Running Head: ICS Risk & Audit Methodology Project Template ICS Risk & Audit Methodology Project Template for Water Plant SEC6084 Your Name 1 ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE 2 Table of Contents Description of Industry ...................................................................................................................X Industrial Control System Processes Employed .............................................................................X Profile ICS Security Devices ..........................................................................................................X Create Diagrams of ICS Device Network ...........................................................................X Identify, Measure, and Manage Risks ……………………………………………………………X Identify Security Controls ...............................................................................................................X Apply ICS Security Best Practices .....................................................................................X Identify Vulnerability Continuous Monitoring Strategy.................................................................X Reference ........................................................................................................................................X Appendix ............................................................................................................................. X Example: Industrial Incident or Accident ...………………………………………………...X Example: Disaster Recovery and Incident Response…….. ……………………………...X Example: Test Outputs........................................................................................................X Example: Vulnerability Scan Reports .................................................................................X Example: Analysis Metrics from Tools ..............................................................................X Example: Presentations .......................................................................................................X Example: Screenshots of Systems ......................................................................................X ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE 3 List of Tables and Figures Figure 1. Example: ICS System Documentation ............................................................................X Figure 2. Example: Security Solution Documentation ...................................................................X ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE 4 Description of Industry 1. What type of industry is this? 2. What is the importance of this industry to society? Industrial Control System Processes Employed 1. List industrial control system processes specific to industry. 2. List the control systems that control those processes and how they control those processes. 3. Create a network diagram displaying the interconnections of the industrial control system devices listed in item 3. a. For example: Use ICS CERT CSET, Visio, Excel, Word, etc. Profile ICS Devices 1. For each ICS device document: a. Logical Ports For example, 80, 443, etc. http://www.digitalbond.com/tools/the-rack/control-system-port-list/ b. Protocols Running For example, SMTP, SNMP, DNP3, Modbus, Fieldbus, Ethernet, etc. c. Physical Connection Types For example, serial, RJ45, USB, parallel, etc. http://www.digitalbond.com/tools/the-rack/control-system-port-list/ d. Default Accounts: Research the manufacturer’s information on the device. Look for default account information to login with. Check “Default Password List” for an entry: http://www.defaultpassword.com/ e. Services Research manufacturer’s information on the device and document services running. f. Authentication Research manufacturer’s website for the device and locate information on how the device authenticates users. ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE 5 g. Use of Encryption Research manufacturer’s website for the device and locate information about encryption. For example, does the device use encrypted connections? Is the back-end database encrypted? What type of encryption does it use? Is public/private key encryption like RSA? h. Logging Capability Research manufacturer’s website for the device and locate information about logging. Answer questions like is logging enabled? Are logs stored locally or remotely? i. Other Security Documentation Does the manufacturer have any security related documentation not provided above that would be of use? Identify, Measure, and Manage Risks 1. Identify risks: Risk is a function of M, AV, T, and V: R = f (M, AV, T, V) R – risk, M – mission importance, AV – asset values, T – threats, V – vulnerabilities 2. “What”: what is the problem/challenge in managing risks and auditing the ICS? Explain how you might measure “Why”: why do you need and want to solve the problem? “How”: how do you economically solve it? Identify Security Controls 1. Select security controls based on results from “Industrial Control System Processes Employed” and “Profile ICS Devices”: Reference either ICS CERT CSET or NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf Apply ICS Security Best Practices 1. NIST 800-82, Industrial Control System Security, http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE 2. Identify unremediated risks and choose risk strategy: Accept risk, avoid risk, mitigate risk, share risk, transfer risk, combination. Reference: NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf Identify Vulnerability Continuous Monitoring Strategy 1. Examples: a. Nessus - Bandolier modules. b. Metasploit – ICS exploits. c. Snort d. Nmap – Identify ICS “friendly” scans. 2. Are these IA certified tools? How so? a. For example: i. NIAP: https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm ii. Common Criteria: https://www.commoncriteriaportal.org/products/ b. For example: Are these tools SCAP-compliant? 3. Create script rules for baselining each ICS system. a. For example scripts rules should audit: i. Installed programs. ii. Users, groups. iii. Shares. iv. Services. v. Processes. vi. Etc. 6 ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE Reference 7 ICS RISK & AUDIT METHODOLOGY PROJECT TEMPLATE Appendix 8 1 Running Head: WATER PLANT INDUSTRY Water Plant Industry Description of the industry The type of industry Water is a very vital resource in the world. It is not equally distributed; meaning that all human beings do not have equal access to water. Water plant industry refers to the industry that provides water for drinking; both for human and animal consumption, as well as waste water 2 Running Head: WATER PLANT INDUSTRY services which include the treatment of sewage water to industrial, residential and commercial sectors of the economy. This industry also includes waste water plant construction, water engineering, equipment supply, operations, specialist water treatment chemicals, waste water and water plant construction, among many others (Water industry, 2011). A largest percentage of industries rely largely on water industry for their operations and processes. Water industry has played a key role in ensuring that all the other industries achieve their