Enterprise Information Security Plan Scope
Our oil and gas refinery located in Baytown, Texas is one of the central hubs in the oil industry. The Andrews Refinery contains four units for refining crude oil into more refined petroleum products. Although we are a small refinery, we have the potential to be very profitable due to the ability to exploit automated technologies that will make the refinery run as efficiently as possible. Industrial Control Systems (ICS) is becoming more acceptable because of the advancement of Information Technology (IT). The better our automation control technologies are, the higher our quality can be.
However, as we begin to connect our ICS to the network, they will be exposed to all of the threats that current IT networks are exposed to. To protect the companies’ networks and control systems, we will implement a robust IT security management plan.
This plan will implement security in a series of phases that will ensure the Confidentiality, Availability, and Integrity (C-I-A) of the industrial control systems. In the typical IT network, the legs of the C-I-A triad are listed in order of priority (Scali, 2016). Meaning that the preference for an IT network is the Confidentiality of the data. In ICS networks the C-I-A triad is reversed. The Availability of the systems is the priority. This difference is because ICS networks are usually considered high-availability networks and consider availability more critical than the confidentiality and integrity. Each phase will add layers of security that, as a whole, will be greater than the sum of its parts. This plan is based on phases and not time. Each phase will be completed before proceeding to the next phase. This plan will apply to all information systems located at the Andrews Refinery and all employees, vendors, and contract employees working at the refinery plant.
Impact of Security attacks on ICS Networks
In today’s world, the environment of industrial control systems (ICS) are as dynamic as ever. Galina Antova, the Co-founder and Chief Business Development Officer at Claroty, has stated that the state of security in ICS is a least a decade away from the rest of the IT world (Antova, 2017). The ICS world is behind because of two critical reasons. The first reason is that it has only recently become a reality that these networks were under any threat other than human error. In 2010 the first known case of a cyber-attack to have caused physical damage to an ICS network was the Stuxnet attack (Zetter, 2014). The Stuxnet attack exploited a vulnerability in the Siemens S7 Programming Logic Controllers (PLC) to cause Iran’s nuclear refinement technologies to speed up and slow down to cause damage and ultimately destroy themselves (Zetter, 2014). More recently Ukraine has had several attacks on their electric grid that have destroyed some of their electrical transformers (Lee, 2016).
The second reason that ICS networks are behind in security is that of the priorities of the control system engineers. The control system engineers only focus is the uptime of their equipment or the ability for their systems to operate no matter what happens around them (Peoples, 2017). A good analogy to explain why this focus is essential is to explain what a pilot would prefer when they are flying a passenger plane. If you were about to land the airliner and the engine control systems found a fault would you want the engines to shut down for the safety of the engines or would you want the engines to run until you could land the plane? This emphasis on security and safety have caused a delay in the implementation of newer more secure networks.
Common ICS Network Attacks
Unfortunately, with some of the more massive attacks being in the news more hackers are starting to take notice of ICS networks are attacks are beginning to occur more often (Baraniuk, 2016). Some of the same attacks in tradition IT networks also apply to ICS networks. Rootkits are some of the more damaging types of malware currently being used. In fact, the recent attack on Ukraine was a rootkit called BlackEnergy (Bodungen, 2017). BlackEnergy has been attacked networks across the U.S. for several years now. The first attacks were designed to steal information from the computers that they were installed on, but now they are targeting Supervisory Control and Data Acquisition (SCADA) systems and are causing physical damage (Bodungen, 2017). Viruses, Worms, and adware/spyware are also common and can be found on the networks. The issue with this malware is that even though they can be a nuisance, they can affect ICS systems because some ICS networks are made up of legacy systems that can be older than ten years. Ransomware is also widespread and will have an even more significant impact on ICS networks because of the safety concern (Bodungen, 2017). Lastly, because many companies are using web applications, all of the common vulnerabilities for web applications apply here too.
Network Segmentation and Defense in Depth
One effective strategy to help secure networks is to apply the defense in depth strategy (Fabro, 2016). The defense in depth strategy works by applying security controls in multiple layers so that if one layer fails, there are several other layers that can still secure the network. Our plan will use a top-to-bottom approach to secure the networks and to have more control over the changes during the implementation of the new security plan (Mullens, 2014). Network segmentation will be applied top-to-bottom and use the Purdue model for segmenting ICS networks (Bodungen, 2017). Our end goal will be to have a more robust and resilient ICS network that can maintain operations in most business environments.
Network Segmentation
To provide the best security for the ICS network of the refinery, the network should be divided into several segments that are all logically separated with the communication between the segments explicitly defined and restricted to only the required communications. A Demilitarized Zone will be used to separate the Enterprise Networks of levels 4 and level 5 from the Manufacturing and Control Zones of level 3 thru level 0 (Bodungen, 2017).
Purdue Model
The architectural model that the Andrews Refinery will transition to will be based on the Purdue Enterprise Reference Architecture (Purdue Model) that was adopted by ISA/IEC 62443 standard (Bodungen, 2017). This model is based on five different levels of segmentation that started at Level 5 with the enterprise networks and works its way down to Level 0 with the equipment under control and the safety systems.
