How To Manage Risk On A Scada System




Risk Management for Industrial Control Systems (ICS) and Supervisory Control Systems (SCADA)
Information for Senior Executives (Revised March 2012)

Disclaimer: To the extent permitted by law, this document is provided without any liability or warranty. Accordingly, it is to be used only for the purposes specified, and the reliability of any assessment or evaluation arising from it is a matter for the independent judgement of users. This document is intended as a general guide only and users should seek professional advice as to their specific risks and needs.

Introduction

This paper provides guidance for Board Members, Chief Executive Officers (CEOs), Senior Executives and Risk Managers on the development, implementation and review of risk management for industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in the management and operation of critical infrastructure. Organisations are encouraged to be proactive in assessing and managing risks to these systems and to the business processes that depend on them. Internationally, it is acknowledged that the cyber threat environment is escalating, with targeted attacks now capable of physically damaging infrastructure. To assist Australian organisations in addressing these risks, the IT Security Expert Advisory Group (ITSEAG) [1] of Australia's Trusted Information Sharing Network (www.tisn.gov.au) and its working group, the SCADA CoI [2], have revised the Generic SCADA Risk Management Framework (RMF). The RMF, developed in consultation with owners and operators, is a tool to assist organisations with SCADA systems in assessing their risk exposure and identifying measures to manage risk to an acceptable level.

Why is SCADA risk management important?

It is recognised internationally that, although SCADA systems are reliable, they are highly vulnerable and very difficult to secure. Senior executives need a clear understanding of the threats, vulnerabilities and associated risks to these systems. The challenges facing owners and operators, and the underlying reasons why SCADA systems are especially vulnerable, include increased connectivity and interconnection with other networks, interdependencies and supply chains, system complexity, and the continued use of legacy systems and devices that were not designed to withstand hostile network traffic. The Cross-Sector Roadmap for Cyber Security of Control Systems (30 September 2011), developed by the Industrial Control Systems Joint Working Group (ICSJWG) and facilitated by the US Department of Homeland Security's National Cyber Security Division (NCSD), discusses these issues in detail. Failure or disruption of the day-to-day delivery of essential services to the community could cause significant loss of brand and organisational reputation, and could lead to judicial action and penalties for non-compliance with regulatory requirements.

[1] The ITSEAG is one of two Expert Advisory Groups established within the Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience. The ITSEAG provides advice to the Critical Infrastructure Advisory Council (CIAC) and TISN Sector Groups (SGs) on IT security issues as they relate to critical infrastructure resilience. Members of the ITSEAG are information technology and e-security specialists from vendors and consultancy businesses, academic institutions and industry associations.

[2] The SCADA CoI is an industry-based Working Group of the ITSEAG and a forum for information sharing and collaboration aimed at enhancing the resilience of SCADA systems that support critical infrastructure.

Business drivers for integration with enterprise management systems have meant that SCADA systems have become interconnected with corporate networks and, directly or indirectly, with the internet. This integration often extends to remote access by operational staff, suppliers and external organisations, further exposing these systems to the network vulnerabilities and internet-borne threats that corporate IT already faces. Recent incidents demonstrate that a targeted cyber attack can penetrate traditional corporate cyber defences and cause physical harm to critical infrastructure. Traditional threat sources have evolved and now include nation states, with threats such as industrial espionage becoming more sophisticated and covert.

What is the Generic SCADA Risk Management Framework?

The RMF is a high-level document that provides a structured, standards-based approach to identifying and assessing risks for owners and operators of SCADA and industrial control systems. It can be tailored to suit a particular sector or organisation, and it gives guidance on how information security risks can be expressed simply and included within existing corporate risk management frameworks. The RMF draws on the standards AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines and ISO/IEC 27005:2011 Information Security Risk Management. As such, it is a tool that Senior Executives and Risk Managers can use to determine the risk exposures of their enterprise using a common language and terminology. A figure in the original document summarises the risk management process applied throughout the RMF.

The scope of the Generic SCADA Risk Management Framework

Business planning includes management strategies for financial, competitive, strategic, global, reputational, legal and community risks. These arrangements may omit other risk categories such as people; management and control measures; information management; communication and computer network connectivity; SCADA software, hardware and field devices; and interdependencies such as power/energy and water suppliers. These categories are also essential to the development of risk mitigation and to the ongoing functioning of a business. The Framework provides broad guidance to owners and operators of SCADA systems for managing their risks and is designed to be adaptable to the needs of different industry sectors. Use of the Framework by industry will contribute to improving the security of national critical infrastructure, with the potential to reduce costs. It identifies common enterprise-level risk factors through a validated Threat and Risk Assessment and outlines a generic Risk Treatment Plan for mitigating the identified risks.

What is the advantage of this Framework and a common approach?

The RMF is generic and, as such, is designed to be a useful tool for all owners and operators of critical infrastructure. The RMF clearly identifies the consequences of common points of failure, whether malicious, accidental, natural or environmental, and the major stakeholders responsible for them, with the aim of preserving the confidentiality, integrity and availability of SCADA ICT systems and the information they contain. These factors are stated in plain language, so that Boards, CEOs, Senior Executives and technical and operational personnel can agree on documentation, decisions and actions for their SCADA and industrial control systems that are:

- standards-based best practice;
- consistent with governance for corporate policies and practices, and for regulatory compliance; and
- cost effective.

What questions can you ask?

Board Members, CEOs, Senior Executives and Risk Managers should seek answers from Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and Engineering Managers to the following questions:

- Do we have a standards-based approach to managing the enterprise risks associated with our SCADA systems?
- Do our overall enterprise security policies and practices include SCADA and other industrial control systems as part of a holistic approach to managing enterprise vulnerabilities to communications, IT and other security risks?
- Is there appropriate top-down management for effective control and management of enterprise SCADA and industrial control systems within our security framework?
- Do our security policies and practices take into account how our corporate IT, our SCADA and industrial control systems, and our physical and personnel security policies and practices overlap?
- Do we monitor all our corporate security and privacy practices for regulatory compliance and industry good practice?
- How often does our organisation undertake vulnerability assessments of key business processes and the IT infrastructure that supports them?
- Do our IT security incident and emergency management processes include SCADA-specific handling and escalation procedures?

Summary

Risk management is a strategic element of a company's ongoing business planning. Good governance and regulatory compliance require that Board Members, CEOs, Senior Executives and Risk Managers mitigate the risks to these functions and to the ICT, ICS and SCADA systems that support them. SCADA and industrial control systems, along with the communication networks they use, are the central nervous system for a vast array of sensors, alarms and switches that provide automated control and monitoring of these functions. These functions and systems are increasingly exposed to harm and require protection from malicious cyber attack as well as from accidents. The RMF contains specific risk management guidance for Executives, Risk Managers, CIOs and CISOs and is available from www.tisn.gov.au.

For Further Information

The Department of Broadband, Communications and the Digital Economy provides Secretariat support to both the ITSEAG and the SCADA CoI. Enquiries regarding these groups, or requests for more information on the SCADA Generic Risk Management Framework, can be made by telephoning 02 6271 1595 or by emailing itseag@dbcde.gov.au or scada@dbcde.gov.au.