Red Trident offers ICS cyber security services for SCADA and other Industrial Control Systems. Supervisory Control and Data Acquisition (SCADA) networks perform many key functions in delivering services that we as Americans often take for granted. Unfortunately, SCADA and other ICS networks are vulnerable to disruption of service and manipulation of operational data. The cybersecurity threats to ICS networks remain high, so securing this infrastructure is critical.
ICS Cyber Security is one of those things that you may not want to think about, but you must be smart and you must be prepared. Surprisingly, as many as 75 percent of breaches go undiscovered for weeks and sometimes months. According to a survey reported by Computer World, 90% of the nearly 600 businesses surveyed responded that their organizations’ computers had been breached by hackers within the past 12 months.
Fundamentally, can you answer these questions?
Understanding where you are and where you want to be as an organization is critical to success. Without a clear plan and target state, project budgets are not easily aligned, and uneven application of security across the enterprise and out-of-control costs are the natural consequence. Executives need to be able to answer these three questions quickly:
Cyber Vulnerability Assessments (CVA) – Scanning infrastructure components for vulnerabilities, both known and unknown. Different types of scanners are available, and which one is best is determined during initial discussions between the customer and the people performing the assessment. Multiple types of vulnerability assessments may be performed, using both passive and active techniques to strike a sound balance between generating vulnerability information and limiting risk to production:
Penetration Testing – An extension of CVA, a classic penetration test may involve simply leveraging a vulnerability assessment. The list of results is then taken, and each entry is tested to see how far into the network the respective vulnerability would permit an attacker to go. Additionally, penetration tests may be performed against applications, firmware, chipsets, network cards, or other devices. RTI penetration tests extend this basic concept to understand how and why OT environments may be compromised through three attacker profiles:
Social Engineering – Social engineering assessments consist of several types.
A GAP Analysis is a description of which security controls are in place for any given framework(s) versus which controls are missing, either to align fully with the framework(s) or to provide adequate security. Both full alignment with a framework and adequate security controls may be moving targets. This ‘moving targets’ concept implies that the gap may be under control ‘today’ but then increase again as changes are made to the infrastructure.
Two things need to be understood to adequately perform a GAP Analysis.
Once this information has been obtained, any controls in place are documented against the control lists of the agreed-upon frameworks. The gaps are then determined and documented. Further, the team performing the analysis will also provide feedback on controls that may be required above and beyond the framework GAP Analysis.
It is important to understand that frameworks are a ‘low bar’ for compliance and security and are not always enough to adequately protect networks and the information traversing them.
The Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership effort that was established to improve electricity sub-sector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The C2M2 helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities.
Implementation of or evaluation against an existing C2M2 Program will leverage three Cybersecurity Capability Maturity Models:
Our team may assist in performing GAP Analysis Assessments against one or more of these capability and maturity models, or assist with engineering and implementing a complete compliance program for your IT and/or OT networks.
RTI can assist in creating Red Team programs for organizations that run continuously or for a pre-determined duration. Traditionally, Red Teaming extends anywhere from 6 to 18 months and includes physical security testing, social engineering, penetration testing, assessments, and a variety of other agreed-upon activities to accomplish a specific goal, for example successfully gaining access to an executive’s office to plant a network attack device. This may provide controls testing, configuration management testing, and stress testing for infrastructure.
Red team events may also aid in training and practice for SOC teams and HIRT teams. They can also serve as demonstrations for engineers, so they gain a better understanding of what an attack on the infrastructure they are building may look like and to what lengths attackers may go to infiltrate applications and systems.
RTI can assist with understanding how a business’s infrastructure may respond to a significant cyber-attack. Further, it may be prudent to have a third party evaluate what kind of response plan is in place, how adequate it is, and how well it is executed during high-stress events.
A comprehensive security program includes not only preventative security architectures, but also robust detective and reactive controls. All of these work in concert to provide total system protection.
Incident Response Preparedness includes:
BCP plan evaluations are performed in a similar manner to the GAP Analysis Assessments. The baseline of ‘what is in place’ should be fully understood, and all of the components evaluated from the BCP documentation. This includes the overall BCP and DR plans. The following are areas of focus when evaluating the documentation:
Once the documentation is thoroughly understood, the RTI team can determine whether the information contained within it is still up to date and accurate (e.g., analyzing inventories for accuracy, and analyzing components listed in the plan to confirm they are ‘as described’ in their current state). The team will then make sure no other gaps exist in the current plan, confirm that whatever plans are in place will still achieve the business objectives listed in the documentation, and check that those objectives still make sense. These types of evaluations may require attention from management teams, board members, network engineers, and process engineers.