goal. Food industry is a good example of those industries that rely on water industry for their operations. The food sector relies on water industry to produce beverages which include the bottled water. This is to mean that, all the suppliers and manufacturers of bottled water are also in water industry. Statistics show that in 2015, the consumption of bottled water per capita in the United States of America totaled to36.5 gallon. Water industry is the type of industry that is relied upon by all the living creatures. Various organizations and industries use water industry for most of their operations. Water is life and therefore ensures the continuity and sustainability of the other industries. Importance of water industry to the society As noted earlier, water is a very important factor in life. Without water, earth could not have been a comfortable place for both human beings and animals. Therefore, water industry has played a very vital role in promotion of life and to the society at large. It has been a great challenge for the industry to convince the public that wastewater can be treated and become useful once again. The industry has been of great importance to the society whereby it has gone ahead with the recycling of wastewater. This has greatly helped those regions that suffer from 3 Running Head: WATER PLANT INDUSTRY water scarcity. Once the waste water has been recycled, the problem of water scarcity in some parts of the country has been half-solved. With the availability of recycled water by the water industry, the use of external water sources has been minimized hence enhancing water savings. This has ensured that processes like food manufacturing does not stop due to lack of water (Water industry, 2011).. Water industry has also played a very important role by ensuring that the world’s economy keeps on increasing and moving forward. It is through this industry that activities such as fishing, irrigation, agriculture and transportation of goods and services have been made possible. By all that, ecosystem has been supported largely by this irrigation. Therefore in other words, this industry has greatly promoted life to the later. Apart from food manufacturing, this industry has also contributed greatly to the success of other industries such as the acids manufacturing industries. For these acids to be manufactured, water is a very key component that must feature in. For both the sulphuric and nitric acid to be produced, water is integral factor for the entire industrial process to be successful. This industry ensures that there is water availability needed for industrial process. Whenever these processes take place, a lot of heat is produced and therefore this water is useful in cooling the machines in industries and factories. Water is therefore used in industries for fabrication, lubrication, cleaning, smelting and cooling of machines. 4 Running Head: WATER PLANT INDUSTRY Water plant industries aid in treatment of sewage, water treatment, conservation and then distribution. It helps in distributing water to those places which do not receive adequate rainfall hence saving lives from drought and famine. As seen earlier, water industry aids in provision of water for drinking by enhancing its quality through the treatment of sewage. Alongside that, it provides wastewater services to various sectors of economy which include commercial, residential and industrial sectors. Sewage treatment also helps in controlling waste pollution in the society hence ensuring that the environment is safe and conducive for all the people and animals both living in the land and in the waters (Arceivala & Asolekar, 2007). 5 Running Head: WATER PLANT INDUSTRY Water industry has also played a very big role in the production of electricity. Electricity production relies greatly in water. Electricity is another important component which is equally important to water. It is actually used everywhere. Most of the processes require electricity in order to be successful. Through provision of water by this industry, sanitation has been improved in various communities whereby this industry has taken the initiative of creating awareness on proper hygiene to both the individuals and communities (Wintgens, Li & Kazner, 2013) Water plant industry has also developed new ways of collecting and storing rain water for example through the construction of dams. Additionally, it has formulated policies that govern the use and conservation of water in the society. Above all, it has created employment opportunities to people. Many jobless people have secured a job in this industry. This has helped in improving the standard of living among people through which the global standard of living has been attained. People of all specialization and specification have been employed in this industry to provide workforce and a successful running of the entire industry. Industrial control processes employed The control system processes specific to this industry This industry employs some Industrial Control Systems (ICS) which include the Supervisory Control and Data Acquisition (SCADA). These two technologies ensure that the functionality and operation of the control systems in this industry (Groves & Azagra, 2012). The control systems that control these processes and how they control them 6 Running Head: WATER PLANT INDUSTRY The industry has control systems such as ICS and SCADA which are used to monitor and control all the operations taking place in the industry. These control systems also ensure that the functionality of the whole industrial process is maintained. These systems also contain traditional IT elements which ensure the security of the whole process. It is there to provide protection and detect any cyber attacks that could make the whole process to collapse or not to function as intended. Distributed Control Systems (DCS) together with Programmable Logic Controllers (PLC) are also examples of control systems used in water industry. The DCSs ensure that the production systems are controlled within the industry while the PLCs aid in controlling specific applications and providing the regulatory control generally. A network diagram displaying the interconnections of the industrial control system devices The following diagram shows the interconnections of the industrial control system devices. The diagram clearly shows that this device has different levels. The levels include the field level, the direct control level, the plant supervisory level, the production level and the production scheduling level. 7 Running Head: WATER PLANT INDUSTRY 8 Running Head: WATER PLANT INDUSTRY References: Groves, D., & Azagra, E. (2012). Bridging the Gap between IT and SCADA Systems in the Water Sector. Journal - American Water Works Association, 104, 26-29. http://dx.doi.org/10.5942/jawwa.2012.104.0035 Water industry. (2011). Teddington, Richmond upon Thames [England]. Wintgens, T., Li, Y., & Kazner, C. (2013). Water Resources and Industry. Water Resources and Industry, 1-2, iv-v. http://dx.doi.org/10.1016/j.wri.2013.08.001 Arceivala, S., & Asolekar, S. (2007). Wastewater treatment for pollution control and reuse. New York, N.Y.: McGraw-Hill Education LLC.
Purchase answer to see full attachment