PureLand Wastewater Compliance Audit
Objective
This assignment requires the students to answer questions as might be encountered while
undergoing a compliance audit regarding Department of Homeland Security Chemical Facility
Anti-Terrorism Standards (CFATS) regulations. The students will play the role of a Cyber Security
consultant being audited by a DHS compliance inspector.
Instructions for assignment
1. Find your assigned question from the table below

Student Name    Assigned Question
Name 1          2.1
Name 2          2.2
Name 3          2.3
Name 4          2.4
Name 5          2.5
Name 6          2.6
Name 7          2.7
2. Using the Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards
document for reference, research and write an answer for one of the following questions (assigned
to you based on a random draw) from a DHS inspector conducting a site inspection. Consult your
team members if you need help. After the team has compiled all their answers, get ready to be
audited by the instructor. You’ll have 20 minutes to research and write your answer.
2.1. What systems listed on your PureLand Network Diagram do you consider to be the most critical
systems? Why did you pick these systems as most critical?
2.2. What do you feel are the most important elements of a successful change management
process? How will you ensure that changes made to the Cyber systems at PureLand
Wastewater won’t lead to Cyber Security Incidents?
2.3. Is there currently any segregation of systems at PureLand based on criticality of the systems? If
yes, please explain the segregation strategy. If not, please explain what plans are being
developed to segregate assets on the network based on risk.
2.4. What methods are used or planned for implementation to manage passwords? Is there any
differentiation in how end user and privileged (e.g., system administrator) accounts are
managed?
2.5. Is there currently any Cyber Security awareness and training program in place at PureLand? If
yes, please explain the frequency and method of documenting completion. If not, please
explain what topics will be included in your awareness program and how you plan to document
and track compliance.
2.6. What kinds of technical controls are being used at PureLand to prevent malware attacks? What
additional controls are planned for implementation within the next 24 months?
2.7. If PureLand was aware of a Cyber Security incident taking place at their facility, what is the
protocol for responding to and reporting the incident?
2.8. What measures does PureLand take (or plan to take) to secure Safety Instrumented Systems to
prevent Cyber Security incidents from causing a catastrophic event?
2.9. Does PureLand have an up to date inventory of hardware connected to their network? What is
included in the inventory? Is PureLand aware of new devices being added to the network?
What technology is used to gain awareness of what devices are connected to the network?
2.10. What do you feel is the greater risk driver for PureLand: Chemical theft or diversion, or release
of the Chemical of Interest, and why?
2.11. Provide some examples of areas you feel have physical security concerns related to cyber
assets along with brief explanations of why they have higher risk.
2.12. What are the requirements you will have for the person who will manage your cyber security
program?
2.13. Does PureLand use shared accounts for accessing computer systems? What are the risks
associated with use of shared accounts and how might you mitigate these risks?
2.14. Does PureLand use separation of duties as a security practice? What duties are separated or
planned to be separated and why?
2.15. What kinds of controls are in place to ensure access to devices or information is managed
appropriately? What processes are used or planned to manage changes to the workforce?
2.16. If PureLand had a Cyber Security Incident take place (for example, an APT penetration), who
would PureLand IT folks report the incident to internally and externally? How would they notify
the Department of Homeland Security?
PureLand Wastewater Treatment
Cyber Security Case Study
Company Summary
PureLand Wastewater Treatment Inc. (est. 2001) is a company providing years of experience in
all aspects of Wastewater Treatment with special emphasis on the Chemical Manufacturing and
Biological Fermentation industries. We are a flexible, responsive organization with a network of
resources to handle any size project. Each project is approached by utilizing our strong
sterilization and engineering skills while drawing on our background in Operations, Service,
Validation, and Quality to provide solutions for all of your Wastewater Treatment needs. We
provide personal attention to ensure customer satisfaction in all services and equipment we
supply.
Security Concerns
PureLand has special security concerns due to the highly toxic nature of some of the chemicals
they use to sterilize and treat wastewater streams for their customers. Although Physical Security
has always been on their radar and relatively strong, Cyber Security has not been something that
they were particularly concerned about. After all, the chemicals they use to do their work were
not proprietary so they had little concern about theft of intellectual property or trade secrets
being compromised.
All this changed recently when PureLand executives and operations folks were contacted by the
Department of Homeland Security (DHS) in regard to a particularly toxic chemical they use to
sanitize Wastewater in biologically hazardous processes: Chlorine Dioxide. DHS officials were
aware of their use of the chemical because of publicly available waste treatment permits
provided to PureLand by the EPA. As it turns out, Chlorine Dioxide is on the DHS Chemical
Facility Anti-Terrorism Standards (CFATS) list of chemicals of interest because of the risks
associated with chemical release or sabotage using this chemical. PureLand was aware Chlorine
Dioxide was a very dangerous chemical, but they had never considered Cyber Terrorism or theft
of the chemical for sabotage when completing prior risk assessments. The implications of this
were quite serious for PureLand, as they now are required by Federal law to comply with both
Physical and Cyber Security regulations related to their use of this chemical of interest. DHS
officials made PureLand aware of their obligations and informed them that they would be subject
to an audit by DHS within eighteen months that would assess their compliance with CFATS
regulations. If compliance was not achieved within 12 months of the initial audit, PureLand
would be subject to huge fines and penalties that could include closure of their facility.