Level 5 is the Enterprise Zone and is where the corporate offices are located. The departments that are located in the enterprise zone are the Human Resource Department (HR), the Engineering Department (Eng), the Supply and Logistics Department (Log), the Operations Department (Ops), and the Information Technology Department (IT). All assets about business operations and the various departments will also be located in the Enterprise Zone.
Level 4 is the business planning and logistics zone (Mintchell, 2016). Level 4 is located on-site of the Andrews Refinery and includes the Eng Department, the Ops Department, and the IT Department. The Level 4 zone takes orders from Level 5, or the corporate headquarters, and monitors the performance of the lower levels (Budungen, 2017).
Level 3 is the Site Manufacturing and Operations Control Zone (Budungen, 2017). This zone is where the Industrial Demilitarized Zone (IDMZ) is located as it is the intersection of where the Information Technology (IT) and Operational Technology (OT) meets. This zone contains the IT, Eng, and Ops departments as well as most of the industrial control systems servers and workstations. Engineer and Operator Workstations, Historians, Authentication, Authorization, and Accounting (AAA) servers, Distributed Control Systems (DCS) primary, backup servers, and application servers are all located in this zone but not behind the IDMZ. Remote Access servers, Historian Access Servers, Patch Servers, and Application servers are located behind the IDMZ.
Level 2 is the area supervisory control zone and contains the control room workstations and Human-Machine Interface (HMI) workstations. Some ICS equipment is located here, but this zone is mostly for interacting with Levels 1 and 0 (Bodungen, 2017).
Level 1 is the Basic Control Zone (Bodungen, 2017). This zone contains most of the Programmable Logic Controllers (PLC), Basic Process Control Systems (BPCS), and Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). The BPCS contains most of the sensors and actuators that interact with Level 0. SCADA and DCS systems are used to feed information to the higher levels (Bodungen, 2017).
Level 0 is the Process Control Zone. The Process Control Zone is the zone that contains the process control equipment that does the actual manufacturing and is being controlled by the Level 1 Basic Control Zone (Bodungen, 2017). Level 0 is considered the most critical level to protect because this zone is where the equipment is manipulated and interacts with the forces of physics (Bodungen, 2017). Ensuring that Level 1 is isolated and restricted to only those employees that need access is vital to the security of the ICS network.
Also located on Level 0 are the safety systems that help control the processing equipment (Bodungen, 2017). The purpose of the safety systems is to ensure that the processing equipment is running correctly regardless of what type of interruption the higher levels may have. Depending on how the safety control systems are set up processing equipment can either continue operations or safely shut down until the disruption is remediated (Stouffer, 2015).
Network Firewalls
All network zones will be separated by firewalls. At Levels 5 thru Level 3, networks will be divided by firewalls capable of stateful inspection of packets (Stouffer, 2015). At Levels 3 to Level 0 only packet filtering firewalls will be used. This is to reduce any latency on network traffic due to legacy systems (Stouffer, 2011).
Host Firewalls
Any servers or workstations in the DMZ or the enterprise networks will have a host firewall installed (ICS-CERT, 2013). In the case of application servers, a web application firewall will be used and configured specially for that web application. Workstations will use a centrally managed firewall to reduce the cost and workload of maintaining the rules of the firewall.
Network-Based Intrusion Detection Systems (NIPS)/ Host-Based Intrusion Detection Systems (HIPS)
Each zone will have a NIPS installed after the firewall to detect any unauthorized traffic or any unusual activity. All application servers will have a Host-based Intrusion Detection that will scan for unauthorized traffic (Stouffer, 2015). The goal of using an IDS over an IPS is to prevent any network packets from being denied or dropped due to false positives (Stouffer, 2011) and to maintain the availability of the network.
Network-Based Intrusion Prevention Systems (NIPS)
NIPS will be installed at the edge of the network at Level 5 and the edge of the IDMZ (Scarfone, 2015). Only authorized traffic or users will be allowed to pass based on what protocols the user is using (Stouffer, 2011). All unauthorized attempts to gain access will be logged in.
Enterprise Risk Assessment Plan
One of the unique things about the Industrial Control Systems (ICS) within the oil and gas industry is that there is no direct cyberlaw or regulation (Sorebo, 2014). One reason for this is because ICS networks are so diverse and unique that it would be next to impossible to create a standard and regulation that could cover every type of ICS network (Bodungen, 2017). Within the petroleum industry, an organization called the American Petroleum Institute (API) is the only organization that represents the industry as a whole (API, n.d.). The API advocates for the industry and supports various standards, training, and regulations to help improve the industry. One area that the API endorses, and supports is cybersecurity. Specifically, API supports the National Institute of Standards and Technology (NIST), Cybersecurity Framework (API, 2017). API states that it is, “the pre-eminent standard for companies’ cybersecurity programs and policy making” (API, 2017).
The Risk Assessment Standards the Andrews Refinery will use will come from NIST. These documents will include NIST SP 800-30 Guide for Conducting Risk Assessments (NIST, 2012), NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems (NIST, 2010). For the guidance on applying controls to the ICS network NIST SP 800-82 r2 Guide to Industrial Control Systems (ICS) Security (Stouffer, 2011).
