ICS Risk and Audit Methodology Project for Water Plant


hapyrary2003


Description

Use the template attached to develop a Risk and Audit Methodology project for a Water Plant. Consider this plant a critical utility run by Industrial Control System (ICS/SCADA) systems.

Unformatted Attachment Preview

Running Head: ICS Risk & Audit Methodology Project Template

ICS Risk & Audit Methodology Project Template for Water Plant
SEC6084
Your Name

Table of Contents
Description of Industry
Industrial Control System Processes Employed
Profile ICS Security Devices
   Create Diagrams of ICS Device Network
Identify, Measure, and Manage Risks
Identify Security Controls
   Apply ICS Security Best Practices
Identify Vulnerability Continuous Monitoring Strategy
Reference
Appendix
   Example: Industrial Incident or Accident
   Example: Disaster Recovery and Incident Response
   Example: Test Outputs
   Example: Vulnerability Scan Reports
   Example: Analysis Metrics from Tools
   Example: Presentations
   Example: Screenshots of Systems

List of Tables and Figures
Figure 1. Example: ICS System Documentation
Figure 2. Example: Security Solution Documentation

Description of Industry
1. What type of industry is this?
2. What is the importance of this industry to society?

Industrial Control System Processes Employed
1. List industrial control system processes specific to industry.
2. List the control systems that control those processes and how they control those processes.
3. Create a network diagram displaying the interconnections of the industrial control system devices listed in item 3.
   a. For example: Use ICS CERT CSET, Visio, Excel, Word, etc.

Profile ICS Devices
1. For each ICS device document:
   a. Logical Ports
      For example, 80, 443, etc. http://www.digitalbond.com/tools/the-rack/control-system-port-list/
   b. Protocols Running
      For example, SMTP, SNMP, DNP3, Modbus, Fieldbus, Ethernet, etc.
   c. Physical Connection Types
      For example, serial, RJ45, USB, parallel, etc. http://www.digitalbond.com/tools/the-rack/control-system-port-list/
   d. Default Accounts
      Research the manufacturer’s information on the device. Look for default account information to login with. Check “Default Password List” for an entry: http://www.defaultpassword.com/
   e. Services
      Research manufacturer’s information on the device and document services running.
   f. Authentication
      Research manufacturer’s website for the device and locate information on how the device authenticates users.
   g. Use of Encryption
      Research manufacturer’s website for the device and locate information about encryption. For example, does the device use encrypted connections? Is the back-end database encrypted? What type of encryption does it use? Is public/private key encryption like RSA?
   h. Logging Capability
      Research manufacturer’s website for the device and locate information about logging. Answer questions like is logging enabled? Are logs stored locally or remotely?
   i. Other Security Documentation
      Does the manufacturer have any security related documentation not provided above that would be of use?

Identify, Measure, and Manage Risks
1. Identify risks: Risk is a function of M, AV, T, and V:
   R = f (M, AV, T, V)
   R – risk, M – mission importance, AV – asset values, T – threats, V – vulnerabilities
2. “What”: what is the problem/challenge in managing risks and auditing the ICS? Explain how you might measure
   “Why”: why do you need and want to solve the problem?
   “How”: how do you economically solve it?

Identify Security Controls
1. Select security controls based on results from “Industrial Control System Processes Employed” and “Profile ICS Devices”: Reference either ICS CERT CSET or NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Apply ICS Security Best Practices
1. NIST 800-82, Industrial Control System Security, http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf
2. Identify unremediated risks and choose risk strategy: Accept risk, avoid risk, mitigate risk, share risk, transfer risk, combination. Reference: NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf

Identify Vulnerability Continuous Monitoring Strategy
1. Examples:
   a. Nessus - Bandolier modules.
   b. Metasploit – ICS exploits.
   c. Snort
   d. Nmap – Identify ICS “friendly” scans.
2. Are these IA certified tools? How so?
   a. For example:
      i. NIAP: https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm
      ii. Common Criteria: https://www.commoncriteriaportal.org/products/
   b. For example: Are these tools SCAP-compliant?
3. Create script rules for baselining each ICS system.
   a. For example scripts rules should audit:
      i. Installed programs.
      ii. Users, groups.
      iii. Shares.
      iv. Services.
      v. Processes.
      vi. Etc.

Reference

Appendix
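The baselining step in item 3 of the monitoring strategy above can be illustrated with a small drift check. This is an added example, not part of the original template or answer; the snapshot format, the category key names and the sample HMI workstation data are assumptions constructed for illustration, and collecting the snapshot from a real host is left out because it is platform-specific.

```python
import hashlib
import json

# Categories the template asks a baseline rule set to audit (key names assumed).
CATEGORIES = ("programs", "users", "groups", "shares", "services", "processes")

def fingerprint(snapshot):
    """SHA-256 over a canonical form, so a stored baseline can be checked for tampering."""
    canon = {c: sorted(set(snapshot.get(c, []))) for c in CATEGORIES}
    return hashlib.sha256(json.dumps(canon, sort_keys=True).encode()).hexdigest()

def diff_baseline(baseline, current):
    """Return {category: {"added": [...], "removed": [...]}} for categories that drifted."""
    drift = {}
    for cat in CATEGORIES:
        before, after = set(baseline.get(cat, [])), set(current.get(cat, []))
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            drift[cat] = {"added": added, "removed": removed}
    return drift

def report(baseline, current):
    """Flatten drift into 'category +item' / 'category -item' lines for an audit log."""
    lines = []
    for cat, change in diff_baseline(baseline, current).items():
        lines += [f"{cat} +{item}" for item in change["added"]]
        lines += [f"{cat} -{item}" for item in change["removed"]]
    return lines

# Constructed snapshots of a hypothetical HMI workstation (not real data).
BASELINE = {
    "programs": ["HMI Runtime 4.2", "Historian Client"],
    "users": ["operator", "engineer"],
    "groups": ["Operators", "Engineers"],
    "shares": [],
    "services": ["opc-server", "historian-agent"],
    "processes": ["hmi.exe", "opcsrv.exe"],
}
CURRENT = {
    "programs": ["HMI Runtime 4.2", "Historian Client", "Remote Desktop Tool"],
    "users": ["operator", "engineer", "support"],
    "groups": ["Operators", "Engineers"],
    "shares": ["export"],
    "services": ["opc-server"],
    "processes": ["opcsrv.exe", "hmi.exe"],  # same set, different order: no drift
}

if __name__ == "__main__":
    print("baseline sha256:", fingerprint(BASELINE))
    print("\n".join(report(BASELINE, CURRENT)) or "no drift")
```

Each reported line is a change to review against the approved change record: new software, accounts and shares on a control-system host matter as much as a monitoring service that has stopped running.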

Explanation & Answer

Please let me know if we need to address anything.

Running Head: DETROIT WATER AND SEWERAGE DEPARTMENT SCADA SYSTEM

Detroit Water and Sewerage Department (DWSD) SCADA System
Your Name
Professors Name
SEC6084
Submission Date

Table of Contents
Description of Industry
Industrial Control System Processes Employed
Profile ICS Devices
Identify, Measure, and Manage Risks
Identify Security Controls
Apply ICS Security Best Practices
Identify Vulnerability Continuous Monitoring Strategy
Summarized Conclusion
References

Description of Industry
Wastewater and water treatment plants operate within the United States water industry,
which is considered the largest diversified public/private utility company, sustains 3% annual
growth, and contributes $2.7 billion to the US economy. The process of operating a water plant
allows society to establish a process for extracting, eliminating and removing wastewater
pollutants and contaminants. The water industry defines operational governance over water
utility companies and wastewater treatment plants. The process by which water becomes recycled,
reusable and resold requires an information technology infrastructure that incorporates national
standards within the networking connectivity.
Industrial Control System Processes Employed
The city of Michigan has upgraded the monitoring and analytical capabilities of outdated
information technology processes and equipment at the Detroit Water and Sewerage Department.
The following is a list of industrial control system processes specific to the US water industry:
- water treatment equipment
- infrastructure and delivery equipment
- contract operations
- instruments and information systems
- analytical services
- consulting and design engineering services
- operational and maintenance services
The following list outlines the technological controls used within the pr...

