Status Review: SCADA Cyber Self-Assessment (SCySAG) Working Group

Description:

Collaborating to Advance Control System Security. Status Review ... Ron Melton. Decisive Analytics Corporation. ron.melton_at_dac.us. Candace Sands. EMA ... – PowerPoint PPT presentation

1
Status Review: SCADA Cyber Self-Assessment
(SCySAG) Working Group
  • Brian Isle
  • March 6, 2007
  • Brian.isle_at_adventiumlabs.org
  • https://www.pcsforum.org/groups/68

2
Workshop Agenda
  • Review of the SCySAG activities and results
  • Status of requirements gap analysis for SCADA
    cyber security self assessment tools/methods
  • Gather input on priority of requirements gaps

3
Why SCySAG?
  • Pressing need to understand our SCADA cyber
    security readiness
  • What is the complete list of SCADA cyber security
    assessment requirements?
  • Which requirements are relevant to my sector?
  • How do IT and SCADA cyber security assessment
    differ?
  • What SCADA assessment requirements are unmet by
    existing tools and methodologies?

4
SCySAG Objective
  • Enable the development and use of the best
    possible next generation of self administered
    tools and methodologies for the assessment of the
    cyber security readiness of the process control
    systems.

By the term SCADA, we mean .. encompassing all
types of manufacturing plants and facilities, as
well as other processing operations such as
utilities, pipelines and transportation systems
or other industries which use automated or
remotely controlled assets.
5
SCySAG Core Team
  • Garill Coles, Pacific Northwest National
    Laboratory, Garill.Coles_at_pnl.gov
  • Mark C. Morgen, 3M - Optical Systems Division,
    mark.morgen_at_mmm.com
  • Carol Muehrcke, Cyber Defense Agency, LLC,
    cmuehrcke_at_cyberdefenseagency.com
  • Matt Earley, Decisive Analytics Corporation,
    matt.earley_at_dac.us
  • Ron Melton, Decisive Analytics Corporation,
    ron.melton_at_dac.us
  • Candace Sands, EMA, csands_at_ema-inc.com
  • Brian Isle, Adventium Labs,
    brian.isle_at_adventiumlabs.org
  • Cliff Glantz, Pacific Northwest National
    Laboratory, cliff.glantz_at_pnl.gov

6
SCySAG Approach
  • Identify SCADA/PCS-unique characteristics:
    Identify the set of SCADA-unique characteristics
    that one would expect to be addressed by tools or
    methodologies for cyber self assessment for these
    types of systems.
  • Select tools/methodologies: Compiled a set of
    cyber security self-assessment tools/methodologies
    that we will consider as representative of the
    best available.
  • Identify Requirement Gaps: Compare coverage by
    the tools/methodologies identified in Step 2 to
    Step 1 to identify gaps
  • Work to Fill Gaps: Prioritize and fill the high
    priority requirement gaps

7
SCySAG Expected Impact
  • The results of this effort can be used by:
    • Tool and methodology vendors to develop, deploy,
      and maintain an assessment solution
    • SCADA/PCS system vendors to create more secure
      systems
    • Standards bodies and groups
    • Owner/operators developing/validating their
      internal policies and procedures

8
Resources and Reports
  • List of Source Material
    • See VA_Tool_list_v4.0.xls
  • SCySAG interim report
    • See Summary of SCADA Cyber Self-Assessment
      Methods and Tools Survey
  • Tool and Methodology summary reports
    • See 9 summary reports
  • Tool and Methodology coverage matrix
    • See Methodology-Tools_analysis_V01.xls
  • Ten reasons IT is different than PCS
    • See Top 10 list of the differences between IT.doc

https://www.pcsforum.org/groups/68/library/
9
List of Source Material
  • 100 entries (a pretty good list, but not
    comprehensive)
    • Tools
    • Methodologies
    • Standards
    • Reports
    • Guidelines
  • See VA_Tool_list_v4.0.xls
  • https://www.pcsforum.org/groups/68/library/