One of the unique challenges for conducting risk assessments in an ICS network is that, at the lower levels of the Purdue Model, the ICS specific equipment may react in a way that is not anticipated and create a safety issue just by running a vulnerability scan or ping sweeping with a network scanning tool such as Nmap. The older ICS equipment was not designed to be used with the security tools in use today. Therefore, when possible all vulnerability scanning or testing of equipment will be conducted on test equipment that is configured the same way on the production network. The vulnerability scanning tools that will be authorized on the network is Nessus and Nexpose. The advantage of using these tools over others is that Nessus and Nexpose have worked with the Department of Energy to develop a set of baseline security configurations on several ICS components (Bodungen, 2017). This advantage gives these tools the ability to be used to scan the control equipment at the levels of the ICS network below the Industrial Demilitarized Zone (IDMZ). Special considerations must be met when working with the control systems with safety being the primary consideration (Bodungen, 2017).
Another tool that will be used for both Risk Assessment and Auditing is the Cyber Security Evaluation Tool (CSET) from Industrial Control Systems-Computer Emergency Response Team (ICS-CERT). The CSET tool is one of the most common risk assessment tools used in ICS networks because of the logical step-by-step process when evaluating security controls (Bodungen, 2017). The tool starts by asking questions based on the framework, industry, and standards used. The tool is also mapped to the NIST Cybersecurity Framework and can be used with the ISO/IEC 31000 Risk Management standard.
Enterprise Policy for Auditing Plan
Audits will be based on the NIST Cyber Security Framework using the guides mentioned above. The NIST Cyber Security Framework is based on Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity.” (NIST, 2014, page 3). The CSET tool will be used to conduct the internal audits. An external audit will be contracted out to a third-party auditor.
The NIST Cybersecurity Framework contains three components: The Framework Core, Framework Profile, and Framework Implementation Tiers (Solomon, 2016). The Core of the framework includes five functional areas that all have their own categories and sub-categories (NIST, 2014). While audits are very similar to risk and vulnerability assessments, they do differ. Risk and vulnerability assessments are more for internal use where it there is an issue where the network is vulnerable the IT staff can immediately take corrective actions. Audits are more external and more about informing the public and regulating governing bodies that our networks meet and exceed a certain standard (Solomon, 2016).
Cyberlaw Policy Plan
The IT and Engineering staff will team up with the Andrews Refinery Legal Department to ensure that all matters about Intellectual Property (IP) issues are supported. These issues include Patent Law, Copyright Law, Trademark Law and Trade secrets, Technology Transfer, and International Intellectual Property Law.
There are gaps in regulations and law (Sorebo, 2014). ICS networks in the petroleum industry do not have any direct legislation or regulations that deal specifically with the petroleum industry. Oil and gas refineries do not deal with individual customers, children, or healthcare data. Refineries deal more with the contracts between businesses and environmental issues that exceed the scope of this security plan. However, being a publicly traded company, the Andrews Refinery needs to comply with the Sarbanes-Oxley Act of 2002 (SOX). The IT staff will work with the legal department to create and maintain a data retention program that complies with all SOX regulations (Myerson, 2014). All contracts dealing with Internet Service Providers (ISP), or contracts with third-party vendors in either physical equipment or software licensing will be approved before finalizing the deal.
Occasionally, IT staff or engineers may go to conferences or make public statements as part of a social media campaign or public outreach programs. When these situations occur all materials, information, or presentations will be approved by both the Public Relations (PR) and Legal Departments.
Enterprise Business Continuity and Disaster Recovery Strategy Plan
Refineries operate twenty-four hours a day, 365 days a year. The Andrews Refinery is no different and processes 120,000 barrels of crude oil per day. Each barrel of crude oil that is processed can make 20 gallons of gasoline and 11 gallons of diesel fuel (EIA, 2017). The average prices of gasoline and diesel on January 29, 2018, are $2.72 for gasoline and $3.07 for diesel fuel (EIA, 2018). Based on the prices of January 29, 2018, the Andrews Refinery can make $88.17 per barrel for a total of $10,580,400 per day. Broken down per hour the refinery produces $440,850 per hour. These figures will be used when developing the Business Impact Analysis (BIA).
One of the unique things about petroleum refineries is that the processing units must undergo a controlled shutdown called a Turnaround to conduct any preventative maintenance and upgrades (Griffith, 2017). Because of the amount of money produced by each processing unit the Turnaround process must be carefully coordinated to keep the downtime as little as possible. When a turnaround occurs, employees will work around the clock in shifts until the processing unit is back up and running to normal operations.
An excellent way to think about Turnaround is to look at them as you would for your automobile (EPMC PSP, 2016). If you used your car or truck as part of a job that car would help, make you a certain amount of money per day or hour. Generally, everyone knows that a car needs maintenance, whether that is oil changes or filters or even tires. If you did not do any maintenance on your vehicle, it would eventually cause more expensive damages later. If you did not do any oil changes you may need to replace the engine which would create a more significant loss of time and money, then if you just replaced the oil. So, there is a cost-benefit of conducting routine maintenance on your vehicle.
