Cyber Assessments

Aligning a company's priorities and budgets within the organization's high-level threat landscape

Red Trident offers ICS cyber security services for SCADA and other Industrial Control Systems. Supervisory Control and Data Acquisition (SCADA) networks perform many key functions in providing services that we as Americans often take for granted. Unfortunately, SCADA and other ICS networks are vulnerable to disruption of service and to manipulation of operational data. The cybersecurity threats to ICS networks remain high, so the need to secure this infrastructure is critical.

ICS Cyber Security is one of those things that you may not want to think about, but you must be smart and you must be prepared. Surprisingly, as many as 75 percent of breaches go undiscovered for weeks and sometimes months. According to a survey on Computer World, 90% of the nearly 600 businesses surveyed responded that their organizations’ computers had been breached by hackers within the past 12 months.

Fundamentally, can you answer these questions?

  • Do you know how to tell if your networks and OT environment have been compromised?
  • Do you have a Disaster Recovery Plan in place?
  • Are you aware of the vulnerabilities that exist on your network?

Cyber Assessments

Understanding where you are and where you want to be as an organization is critical to success. Without a clear plan and target state, project budgets are not easily aligned, and inconsistent application of security across the enterprise and out-of-control costs are a natural consequence. Executives need to be able to answer these three questions quickly:

  • Where are we currently as an organization against regulatory obligations, industry-recognized standards and guidance, and our own organization-defined values (ODV)?
  • What strategy do we implement to ensure a consistent rollout of security at the most efficient cost?
  • Does our organization have the right people, process, and technology to adequately prevent, detect, and respond to rapidly evolving cyber threats?

Cyber Vulnerability Assessments (CVA) – Scanning infrastructure components for vulnerabilities both known and unknown. Different types of scanners are available, and which one is best is determined during initial discussions between the customer and the people doing the assessment. There are multiple types of vulnerability assessments that may be performed, using both passive and active techniques to ensure a solid balance between generating vulnerability information and limiting risk to production:

  • System Scanning – where network gear is scanned (firewalls, servers, endpoints, IoT devices, OT devices, etc.).
  • Application Scanning – where applications running on the network are tested for specific types of well-known vulnerabilities. Typically, these would involve ports 80 and 443 but may involve other ports that the applications are known to be using.
    • SAST – Static Application Security Testing is performed while an application or system is not running. This means the code itself or firmware itself is thoroughly analyzed.
    • DAST – Dynamic Application Security Testing is performed while an application or system is running. The system is exercised, and weaknesses are noted.
    • IAST – Interactive Application Security Testing consists of some combination of SAST and DAST strategies.
  • ICS Protocol Assessment – are OT devices susceptible to harmful manipulation by using native ICS protocols launched from unauthorized locations?

Penetration Testing – An extension of CVA. A classic penetration test may simply build on a vulnerability assessment: the list of results is taken, and each entry is tested to see how far into the network that vulnerability would permit an attacker to go. Additionally, penetration tests may be performed against applications, firmware, chipsets, network cards, or other devices. RTI penetration tests extend this basic concept to understand how and why OT environments may be compromised, using three attacker profiles:

  • External Attacker – Attackers from the Internet with no prior system knowledge. How do they gain insight, what can they learn, and what can they accomplish based on your attack surface?
  • Client-Side Attack – How most attacks today initiate. How susceptible are you to threats including social engineering, malware, rootkits, botnets, browser hijacking, or ransomware?
  • Insider Threat – Insider threats stretch even the best defenses. How are your internal systems prepared to prevent, detect, and respond to insider threats?

Social Engineering – Social engineering assessments consist of several types.

  • Vishing – Where an assessor makes phone calls to the pre-determined list of targets and attempts to extract key information or access to the victims’ devices.
  • Phishing – Where an assessor emails a pre-determined list of targets and attempts to extract key information or get the victim to run an application.
  • Physical – Where a team of assessors physically attempt to enter a facility and gain access to a list of pre-determined targets or flags.

A GAP Analysis is a description of what security controls are in place for any given framework(s) versus what controls are missing, either to align fully to the framework(s) or to provide adequate security. Both full alignment to a framework and adequate security controls may be moving targets. This ‘moving targets’ concept implies that the gap may be under control ‘today’, but then increase again as changes are made to the infrastructure.

