The Four-Step Guide to Understanding Cyber Risk


Lifecycle Solutions & Services

The Four-Step Guide to Understanding Cyber Risk
Identifying Cyber Risks and Addressing the Cyber Security Gap


Introduction: A Real Danger

It is estimated that cyber risk costs the global economy up to $400 billion a year, perhaps more. For industrial control systems (ICSs), however, the risks are even more acute. A successful attack on them is among the major risks worrying the U.S. government. As Michael Rogers, commander of U.S. Cyber Command, testified to the U.S. House of Representatives Intelligence Committee: "We have seen instances where we are observing intrusions into industrial control systems. What concerns us is that access... can be used by nation states, groups or individuals to take down [their] capability," he said. ICSs are "a growth area of vulnerability", he added. "It's among the things that concern me the most."

A poll of 1,642 experts by the Pew Research Center shows 61% predict a major cyber attack will cause widespread harm to a nation's security and capacity to defend itself and its people in the next ten years. "By widespread harm we mean significant loss of life or property losses/damage/theft at the levels of tens of billions of dollars," Pew clarified.

In the Firing Line

The warning signs are already there. Rogers' comments came just weeks after a Department of Homeland Security alert said malware named BlackEnergy had infiltrated companies running much of the country's infrastructure. Less than a month later, a German government report revealed massive damage at a steel mill in the country from an attack that began with a malicious email. Like Stuxnet, Havex and BlackEnergy, the German attack was targeted specifically at industrial control systems.

The Cyber Arms Race

The threat is driven by a number of factors:

- Attackers' growing sophistication. The German attackers had advanced know-how not only of conventional IT security, but also "detailed technical knowledge of the industrial control systems and production processes used in the plant", the government report noted.
- The industrialization of cyber crime, with skilled attackers selling crime as a service to others without technical skills.
- Growing vulnerabilities, as up to 25 billion web-connected systems and devices in the Internet of Things come online by 2020.
- Publicly available tools like Shodan, which let would-be attackers easily identify ICSs. In 2013, for instance, Finnish researchers used the search engine to find nearly 3,000 unsecured Internet-facing SCADA systems running the country's water supply, building automation and other systems. Project SHINE (SHodan INtelligence Extraction), a multi-year research project aimed at identifying industrial control devices that were directly connected to the Internet, found millions of such devices.

Against this, cyber risk management in industrial control systems is falling behind. Tools and methods used by IT cyber security professionals for managing network risks are not fully adopted by ICS engineering and operations teams. Worse, those with legacy systems may ignore best practices, avoiding patches and virus protection updates for fear they'll jeopardize plant stability. The result is a growing gap between the capabilities of attackers and the defenses pitched against them.

Assessing the Risk

To understand the risk, we need a definition. What is risk? Fortunately, organizations such as the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) have developed definitions that are widely accepted and used.

ISO: "The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization."

NIST: "A function of the likelihood of a given threat source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization."

In both cases, risk is seen as a function of the vulnerability of an asset, the threat (the likelihood an attack will occur) and the consequence of such an attack being successful.

Assessing the Risk (cont.)

To put it another way:

Risk = Vulnerability × Threat × Consequence

Through a function of vulnerability, threat and consequence, we are able to quantify risk. By assigning a value (whether between 0 and 1, 0-100 or any other consistent scale) to each element, users derive a metric that provides a consistent measure of risk and can be used throughout the organization. Two caveats apply. The same scale must be used for every element and every asset, or the products cannot be compared with one another. And because each factor is a multiplier, a zero on any one of them (no exploitable vulnerability, no plausible threat, or no consequence) drives the risk to zero, so each score must reflect what is actually known about the asset rather than what is hoped.

The ultimate aim, of course, is to manage the risk, and this will be considered in a forthcoming e-book. However, you cannot manage what you cannot measure. This e-book therefore focuses on evaluating the risk, which requires a thorough understanding of all the components in the equation above. It is, then, a four-step process, looking at each element (vulnerabilities, threats and consequences) in turn before bringing them all together.

Step 1: Knowing Your Vulnerabilities

A vulnerability is any quality of an asset that could allow it to be exploited. All digital assets have them. Some are known; some aren't. Some are easier to exploit than others. A common source of vulnerabilities is software bugs; 2014's Heartbleed vulnerability, affecting half a million websites as well as thousands of connected devices, is just one of the most high-profile examples.

There are numerous vulnerability assessment (VA) tools to track known vulnerabilities within applications and operating systems, but these have their limits. First, VA tools probe aggressively to test for vulnerabilities across enterprises, which may be unsuitable, and unsafe, when applied to network activity in an ICS: a malformed probe can hang or crash a controller that was never designed to handle it. Second, vulnerabilities are frequently the result not of a particular device or software suite but of poor practices or configurations: weak passwords, group accounts with administrative privileges, failure to implement anti-virus programs and host firewalls, and so on. All of these can be exploited by attackers to leverage systems for unintended purposes. Finally, vulnerabilities must be looked at across operations and processes. Control systems are not just a collection of individual devices, but interconnected systems of devices. Poor access controls on an application running in a control room, for example, can make the whole process vulnerable, not just a single workstation.
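As an added illustration of two points above (that active scanning is unsafe in an ICS, and that many vulnerabilities are configuration weaknesses rather than software flaws), here is a small Python example written for this edit; it is not code from the e-book or from any Honeywell product. It matches an asset inventory against vulnerability records that carry affected version ranges, so no packets are sent to controllers, and then audits host configuration for the practice-level weaknesses the step lists. The inventory, the hostnames, the `example-plc-firmware` product and the `EXAMPLE-FW-0001` identifier are constructed; the OpenSSL version range is Heartbleed's (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g).

```python
"""Passive vulnerability review of an ICS asset inventory (added example).

Rather than actively probing controllers, match a maintained inventory
(product and version per asset) against known vulnerabilities with
affected version ranges, and check each host's configuration for the
practice-level weaknesses the guide lists: shared administrative
accounts, missing anti-virus, missing host firewall. The inventory,
the hostnames and the second vulnerability record are constructed.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Split '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so numeric parts
    compare numerically and a letter suffix sorts after none: 1.0.1 < 1.0.1f."""
    parts = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(parts)


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str
    product: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

    def affects(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


@dataclass
class Asset:
    name: str
    software: dict                 # product -> installed version
    admin_accounts: tuple = ()     # accounts with local administrative rights
    antivirus: bool = False
    host_firewall: bool = False
    embedded: bool = False         # controllers cannot run AV or a host firewall


KNOWN_VULNS = [
    # Heartbleed: OpenSSL 1.0.1 up to and including 1.0.1f, fixed in 1.0.1g
    KnownVuln("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),
    # Constructed record for a fictional controller firmware line
    KnownVuln("EXAMPLE-FW-0001", "example-plc-firmware", "2.0", "2.4"),
]

# Constructed inventory: two Windows hosts and one controller
ASSETS = [
    Asset("HMI-1", {"openssl": "1.0.1f"}, ("operator",), antivirus=False, host_firewall=True),
    Asset("ENG-WS", {"openssl": "1.0.1g"}, ("operator", "jsmith"), antivirus=True, host_firewall=False),
    Asset("PLC-7", {"example-plc-firmware": "2.3"}, embedded=True),
]


def find_vulnerabilities(assets, known):
    """Return (asset name, finding) pairs: version-range matches, host-hardening
    gaps, and administrative accounts shared across more than one host."""
    findings = []
    admin_hosts = {}
    for a in assets:
        for product, version in a.software.items():
            for kv in known:
                if kv.affects(product, version):
                    findings.append((a.name, f"{kv.vuln_id}: {product} {version} is in the affected range"))
        if not a.embedded:
            if not a.antivirus:
                findings.append((a.name, "no anti-virus program installed"))
            if not a.host_firewall:
                findings.append((a.name, "host firewall disabled"))
        for acct in a.admin_accounts:
            admin_hosts.setdefault(acct, set()).add(a.name)
    # An admin account present on several hosts is a shared (group) credential
    for acct, hosts in admin_hosts.items():
        if len(hosts) > 1:
            for h in sorted(hosts):
                others = ", ".join(sorted(hosts - {h}))
                findings.append((h, f"administrative account '{acct}' is shared with {others}"))
    return findings


if __name__ == "__main__":
    for name, finding in find_vulnerabilities(ASSETS, KNOWN_VULNS):
        print(f"{name}: {finding}")
```

The `embedded` flag matters in practice: flagging a PLC for lacking anti-virus produces noise, since the control there is network segmentation rather than host software. The shared-account check works across the inventory rather than per host, which is why the "operator" account surfaces on both workstations even though each, taken alone, looks fine.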

Step 2: Identifying Threats

It is threats that turn a vulnerability into an incident. Threats may be coincidental or accidental, simple or complex, and the result of a wide range of motives. What they have in common is that they have the potential to harm assets, "e.g. unauthorized actions, physical damage, technical failures", as ISO/IEC 27005:2011 puts it. They also exploit vulnerabilities, and when specific vulnerabilities are known, it is possible to predict some of the early signs of threats against them. Each stage of a cyber attack typically consists of several steps, and by monitoring for those steps, attacks may be detected before an incident occurs.

Step 2: Identifying Threats (cont.)

Moving targets: the importance of regular review. Both vulnerabilities and threats evolve over time. This is most obvious with threats, with more than 200,000 new variants of malware (such as viruses, trojans or worms) identified every day. But it's true of vulnerabilities, too. First, new devices and applications bring with them new vulnerabilities. Second, vulnerabilities are discovered in areas previously believed to be secure. Again, Heartbleed, a flaw in code that was meant to increase security, showed that the security industry's strongest assumptions can be overthrown overnight. It is impossible to take anything for granted when it comes to cyber security. Since new vulnerabilities and threats emerge and are detected all the time, both must be continuously reviewed.

Step 2: Identifying Threats (cont.)

Understanding the relationship between threats and vulnerabilities. When threats align with vulnerabilities, the risk of a cyber incident increases significantly. Consider the example of a virus detected and quarantined by anti-virus software on a control room server. The threat (the virus) finds no vulnerability because the anti-virus software worked. But the episode still shows that malware is able to reach the server, which should be in a protected network. This raises questions of exposure: If known malware has been found, could unknown ("zero day") malware also be present? How was the malware introduced? Could the detected malware also have been introduced to other systems? The threat, although unsuccessful, still indicates the potential for infection and therefore contributes to the overall level of risk. The relationship between threats and vulnerabilities is complex, but with the right tools it can be both understood and managed.
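The detection idea in Step 2 (that the early steps of an attack can be spotted before an incident) and the quarantined-virus example above, as an added Python example that is not taken from the e-book or from any Honeywell product: it runs two checks over constructed firewall and anti-virus log lines, flagging a source that touches many control-protocol ports across several hosts in a short window (reconnaissance of the kind Shodan automates), and a quarantine on a host that sits in the protected control network. The log formats, IP addresses, zone map and threat name are assumptions made for the example.

```python
"""Early-warning detection over constructed ICS log lines (added example).

Two indicators from the guide: reconnaissance against control-system
protocol ports, which precedes any exploitation, and a quarantined virus
on a host inside the protected control network, an unsuccessful threat
that still shows the network is reachable. Log formats, addresses, zone
map and threat name are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# TCP ports of common ICS protocols: Modbus/TCP, DNP3, EtherNet/IP, S7comm
ICS_PORTS = {502, 20000, 44818, 102}

# Constructed zone map: hosts that belong in the protected control network
PROTECTED_HOSTS = {"10.10.1.5": "control-room-server", "10.10.1.6": "engineering-ws"}

# Constructed firewall log: one legitimate HMI poll and one external sweep
FIREWALL_LOG = """\
2015-05-14T08:00:01 ALLOW 192.168.5.20 -> 10.10.1.7:502
2015-05-14T08:00:02 DENY 203.0.113.9 -> 10.10.1.7:502
2015-05-14T08:00:02 DENY 203.0.113.9 -> 10.10.1.8:502
2015-05-14T08:00:03 DENY 203.0.113.9 -> 10.10.1.9:20000
2015-05-14T08:00:03 DENY 203.0.113.9 -> 10.10.1.9:44818
2015-05-14T08:00:04 DENY 203.0.113.9 -> 10.10.1.10:102
2015-05-14T09:30:00 ALLOW 192.168.5.20 -> 10.10.1.7:502
"""

# Constructed anti-virus log: one event in the protected zone, one outside it
AV_LOG = """\
2015-05-14T08:15:00 host=10.10.1.5 action=quarantined threat=W32.Example.Constructed
2015-05-14T08:16:00 host=192.168.5.40 action=quarantined threat=W32.Example.Constructed
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    detail: str


def parse_fw(line):
    """'<ts> <ALLOW|DENY> <src> -> <dst>:<port>' -> (ts, action, src, dst, port)."""
    ts, action, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), action, src, host, int(port)


def detect_ics_recon(fw_log, window=timedelta(seconds=60), min_targets=4):
    """Flag a source that reaches many distinct (host, ICS port) targets within
    `window`. Allowed and denied attempts both count: the sweep is the signal."""
    by_src = defaultdict(list)
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        ts, _, src, host, port = parse_fw(line)
        if port in ICS_PORTS:
            by_src[src].append((ts, (host, port)))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append(Alert("ics_recon", src,
                                    f"{len(targets)} distinct ICS targets within {window.seconds}s"))
                break  # one alert per source is enough
    return alerts


def detect_protected_zone_malware(av_log):
    """A quarantine on a protected host is an exposure finding even though the
    anti-virus worked: something delivered malware into the control network."""
    alerts = []
    for line in av_log.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("action") == "quarantined" and fields["host"] in PROTECTED_HOSTS:
            name = PROTECTED_HOSTS[fields["host"]]
            alerts.append(Alert("protected_zone_malware", name,
                                f"{fields['threat']} quarantined on {name}: establish how it was "
                                "introduced, whether other protected hosts saw it, and whether "
                                "unknown malware could have arrived the same way"))
    return alerts


def analyse(fw_log=FIREWALL_LOG, av_log=AV_LOG):
    return detect_ics_recon(fw_log) + detect_protected_zone_malware(av_log)


if __name__ == "__main__":
    for a in analyse():
        print(f"[{a.kind}] {a.subject}: {a.detail}")
```

Thresholds such as four targets in sixty seconds are tuning parameters, not facts: a legitimate HMI polls the same controller on the same port repeatedly, so the check counts distinct targets rather than raw connection attempts, and the example poll at 192.168.5.20 correctly produces nothing.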

Step 3: Measuring Consequences

The final piece: consequences put these threats and vulnerabilities into perspective. By identifying assets and the impact of a potential attack on them, you can determine the degree to which you should worry. A vulnerability that could take a printer offline, for example, is likely to be less of a concern than a successful attack on a safety system.

Measuring consequences is not straightforward. In many cases, they may correlate closely to costs, typically through lost production. However, consequences could be far wider, encompassing risks to personal safety, environmental damage, reputational impacts, legal liabilities or even, as we've seen, national security concerns.

Furthermore, interrelationships in the plant must again be recognized: the consequence of an incident can't be measured solely by the impact on the specific, compromised device. A cyber attack may cause a device or server to fail, but what if it obtains control of the device or server and uses it to cause far wider damage? The potential for impacts to spiral from the immediate effect of an initial breach is a vital part of any assessment of consequences.

Step 4: Bringing it Together: Measuring Risk

Understanding and addressing the preceding elements gives a plant what it needs to begin to make a realistic assessment of its risks:

- It will know the vulnerabilities to look out for.
- It will have put in place elements of threat detection, such as firewalls on the network and connected hosts, and virus protection.
- And it will have identified its most important assets and the potential consequences of an attack on them.

A solution now available to assist with ongoing situational awareness is Honeywell's Industrial Cyber Security Risk Manager. Risk Manager is the first solution to proactively monitor, measure and manage industrial cyber security risk, providing users at all levels with the real-time visibility, understanding and decision support required for action. With Risk Manager there is no need to be a cyber security expert. The easy-to-use interface allows users to prioritize and focus efforts on managing the risks that matter most for reliable plant operations.
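To show how the Risk = Vulnerability × Threat × Consequence formula from "Assessing the Risk" and the spiralling-consequence point from Step 3 combine across a plant, here is an added Python example; it is not code from the e-book or from Risk Manager. It scores each factor on a 0-1 scale, rejects scores off that scale, propagates consequence along "can control" relationships (so that a low-impact engineering workstation inherits the impact of the safety system it can program, and a cycle between an HMI and a PLC does not loop forever), and ranks assets by the product. The assets, scores and dependencies are constructed.

```python
"""Risk = Vulnerability x Threat x Consequence across a plant (added example),
with consequence propagated along control dependencies.

Each factor is scored on the same 0-1 scale. The consequence of an asset is
the worst of its own direct impact and the impact of anything it can control,
so a compromised engineering workstation inherits the consequence of the
safety system it can program. Assets, scores and dependencies are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    vulnerability: float   # how exploitable the asset is, 0-1
    threat: float          # likelihood an attack reaches it, 0-1
    direct_impact: float   # consequence if only this asset fails, 0-1
    controls: list = field(default_factory=list)  # names of assets it can drive


def _check_scale(x, what):
    """All factors must share one scale, or the products are not comparable."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{what} must be on the 0-1 scale, got {x}")
    return x


def effective_consequence(name, assets, _seen=None):
    """Worst impact reachable from `name` by following control relationships.
    `_seen` guards against cycles: an HMI and a PLC often reference each other."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return 0.0
    seen.add(name)
    a = assets[name]
    worst = _check_scale(a.direct_impact, f"{a.name}.direct_impact")
    for child in a.controls:
        worst = max(worst, effective_consequence(child, assets, seen))
    return worst


def risk_table(assets):
    """Rows of (name, vulnerability, threat, effective consequence, risk),
    highest risk first."""
    rows = []
    for a in assets.values():
        v = _check_scale(a.vulnerability, f"{a.name}.vulnerability")
        t = _check_scale(a.threat, f"{a.name}.threat")
        c = effective_consequence(a.name, assets)
        rows.append((a.name, v, t, c, v * t * c))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed plant: a printer, an HMI server and PLC that reference each
# other, an engineering workstation that can program the safety system
ASSETS = {a.name: a for a in [
    Asset("printer", 0.9, 0.5, 0.05),
    Asset("hmi-server", 0.6, 0.4, 0.3, ["plc-7"]),
    Asset("eng-ws", 0.7, 0.4, 0.2, ["plc-7", "safety-sis"]),
    Asset("plc-7", 0.8, 0.2, 0.6, ["hmi-server"]),
    Asset("safety-sis", 0.3, 0.1, 1.0),
]}


if __name__ == "__main__":
    print(f"{'asset':<12}{'vuln':>6}{'threat':>8}{'conseq':>8}{'risk':>8}")
    for name, v, t, c, r in risk_table(ASSETS):
        print(f"{name:<12}{v:>6.2f}{t:>8.2f}{c:>8.2f}{r:>8.3f}")
```

With these inputs the engineering workstation ranks first, although its own direct impact is only 0.2, because it can reach the safety system; without propagation its risk would be 0.7 × 0.4 × 0.2 = 0.056 and it would fall below the HMI server and the PLC. The printer, the most exploitable asset in the list, ranks last, which is the point of weighting by consequence.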

More about Cyber Security

For industrial organizations, identifying risks is the first stage of the journey to a more secure system in the face of increasing attacks. We'll consider the second stage in our forthcoming e-book on managing the risks.

For More Information

Meanwhile, for more information about cyber security, here are some more resources to help you:

The Essential Guide to Cyber Security: Download this to learn about the essentials of industrial cyber security and how to approach it.

Honeywell Whitepapers: Honeywell experts have published whitepapers on various elements of industrial cyber security. View the complete list.

Case Studies: Read and learn from our case studies to know the steps other industrial customers are taking to tackle cyber attacks.

Visit

May 2015