PureLand Reaction
The PureLand Executives were quite alarmed by the news and immediately formed an internal
team to create a Cyber Security improvement and compliance plan. The team researched the
issue and reviewed the information provided by DHS around security standards. The first
objective was to use a tool provided by DHS to perform a Cyber Security Self Evaluation on
their computing systems. The hope was that by using this free tool, they could get some insight
on the most critical Cyber Security gaps that existed and potentially provide a road map on
where to focus their security improvement plan. A team of system administrators, security
professionals, and management representatives worked on the Cyber Security Self Evaluation
over a period of two days.
Cyber Security Self Evaluation Results
The results of the Self Evaluation were very disturbing for the entire team. The evaluation
reported varying levels of compliance from 0% to 100%, but it was very clear that they had their
work cut out for them. The leadership team met with the IT staff and their IT Security Analyst,
and it was decided that they didn’t have the internal staffing or appropriate skillset to implement
the needed security improvements within one year. The decision was made to hire an outside
consultant to help devise and implement a Cyber Security improvement plan that would achieve
these critical objectives:
1. Reduce their risk from Cyber Security incidents to an acceptable level
2. Achieve compliance with CFATS regulations
3. Minimize negative impacts to production and safety
Path Forward
As the outside consultant, it’s your job to lead the effort to create the Cyber Security
improvement plan per the objectives laid out in the accompanying document: Developing Cyber
Security Improvement Plan for Industrial Control System - Case Study.
You’ll focus your efforts by studying the PureLand Cyber Security Assessment which includes
various tables and charts indicating the areas of most concern. PureLand has contracted you to
provide two major deliverables for this contract:
1. Industrial Control System Cyber Security Improvement Plan (Detailed requirements
included in document – ICS security improvement case description)
2. Presentation to key stakeholders one week prior to formal plan presentation
PureLand Chemical Network Diagram
[Figure: network diagram, image not reproduced. Labels recoverable from the figure: Business LAN,
Supervisory Network, Process Control, Control System, Field System, Internet, Other Facility,
Vendor Support, Endpoints, SCADA, Historian, Database, Email, Business Services, Web Server,
ICCP Master, HMI, MTU, IED/PLC, Sanitizer Feed Tank (COI), Wastewater Treatment. Link labels:
TCPIP Protocol, ICCP Protocol.]
PureLand Cyber Security Assessment
1/1/2014
Assessor: Luke Reissman
Disclaimer
This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not
provide any warranties of any kind regarding any information contained within. In no event shall the United States
Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect,
special or consequential damages and including damages based on any negligence of the United States Government or
its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not
based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of,
or reliance upon the report.
The DHS does not endorse any commercial product or service, including the subject of the assessment or evaluation in
this report. Any reference to specific commercial products, processes, or services by trademark, manufacturer, or
otherwise, does not constitute or imply its endorsement, recommendation, or favoring by DHS.
The display of the DHS official seal or other DHS visual identities on this report shall not be interpreted to provide the
recipient organization authorization to use the official seal, insignia or other visual identities of the Department of
Homeland Security. The DHS seal, insignia, or other visual identities shall not be used in any manner to imply
endorsement of any commercial product or activity by DHS or the United States Government. Use of the DHS seal
without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DHS’s policies
governing usage of the seal.
The report is prepared and intended for internal use by the organization that made the request. The contents of this
report may be subject to government or private intellectual property rights. To request distribution of this report outside
the organization for which it was prepared, contact the CSET® Program Office. The contents of this report may be
reproduced or incorporated into other reports, but may not be modified without the prior express written permission of the
CSET® Program Office.
Advisory
CSET is only one component of the overall cyber security picture and should be complemented with a robust cyber security program
within the organization. A self-assessment with CSET cannot reveal all types of security weaknesses, and should not be the sole
means of determining an organization’s security posture.
The tool will not provide an architectural analysis of the network or a detailed network hardware/software configuration review. It is not a
risk analysis tool so it will not generate a complex risk assessment. CSET is not intended as a substitute for in depth analysis of control
system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a
holistic approach including facility walk downs, interviews, and observation and examination of facility practices. Consideration should
also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production
systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.
CSET assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from
operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject
matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to
effectively answer all the questions.
Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to
their sensitivity.
TABLE OF CONTENTS
Assessment Information
Description Of Assessment
Executive Summary
Standards Compliance
Network Diagram
Ranked Subject Areas
ASSESSMENT INFORMATION
Assessment Name: PureLand Cyber Security Assessment
Assessment Date (MM/DD/YYYY): 1/1/2014
Facility Name: PureLand Wastewater Treatment Plant
City or Site Name: Kalamazoo
State, Province or Region: MI
Principal Assessor Name: Luke Reissman
Assessor E-mail: luke.x.reissman@wilmu.edu
Assessor Telephone: 302-555-1212
Additional Notes and Comments:
Contact(s):
DESCRIPTION OF ASSESSMENT
Fictitious Cyber Security Self Evaluation
EXECUTIVE SUMMARY
Cyber terrorism is a real and growing threat. Standards and guides have been developed, vetted, and widely accepted to assist with
protection from cyber attacks. The Cyber Security Evaluation Tool (CSET) includes a selectable array of these standards for a tailored
assessment of cyber vulnerabilities. Once the standards were selected and the resulting question sets answered, the CSET created a
compliance summary, compiled variance statistics, ranked top areas of concern, and generated security recommendations.
STANDARDS COMPLIANCE
NETWORK DIAGRAM
RANKED SUBJECT AREAS
This chart shows subject areas needing the most attention. Each bar represents the labeled subject area’s weighted contribution so
that the combined total always equals 100%. The weighted contribution includes the importance of both the question and the subject
area, as well as the percentage of missed questions in that subject area.