CRITICAL INFRASTRUCTURE PROTECTION: BUILDING ORGANIZATIONAL RESILIENCE
Gavin McLintock, P.Eng., CISSP, PCIP
METCALFE POWER STATION, 16 April 2013: sophisticated physical attack; 27 days outage; $15.4 million
MAROOCHY WATER DISTRICT, 2000: malicious insider hack attack; 800,000 litres of raw sewage spilled; > $1 million
NEW ORLEANS, 29 August 2005: hurricane; 1,464 dead; major, continuing economic & social losses; > $150 billion estimated cost
NORTHEASTERN NORTH AMERICA, 14 August 2003: power blackout (cascading failure); 2 days; 11 deaths; > 50 million people affected; $6 billion estimated cost
FUKUSHIMA, 11 March 2011: earthquake & tsunami; 2nd worst radiation release; > 300,000 evacuated
CRITICAL INFRASTRUCTURE PROTECTION
The art & science of preparing an organization to be resilient in the face of catastrophe
INTERDEPENDENCIES
(diagram) 2005-2015, Critical Infrastructure Institute

ALL HAZARDS: THREAT SPECTRUM
(diagram: hazards at the centre of a spectrum that tends towards criminal threats, asymmetric threats and military threats)

RESILIENCY
CIP ASSESSMENT PROGRAM
Comprehensive evaluation of the current state of the organization's:
- Critical assets
- Threat/risk situation
- Event management and recovery capability
- Operational resilience
CIP ASSESSMENT PROGRAM OBJECTIVE
- Assist management with an assessment of local CIP and security activities
- Offer recommendations based on the likelihood of various threat/hazard scenarios
CIP ASSESSMENT TEAM
PROCESS METHODOLOGY
NATURAL GAS ELECTRICITY GENERATING PLANTS
- Putrajaya, Malaysia: 625 MW
- GTAA: 112 MW

ENERGY FACILITY: COMBINED CYCLE GAS TURBINE PLANT
(diagram: Natural Gas Supply (Input) -> plant -> Transformer -> To Electricity Grid (Output))
CIP ASSESSMENT METHODOLOGY
- No impact on normal operations
- No test or compromise of security systems
CIP RISK MANAGEMENT MODEL
(diagram) Risk Management: Mission Criticality Assessment, Threat Assessment, Vulnerability Assessment and Risk Assessment lead to Measures & Controls to Safeguard Assets. Assets: Personnel; Materiel/Objects; Facilities & Infrastructure; Information; Activities. Plan, Supervise and Review: Conditions for Mission Success. Incident: Action / Reaction; Incident Response Management; Consequence Management.
DEFINE THE MISSION
"We aim to be an efficient and dynamic power generation facility that provides a quality product in the areas of safety, customer service, reliability, and shareholder value, while ensuring minimal environmental impact."
Via the MISSION ANALYSIS PROCESS: tasks & assets needed to accomplish the mission
ASSESS CRITICALITY
Why criticality? It is not possible to protect everything all of the time. A CIP program needs to identify, evaluate and prioritize those assets that are most critical to mission success.
Criticality Assessment: identifies, evaluates and prioritizes those assets that are most critical to achieving mission success. Methodologies such as CARVER, Business Impact Assessment (BIA) and Statement of Sensitivity provide a systematic way to determine and rank criticality.
ASSESS CRITICALITY: CARVER TOOL
Used to determine criticality of assets to services/operations. Assess each criterion from 1-10, with 10 having the most grave consequences.

Asset                       C   A   R   V   E   R   Total   Comments
Gas Turbines (x3)          10   5  10   5   3  10      43
Starting Generator          8   5   8   8   3   7      39
Heat Exchangers (x3)        7   5   8   5   3   9      37
Steam Turbine               7   7   8   5   3   7      37
Switch Relay Control Bldg  10   6   4   5   4   7      36
Gas Supply Lines            5   5   4   5   8   8      35
Central Control Bldg        2   5   7   5   5   6      30
ASSESS THREATS AND HAZARDS
Threat/Hazard: a real or potential condition that has the ability to compromise the availability, integrity or confidentiality of an asset. The condition may be:
- Deliberate (malicious)
- Environmental (natural)
- Accidental
SITUATIONAL AWARENESS ASSESSMENT: FULL SPECTRUM THREAT CATEGORIES
(chart shows likelihood of occurrence per category)
- Criminal (Medium): fraud, theft, vandalism, intimidation, drug use, disturbance
- Cyber (Medium): hacking, insert malware, denial of service, disruption, sabotage, subversion
- Natural (Low): snow/ice storm, lightning strike, wind storm, flood, disease, pandemic
- Accidents (Low): structural collapse, fire, explosion, transportation, food poisoning
- Espionage (Low): industrial, commercial, foreign intelligence, government
- Terrorism (Low): bombing, armed attack
Further categories charted: Disgruntled Employee (Low); Single Issue, Environmental Policy and Supremacist Groups (Negligible). Threats listed under these include demonstration, work slow-down, stress, strike, economic policy, regulation, environmental and anarchists.
ASSESS VULNERABILITY
Vulnerability: the characteristics of an asset's design, location, security posture, process, or operation that render it susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, or malicious acts.
Vulnerability Assessment: identify areas of weakness that could result in consequences of concern, taking into account intrinsic structural weaknesses, protective measures, resiliency, and redundancies.
VULNERABILITY ASSESSMENT: FORMAT FOR OBSERVATIONS
Vulnerabilities, Concerns and Positives (Best Practices) from each Functional Specialist:
- Vulnerability: an inherent weakness, situation or circumstance that, if left unchanged, may result in loss of life or damage to mission-essential resources
- Concern: noted deviation from best CIP practices that, if not addressed or monitored, could become a vulnerability if impacted by other factors
- Positive: best practice worth noting
VULNERABILITIES OBSERVED
Situational Awareness
- Poor top-down communication of potential hazards and threats to employees
- Lack of enforcement of restrictions on photography
Physical Security
- Failure to enforce access control policy ("tailgating")
- Lack of a lock-down plan
- Insufficient security force for higher threat levels
- Lack of liaison with local law enforcement agencies
Engineering
- Congestion in vehicle inspection area at front gate
- Lack of a barrier plan
- Insecure diesel fuel tank for start-up generator
- Inconsistent monitoring of fuel quality
VULNERABILITIES OBSERVED (continued)
Information Technology Security
- No specific security policy and procedures for SCADA
- Outdated cyber defences for Enterprise System
- Inadequate Disaster Recovery Plan for Enterprise System
- Enterprise System and SCADA passwords and user identification shared by all production staff
OHS and HAZMAT
- Lack of a pandemic plan
- Incomplete listing of HAZMAT storage
Emergency Response
- Failure to coordinate security, fire and Emergency Response plans
ASSESS RISK
Risk: refers to the uncertainty that surrounds future events and outcomes (GoC Integrated Risk Management Framework).
Attributes of risk:
- Risk results from a combination of an asset, a threat/hazard, and a vulnerability
- All three elements must be present
- If any element is missing, there is no risk
(diagram: risk lies where asset, threat/hazard and vulnerability overlap)
RISK IMPACT & PROBABILITY TABLE
Risk is a factor of impact and probability. In this example, impact and probability are measured by assigning numbers: the higher the number, the higher the risk.
RISK ASSESSMENT: Consolidated Criticality, Threat, Vulnerability and Risk Table
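The CARVER ranking and the risk model of the preceding slides, as an added worked example that is not part of the original presentation: it re-computes the CARVER totals from the deck's own scores, ranks the assets, and scores a small consolidated register as impact x probability, returning zero risk when any of asset, threat/hazard or vulnerability is missing. The register rows and their 1-5 impact/probability values are constructed for the example (the deck's impact/probability table is not on this page).

```python
# Added example (not from the presentation): CARVER criticality ranking plus an
# impact x probability risk register in the deck's asset/threat/vulnerability model.

# Scores from the deck's CARVER slide. The six CARVER criteria (Criticality, Accessibility,
# Recuperability, Vulnerability, Effect, Recognizability) are each scored 1-10, 10 = gravest.
CARVER_SCORES = {
    "Gas Turbines (x3)": (10, 5, 10, 5, 3, 10),
    "Starting Generator": (8, 5, 8, 8, 3, 7),
    "Heat Exchangers (x3)": (7, 5, 8, 5, 3, 9),
    "Steam Turbine": (7, 7, 8, 5, 3, 7),
    "Switch Relay Control Bldg": (10, 6, 4, 5, 4, 7),
    "Gas Supply Lines": (5, 5, 4, 5, 8, 8),
    "Central Control Bldg": (2, 5, 7, 5, 5, 6),
}

def carver_total(scores):
    """Sum the six criterion scores, rejecting anything off the 1-10 scale."""
    if len(scores) != 6 or any(not 1 <= s <= 10 for s in scores):
        raise ValueError("each CARVER criterion must be scored 1-10")
    return sum(scores)

def rank_assets(table):
    """Rank assets most critical first; sorted() is stable, so ties keep table order."""
    return sorted(((name, carver_total(s)) for name, s in table.items()),
                  key=lambda item: -item[1])

def risk_score(asset, threat, vulnerability, impact, probability):
    """Risk = impact x probability, but only when asset, threat/hazard and
    vulnerability are all present: if any element is missing there is no risk."""
    if not (asset and threat and vulnerability):
        return 0
    return impact * probability

# Constructed register rows (asset, threat, vulnerability, impact, probability) drawn from
# vulnerabilities the deck observed; the 1-5 impact/probability values are made up here,
# since the deck's own impact/probability table is not on the page.
REGISTER = [
    ("Starting Generator", "Sabotage", "Insecure diesel fuel tank", 4, 3),
    ("Central Control Bldg", "Hacking", "Shared SCADA passwords", 5, 3),
    ("Gas Supply Lines", "", "Lack of a barrier plan", 5, 2),  # no threat identified
]

def consolidated_table(register, carver=CARVER_SCORES):
    """Rows as (asset, criticality, risk), highest risk first, zero-risk rows dropped."""
    rows = [(a, carver_total(carver[a]), risk_score(a, t, v, i, p))
            for a, t, v, i, p in register]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: -r[2])
```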
RECOMMEND RISK MANAGEMENT OPTIONS
Risk Management: the process of selecting and implementing decisions that will minimize the adverse effects of losses due to destruction, disruption or injury, to achieve an acceptable level of risk at an acceptable cost.
Risk Controls or Safeguards: actions taken to mitigate risks, normally by reducing their probability or impact. They include actions to detect, deny, deter, distract, delay, prevent, protect, respond, destroy, repair, recover and restore.
RISK MANAGEMENT CONTROLS: ENGINEERING
Vulnerability: insecure diesel fuel tank for start-up generator
Description: the fuel tank has no additional security features other than the installation's outer security fence. Should the fuel tank or fuel supply be tampered with, cold start will not be possible.
Risk management options:
- Construct back-up fuel tank
- Construct concrete barrier around tank(s)
- Install security fence around tank(s) with access controls
- Install additional lighting
- Fit locks to filler caps
- Install intrusion detection system
Recommendation: all of the above
RISK MANAGEMENT CONTROLS: INFORMATION TECHNOLOGY SECURITY
Vulnerability: no specific security policy and procedures for the Supervisory Control and Data Acquisition (SCADA) system in the Central Control Building
Description: although there is a security policy for the IT enterprise network, there is no specific security policy and procedures for the installation's SCADA system, which provides process control to all systems.
Risk management options:
- Establish SCADA security policy and procedures
- Establish security awareness and training plan
Recommendation:
- Develop and implement/disseminate SCADA security policy and procedures
- Develop and implement SCADA security awareness and training
EVALUATE EMERGENCY MANAGEMENT
Evaluate plans for:
- Incident Response (Response): efforts to contain, alleviate or terminate an apprehended incident, to identify and bring to account the threat agents, and to gather information and preserve evidence to that end (PSC)
- Consequence Management (Recovery): coordination and implementation of measures intended to mitigate the damage, loss, hardship and suffering caused by acts of violence or natural disasters, including measures to restore service, to protect health and safety, and to provide emergency relief (PSC)
OUT BRIEF: AGENDA
- Purpose
- Briefing format
- Critical assets
- Situational awareness
- Key observations from specialists on: situational awareness; security; engineering; information protection; occupational health/safety/HAZMAT; emergency management
- Sample threat/hazard scenario(s)
- Summary
OUT BRIEF: CIP ASSESSMENT DASHBOARD
Installation CIP readiness, rated per CIP vulnerability assessment component as Ready / Ready w/minor Limitations / Ready w/major Limitations / Not Ready:
A. Situational Awareness
B. Security
C. Engineering
D. Information Technology Protection
E. Occupational Health & Safety
F. HAZMAT Response
G. Emergency Management
DELIVERABLES
- CIP Assessment Out-brief: the assessment team will offer procedural and/or resource-based solutions
- Draft Executive Summary and Annexes from functional specialists
- Final Report (30 days after assessment)
SUMMARY
- Every organization has critical infrastructure
- Understanding your CI and the risks you face increases operational resilience
- A comprehensive CIP assessment can contribute
- Sometimes the findings are surprising!
FURTHER INFORMATION
Gavin McLintock, McLintock Consulting, 613-521-9834, gavin@mclintock.com
Peter Johnston, President, Lansdowne Technologies Inc., 613-236-3333, p.johnston@lansdowne.com