Business Impact Analysis
Using the figures above we can begin to develop the Andrews Refineries’ BIA from the Risk management assessment. Two values that need to be identified during the BIA are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). The RTO defines the maximum time required to recover the communication links and processing capabilities (Stouffer, 2015). The RPO determines the longest point of time that a network or process unit can be down and tolerated before adverse or unacceptable conditions start occurring (Stouffer, 2015).
Business Continuity Planning
To keep the scope of the BCP in check, I will only focus on the IT network and related equipment (NIST, 2014). Once the BIA, RTO, and RPO are identified and defined the BCP process can begin. Before the planning of the BCP begins a team must be put together that has at least one member from each of the departments. This representative will ideally be the most experienced person from each department so that the information used and analyzed is up to date and accurate (Tombros, 2008). The executive staff will appoint the BCP manager and will be responsible for organizing the BCP team meetings, project management, and coordinating with the executive department. When the team is assembled, an administrative plan will be created. This plan will contain reference information that will be common to all smaller more specific plans that will be built later. The administrative plan will also include all the information on the vendors, third party contractors, a contact list for all of the departments and the representative from that department, the risk assessment analysis, and the BIA (Wallace, 2010). The administrative plan will be the go-to document to find information about the BCP and the overall recovery strategy.
After the administration plan is complete the BCP team will make an inclement weather plan, mass casualty/ terrorism plan, communication/ public relations plan, pandemic plan, and a disaster recovery plan (Wallace, 2017). When plans require the participation of outside agencies or local governments those parties should be invited as often as necessary to ensure the recovery plans are updated with the latest contact information and procedures from those agencies.
Once the BCP plans are completed they should be tested using a crawl, walk, run method (Wallace, 2017). The crawl, walk, run method means that each department will test and validate each plan of the overall BCP and report to the BCP team leader if there are any changes that need to be made (Wallace, 2017). The next type of testing will be table-top exercises. These table-top exercises will be used to validate individual plans based on the threat models used during the risk assessment. Finally, full exercises will be used to test and validate the entire BCP plan. The full exercise will incorporate the local law enforcement and other outside local governments.
Disaster Recovery Planning
In the case of the Disaster Recovery Plan (DRP) redundancy will be our greatest asset (Wallace, 2017). Luckily oil and gas refineries have operated and are capable of being operated with being connected to the internet. In the case of a lack of the internet, the Andrews Refinery will operate manually until the internet connections can be reestablished. This will require a greater number of employees working on the operational equipment and the use of radios or mobile phones for communications.
In the event of a shutdown due to expected inclement weather all equipment, buildings, and refinery infrastructure will have to be recertified by electricians and other engineers before restarting operations. This is due to the damage that building could have sustained during the storm. The damage to building or the operational equipment could lead to electrical or chemical hazards if equipment is turned on before inspecting for damages
The BCP and DRP will need to be updated and validated at least yearly, or anytime there is a significant change to the network architecture, business function, or network upgrades (Wallace, 2017). Daily backups will be made of data on any application servers, data historians, authentication servers, and any other valuable data. Backup servers will be located locally at the corporate headquarters and in third-party cloud services (Nnorchiri, 2017). The data center for the cloud backup services will be located in another geographical location that will be in another part of the country that will not be affected by the same naturally occurring threats such as severe weather or flooding.
Identity Management Plan
Identity management is a critical element of the Andrews Refinery security plan (Martin, 2018). Identity management will allow the Information Technology (IT) department to control access to the hardware and software that is used at the refinery. The more control the IT department has over identity management, the better able the department will be able to keep the network and the control systems secure (Martin, 2018).
To enhance the ability of the IT department to control access to the Andrews Refinery Smart cards will be introduced (Hall, 2017). These smart cards will be used to identify, authorize, and grant permissions and privileges to the users. These smart cards will also enhance the security of the network by allowing the use of dual-factor or two-factor authentication. The two factors used are something you know and something you have (Gibson, 2015). These smart cards will also include a photo of the employee to provide physical access control into different employee offices and access to the refinery itself. The authentication protocol used will be Kerberos and will use Microsoft Active Directory (AD) for identification and authentication (Gibson, 2015). Where applicable Single Sign-On (SSO) will be used to authenticate employees using web applications. SSO will help reduce the number of username and passwords an employee will need to remember (Vacca, 2014). SSO can also reduce the number of times the employee will need to sign into the web applications.
The move to smart cards for identity management will start in phases with the IT department being first. Once the IT department has completed the transition to smart card and worked out any problems, all managers of each department can begin. This top-down approach will allow each manager to learn the process and how to transition to the smart cards for their departments. Allowing the managers of each department to go first will help gain buy-in for the transition. During the transition both the username/password and smart card access modes will be enabled. However, once the entire company has transitioned to smart cards, the username/password mode will be disabled, and employees will only be able to access the IT systems through the use of smart cards.
During the process of moving to smart cards employees will need to fill out System Authorization Access Request (SAAR) form (Babar, 2017). These SAAR forms will be used by each employee to identify themselves, identify their roles and departments, and identify what access they need to do their jobs. Once the form is filled out, they will email the document to their immediate supervisors who will then validate their employee’s request and digitally sign the pdf document with their smart card. The first-line supervisors will send the SAAR form to the department managers who will validate it, digitally sign the form, and forward the SAAR form to the IT security manager. Once the IT security manager digitally signs the document, he/she will task out the IT staff to create a new account for the employee and enable any access or permissions required.
