DeltaV Security Don’t Let Your Business Be Caught Without It SRR-MS-2011-00057


Page 1: DeltaV Security - Don’t Let Your Business Be Caught Without It

DeltaV Security

Don’t Let Your Business Be Caught Without It

SRR-MS-2011-00057

Page 2

Presenters

Randy Pratt

Greg Stephens

Page 3

Introduction

Randy – Emerson Process Management, Austin, TX; travels the world providing expertise to customers

Page 4

Introduction

Greg – Where is the Savannah River Site? What goes on there?

Page 5

Introduction

Cybersecurity risks change rapidly

Nearly everyone knows they need to be secure

Few really know how to assess and address well

The key: strive for a strategy and effective actions

Communication of risks in business terms is crucial

Page 6

The Landscape

Not the way to appear in the newspaper…

Page 7

Introduction

Provide basic tools – you will need to do more

Demonstrate and discuss use of the tools

Work through strategy definition

Discuss and suggest plans to address risks

Help you look at the issues from other perspectives

Page 8

Facts

There is notably a lot of Fear, Uncertainty and Doubt (FUD) propagated about automation system cyber security.

Step back and take a look at the things you know for certain:

– Your process automation system is a productivity tool and likely determines whether you can profitably make your product or not.

– A lot of your company’s intellectual property is embodied in your automation system, perhaps to the point of trade secrets, etc.

Page 9

Facts

ICS (Industrial Control System) as a cyber target is no longer an abstract “we’ll worry about it when it happens” thing (and maybe never was). Stuxnet, Night Dragon, etc. are harsh indicators that the ICS has come to be recognized as a high-value target, whether for industrial and business reasons or for strategic political ones.

Because of the United States’ extensive reliance on control systems and connectivity, a bad actor might see an opportunity for an economic attack where a military attack wouldn’t be considered.

Page 10

Facts

More than any other country, the US Military relies heavily on private business for products and services. Attacking those private businesses could hamper military efforts.

In some parts of the world, cyber crime can be a physical threat. Imagine having to pay a ransom to regain full control of your system.

The current US government’s will to regulate cyber security is low. Current business lobbying efforts to minimize government regulation are high.

Page 11

Facts

Bottom line: there are a lot of reasons you should consider protecting your systems, no matter how mundane or critical your product is. But don’t wait for government regulation to force you into it.

Since you are attending this session, you probably don’t need to be sold on the idea of protecting your system. But the above points might help sell it to your management if they aren’t on board.

Page 12

The Simple Facts

Page 13

Where do I Start?

There are a number of standards, though most are short on explicit steps to take. If you are subject to a regulatory agency, then you probably know what you have to do, but not how.

3rd parties offer helpful services, but there are certain things that you’ll have to do yourself regardless. They are in it for a profit. Not necessarily a bad thing, but unless you take a hands-on approach they might sell you something you don’t need.

Model the effort on something you already know.

Page 14

Basic Tools & Terms

Cybersecurity Risk Assessment – Terminology

Vulnerability – Flaw or Weakness that may lead to an undesired consequence

Risk – Characterization of the likelihood and severity of consequence

Risk Assessment identifies and characterizes

Page 15

The Model

Assess

– Perform Risk Assessment & Gap Analysis

– Establish Areas and Vectors

– Determine Targets

Change

– Align Areas and Vectors to Acceptable Levels

– Confirm results

– New Security Level

Maintain

– Periodically Assess

– Update

– Stay Current

Page 16

The Model – Likelihood vs Consequence

[Figure: 2×2 risk matrix with Likelihood on the vertical axis and Consequence on the horizontal axis; quadrants in reading order: Moderate Risk, High Risk, Low Risk, Moderate Risk]

Page 17

The Model – Probability vs Impact

Probability            Impact
4 = Very Likely        4 = Severe Impact
3 = Likely             3 = Major Impact
2 = Not Likely         2 = Minor Impact
1 = Beyond Unlikely    1 = No Impact

Page 18

The Model – Probability vs Impact

Vector                                Probability
Internet, Wireless (Open)             4 = Very Likely
Internet, Wireless (Password)         3 = Likely
Internet, Wireless (Authenticated)    2 = Not Likely
No Outside Connection                 1 = Beyond Unlikely

Page 19

The Model – Probability vs Impact

Impact          1 = No Impact    2 = Minor Impact                3 = Major Impact    4 = Severe Impact
Public View     Ok               Tarnished                       Recoverable         Lost Confidence
Environmental   Ok               Damaged                         Broken              Destroyed
Personnel       Ok               First Aid, Medical Treatment    Hospitalization     Fatality
Production      No Loss          Minor Loss                      Moderate Loss       Major Loss

Page 20

The Model – Risk Matrix
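As an added example (not from the slides, and not Emerson’s or DeltaV’s own tooling), the scoring model of the preceding three slides carried through in Python: probability is taken from the connection vector, impact is the worst score across the four consequence categories, each asset is placed on the matrix, and the inventory is ranked for the gap analysis. The scale values are the ones on the slides; the Low/Moderate/High split at the midpoint of each 1–4 scale and the five-asset inventory are constructed assumptions for illustration.

```python
"""Qualitative ICS risk scoring with the vector -> probability and
category -> impact scales from the session slides. Added example;
the asset inventory and the matrix split are constructed assumptions."""
from dataclasses import dataclass

# Probability by connection vector (slide "Vector / Probability")
PROBABILITY = {
    "Internet, Wireless (Open)": 4,           # Very Likely
    "Internet, Wireless (Password)": 3,       # Likely
    "Internet, Wireless (Authenticated)": 2,  # Not Likely
    "No Outside Connection": 1,               # Beyond Unlikely
}

IMPACT_LABELS = {1: "No Impact", 2: "Minor Impact", 3: "Major Impact", 4: "Severe Impact"}

# Worst credible outcome per category, index+1 is the impact score (slide "Impact")
IMPACT_SCALES = {
    "Public View": ["Ok", "Tarnished", "Recoverable", "Lost Confidence"],
    "Environmental": ["Ok", "Damaged", "Broken", "Destroyed"],
    "Personnel": ["Ok", "First Aid, Medical Treatment", "Hospitalization", "Fatality"],
    "Production": ["No Loss", "Minor Loss", "Moderate Loss", "Major Loss"],
}


def impact_score(category, outcome):
    """Map an outcome in one consequence category to its 1-4 impact score."""
    return IMPACT_SCALES[category].index(outcome) + 1


@dataclass
class Asset:
    name: str
    vector: str
    outcomes: dict  # category -> worst credible outcome if the asset is compromised


def assess(asset):
    """Return (probability, impact, risk_level) for one asset.
    Impact is the worst category score. The split at >= 3 on each axis is an
    assumption that reproduces the 2x2 Low/Moderate/High layout of the slides."""
    p = PROBABILITY[asset.vector]
    i = max(impact_score(c, o) for c, o in asset.outcomes.items())
    high_p, high_i = p >= 3, i >= 3
    if high_p and high_i:
        level = "High"
    elif high_p or high_i:
        level = "Moderate"
    else:
        level = "Low"
    return p, i, level


def prioritize(assets):
    """Rank assets by risk level, then by probability x impact, highest first."""
    order = {"High": 2, "Moderate": 1, "Low": 0}
    scored = [(a.name, *assess(a)) for a in assets]
    return sorted(scored, key=lambda r: (order[r[3]], r[1] * r[2]), reverse=True)


def render_matrix(assets):
    """Plain-text 4x4 matrix (probability rows, impact columns) with each asset
    in the cell it lands in, for the management discussion."""
    cells = {}
    for a in assets:
        p, i, _ = assess(a)
        cells.setdefault((p, i), []).append(a.name)
    header = "P\\I  " + "  ".join(f"{i}:{IMPACT_LABELS[i]:<13}" for i in range(1, 5))
    lines = [header]
    for p in range(4, 0, -1):
        row = [", ".join(cells.get((p, i), [])) or "-" for i in range(1, 5)]
        lines.append(f"{p}    " + "  ".join(f"{c:<15}" for c in row))
    return "\n".join(lines)


# Constructed sample inventory (illustrative names and outcomes only)
SAMPLE_ASSETS = [
    Asset("Batch reactor controller", "Internet, Wireless (Open)",
          {"Personnel": "Hospitalization", "Production": "Major Loss", "Environmental": "Damaged"}),
    Asset("Historian server", "Internet, Wireless (Open)",
          {"Public View": "Tarnished", "Production": "No Loss"}),
    Asset("Engineering laptop", "Internet, Wireless (Authenticated)",
          {"Production": "Moderate Loss", "Public View": "Recoverable"}),
    Asset("Isolated safety PLC", "No Outside Connection",
          {"Personnel": "Fatality"}),
    Asset("Lab test rig", "Internet, Wireless (Authenticated)",
          {"Production": "Minor Loss", "Public View": "Ok"}),
]

if __name__ == "__main__":
    for name, p, i, level in prioritize(SAMPLE_ASSETS):
        print(f"{level:<9} P={p} I={i}  {name}")
    print(render_matrix(SAMPLE_ASSETS))
```

Note what the ranking shows: the isolated safety PLC still lands in Moderate because a fatality outcome keeps impact at 4 even though the vector scores 1, which is the kind of result worth putting in front of management without overplaying it.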

Page 21

Participant Interaction

Risk Matrix Construction

Business Considerations

Management Attention

Avoid the Urge to Overplay the Risk

Page 22

Business Results Achieved

Cybersecurity Risk Assessment – Part of Business Model

Better understanding of risks

Control system is hardened against cyber attacks

More likely to get attention if using disciplined approach

Page 23

Summary

We have provided a framework for Assessments

Each business has to count the cost – all are different

Feedback from participants

Anything we did not cover or you would like to ask

Page 24

Where To Get More Information

Department of Homeland Security – www.us-cert.gov

Emerson Process Management

Your Local Business Partner

Consulting services

Other Exchange Sessions