Description of Industry
1. What type of industry is this?
2. What is the importance of this industry to society?
Industrial Control System Processes Employed
1. List industrial control system processes specific to industry.
2. List the control systems that control those processes and how they control those processes.
3. Create a network diagram displaying the interconnections of the industrial control system devices listed in item 3.
a. For example: Use ICS CERT CSET, Visio, Excel, Word, etc.
Running Head: ICS Risk & Audit Methodology Project Template
ICS Risk & Audit Methodology Project Template for Water Plant
SEC6084
Your Name
Table of Contents
Description of Industry
Industrial Control System Processes Employed
Profile ICS Security Devices
Create Diagrams of ICS Device Network
Identify, Measure, and Manage Risks
Identify Security Controls
Apply ICS Security Best Practices
Identify Vulnerability Continuous Monitoring Strategy
Reference
Appendix
  Example: Industrial Incident or Accident
  Example: Disaster Recovery and Incident Response
  Example: Test Outputs
  Example: Vulnerability Scan Reports
  Example: Analysis Metrics from Tools
  Example: Presentations
  Example: Screenshots of Systems
List of Tables and Figures
Figure 1. Example: ICS System Documentation
Figure 2. Example: Security Solution Documentation
Description of Industry
1. What type of industry is this?
2. What is the importance of this industry to society?
Industrial Control System Processes Employed
1. List industrial control system processes specific to industry.
2. List the control systems that control those processes and how they control those processes.
3. Create a network diagram displaying the interconnections of the industrial control system devices listed in item 3.
a. For example: Use ICS CERT CSET, Visio, Excel, Word, etc.
Profile ICS Devices
1. For each ICS device document:
a. Logical Ports
For example, 80, 443, etc.
http://www.digitalbond.com/tools/the-rack/control-system-port-list/
b. Protocols Running
For example, SMTP, SNMP, DNP3, Modbus, Fieldbus, Ethernet, etc.
c. Physical Connection Types
For example, serial, RJ45, USB, parallel, etc.
http://www.digitalbond.com/tools/the-rack/control-system-port-list/
d. Default Accounts
Research the manufacturer’s information on the device. Look for default account information to log in with. Check the “Default Password List” for an entry:
http://www.defaultpassword.com/
e. Services
Research the manufacturer’s information on the device and document the services running.
f. Authentication
Research the manufacturer’s website for the device and locate information on how the device authenticates users.
g. Use of Encryption
Research the manufacturer’s website for the device and locate information about encryption. For example, does the device use encrypted connections? Is the back-end database encrypted? What type of encryption does it use? Is it public/private key encryption such as RSA?
h. Logging Capability
Research the manufacturer’s website for the device and locate information about logging. Answer questions such as: is logging enabled? Are logs stored locally or remotely?
i. Other Security Documentation
Does the manufacturer have any security-related documentation not covered above that would be of use?
Identify, Measure, and Manage Risks
1. Identify risks:
Risk is a function of M, AV, T, and V:
R = f(M, AV, T, V)
where R is risk, M is mission importance, AV is asset values, T is threats, and V is vulnerabilities.
2. Explain how you might measure:
“What”: what is the problem/challenge in managing risks and auditing the ICS?
“Why”: why do you need and want to solve the problem?
“How”: how do you economically solve it?
Identify Security Controls
1. Select security controls based on results from “Industrial Control System Processes Employed” and “Profile ICS Devices”:
Reference either ICS CERT CSET or NIST 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Apply ICS Security Best Practices
1. NIST 800-82, Industrial Control System Security,
http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft.pdf
2. Identify unremediated risks and choose a risk strategy: accept risk, avoid risk, mitigate risk, share risk, transfer risk, or a combination.
Reference: NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf
Identify Vulnerability Continuous Monitoring Strategy
1. Examples:
a. Nessus – Bandolier modules.
b. Metasploit – ICS exploits.
c. Snort
d. Nmap – Identify ICS “friendly” scans.
2. Are these IA certified tools? How so?
a. For example:
i. NIAP: https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm
ii. Common Criteria: https://www.commoncriteriaportal.org/products/
b. For example: Are these tools SCAP-compliant?
3. Create script rules for baselining each ICS system.
a. For example scripts rules should audit:
i. Installed programs.
ii. Users, groups.
iii. Shares.
iv. Services.
v. Processes.
vi. Etc.
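One way to turn the baselining step above into a working script rule, as an added example rather than anything from the template: take a snapshot of the audit items it lists (installed programs, users, groups, shares, services, processes), store it as the approved baseline, and on later runs report only what was added or removed. The collector commands assume a Linux host with dpkg and systemd; on a Windows ICS workstation the same drift logic would be fed by the equivalent PowerShell queries.

```python
"""Added example for the template's 'script rules for baselining' step (not part of
the template): snapshot the audit items it lists and report drift from a stored,
approved baseline. Collectors assume a Linux host; drift logic is OS-neutral."""
import json
import subprocess
from typing import Dict, Set

Snapshot = Dict[str, Set[str]]

def parse_colon_db(text: str) -> Set[str]:
    """Names from /etc/passwd or /etc/group style text (first colon-separated field)."""
    return {ln.split(":")[0] for ln in text.splitlines() if ln and not ln.startswith("#")}

def parse_listing(text: str) -> Set[str]:
    """One item per non-empty line, as produced by dpkg-query, systemctl, ps or cat."""
    return {ln.strip() for ln in text.splitlines() if ln.strip()}

def run(cmd) -> str:
    """Run a collector command; a missing tool yields an empty listing, not a crash."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.SubprocessError):
        return ""

def collect_live() -> Snapshot:
    """Snapshot the local host. Processes churn between runs, so review that
    category by hand rather than treating every change as an incident."""
    return {
        "programs": parse_listing(run(["dpkg-query", "-W", "-f=${Package}\n"])),
        "users": parse_colon_db(run(["cat", "/etc/passwd"])),
        "groups": parse_colon_db(run(["cat", "/etc/group"])),
        "shares": parse_listing(run(["cat", "/etc/exports"])),
        "services": parse_listing(run(["systemctl", "list-unit-files", "--type=service", "--no-legend", "--plain"])),
        "processes": parse_listing(run(["ps", "-eo", "comm="])),
    }

def drift(baseline: Snapshot, current: Snapshot) -> Dict[str, Dict[str, Set[str]]]:
    """Per-category items added to or removed from the host since the baseline.
    An empty result means the host still matches its approved baseline."""
    report = {}
    for cat in sorted(set(baseline) | set(current)):
        added = current.get(cat, set()) - baseline.get(cat, set())
        removed = baseline.get(cat, set()) - current.get(cat, set())
        if added or removed:
            report[cat] = {"added": added, "removed": removed}
    return report

def save_baseline(snap: Snapshot, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({k: sorted(v) for k, v in snap.items()}, fh, indent=2)

def load_baseline(path: str) -> Snapshot:
    with open(path, encoding="utf-8") as fh:
        return {k: set(v) for k, v in json.load(fh).items()}

if __name__ == "__main__":
    import os, sys
    path = sys.argv[1] if len(sys.argv) > 1 else "ics_baseline.json"
    now = collect_live()
    if not os.path.exists(path):  # first run: record the approved state
        save_baseline(now, path)
    else:
        for cat, d in drift(load_baseline(path), now).items():
            print(cat, "added:", sorted(d["added"]), "removed:", sorted(d["removed"]))
```

Run it once on a freshly commissioned host to write the baseline, then schedule it; any non-empty drift report (a new local user, a vanished service) is what the audit should review.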
Reference
Appendix
Proceedings of the International Conference on Information Security and Cyber Forensics, Kuala Terengganu, Malaysia, 2014
Developing Cyber Forensics for SCADA Industrial Control Systems
Joe Stirland (Airbus Group), Kevin Jones (Airbus Group), Helge Janicke (De Montfort University), and Tina Wu
Joe.stirland@eads.com, kevin.jones@eads.com, heljanic@dmu.ac.uk
ABSTRACT
A large number of industries, including critical national infrastructure (electricity, gas, water, etc.) and manufacturing firms, rely heavily on computer systems, networks, control systems, and embedded devices in order to provide safe and reliable operations. These networks can be very complex and are often bespoke to the types of product the industries may provide. In recent years we have seen a significant rise in malicious attacks against such systems, ranging from sophisticated intelligent attacks to simple tool-based delivery mechanisms. With the rise in the reliance on industrial control networks and of course the increasing attacks, the lack of security monitoring and post-incident forensic analysis of SCADA networks is becoming increasingly apparent. SCADA systems forensics is not like standard enterprise file-system forensics; the forensic specialist often has to be an expert in such systems/networks and SCADA-related devices in order to identify where potential forensic evidence could be located. This paper looks at SCADA/industrial control systems, typical attacks and vulnerabilities, problems with forensic analysis and the development of a forensic methodology/toolkit for such systems.
KEYWORDS
SCADA, ICS, Cyber Forensics, Cyber Security
1. INTRODUCTION
Industrial Control Systems (ICS) and specifically Supervisory Control and Data Acquisition (SCADA) are the underpinning technologies that ensure the operation and functionality of control systems used in many industries, including Critical National Infrastructure (CNI), for example electricity grids, water treatment facilities, hospitals, and transport networks. In recent years there has been an increasing number of attacks directly targeting these systems [1], including the well-publicised Stuxnet APT [2], Flame [3], and Havex [4]. Control systems used in businesses have also been found to be the entry point for major security breaches, as was the case with Target [5] receiving malware through its heating, ventilating, and air conditioning (HVAC) system. Therefore, there is a need to be able to undertake post-incident forensic analysis of these systems to determine: if a breach has occurred, the extent to which the system is compromised, what functional operations and assets are affected, how the breach or incident occurred, and, if possible, work towards attribution.
ISBN: 978-1-941968-01-7 ©2014 SDIWC
Unfortunately, whilst ICS/SCADA systems do contain elements of traditional IT systems, they also contain a number of bespoke control devices and software. Such systems do not necessarily contain all of the forensic prerequisites of enterprise IT systems and therefore new approaches are required.
As ICS/SCADA systems are safety critical, have the requirement of integrity of functionality during operation, and must ensure availability of systems, it is important to note that engineers are trained to quickly respond to functional changes in operation by replacing components. Thus, any potential artefacts of interest to determine if the event was caused by a cyber attack or component failure are lost.
In the remainder of this paper we introduce ICS/SCADA systems design, discuss the field of cyber forensics for ICS/SCADA, present a framework by which to undertake cyber forensics in such systems, and make recommendations for a forensics toolkit to support investigation within control environments.
1. INTRODUCING INDUSTRIAL CONTROL SYSTEMS / SCADA
ICS and SCADA are specialised computer networks and devices that work in sync to monitor and control key processes involved in the management of machinery, equipment and facilities. SCADA systems communicate with the control system using proprietary protocols such as DNP3 and MODBUS. An Industrial Control System monitors and controls physical processes and machinery. Such systems are often distributed over a large geographic location and sometimes even through a country, meaning the ability to remotely monitor and manage these is critical to their operation and efficiency.
In order to facilitate control, management information, and reports, SCADA systems often include the following components:
- Human Machine Interface (HMI)
- Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU), used to convert the signals from process sensors to digital data and relay them to supervisory systems.
- Engineer workstations and servers
An example SCADA environment is shown in Figure 1, inclusive of control devices, sensors, management consoles and links to the corporate network.
2.1. Vulnerabilities in SCADA Systems
When SCADA systems were originally designed they were isolated from the network, and engineers focused on providing availability of data and operations rather than confidentiality and integrity. This isolation is commonly referred to as an “air-gap”, and while originally designed as a complete physical separation, this has increasingly come to mean technological separation by means of configurable firewalls or similar mechanisms. Originally these systems often used bespoke and manufacturer independent protocols and architectures and were therefore very difficult to understand and affect without physical access.
More recent SCADA systems, however, have moved to more interoperability and open standards for cost efficiency and integration into management IT systems. For example, communication is now common over Ethernet TCP/IP, including more standardised control protocols and applications. Thus, SCADA systems are now susceptible to external attacks and IT-based vulnerabilities.
Many SCADA systems are safety critical and must be operational for a large proportion of time, as they provide services that are vital to the economy and well-being of citizens. Downtime is managed carefully and scheduled maintenance periods are often irregular and infrequent. Therefore, many critical infrastructures are still running legacy components and systems including, amongst others, Windows 95, XP, and 2000. Access to these systems for patching is a problem and therefore many IT vulnerabilities still remain that are considered resolved in the more mainstream business IT environments.
Figure 1: Industrial Control System with SCADA Network Architecture
SCADA components such as PLCs and RTUs are designed purely for functionality and are limited by their processing capability, and therefore do not contain many of the authentication and access control specifications that are common in corporate IT infrastructures. Specific vulnerabilities of control devices are beyond the scope of this paper but are well documented [6,7,8,9,10,1].
As SCADA control systems become increasingly complex and distributed, the number of potential attack vectors also increases, including via the internet, the enterprise network, and direct connections to the control networks and field devices. Some of the most common types of attack vectors against SCADA are:
- Backdoors and holes in the network perimeter, especially in the configuration of “air gaps” or links to corporate enterprise IT infrastructure
- Vulnerabilities in common control system protocols
- Attacks on field devices
- Database attacks
- Communications hijacking and man-in-the-middle attacks
- Cinderella attack [11] on time provision and synchronisation.
1.1 Typical Attacks Against SCADA Systems
In order to undertake any forensic investigation we must first understand the types of attacks that are facing the systems and environments, so as to inform the forensic process. To guide the development of a forensics framework we classify attacks against SCADA systems into 3 categories: the communication stack, hardware and software.
Communication stack:
  o Attacks can occur on the network layer, for example through a diagnostic server on the UDP port. Attacks can occur on the transport layer, such as a SYN flood attack saturating resources by sending TCP connection requests faster than the machine can process them.
  o At the application layer many of the protocols used on a SCADA system have had few security considerations. For example, DNS forgery and packet replay are common.
Hardware:
  o Attackers gain unauthenticated remote access to devices and change data set points, which may cause the devices to fail at a low threshold or an alarm not to go off.
  o Lack of authentication for administrative tasks on the hardware means an attacker can reprogram the logic or values and affect the functional behaviour of the device.
Software: SCADA systems use a variety of software to provide functionality, from traditional IT applications to bespoke embedded device applications and more custom HMI or historian control applications.
  o There is no privilege separation in embedded OSs; for example, the VxWorks embedded OS used in field devices provides minimal memory protection.
  o Buffer overflow attacks are possible in bespoke applications, mainly through workstations similar to standard IT systems or in industrial control automation software such as historian servers. In addition, field devices themselves that rely on real-time operating systems (RTOS) are more susceptible to memory challenges by exploiting the fixed memory allocation time requirement in RTOS systems.
  o SCADA components, especially in legacy networks, are subject to accumulated memory fragmentation which can lead to programs stalling.
  o Structured Query Language (SQL) is widely used to store sensor information in historians and other databases; thus, if not designed properly at the application level, the systems are susceptible to SQL injection attacks [12].
Whilst these types of attacks are also prevalent in enterprise IT systems, and indeed some of the SCADA environments are inheriting the vulnerabilities from enterprise applications, it is worth reiterating that the implementation in these environments is very different. Thus, a forensic framework for SCADA must consider the requirements of this operating environment carefully. We establish some of these particular requirements in the following section.
2. CYBER FORENSICS IN INDUSTRIAL CONTROL SYSTEMS
Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally [13]. “Traditional digital forensics is performed through static analysis of data preserved on permanent storage media. Not all data needed to understand the state of [an] examined system exists in non-volatile memory. Live analysis uses [the] running system to obtain volatile data for deeper understanding of events going on” [14]. As discussed, the first problem in achieving cyber forensics for SCADA systems is that such systems are critical and cannot generally be powered off for acquisition. Additionally, it is more likely that the information is generally volatile and any forensic evidence would potentially be lost if the device was powered off or interrupted. The remainder of this section looks at existing perspectives on SCADA forensics as well as the main differences between SCADA and enterprise forensics.
3.1. Existing Perspectives
SCADA and ICS forensics is slowly emerging as a key forensic topic within the cyber world. Although this has been a developing subject for a number of years, the release of the Stuxnet virus in 2010 seemed to have dramatically increased the awareness of such critical systems and their vulnerabilities, and quickly began to make people aware of the issues surrounding the cyber security of ICS. It is apparent that much more work and research needs to be completed in order to secure such systems and to migrate existing best forensic practices to ICS systems. A number of key perspectives from cyber security and forensics experts provide valued understanding on the maturity and requirements for SCADA forensics.
infrastructure of a country.” [16] This shows that a major concern in the forensic analysis of SCADA systems is the aspect of attribution, which means more emphasis is placed on the identification of a perpetrator rather than the gathering of evidence in support of an already established prosecution/defence case.
3.2 Traditional Digital Forensics V SCADA
Computer forensics analysis and acquisition can generally be …