Role-Base Access Control (RBAC) will be the primary method for granting employees permissions and access to system resources (Conklin, 2015). Rule-Base Access Control will be used to prevent employees from having access to some company resources such as Human Resource (HR) files after hours when there is no specific need for those files (Conklin, 2015).
During this transition, the IT staff will audit all employees accounts to ensure that the principals of least privilege and need to know are being used (Gibson, 2015). If employees change department, change roles, or require more permissions the employee will need to submit a new SAAR form.
Security Awareness Training
Making the transition to smart cards may be the first indicators to employees that the company is making changes. To reduce confusion and to educate the employees a security awareness training (SAT) program will also begin. This training will start in-house and be based on threats identified from the risk assessment and violations of the companies’ security policy. Initially, the SAT program will introduce what changes are occurring at the refinery and how it affects the employees. Later, after the transition to smart cards is complete the IT staff will begin training the employees one department at a time on an annual basis or as needed to correct any deficiencies or violations in the security policies. Training will also be used on a case by case basis when any changes to the hardware or software are required (Vacca, 2014).
In addition to the training that employees will receive while changing to the smart card authentication system employees will be required to read and sign an updated Acceptable Use Policy (AUP). This AUP will define what the proper use of system resources (Gibson, 2015), include privacy statements, and explain how the employee will be monitored while using system resources.
Periodically, the IT staff will test the employees by sending phishing emails or by using other social engineering tactics (Lindros, 2014). These tests will collect data that when combined with log data will help determine how effective the SAT training is. No employees will be adversely affected if they fail to take the corrective action. Instead, employees will be given positive reinforcement and potentially other benefits when they make the correct response. For remediation of security policies and the AUP, education triggers will be employed (. The first violation will result in a trigger that will inform the employee on what the policies are and how that employee violated the policy. Acknowledging the violation will be required before the employee can continue their work. The second trigger will require watching a short video before unlocking their account. A third violation will require watching a 15-minute video as well as a written counseling from their supervisor. SAT will not be a replacement for poor security policies or practices. SAT training will only be used to help reduce the workload of the IT staff. If there are trends in how the employees are using system resources, the IT staff will initiate training to correct those deficiencies.
Enterprise Incident Response, CSIRT, and Forensics Plan
The risk of a cyber-attack on an Industrial Control System (ICS) network has only increased since the famous Stuxnet attack on the Iranian nuclear centrifuges in 2010 (McMillen, 2016). Attacks on oil and gas refineries can cause catastrophic results that would cost lives, have long-term negative impacts on the environment, cause severe fines from litigation and legislation, and may even put the company out of business (Kaspersky, 2017). As oil and gas refineries are a designated critical infrastructure our industry will be scrutinized more heavily, and thus we will need to ensure that the Andrews Refinery is following all local, state, and federal regulations and closely work will law enforcement and agencies when an incident is detected.
Security Operations Center and Incident Response Teams
A famous slogan from SANS on cybersecurity is “prevention is ideal, but detection is a must” (Ashford, 2014). The basis for this slogan is that cybersecurity incidents are easier to recover from if they are detected early versus trying to put things back together after a cyber attack. To identify cybersecurity incidents early the Andrews Refinery will create a Security Operations Center (SOC) that will also fill the role as a Computer Security Incident Response Team (CSIRT) if cyber-attacks escalate to become more of a physical risk (Lord, 2018).
Traditionally, SOCs will be centralized and contain Subject Matter Experts (SMEs) in the IT field (Lee, 2017). SOCs in an ICS environment would be more distributed and be made up of SMEs in more business processes then just IT. Members of the ICS SOC will come from industrial, chemical, and control systems engineers as well as the IT department, legal department, and the public relations department (Lee, 2017). The reason for the diversity of the member is all due to the numerous local, state, and federal regulations that the Andrews Refinery is exposed to as identified as critical infrastructure.
Incident Life Cycle
The NIST SP 800-61r2 provides the security incident response life cycle that the Andrews Refinery will follow for responding to security incidents. The Incident Response Life Cycle contains four phases of Preparation, Detection and Analysis, Containment Eradication and Recovery, and Post-Incident Activity (Cichonski, 2012). The Preparation phase of Incident Response is highly integrated into the Business Continuity Plan (BCP), and in fact, most of the information used in the preparation phase comes from the BCP Administration Plan (Cichonski, 2012). Part of the preparation phase is to monitor website from vendors and cyber threat intelligence sources as well as the Industrial Control Systems Computer Emergency Response Teams (ICS-CERT) for all update on the threat environment and security advisories of vulnerabilities in vendor software or hardware (Bodungen, 2017). The Andrews Refinery will also develop close relations with the vendors that we used to stay ahead of the security update from the official sources. Security Advisories will typically only be announced on official sources once the vendors can patch the vulnerability. The vendors will often know of the vulnerabilities for weeks or months before they are patched and release to the public (Bodungen, 2017)
The Detection and Analysis phase is the second phase and is where detection must occur at the earliest possible time. Incidents can be detected early by continuous monitoring of any irregularities of log files, system resources, or activities of visitors or employees (Vacca, 2014). Log files, IDS/IPS, and firewalls should be mapped to threat vectors that were identified during the risk assessment and analysis (Cichonski, 2012). When irregularities are identified, log files should be collected and analyzed to determine if the data is a real security incident, how severe the incident is and what systems are affected. If the anomaly is identified as a security incident the data from log files, drives, and other sources of evidence must be collected using proper forensics procedures and create a chain-of-custody to ensure the integrity of the data to be used for any future investigations (Vacca, 2014).