Two things need to be understood to adequately perform a GAP Analysis.

  1. The first is a thorough understanding of which information security frameworks the organization is trying to, or is required to, adhere to. This information may be supplied for review, or our team may go out and discuss what the network engineers have been doing to address security in order to determine which frameworks may best fit the organization.
  2. The second is a thorough understanding of what information security controls are in place throughout the infrastructure. Many types of processes are available to help gather or produce this information. In OT environments it may not be prudent to make connections to the network, so a walkdown approach is performed: the infrastructure is visually reviewed with minimal hands-on-keyboard testing to verify what is being stated, or has been stated, by the infrastructure management team. In IT environments, performing active assessments may be appropriate. This exercises the controls in place and also validates their configurations, confirming that they function properly.

Once this information has been obtained, the controls in place are documented against the control lists of the agreed-upon frameworks. The gaps are then determined and documented. Further, the team performing the analysis will also provide feedback on what controls may be required that go above and beyond the framework GAP Analysis.

It is important to understand that frameworks are a ‘low bar’ for compliance and security and are not always enough to adequately protect networks and the information traversing them.

The Cybersecurity Capability Maturity Model (C2M2) program is a public-private partnership effort that was established to improve electricity sub-sector cybersecurity capabilities, and to understand the cybersecurity posture of the grid. The C2M2 helps organizations—regardless of size, type, or industry—evaluate, prioritize, and improve their own cybersecurity capabilities.

Implementation of or evaluation against an existing C2M2 Program will leverage three Cybersecurity Capability Maturity Models:

  • Cybersecurity Capability Maturity Model (C2M2) (Energy Sector)
  • Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Energy)
  • Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2)

Our team may assist in performing GAP Analysis Assessments against one or more of these capability and maturity models, or assist with engineering and implementing a complete compliance program for your IT and/or OT networks.

RTI can assist in creating Red Team programs for organizations that can run continuously or for a pre-determined duration. Traditionally, Red Teaming extends anywhere from 6 to 18 months and includes physical security testing, social engineering, penetration testing, assessments, and a variety of other agreed-upon activities to accomplish a specific goal; for example, successfully gaining access to an executive’s office to plant a network attack device. This may provide controls testing, configuration management testing, and stress testing for infrastructure.

Red team events may also aid in training and practice for SOC teams, HIRT teams, and function as demonstrations for engineers so they may gain a better understanding of what an attack on the infrastructure they are building may look like and to what length attackers may go to infiltrate applications and systems.

RTI can assist with understanding how a business’s infrastructure may respond to a significant cyber-attack. Further, it may be prudent to have a third party evaluate what kind of response plan is in place, how adequate it is, and how well it is performed during high-stress events.

A comprehensive security program includes not only preventative security architectures, but also robust detective and reactive controls. All of these work in concert to provide total system protection.

Incident Response Preparedness includes:

  • Penetration Testing and Red Teaming to evaluate the ability to correctly detect security events
  • Tabletop exercises and drills to evaluate and inventory skill gaps in security operations centers
  • Evaluation of the overall effectiveness and capability of people, processes, and technology to respond to cyber events
  • Alignment of Business Continuity Plans to respond effectively to cyber events

BCP plan evaluations are performed in a similar manner to the GAP Analysis Assessments. The baseline of ‘what is in place’ should be fully understood, and all of the components evaluated from the BCP documentation. This includes the overall BCP and DR plans. The following are areas of focus when evaluating the documentation:

  • Personnel
  • Communications
  • Technology Issues
  • Facilities
  • Electronic Payment systems
  • Liquidity Concerns
  • Financial Disbursement
  • Manual Operations
  • Data Recovery
  • Backups
  • and business tolerance for each of these areas

Once the documentation is thoroughly understood, the RTI team can determine if the information contained within it is still up to date and accurate (e.g., analyzing inventories for accuracy, analyzing components listed in the plan to assure they are ‘as described’ in their current state). The team will then make sure no other gaps exist in the current plan, and assure that whatever plans are in place will still be able to achieve the business objectives as they are listed in the documentation and that those objectives still appear to make sense. These types of evaluations may require attention from management teams, board members, network engineers, and process engineers.

Let's Connect

904 Gemini Ave, Houston, TX 77058


© 2021 Red Trident. All Rights Reserved.
