control systems has only recently been recognized and therefore has not
More informationIncreasing the city s attractiveness
www.thalesgroup.com URBAN SECURITY Increasing the city s attractiveness Thales Communications & Security 20-22 rue Grange Dame Rose - 78141 Vélizy-Villacoublay - France - Tel: +33(0)1 73 32 00 00 10/2013
More informationBusiness Continuity Management Framework 2014 2017
Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity
More informationFACT SHEET: Ransomware and HIPAA
FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000
More informationAudit Report. Management and Security of Office of Budget and Program Analysis Information Technology Resources. U.S. Department of Agriculture
U.S. Department of Agriculture Office of Inspector General Southeast Region Audit Report Management and Security of Office of Budget and Program Analysis Information Technology Resources Report No. 39099-1-AT
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationSytorus Information Security Assessment Overview
Sytorus Information Assessment Overview Contents Contents 2 Section 1: Our Understanding of the challenge 3 1 The Challenge 4 Section 2: IT-CMF 5 2 The IT-CMF 6 Section 3: Information Management (ISM)
More informationCyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013
Cyber Security and Information Assurance Controls Prevention and Reaction 1 About Enterprise Risk Management Capabilities Cyber Security Risk Management Information Assurance Strategic Governance Regulatory
More information