The third phase is Containment, Eradication, and Recovery. The type of security incident will determine what containment strategy to use (Cichonski, 2012). The action taken to contain a Denial of Service (DoS) attack will be different from a phishing attack in an email (Cichonski, 2012). Once the strategy is determined evidence will be gathered identifying all system information, time/ location, and the contact information of the person or persons affected by the incident. When the attacking system is identified, the systems will be replaced, restored from a clean backup image, or rebuilt from scratch to restore the systems to normal operations.
Post-Incident activities are the last phase where the data will be collected and investigated and put into a report to be used in the future for lessons learned and to share with vendors, ICS-CERT, cyber threat intelligence sources, and other interested parties. These reports can be used as a source for Indicators of Compromise (IOC) where other companies can use them to harden their systems.
Forensics Plan
The Forensics response plan for the Andrews refinery will be based on the best practices of digital forensics. Although digital forensics science is a specialized field, we will train the IT department and some employees from the engineering department to become familiar with basic forensics techniques. When the designated employees are trained they will be the only personnel authorized to secure workstations, servers, or other compromised devices and remove them from the network. The compromised devices will be sent to a third-party vendor that specialized in digital forensics science and may be used as a witness if there are any court proceedings later on.
ICS Penetration Testing
As briefed previously, ICS networks can react unexpectedly when modern tools and techniques are used on the older ICS network (Bodungen, 2017). Therefore, any penetration testing will only be white-box testing or gray-box testing (Bodungen, 2017). Black-box tested will not be authorized on the ICS networks due to the nature and safety of the equipment and personnel work on or near the production and refining equipment (Bodungen, 2017).
At a minimum, one employee from the IT department and another employee from the engineering department will be assigned to the penetration testing teams as a safeguard and a third-party witness to any activities on the network (Bodungen, 2017). If needed the assigned employees can be authorized to sign Non-Disclosure Agreements (NDA) if the penetration testing teams desire (Kassner, 2015).
Before starting any testing of the networks, the IT staff, engineering staff, and the legal department will meet the penetration testing team to define and develop the scope of the pen-test, what tools will be authorized, and what techniques will be used during the test (Bodungen, 2017). A contract will be developed by the legal department authorizing the names of the penetration team, the tools and techniques used, and the dates they are authorized to test the networks. The contract will also describe the actions that the Andrews Refinery will take if any actions are out of the scope of the contract or if there is any negative consequences or outcomes due to negligence.
Enterprise Information Security Implementation Plan Physical Security
The physical security is one of the more important aspects of security for an oil and gas refinery (Tyagi, 2016). Even though the Operational Technology (OT) is being more connected to the network than ever before it is still vulnerable to being physically manipulated or altered. To prevent unauthorized access to the physical plant the current physical security plan will be audited and updated as needed.
For the updating process, there will be a focus on improving the communication between the physical security officers, their offices, and their post. Closed Caption Television (CCTV) will also be audited to ensure that all access points and sensitive areas are covered and in view of the camera (Gibson, 2015). A cost analysis will determine which systems or actions are the best to accomplish these two tasks.
Authentication
Physical authentication will be required before entering the Andrews Refinery. Employees will need their Smart Card for access to the refinery work areas. Vendors and visitors will need to stop at the front gate to sign in and receive a temporary visitors badge. Authentication and access to IT/OT systems will require the use the employee’s Smart Card.
Network Security
The security of the networks will be filtered and monitored by multiple levels of firewalls, intrusion detection systems, and intrusion prevention systems (Bodungen, 2017). Data Loss Prevention (DLP) servers will help prevent the leakage of Personal Identification Information (PII) and Intellectual Property (IP).
Encryption
All data at rest or in transit will be encrypted were possible. The systems that are not capable of implementing encryption must stay behind the Industrial Demilitarized Zone (IDMZ). Remote access traffic will be encrypted thru the use of Virtual Private Networks (VPNs). Remote access will be highly restricted and only used by authorized employees and vendors.
Software Development
There will be little software development in-house. However, we will work closely with our partners and vendors to provide as much assistance to the development of the third-party vendor software. When needed the Andrews Refinery can assist and test the software with the test equipment used in our facility.
All company employees will be provided an email account when they sign up for their smart card. Messages for any company related news, training, or updates will be sent out via email. System Administrators and any employees with elevated permissions to critical business functions will have two separate accounts. The first account will be a standard user account with access to email and the internet. The second account will be restricted to only the rights and permissions needed to accomplish their jobs on the critical systems.
