Title: Status Review SCADA Cyber Self-Assessment SCySAG Working Group
1 Status Review: SCADA Cyber Self-Assessment (SCySAG) Working Group
- Brian Isle
- March 6, 2007
- Brian.isle_at_adventiumlabs.org
- https://www.pcsforum.org/groups/68
2 Workshop Agenda
- Review of the SCySAG activities and results
- Status of requirements gap analysis for SCADA cyber security self assessment tools/methods
- Gather input on priority of requirements gaps
3 Why SCySAG?
- Pressing need to understand our SCADA cyber security readiness
  - What is the complete list of SCADA cyber security assessment requirements?
  - Which requirements are relevant to my sector?
  - How do IT and SCADA cyber security assessment differ?
  - What SCADA assessment requirements are unmet by existing tools and methodologies?
4 SCySAG Objective
- Enable the development and use of the best
possible next generation of self administered
tools and methodologies for the assessment of the
cyber security readiness of the process control
systems.
By the term SCADA, we mean .. encompassing all
types of manufacturing plants and facilities, as
well as other processing operations such as
utilities, pipelines and transportation systems
or other industries which use automated or
remotely controlled assets.
5 SCySAG Core Team
- Garill Coles, Pacific Northwest National Laboratory, Garill.Coles_at_pnl.gov
- Mark C. Morgen, 3M - Optical Systems Division, mark.morgen_at_mmm.com
- Carol Muehrcke, Cyber Defense Agency, LLC, cmuehrcke_at_cyberdefenseagency.com
- Matt Earley, Decisive Analytics Corporation, matt.earley_at_dac.us
- Ron Melton, Decisive Analytics Corporation, ron.melton_at_dac.us
- Candace Sands, EMA, csands_at_ema-inc.com
- Brian Isle, Adventium Labs, brian.isle_at_adventiumlabs.org
- Cliff Glantz, Pacific Northwest National Laboratory, cliff.glantz_at_pnl.gov
6 SCySAG Approach
- Identify SCADA/PCS-unique characteristics: Identify the set of SCADA-unique characteristics that one would expect to be addressed by tools or methodologies for cyber self assessment for these types of systems.
- Select tools/methodologies: Compiled a set of cyber security self-assessment tools/methodologies that we will consider as representative of the best available.
- Identify Requirement Gaps: Compare coverage by the tools/methodologies identified in Step 2 to Step 1 to identify gaps
- Work to Fill Gaps: Prioritize and fill the high priority requirement gaps
7 SCySAG Expected Impact
- The results of this effort can be used by:
  - Tool and methodology vendors to develop, deploy, and maintain an assessment solution
  - SCADA/PCS system vendors to create more secure systems
  - Standards bodies and groups
  - Owner/operators developing/validating their internal policies and procedures
8 Resources and Reports
- List of Source Material
  - See VA_Tool_list_v4.0.xls
- SCySAG interim report
  - See Summary of SCADA Cyber Self-Assessment Methods and Tools Survey
- Tool and Methodology summary reports
  - See 9 summary reports
- Tool and Methodology coverage matrix
  - See Methodology-Tools_analysis_V01.xls
- Ten reasons IT is different than PCS
  - See Top 10 list of the differences between IT.doc
https://www.pcsforum.org/groups/68/library/
9 List of Source Material
- 100 entries (a pretty good list, but not comprehensive)
  - Tools
  - Methodologies
  - Standards
  - Reports
  - Guidelines
- See VA_Tool_list_v4.0.xls
- https://www.pcsforum.org/groups/68/library/
10 Sources of SCADA/PCS Unique Characteristics
11 Tools/Methodologies Summarized
12 Tool/Methodology Analysis Summary
- Tools/methodologies are reviewed per SCADA/PCS Unique characteristics
- Findings are documented in a summary format
- Developed a Template for tools and methodology review
  - 15 general questions
  - 19 Cyber specific questions
  - Technical coverage of SCADA/PCS unique elements
- Planning external review by tool authors
13 Analysis Covers 15 General Questions
- Assessment Process Features
- Data Collection Approach
- Detailed Operator Guidance
- Results
- Support for Ongoing Assessment Program
- Applicability
- Target Organization
- Scope of Assessment
- Coverage of Cyber Security
- Target Audience for Results
- Deployment Considerations
- Learning curve
- Cost
- Schedule
- Technical requirements
- Installed base
- Vendor support
14 Analysis Covers 19 SCADA/PCS-Cyber Topics
15 Example of Technical Coverage Summary: VSAT
16 Summary Matrix Format
17 CS2SAT Initial Impressions
- Intuitive to use (for IT tool experts)
- Broadly applicable, including manufacturing
- Requires multi-disciplinary assessment team (this is good)
- Includes mitigation recommendations, references the standards
- Self contained on CD
- Able to select appropriate standards
- Reports can be customized
18 CS2SAT Initial Impressions (continued)
- Component level view point
- Lacks system view
- Questions can become repetitive
- Consequences are at global level
  - Side note: Consequences for cyber are difficult to assess
- Doesn't provide comparison over time
- Threat (i.e. adversaries) is not addressed
- Less coverage for policy and planning
  - Risk Management and Implementation
  - Incident Planning and Response
- Currently covers 3 standards
19 Gather input on priority of requirements gaps
20 Process Objective and Desired Outcome
- Objective
  - Identify the 3 to 5 highest priority cyber security assessment requirement gaps for each sector:
    - water and waste water,
    - chemicals,
    - refining and petrochemical,
    - oil and gas,
    - cross-sector.
  - Capture the reasoning behind the prioritization
SCySAG will use the results to prioritize next steps
21 Process - Steps
- Five tables: water and waste water, chemicals, refining and petrochemical, oil and gas, and cross-sector.
- Each table has:
  - Facilitator
  - Copies of the matrix with white, gray, and green spaces denoted
  - Large colored stickies
  - Black markers
- Each table will:
  - Discuss and prioritize the un-met requirements for their sector
  - Capture the reasoning behind the prioritization
  - Summarize the results
- A spokesperson for each table will:
  - Briefly describe the priorities
  - Briefly describe reasoning for prioritization
  - Update the master chart with priorities
22 Process - Each Table
- Review the white and gray spaces for your sector (10 min.)
- Discuss and prioritize the white and gray spaces (20 min.)
  - Which would be the most valuable to your sector to have covered with tools and support? Suggested criteria:
    - 1) Perceived threat
    - 2) Impact if exploited
  - Identify the top 3 to 5 areas for your sector
- Capture the reasoning behind the prioritization (20 min.)
  - Why are the top 3 to 5 the most valuable
  - Write 2-3 reasons for each on big stickies
- A spokesperson for each table will (25 min.)
  - Briefly describe the priorities and reasoning
  - Update the master chart with priorities
- Observations, feedback, and wrap-up (5 min.)
23 Contact Information
- Brian Isle, WG Chair, Adventium Labs, brian.isle_at_adventiumlabs.org
  - Tel: 612-716-5604
- Carol Muehrcke, co-Chair, Cyber Defense Agency, LLC, cmuehrcke_at_cyberdefenseagency.com
  - Tel: 651-770-6736