10
Sources of SCADA/PCS Unique Characteristics
11
Tools/Methodologies Summarized
12
Tool/Methodology Analysis Summary
  • Tools/methodologies are reviewed per SCADA/PCS
    Unique characteristics
  • Findings are documented in a summary format
  • Developed a Template for tools methodology
    review
    • 15 general questions
    • 19 Cyber specific questions
    • Technical coverage of SCADA/PCS unique elements
  • Planning external review by tool authors

13
Analysis Covers 15 General Questions
  • Overview
  • Assessment Process Features
    • Data Collection Approach
    • Detailed Operator Guidance
    • Results
    • Support for Ongoing Assessment Program
  • Applicability
    • Target Organization
    • Scope of Assessment
    • Coverage of Cyber Security
    • Target Audience for Results
  • Deployment Considerations
    • Learning curve
    • Cost
    • Schedule
    • Technical requirements
    • Installed base
    • Vendor support

14
Analysis Covers 19 SCADA/PCS-Cyber Topics
15
Example of Technical Coverage Summary VSAT
16
Summary Matrix Format
17
CS2SAT Initial Impressions
  • Intuitive to use (for IT tool experts)
  • Broadly applicable, including manufacturing
  • Requires multi-disciplinary assessment team (this
    is good)
  • Includes mitigation recommendations, references
    the standards
  • Self contained on CD
  • Able to select appropriate standards
  • Reports can be customized

18
CS2SAT Initial Impressions (continued)
  • Component level view point
  • Lacks system view
  • Questions can become repetitive
  • Consequences are at global level
    • Side note: Consequences for cyber are difficult
      to assess
  • Doesn't provide comparison over time
  • Threat (i.e. adversaries) is not addressed
  • Less coverage for policy and planning
    • Risk Management and Implementation
    • Incident Planning and Response
  • Currently covers 3 standards

19
Gather input on priority of requirements gaps
20
Process: Objective and Desired Outcome
  • Objective
    • Identify the 3 to 5 highest priority cyber
      security assessment requirement gaps for each
      sector
      • water and waste water,
      • chemicals,
      • refining and petrochemical,
      • oil and gas,
      • cross-sector.
    • Capture the reasoning behind the prioritization

SCySAG will use the results to prioritize next
steps
21
Process - Steps
  • Five tables: water and waste water, chemicals,
    refining and petrochemical, oil and gas, and
    cross-sector.
  • Each table has
    • Facilitator
    • Copies of the matrix with white, gray, and green
      spaces denoted
    • Large colored stickies
    • Black markers
  • Each table will
    • Discuss and prioritize the un-met requirements
      for their sector
    • Capture the reasoning behind the prioritization
    • Summarize the results
  • A spokesperson for each table will
    • Briefly describe the priorities
    • Briefly describe reasoning for prioritization
    • Update the master chart with priorities

22
Process - Each Table
  • Review the white and gray spaces for your sector
    (10 min.)
  • Discuss and prioritize the white and gray spaces
    (20 min.)
    • Which would be the most valuable to your sector
      to have covered with tools and support?
      Suggested criteria:
      • 1) Perceived threat
      • 2) Impact if exploited
    • Identify the top 3 to 5 areas for your sector
  • Capture the reasoning behind the prioritization
    (20 min.)
    • Why are the top 3 to 5 the most valuable?
    • Write 2-3 reasons for each on big stickies
  • A spokesperson for each table will (25 min.)
    • Briefly describe the priorities and reasoning
    • Update the master chart with priorities
  • Observations, feedback, and wrap-up (5 min.)

23
Contact Information
  • Brian Isle, WG Chair, Adventium Labs,
    brian.isle_at_adventiumlabs.org
  • Tel 612-716-5604
  • Carol Muehrcke, co-Chair, Cyber Defense Agency,
    LLC, cmuehrcke_at_cyberdefenseagency.com
  • Tel 651-770-6736