Internet Access
All employees will be given access to the internet and email on the as standard employee permission. Employee activity on the internet will be monitored by the use of DLP servers and Proxy servers. These systems will help prevent employees from violating any security policies.
Acceptable Use Policy
As part of the procedure for signing up for an employee Smart card and network user account, employees will be required to sign an Acceptable Use Policy (AUP) document describing in detail what the expectations are for employees in the use of the companies’ IT systems (Gibson, 2015).
Business Continuity Planning (BCP)
Our Business Continuity Plan focuses on the Andrews Refinery critical business function, producing refined oil and gas. All other business functions support that critical task (Swanson, 2010). The intent and goal of the BCP are to maintain the C-I-A triad of Information Systems Security to produce oil and gas most efficiently during any information security incidents (Swanson, 2010). To accomplish this, the BCP plan will be tested annually at a minimum. The testing will require participation from all departments that are affected. Any weaknesses or gaps that are identified will be remediated or updated and retested (Wallace, 2017). A review of the BCP will be conducted to validate and maintain the effectiveness of the plan every two years or if there have been any significant changes in software, hardware, or a critical business function (Wallace, 2017)
Disaster Recovery Plan (DRP)
The goal of the DRP is to recover from any incidents as quickly and efficiently as possible (Swanson, 2010). The best way for that to happen is to identify the critical business functions, model what threats could affect them, and analyze what needs to be done to bring those critical business functions up and running as quickly as possible (Wallace, 2017). Plan maintenance will occur in conjunction with the BCP review. Testing of the DRP plan will happen annually for at least one type of DRP plan (i.e., Pandemic Plan, Inclement Weather Plan)
Security Awareness Training
There will be changes in the upcoming months that will require that employees receive training in the use of their new Smart Cards and updated security policies. Any changes in the security policies that affect a single department can be trained in-house. Changes that affect the entire company will be taught company-wide thru various media and methods. Occasionally, employees will be tested thru email phishing campaigns or other social engineering attacks (Lindros, 2014). The goal of these tests is to train the employee thru repetition how to defend themselves from social engineering attacks.
Viruses/ Worms and malware
Employees will also be trained to understand the different types of malware, how each type works, and how to mitigate any risk from the malware. Antivirus (AV) software will also be configured to scan for any malware signatures that may appear on the network. Firewall, IPS/IDS software will be used to detect any unusual activity on the network thru heuristic-based analysis.
Conclusion
This paper covers all aspects of the security of the Andrews Refineries’ IT systems and OT systems. The Purdue model will be implemented that will help separate and compartmentalize the network as well as restrict how the information flows throughout the six different levels. The hardware and software needs of the new networks are addressed to cover the different types of firewall, IDS/IPS, and different monitoring software. Risk Management along with Contingency Planning reduces our companies risks as well as developing the strategies and plans to continue business operations during different security events. Security Awareness Training will be used to train employees on the updated security policies and practices. Lastly, penetration testing will be used to validate all of the actions that we have implemented to prove their effectiveness. Implementing this Enterprise Security Plan will allow the Andrews Refinery to become more resilient to attacks and to strengthen the Availability, Integrity, and Confidentiality of our IT and OT systems.
Resources
Antova, G. (August 2017). Overcoming the Lost Decade of Information Security in ICS Networks. Retrieved from http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks
Ashford, W. (April 2014). Cyber threat detection paramount, says SANS fellow. Retrieved from http://www.computerweekly.com/news/2240219589/Cyber-threat-detection-paramount-says-SANS-fellow
API. (2017). CYBERSECURITY. Retrieved from http://www.api.org/news-policy-and-issues/cybersecurity
API. (n.d.) About API. Retrieved from http://www.api.org/about
Babar, A. (August 2017). What is Web Access Management (WAM)? Retrieved from https://www.pingidentity.com/en/company/blog/2017/08/16/what_is_web_access_management_wam.html
Baraniuk, C. (November 2016). The next big hacking threat is already happening-you just can’t see it. Retrieved from https://qz.com/831332/the-next-big-hacking-threat-is-already-happening-you-just-cant-see-it/
Bodungen, C. Singer, B. Shbeeb, A. (2017). Hacking Exposed: ICS and SCADA Security Secrets & Solutions. McGraw Hill Education New York: NY
Cichonski, P. (August 2012). NIST SP 800-61 R2: Computer Security Incident Handling Guide. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Conklin, A. (2015). All-In-One CompTIA Security+ Exam SYO-401. McGraw Hill Education: New York, NY
EPCM PSP. (March 2016). What is a turnaround. Retrieved from https://www.youtube.com/watch?v=2gCk9yBBOUo
Fabro, M. Gorski, E. Spiers, N. (September 2016). Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. Retrieved from https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
Gibson, D. (2015). CompTIA Security+: Get Certified Get Ahead SYO-401 Study Guide. YCDA LLC: Middletown, DE
Griffith, S. (June 2017). Refinery turnaround requires all hands on deck. Retrieved from http://news.marathonpetroleum.com/refinery-turnaround-requires-all-hands-on-deck/
Hall, J. (April 2017). Smart Card Architecture. Retrieved from https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-architecture
ICS-CERT. (February 2013). Targeted Cyber Intrusion Detection and Mitigation Strategies (Update B). Retrieved from https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
Kaspersky. (n.d.) The State of Industrial Cybersecurity 2017. Retrieved from https://go.kaspersky.com/rs/802-IJN-240/images/ICS%20WHITE%20PAPER.pdf
Kassner, M. (October 2015). Don’t let a penetration test land you in legal hot water. Retrieved from https://www.techrepublic.com/article/dont-let-a-penetration-test-land-you-in-legal-hot-water/
Lee, R. Assante, M. Conway, T. (March 2016). TLP: White. Analysis of the Cyber Attack on the Ukrainian Power Grid. Retrieved from https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
Lee, R. (March 2017). Insight into ICS SOC. Retrieved from https://dragos.com/media/Dragos-Insights-into-Building-an-ICS-Security-Operations-Center.pdf
Lindros, K. (February 2014). How to Test the Security Savvy of Your Staff. Retrieved from https://www.cio.com/article/2378559/data-breach/how-to-test-the-security-savvy-of-your-staff.html
Lohrmann, D. (June 2017). The Trouble if Security Awareness Training Is Mainly a Punishment. Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-trouble-if-security-awareness-training-is-only-a-penalty.html
Lord, N. (January 2018). What is a Security Operations Center (SOC). Retrieved from https://digitalguardian.com/blog/what-security-operations-center-soc
Martin, J., Waters, J. (January 2018). What is identity management? IAM definition, user, and solutions. Retrieved from https://www.csoonline.com/article/2120384/identity-management/what-is-identity-management-iam-definition-uses-and-solutions.html
McMillen, D. (December 2016). Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent. Retrieved from https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/
Mintchell, G. (March 2016). Purdue Enterprise Reference Architecture Meets IIOT. Retrieved from https://themanufacturingconnection.com/2016/03/purdue-enterprise-reference-architecture-meets-iiot/
Mullens, P. (November 2014). Information Governance- The top-down approach. Retrieved from https://blog.barracuda.com/2014/11/05/information-governance-the-top-down-approach/
Myerson, J. (June 2014). Four steps to consolidate SOX data retention and deletion processes. Retrieved from http://searchcompliance.techtarget.com/tip/Four-steps-to-consolidate-SOX-data-retention-and-deletion-processes
NIPP. (2013). NIPP 2013: Partnering for Critical Infrastructure Security and Resilience. Retrieved from https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013-508.pdf
NIST. (February 2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
NIST. (September 2012). NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
NIST. (September 2017). Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft
Nnorchiri, D. (October 2017). Backup Strategies For Data Centers. Retrieved from https://www.poweradmin.com/blog/backup-strategies-for-data-centers/
Peoples, R. (September 2017). How Vulnerable is Your Industrial Control System (ICS)? Retrieved from https://www.crossco.com/blog/how-vulnerable-your-industrial-control-system-ics
Scali, D. (August 2016). Developing a Security Strategy to Cover ICS Assets. Retrieved from https://www.fireeye.com/blog/executive-perspective/2016/08/developing_a_securit.html
Scarfone, K. (October 2015). Enterprise benefits of network intrusion prevention systems. Retrieved from http://searchsecurity.techtarget.com/feature/Enterprise-benefits-of-network-intrusion-prevention-systems
Solomon, M. Weiss, M. (2016). Auditing IT Infrastructures for Compliance, 2nd Edition. Jones & Bartlett: Burlington, MA
Sorebo, G. (March 2014). The Oil and Gas Industry: A Surge in Cybersecurity Vigilance? Retrieved from https://www.rsaconference.com/blogs/the-oil-and-gas-industry-a-surge-in-cybersecurity-vigilance
Stouffer, K. (June 2011). Guide to Industrial Control Systems (ICS) Security Revision 2. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Swanson, M. (May 2010). NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Tombros, V. (July 2008). Case Study: Implementing Business Continuity in the Upstream and Midstream Energy Sector (Petrochemicals and Refineries). Retrieved from http://www.continuitycentral.com/feature0594.html
Tyagi, S. (January 2016). The Global Threat of Terrorism Targeting Oil and Gas Industries. Retrieved from https://www.linkedin.com/pulse/global-threat-terrorism-targeting-oil-gas-industries-sb
U.S. Energy Information Administration (EIA). (January 2018). Weekly Retail Gasoline and Diesel Prices. Retrieved from https://www.eia.gov/dnav/pet/PET_PRI_GND_DCUS_NUS_W.htm
U.S. Energy Information Administration (EIA). (May 2017). Faq: How many gallons of gasoline and diesel fuel are made from one barrel of oil? Retrieved from https://www.eia.gov/tools/faqs/faq.php?id=327&t=9
Vacca, J. (2014). Managing Information Security 2nd Ed. Syngress: New York, NY.
Wallace, M. Webber, L. (2017). The Disaster Recovery Handbook: A Step-By-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets, Third Edition. AMACOM: New York, New York.
Zetter, K. (2014). Countdown To Zero Day. Broadway Books: New York