Security Ranch

February 15, 2021

Navigating the Digital Landscape: Understanding and Defending against DDoS attacks

Filed under: Uncategorized — Ken @ 8:14 pm

In the ever-evolving realm of cyber threats, the past year has witnessed a surge in attacks on major U.S. corporations. From Target to Home Depot and JP Morgan, these incidents underscore the need for robust cybersecurity measures. The recent Sony cyber attack, starting as a DDoS assault and escalating into a ransomware nightmare, exemplifies the escalating threats faced by businesses.

The Surge of DDoS Attacks and Their Economic Impact

Over the past year, Distributed Denial of Service (DDoS) attacks have become a prevalent and cost-effective weapon in the digital arsenal, constituting 11.7% of reported attacks in November 2014. As online transactions proliferate, businesses face an increasing risk of disruption. Understanding the anatomy of DDoS attacks is crucial in fortifying digital defenses.

Unmasking DDoS: The Digital Assault Explained

At its core, a DDoS attack aims to deny access to networks or computers, rendering them unusable for legitimate users. Orchestrated by a botnet—a network of compromised computers—these attacks employ bots infected by malware, such as worms or viruses, acting as the foot soldiers in the digital theater.

The World of Malware: Worms, Viruses, and Trojan Horses in Focus

Worms and viruses, akin to digital parasites, infiltrate computers using various tactics. Viruses infect files and replicate, spreading through shared drives, USB devices, or email attachments. Trojan horses disguise themselves as legitimate programs and wait to strike when executed, infecting unwitting systems.

Defending Against the Digital Onslaught: Tips for Users

For individuals, defending against becoming an unwitting bot involves using robust antivirus software regularly updated to fend off evolving threats. Vigilance in email interactions and cautiousness with attachments are crucial shields against infiltration. Recognizing the signs of a compromised computer—unexplained high CPU usage or unauthorized email activity—is paramount for personal cybersecurity.

Breaking Down DDoS: Crash and Flood Tactics Demystified

DDoS attacks fall into two main categories: Crash/Logic attacks and Flood attacks. Crash attacks exploit vulnerabilities in operating systems or configurations, attempting to bring the system down. Flood attacks inundate servers with meticulously designed requests, overwhelming their resources.

Layers of Assault: From ICMP to HTTPS in the DDoS Landscape

ICMP attacks at Layer 3 overload networks with erroneous messages, exploiting vulnerabilities to cripple systems. Smurf attacks amplify their impact by causing every device on a misconfigured network to repeat the attack. Reflective attacks, like a cyber echo, exponentially increase the number of packets sent to the target, further inundating the victim.

HTTP and HTTPS GET Flood attacks, operating at Layer 7 (Application), flood servers with file or picture requests, consuming resources. SYN Flood attacks, at Layer 5 (Session), exploit half-open connections, bogging down systems by never completing the three-way session synchronization.
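The half-open connections described above are visible in a server's own connection table. As an added example (not code from the original post), the following Python script reads output in the format of `ss -tan` / `netstat -tan`, counts connections stuck in the SYN-RECV state, and flags a SYN flood; the sample output is constructed, and the thresholds are assumptions to tune per host.

```python
from collections import Counter

# Constructed sample of `ss -tan`-style output (not captured from a real host):
# two legitimate established sessions and a pile of half-open ones.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB     0      0      10.0.0.5:443       198.51.100.20:51234
ESTAB     0      0      10.0.0.5:443       198.51.100.21:51235
SYN-RECV  0      0      10.0.0.5:443       203.0.113.7:40001
SYN-RECV  0      0      10.0.0.5:443       203.0.113.7:40002
SYN-RECV  0      0      10.0.0.5:443       203.0.113.7:40003
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40010
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40011
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40012
SYN-RECV  0      0      10.0.0.5:443       203.0.113.9:40013
SYN-RECV  0      0      10.0.0.5:443       192.0.2.44:40020
"""

# SYN-RECV: the server answered a SYN with SYN-ACK and is still waiting for
# the final ACK of the three-way handshake. A flood leaves many of these.
HALF_OPEN = "SYN-RECV"
ESTABLISHED = "ESTAB"


def parse_connections(text):
    """Return a list of (state, peer_ip) tuples from ss/netstat-style output."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        peer_ip = peer.rsplit(":", 1)[0]        # drop the peer port
        rows.append((state, peer_ip))
    return rows


def summarize(rows):
    """Count half-open vs established sessions and half-open sessions per source."""
    half_open = [ip for state, ip in rows if state == HALF_OPEN]
    established = sum(1 for state, _ in rows if state == ESTABLISHED)
    total = len(half_open) + established
    return {
        "half_open": len(half_open),
        "established": established,
        "half_open_ratio": (len(half_open) / total) if total else 0.0,
        "by_source": Counter(half_open),
    }


def assess(rows, min_half_open=5, max_ratio=0.5, per_source_limit=3):
    """Return (flood_suspected, noisy_sources).

    The ratio test works even when the attacker spoofs source addresses,
    because spoofed SYNs still pile up as half-open entries; the per-source
    list is only meaningful when the sources are real (thresholds assumed).
    """
    s = summarize(rows)
    flood = s["half_open"] >= min_half_open and s["half_open_ratio"] > max_ratio
    noisy = sorted(ip for ip, n in s["by_source"].items() if n >= per_source_limit)
    return flood, noisy


if __name__ == "__main__":
    suspected, sources = assess(parse_connections(SAMPLE_SS_OUTPUT))
    print("SYN flood suspected:", suspected)
    print("sources with many half-open connections:", sources)
```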

Mitigating the Storm: Defense Strategies and the Economic Impacts

Mitigating DDoS attacks demands advanced strategies, often beyond the reach of the average user. For individuals, installing reputable antivirus software and keeping it updated, along with firewall activation on routers, form the first line of defense. Large corporations, however, must deploy custom-built firewalls, capable of thwarting attacks across multiple layers of the OSI and TCP/IP models.

The economic fallout from DDoS attacks is staggering, with network downtime costing an average of $22,000 per minute, soaring up to $100,000. Large e-commerce sites can face daily losses exceeding $30 million. The aftermath extends beyond financial loss to reputational damage, potential litigation, and regulatory fines.

Sony’s Catastrophe: Lessons from an Advanced Persistent Threat

The recent assault on Sony by the enigmatic Guardians of Peace exemplifies an advanced persistent threat. Hacking into Sony’s servers, stealing sensitive data, and holding it hostage for ransom showcased a level of sophistication and malicious intent that transcends typical DDoS attacks. The fallout, from leaked emails to reputational damage, underscores the severity of such orchestrated campaigns.

The Ongoing Battle: Building Resilience for the Future

As society becomes increasingly reliant on the internet, the frequency and sophistication of DDoS attacks are set to rise. Building resilience against these attacks becomes imperative, ensuring that businesses can weather the storm and continue operations even in the face of digital onslaughts.

In the evolving landscape of cyberspace, one thing is certain: the battle against DDoS attacks is not a matter of if, but when. Fortifying our defenses and implementing robust business continuity and disaster recovery plans will be essential in navigating the digital frontier, where the only constant is change.

What is Cyber Threat Intelligence

Filed under: Uncategorized — Ken @ 8:13 pm

When one thinks of intelligence, they usually think about the military and intelligence agencies like the CIA or the Marine Corps. If it sounds militant, you are not too far off. Cyber intelligence, or threat intelligence, uses some of the same methods and procedures to defend networks as the intelligence agencies use to defend our country. The driver for the recent popularity of cyber threat intelligence is the increase in advanced persistent threats (APT). An APT can loosely be defined as a category of attacks where a group or person is specifically targeting a business. These attacks can combine different methods to gain access to a business’ networks. “Script kiddies” or simple hacks are usually simple attacks that use a single method to do one or two things on a network. Vandalizing a website or DoS’ing a network can fall in this category.

Today, threats from hackers on the internet are growing in complexity, scale, and number. The defenses that we used to protect our computers and networks in the past usually started by countering an already existing threat. The standard model for defending against cyber-attacks is the monitor and respond strategy. This usually entails collecting as much information as possible from as many resources as possible to create the best configurations possible to beat the threat. The problem with this strategy is that it is reactive. By the time the IT staff discover that their configurations were ineffective, the attack has already happened. Once the attack happens, an investigation will be conducted to come up with a new configuration or ACL that will hopefully stop that type of attack from occurring again. That reactionary method of developing defenses is inadequate for networks today. Developers and engineers just cannot keep up with the evolving threat coming from hackers. Even the standard risk analysis can fall short because it can only assess known vulnerabilities. How can you defend your networks against an attack that you have not seen yet? The answer is cyber threat intelligence.

So, what is cyber threat intelligence? To answer that we first have to define intelligence. Intelligence can be defined as the product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations (Joint Pub 2-0). This definition works well, and with a little imagination, one can understand what cyber intelligence would be. Foreign nations could be nation-state sponsored cyber-attacks. Hostile forces or elements could be hackers.

In 2002, Donald Rumsfeld gave a Department of Defense (DoD) briefing introducing the concept of “knowns.” There are essentially three types of “knowns” that you could have about something: known knowns, known unknowns, and unknown unknowns (Rumsfeld 2002). Known knowns are things that we know that we know. An example is what a cyber-attack is and how to defend against it. There are known unknowns, such as the assume breach concept. We know that we are eventually going to get hacked, we just don’t know when or how. Lastly, there are unknown unknowns. These are where we do not know what types of attacks are out there and we do not know when or how they will happen. A good example of this is zero day attacks. We do not know what the attack is or how and when it is going to happen. Think back to most of the significant data breaches in the past. Most of those attacks happened over the course of months, and the victims never knew that they were even hacked. Cyber Threat Intelligence acts to move as many unknown unknowns as possible into the known unknowns category. To do this, cyber threat intelligence fills the defense gap by analyzing and sharing information.

One way cyber threat intelligence attempts to solve the unknown unknowns is by the exchange of information. Thinking back to traditional intelligence agencies, the spies usually try to sneak around to find out information to give back to their country. That country uses the information in a variety of ways, but mainly it is to clear the “fog of war,” or unknown unknowns, to be able to make better decisions. This analogy works the same way in the cyber world. The question to ask yourself in the realm of cyber security is who your adversaries are and what information they likely want. By asking this question, you can start to narrow down and focus your efforts. Most businesses do not have an infinite amount of money and time to secure their networks.

When sharing information with other organizations, it is important to establish and maintain a consistent format. By doing this, an organization can more easily find what it is looking for. Different threat information types should be formatted in a way that makes them easy for a user to act on. There are five main data types: Indicators; Tactics, techniques and procedures (TTPs); Security Alerts; Threat intelligence reports; and Tool configurations (Johnson, 2016).

There are two reasons why companies may choose not to share information. The first is that they do not believe that they have any information that would be considered valuable to other businesses. The second is that some firms do not want to assist their potential competition (Chismon, 2015).

Threat indicators, or Indicators, are technical data that suggest an attack may happen or is already going on (Johnson, 2016). These indicators can be anything from known malicious IP addresses to suspicious URLs that can point to malicious activity. By sharing this type of information on threat intelligence clearing houses, a company can help other businesses by sharing what it knows.

TTPs are the actions that a hacker usually takes on a network (Johnson, 2016). Tactics are the high-level behaviors of the hacker. Techniques are the specific steps that hackers take on a network to gain unauthorized access. An example of this is using Metasploit to drop malware onto a target. Procedures are the actual steps used to conduct the attack.

Security Alerts are advisories or notifications about specific vulnerabilities, exploits, or other security concerns given by organizations to the general public (Johnson, 2016). One of the first organizations to provide security alerts to the public was the United States Computer Emergency Readiness Team (US-CERT). This organization was created after the Morris Worm wreaked havoc on the internet in the US. Other important sources are the National Vulnerability Database (NVD) and the Microsoft Security Bulletins from TechNet.

Threat intelligence reports are reports that inform about TTPs, hackers, or case studies of attacks, and they can help inform a company on how to secure its networks (Johnson, 2016).

Lastly are tool configurations. These are reports that contain the software or equipment settings used to defend against attacks, or what the configurations were when an attack occurred (Johnson, 2016). This type of report could also be used to instruct someone in how to use AV software or how to remove malware once a computer is infected.

In the United States Marine Corps (USMC), information about field exercises or projects is shared all of the time. The lessons learned are put in reports that get published on the USMC’s Center for Lessons Learned website. These lessons tell anyone who is interested what went right or wrong at different events. The same applies to information sharing for cybersecurity. When companies exchange information with other businesses, there is a shared awareness among them. This awareness covers events like DDoS attacks or their after effects from a Business Continuity point of view. Situational awareness can be very valuable for companies that have not yet had to deal with network outages. Information sharing can also increase the security posture if companies pay attention. Just like a rising tide raises all boats, sharing information can improve security.

A report by the SANS Institute indicated that companies that used threat intelligence saw 28% better context, accuracy and speed in monitoring and incident handling (Shackleford, 2015). They also reported 51% faster and more accurate detection and response and a 48% reduction in incidents through early prevention due to Cyber Threat Intelligence (CTI) (Shackleford, 2015). Unsurprisingly, the top user of CTI is the U.S. Government. At the federal level, cooperation between the military and the government has cross-pollinated experience, and both groups have benefited.

One potential weakness with CTI is being overwhelmed with information and not knowing how to use and integrate it. To help with this, several different formats and frameworks have been created to help identify the information and put it in a readable form. According to the SANS report, the most popular format is the Open Threat Exchange (OTX), with 51% of companies responding that they use that framework. OTX has almost 26,000 users in 46 groups. Each report in the OTX shows over 929,000 indicators, from bad IP addresses to malicious URLs. The OTX can be accessed by going to the AlienVault website.

Another popular framework is the Open Indicators of Compromise (OpenIOC) framework. OpenIOC is a framework created by Mandiant that contains tools to edit and create Indicators of Compromise (IOC). These indicators are the artifacts that are left behind by an attack. Companies that use the framework can create an XML document that puts these indicators in a logical format that can be used to adjust the configurations of firewalls, IDS/IPS, and other investigative tools. The standard life cycle of creating IOCs begins with an initial lead or evidence. This could come from a notification from law enforcement or from an anomaly that was detected by a network device. After the initial discovery, IT personnel create the IOC from their existing evidence and the environment of the network. Once the IOC is created, it is deployed to the network. Deploying the IOC can cause changes to the network’s ACLs, blacklisted URLs or IP addresses, or other signatures that can alter the IDS/IPS. After deploying the IOC on the network, additional information and indicators can be included if anything new was discovered during the investigation. When the new evidence is included in the IOC, the evidence can be further analyzed to refine, enhance, or create additional IOCs.
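The "deploy the IOC" step above, and the indicator data type described earlier, come down to evaluating an IOC document against what the network actually observed. As an added example (not code from the original post or from Mandiant's tooling), the following Python script parses a reduced OpenIOC-style XML document and evaluates its nested AND/OR indicator tree against observations collected from logs; the IOC document, its id and the observations are constructed for this example, and only the `is` and `contains` conditions are implemented.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed, reduced OpenIOC-style document (not a real Mandiant IOC):
# match if the DNS name is seen, OR the remote IP AND a process name are seen.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2016-10-01T00:00:00">
  <short_description>Constructed example indicator</short_description>
  <definition>
    <Indicator operator="OR" id="ind-1">
      <IndicatorItem id="item-1" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">update.bad.example</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="item-2" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">203.0.113.50</Content>
        </IndicatorItem>
        <IndicatorItem id="item-3" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed observations, one per host, keyed by the OpenIOC "search" term
# (e.g. built from DNS logs and an endpoint agent's process/connection logs).
OBSERVATIONS = [
    {"host": "ws-12", "Network/DNS": "update.bad.example"},
    {"host": "ws-13", "PortItem/remoteIP": "203.0.113.50",
     "ProcessItem/name": "svch0st.exe"},
    {"host": "ws-14", "PortItem/remoteIP": "203.0.113.50",
     "ProcessItem/name": "chrome.exe"},
]


def _item_matches(item, observation):
    """Evaluate one IndicatorItem (a single artifact test) against an observation."""
    ctx = item.find("ioc:Context", NS)
    content = item.find("ioc:Content", NS)
    observed = observation.get(ctx.get("search"))
    if observed is None:                      # artifact not seen on this host
        return False
    wanted = (content.text or "").strip().lower()
    observed = observed.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return observed == wanted
    if cond == "contains":
        return wanted in observed
    raise ValueError(f"unsupported condition {cond!r}")


def _indicator_matches(indicator, observation):
    """Recursively evaluate an Indicator node, combining children with AND/OR."""
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]        # strip the XML namespace
        if tag == "IndicatorItem":
            results.append(_item_matches(child, observation))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, observation))
    op = indicator.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def load_ioc(xml_text):
    """Return (ioc_id, top-level Indicator element) from an OpenIOC-style document."""
    root = ET.fromstring(xml_text)
    return root.get("id"), root.find("ioc:definition/ioc:Indicator", NS)


def matches(xml_text, observation):
    """Return the IOC id if the observation satisfies the indicator tree, else None."""
    ioc_id, top = load_ioc(xml_text)
    return ioc_id if _indicator_matches(top, observation) else None


def scan(xml_text, observations):
    """Return the hosts whose observations trigger the IOC."""
    return [obs["host"] for obs in observations if matches(xml_text, obs)]


if __name__ == "__main__":
    print("hosts matching IOC:", scan(SAMPLE_IOC, OBSERVATIONS))
```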

There are two ways that companies can begin to add CTI to their network security practices. The first way is to build and grow an intelligence cell from scratch. The benefit to companies creating their own CTI cell is that they can stay at the leading edge of the security threats. Because it takes some time to investigate and create intelligence after an attack, companies would likely alter their networks before finalizing any IOCs to publish. One major drawback of creating a CTI cell is the cost. Cost can be significant depending on the size and experience of the intelligence unit. For most smaller businesses, this would be unrealistic despite the need. An alternative to starting their own CTI cell would be to subscribe to a managed security service that provides reports and intelligence. This can be a more cost-effective way for small and medium companies to leverage the experience of a larger company. FireEye, Dell SecureWorks, and Symantec are three companies that can provide managed CTI. These businesses can all provide feeds of information that are constantly being updated. The prices for this service can vary from $2000 to $3000 per month for a single feed to $100,000 for a 12-month subscription for 1 to 2500 computers (Tittel, 2015). Companies that are thinking about either one of these options should conduct a risk assessment and analyze what the return on investment would be to make sure that the price is worth it.

In a large enterprise, cyber threat intelligence will usually fall in a Network Operations Center (NOC) or Security Operations Center (SOC). These teams serve two different purposes, but sometimes they can be combined depending on the size and budget of the organization. Larger organizations like government entities usually have separate teams because of the potential for a conflict of interest. You would not want the same system administrators that are responsible for keeping the network running to also be responsible for auditing the logs, for example. Threat intelligence will normally fall within the SOC team’s responsibility. A SOC team can be responsible for tasks that include risk analysis, IDS/IPS analysis, and threat intelligence. Because there are so many different threats in cyberspace and only so much money to go around, risk analysis is the process of discovering all of the vulnerabilities that lie on a network and prioritizing them from the most severe to the least severe. The budget should be prioritized to reduce the most severe risks so that the business can get the most “bang for the buck” that it can. If these risks are not prioritized correctly, the company could be wasting money trying to reduce a risk that would have no real impact on the security of its network. This is where threat intelligence can help prioritize the risk. By sharing information with others, each business can use the information about the controls that other companies took and analyze their effects. If the controls that were implemented were effective and there was a significant reduction in attacks, then that information could be used to help secure the network. If the controls were ineffective, that company could still learn which controls were least efficient and find an alternative control. Each time companies share information on attacks, controls, or investigations, everyone can benefit from the shared knowledge. By using threat intelligence, information sharing makes the risk analysis more effective and efficient.

Business and the military both operate on three different levels. The bottom level is the tactical level. For IT roles, this level is responsible for monitoring the network and managing the users, upgrades, and patches. At this level, one of the problems is the number of tasks that need to be completed. It is often difficult to test and manage patches while simultaneously scanning logs and ensuring that the normal users have access to their accounts. CTI can help at this level by helping prioritize the efforts of the IT staff to make sure that their efforts will have the most benefit on the networks (Friedman, 2015).

The next level is the operational level and includes the incident response teams and the forensic teams. A problem at this level is that it can be time-consuming and difficult to investigate an attack and to contain the damage of further breaches. CTI can again help prioritize the efforts of the investigating staff and provide case studies and indicators that they can use to speed up their processes (Friedman, 2015).

The top level for businesses is the strategic level. This is the level that the Chief Information Security Officer (CISO) and other C-suite executives work at. One of their problems with IT security is that they often lack a technical understanding of the issues and, with that lack of understanding, have a difficult time prioritizing funding for investment in new or expanded technologies and tools. CTI can help these executives prioritize their money on the most likely threats and give the company the most bang for its buck in stopping the most dangerous and likely attacks (Friedman, 2015).

The future is most likely pretty bright for Cyber Threat Intelligence. It should begin to play an even larger role as Artificial Intelligence (AI) and machine learning start to expand into more industries. The usual methods of adding more hardware to the network are starting to have less of an impact in keeping the networks secure. Cyber Threat Intelligence plays a role in filling the defense gap by sharing information and analyzing previous attacks to help prevent more attacks from occurring.

References

Shackleford, Dave. (February 2015). Who’s Using Cyberthreat Intelligence and How? Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/who-039-s-cyberthreat-intelligence-how-35767

Lord, Nate. (October 2016). What is Threat Intelligence? Finding the Right Threat Intelligence Sources for Your Organization. Retrieved from https://digitalguardian.com/blog/what-threat-intelligence-finding-right-threat-intelligence-sources-your-organization

Rumsfeld, Donald. (February 2002). DoD News Briefing – Secretary Rumsfeld and Gen. Myers. Retrieved from U.S. Department of Defense Web site: http://archive.defense.gov/Transcripts/Transcript.aspx?TranscriptID=2636

Department of Defense. (2013). Joint Publication 2-0 Joint Intelligence. Washington D.C.: USDOD.

Johnson, Chris; Badger, Lee; Waltermire, David; Snyder, Julie; Skorupka, Clem. (October 2016). Guide to Cyber Threat Information Sharing. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

Chismon, David; Ruks, Martyn. (2015). Threat Intelligence: Collecting, Analysing, Evaluating. Retrieved from https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/MWR_Threat_Intelligence_whitepaper-2015.pdf

Friedman, Jon; Bouchard, Mark. (2015). Definitive Guide to Cyber Threat Intelligence. Retrieved from https://cryptome.org/2015/09/cti-guide.pdf

Tittel, Ed. (April 2015). Comparing the top threat intelligence services. Retrieved from http://searchsecurity.techtarget.com/feature/Comparing-the-top-threat-intelligence-services

Enterprise Security Plan

Filed under: Uncategorized — Ken @ 7:57 pm

Enterprise Information Security Plan Scope

Our oil and gas refinery located in Baytown, Texas is one of the central hubs in the oil industry. The Andrews Refinery contains four units for refining crude oil into more refined petroleum products. Although we are a small refinery, we have the potential to be very profitable due to our ability to exploit automated technologies that will make the refinery run as efficiently as possible. Industrial Control Systems (ICS) are becoming more accepted because of the advancement of Information Technology (IT). The better our automation control technologies are, the higher our quality can be.

However, as we begin to connect our ICS to the network, they will be exposed to all of the threats that current IT networks are exposed to. To protect the company’s networks and control systems, we will implement a robust IT security management plan.

This plan will implement security in a series of phases that will ensure the Confidentiality, Availability, and Integrity (C-I-A) of the industrial control systems. In the typical IT network, the legs of the C-I-A triad are listed in order of priority (Scali, 2016), meaning that the priority for an IT network is the confidentiality of the data. In ICS networks the C-I-A triad is reversed: the availability of the systems is the priority. This difference is because ICS networks are usually considered high-availability networks and treat availability as more critical than confidentiality and integrity. Each phase will add layers of security that, as a whole, will be greater than the sum of its parts. This plan is based on phases and not time. Each phase will be completed before proceeding to the next phase. This plan will apply to all information systems located at the Andrews Refinery and all employees, vendors, and contract employees working at the refinery plant.

Impact of Security attacks on ICS Networks

In today’s world, the environment of industrial control systems (ICS) is as dynamic as ever. Galina Antova, the Co-founder and Chief Business Development Officer at Claroty, has stated that the state of security in ICS is at least a decade away from the rest of the IT world (Antova, 2017). The ICS world is behind for two critical reasons. The first reason is that it has only recently become a reality that these networks were under any threat other than human error. In 2010 the first known case of a cyber-attack to have caused physical damage to an ICS network was the Stuxnet attack (Zetter, 2014). The Stuxnet attack exploited a vulnerability in the Siemens S7 Programmable Logic Controllers (PLC) to cause Iran’s nuclear refinement technologies to speed up and slow down, causing damage and ultimately destroying themselves (Zetter, 2014). More recently, Ukraine has had several attacks on its electric grid that have destroyed some of its electrical transformers (Lee, 2016).

The second reason that ICS networks are behind in security is the priorities of the control system engineers. The control system engineers’ only focus is the uptime of their equipment, or the ability of their systems to operate no matter what happens around them (Peoples, 2017). A good analogy to explain why this focus is essential is to ask what a pilot would prefer when flying a passenger plane. If you were about to land the airliner and the engine control systems found a fault, would you want the engines to shut down for the safety of the engines, or would you want the engines to run until you could land the plane? This emphasis on security and safety has caused a delay in the implementation of newer, more secure networks.

Common ICS Network Attacks

Unfortunately, with some of the more massive attacks being in the news, more hackers are starting to take notice of ICS networks, and attacks are beginning to occur more often (Baraniuk, 2016). Some of the same attacks seen in traditional IT networks also apply to ICS networks. Rootkits are some of the more damaging types of malware currently being used. In fact, the recent attack on Ukraine was a rootkit called BlackEnergy (Bodungen, 2017). BlackEnergy has been attacking networks across the U.S. for several years now. The first attacks were designed to steal information from the computers that it was installed on, but now it is targeting Supervisory Control and Data Acquisition (SCADA) systems and causing physical damage (Bodungen, 2017). Viruses, worms, and adware/spyware are also common and can be found on the networks. The issue with this malware is that even though it can be merely a nuisance, it can affect ICS systems because some ICS networks are made up of legacy systems that can be older than ten years. Ransomware is also widespread and will have an even more significant impact on ICS networks because of the safety concern (Bodungen, 2017). Lastly, because many companies are using web applications, all of the common vulnerabilities for web applications apply here too.

Network Segmentation and Defense in Depth

One effective strategy to help secure networks is to apply the defense in depth strategy (Fabro, 2016).  The defense in depth strategy works by applying security controls in multiple layers so that if one layer fails, there are several other layers that can still secure the network.  Our plan will use a top-to-bottom approach to secure the networks and to have more control over the changes during the implementation of the new security plan (Mullens, 2014).  Network segmentation will be applied top-to-bottom and use the Purdue model for segmenting ICS networks (Bodungen, 2017).  Our end goal will be to have a more robust and resilient ICS network that can maintain operations in most business environments.

Network Segmentation

To provide the best security for the ICS network of the refinery, the network should be divided into several segments that are all logically separated, with the communication between the segments explicitly defined and restricted to only the required communications. A Demilitarized Zone will be used to separate the Enterprise Networks of Level 4 and Level 5 from the Manufacturing and Control Zones of Level 3 through Level 0 (Bodungen, 2017).

Purdue Model

The architectural model that the Andrews Refinery will transition to will be based on the Purdue Enterprise Reference Architecture (Purdue Model) that was adopted by the ISA/IEC 62443 standard (Bodungen, 2017). This model is based on five different levels of segmentation that start at Level 5 with the enterprise networks and work their way down to Level 0 with the equipment under control and the safety systems.

Level 5 is the Enterprise Zone and is where the corporate offices are located. The departments that are located in the enterprise zone are the Human Resource Department (HR), the Engineering Department (Eng), the Supply and Logistics Department (Log), the Operations Department (Ops), and the Information Technology Department (IT). All assets related to business operations and the various departments will also be located in the Enterprise Zone.

Level 4 is the business planning and logistics zone (Mintchell, 2016). Level 4 is located on-site at the Andrews Refinery and includes the Eng Department, the Ops Department, and the IT Department. The Level 4 zone takes orders from Level 5, or the corporate headquarters, and monitors the performance of the lower levels (Bodungen, 2017).

Level 3 is the Site Manufacturing and Operations Control Zone (Bodungen, 2017). This zone is where the Industrial Demilitarized Zone (IDMZ) is located, as it is the intersection where Information Technology (IT) and Operational Technology (OT) meet. This zone contains the IT, Eng, and Ops departments as well as most of the industrial control system servers and workstations. Engineer and Operator Workstations, Historians, Authentication, Authorization, and Accounting (AAA) servers, Distributed Control Systems (DCS) primary and backup servers, and application servers are all located in this zone but not behind the IDMZ. Remote Access servers, Historian Access Servers, Patch Servers, and Application servers are located behind the IDMZ.

Level 2 is the area supervisory control zone and contains the control room workstations and Human-Machine Interface (HMI) workstations.  Some ICS equipment is located here, but this zone is mostly for interacting with Levels 1 and 0 (Bodungen, 2017).

Level 1 is the Basic Control Zone (Bodungen, 2017).  This zone contains most of the Programmable Logic Controllers (PLC), Basic Process Control Systems (BPCS), and Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).  The BPCS contains most of the sensors and actuators that interact with Level 0.  SCADA and DCS systems are used to feed information to the higher levels (Bodungen, 2017).

Level 0 is the Process Control Zone.  The Process Control Zone is the zone that contains the process control equipment that does the actual manufacturing and is being controlled by the Level 1 Basic Control Zone (Bodungen, 2017).  Level 0 is considered the most critical level to protect because this zone is where the equipment is manipulated and interacts with the forces of physics (Bodungen, 2017).  Ensuring that Level 1 is isolated and restricted to only those employees that need access is vital to the security of the ICS network.

Also located on Level 0 are the safety systems that help control the processing equipment (Bodungen, 2017).  The purpose of the safety systems is to ensure that the processing equipment is running correctly regardless of what type of interruption the higher levels may have.  Depending on how the safety control systems are set up, processing equipment can either continue operations or safely shut down until the disruption is remediated (Stouffer, 2015).

Network Firewalls

All network zones will be separated by firewalls.  From Level 5 through Level 3, networks will be divided by firewalls capable of stateful inspection of packets (Stouffer, 2015).  From Level 3 down to Level 0, only packet-filtering firewalls will be used.  This is to reduce any latency on network traffic due to legacy systems (Stouffer, 2011).
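The zone segmentation and the two firewall types described above, worked through as an added example (not code from the original plan or from any cited source).  It assumes a zone ordering with the IDMZ between Level 4 and Level 3, that a packet may cross only one zone boundary per hop (standard Purdue guidance, assumed here), stateful inspection on the L5-L4, L4-IDMZ and IDMZ-L3 boundaries, and stateless packet filtering from L3 down; all addresses, ports and rules are constructed.

```python
"""Zone firewall model for the Purdue-style segmentation used by the Andrews Refinery plan.

Added example, not code from the original plan or from any cited source.  Assumptions:
 * zones are named by Purdue level, with the IDMZ sitting between L4 and L3;
 * a packet may only cross one zone boundary per hop (standard Purdue guidance, assumed);
 * L5-L4, L4-IDMZ and IDMZ-L3 boundaries are stateful, L3 and below are stateless filters.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Ordered from the enterprise network down to the process equipment.
ZONE_ORDER = ["L5", "L4", "IDMZ", "L3", "L2", "L1", "L0"]
STATEFUL_BOUNDARIES = {("L5", "L4"), ("L4", "IDMZ"), ("IDMZ", "L3")}

# An allow rule: (src_zone, dst_zone, dst_ip, dst_port, proto); "*" is a wildcard.
Rule = Tuple[str, str, str, object, str]


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class ZoneFirewall:
    """Decides whether a packet may cross the boundary between two adjacent zones."""

    def __init__(self, allow_rules):
        self.rules: Set[Rule] = set(allow_rules)
        # Session table used only at stateful boundaries: 5-tuples seen in the forward direction.
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    @staticmethod
    def boundary(src_zone: str, dst_zone: str) -> Optional[Tuple[str, str]]:
        """Return the (upper, lower) boundary crossed, or None if the zones are not adjacent."""
        si, di = ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)
        if abs(si - di) != 1:
            return None
        return (src_zone, dst_zone) if si < di else (dst_zone, src_zone)

    def _rule_allows(self, pkt: Packet) -> bool:
        for src_zone, dst_zone, dst_ip, dst_port, proto in self.rules:
            if (src_zone == pkt.src_zone and dst_zone == pkt.dst_zone
                    and dst_ip in ("*", pkt.dst_ip)
                    and dst_port in ("*", pkt.dst_port)
                    and proto in ("*", pkt.proto)):
                return True
        return False

    def permit(self, pkt: Packet) -> bool:
        bound = self.boundary(pkt.src_zone, pkt.dst_zone)
        if bound is None:
            # Non-adjacent zones: L5 never talks to L2 directly, and L4 reaches L3 only via the IDMZ.
            return False
        if bound in STATEFUL_BOUNDARIES:
            # Stateful inspection: replies to an established session pass without their own rule.
            if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self.sessions:
                return True
            if self._rule_allows(pkt):
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return True
            return False
        # Stateless packet filter (L3 and below): no session table, so the return direction
        # must be written as its own rule; the trade-off is lower latency for legacy gear.
        return self._rule_allows(pkt)


def demo_decisions():
    """Run constructed flows through the model and return the allow/deny decision for each."""
    fw = ZoneFirewall([
        ("L3", "IDMZ", "10.30.0.5", 443, "tcp"),   # historian -> historian access server in IDMZ
        ("L2", "L1", "10.10.0.20", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
        # deliberately no L1 -> L2 reverse rule yet, to show the packet filter needs one
    ])
    decisions = {}
    hist_push = Packet("L3", "IDMZ", "10.3.0.7", 40001, "10.30.0.5", 443)
    decisions["historian_push"] = fw.permit(hist_push)
    hist_reply = Packet("IDMZ", "L3", "10.30.0.5", 443, "10.3.0.7", 40001)
    decisions["historian_reply"] = fw.permit(hist_reply)        # allowed by session state
    hmi_poll = Packet("L2", "L1", "10.2.0.10", 50000, "10.10.0.20", 502)
    decisions["hmi_poll"] = fw.permit(hmi_poll)
    plc_reply = Packet("L1", "L2", "10.10.0.20", 502, "10.2.0.10", 50000)
    decisions["plc_reply_without_rule"] = fw.permit(plc_reply)  # stateless: dropped
    fw.rules.add(("L1", "L2", "10.2.0.10", "*", "tcp"))
    decisions["plc_reply_with_rule"] = fw.permit(plc_reply)
    decisions["enterprise_to_hmi"] = fw.permit(Packet("L5", "L2", "10.5.0.1", 50001, "10.2.0.10", 3389))
    decisions["l4_bypassing_idmz"] = fw.permit(Packet("L4", "L3", "10.4.0.1", 50002, "10.3.0.7", 443))
    return decisions


if __name__ == "__main__":
    for name, allowed in demo_decisions().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```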

Host Firewalls

Any servers or workstations in the DMZ or the enterprise networks will have a host firewall installed (ICS-CERT, 2013).  In the case of application servers, a web application firewall will be used and configured specifically for that web application.  Workstations will use a centrally managed firewall to reduce the cost and workload of maintaining the firewall rules.

Network-Based Intrusion Detection Systems (NIDS)/Host-Based Intrusion Detection Systems (HIDS)

Each zone will have a NIDS installed after the firewall to detect any unauthorized traffic or any unusual activity.  All application servers will have a Host-Based Intrusion Detection System (HIDS) that will scan for unauthorized traffic (Stouffer, 2015).  The goal of using an IDS rather than an IPS at these points is to prevent any network packets from being denied or dropped due to false positives (Stouffer, 2011) and to maintain the availability of the network.

Network-Based Intrusion Prevention Systems (NIPS)

NIPS will be installed at the edge of the network at Level 5 and at the edge of the IDMZ (Scarfone, 2015).  Only authorized traffic or users will be allowed to pass, based on what protocols the user is using (Stouffer, 2011).  All unauthorized attempts to gain access will be logged.

Enterprise Risk Assessment Plan

One of the unique things about Industrial Control Systems (ICS) within the oil and gas industry is that there is no direct cyberlaw or regulation (Sorebo, 2014).  One reason for this is that ICS networks are so diverse and unique that it would be next to impossible to create a standard or regulation that could cover every type of ICS network (Bodungen, 2017).  Within the petroleum industry, an organization called the American Petroleum Institute (API) is the only organization that represents the industry as a whole (API, n.d.).  The API advocates for the industry and supports various standards, training, and regulations to help improve the industry.  One area that the API endorses and supports is cybersecurity.  Specifically, API supports the National Institute of Standards and Technology (NIST) Cybersecurity Framework (API, 2017).  API states that it is “the pre-eminent standard for companies’ cybersecurity programs and policy making” (API, 2017).

The Risk Assessment Standards the Andrews Refinery will use will come from NIST.  These documents will include NIST SP 800-30 Guide for Conducting Risk Assessments (NIST, 2012) and NIST SP 800-37 Guide for Applying the Risk Management Framework to Federal Information Systems (NIST, 2010).  For guidance on applying controls to the ICS network, NIST SP 800-82 r2 Guide to Industrial Control Systems (ICS) Security (Stouffer, 2011) will be used.

One of the unique challenges of conducting risk assessments in an ICS network is that, at the lower levels of the Purdue Model, the ICS-specific equipment may react in a way that is not anticipated and create a safety issue simply from running a vulnerability scan or a ping sweep with a network scanning tool such as Nmap.  The older ICS equipment was not designed to be used with the security tools in use today.  Therefore, when possible, all vulnerability scanning or testing of equipment will be conducted on test equipment that is configured the same way as the production network.  The vulnerability scanning tools that will be authorized on the network are Nessus and Nexpose.  The advantage of using these tools over others is that Nessus and Nexpose have worked with the Department of Energy to develop a set of baseline security configurations for several ICS components (Bodungen, 2017).  This advantage gives these tools the ability to be used to scan the control equipment at the levels of the ICS network below the Industrial Demilitarized Zone (IDMZ).  Special considerations must be met when working with the control systems, with safety being the primary consideration (Bodungen, 2017).

Another tool that will be used for both Risk Assessment and Auditing is the Cyber Security Evaluation Tool (CSET) from Industrial Control Systems-Computer Emergency Response Team (ICS-CERT).  The CSET tool is one of the most common risk assessment tools used in ICS networks because of the logical step-by-step process when evaluating security controls (Bodungen, 2017).  The tool starts by asking questions based on the framework, industry, and standards used.  The tool is also mapped to the NIST Cybersecurity Framework and can be used with the ISO/IEC 31000 Risk Management standard.

Enterprise Policy for Auditing Plan

Audits will be based on the NIST Cyber Security Framework using the guides mentioned above.  The NIST Cyber Security Framework is based on Executive Order (EO) 13636 “Improving Critical Infrastructure Cybersecurity.”  (NIST, 2014, page 3).  The CSET tool will be used to conduct the internal audits.  An external audit will be contracted out to a third-party auditor.

The NIST Cybersecurity Framework contains three components: the Framework Core, Framework Profile, and Framework Implementation Tiers (Solomon, 2016).  The Core of the framework includes five functional areas that all have their own categories and sub-categories (NIST, 2014).  While audits are very similar to risk and vulnerability assessments, they do differ.  Risk and vulnerability assessments are more for internal use: where they reveal an issue that leaves the network vulnerable, the IT staff can immediately take corrective action.  Audits are more external and more about informing the public and regulating governing bodies that our networks meet and exceed a certain standard (Solomon, 2016).

Cyberlaw Policy Plan

The IT and Engineering staff will team up with the Andrews Refinery Legal Department to ensure that all matters about Intellectual Property (IP) issues are supported.  These issues include Patent Law, Copyright Law, Trademark Law and Trade secrets, Technology Transfer, and International Intellectual Property Law.

There are gaps in regulations and law (Sorebo, 2014).  ICS networks in the petroleum industry do not have any direct legislation or regulations that deal specifically with the petroleum industry.  Oil and gas refineries do not deal with individual customers, children, or healthcare data.  Refineries deal more with the contracts between businesses and environmental issues that exceed the scope of this security plan.  However, being a publicly traded company, the Andrews Refinery needs to comply with the Sarbanes-Oxley Act of 2002 (SOX).  The IT staff will work with the legal department to create and maintain a data retention program that complies with all SOX regulations (Myerson, 2014).  All contracts dealing with Internet Service Providers (ISP), or contracts with third-party vendors in either physical equipment or software licensing will be approved before finalizing the deal.

Occasionally, IT staff or engineers may go to conferences or make public statements as part of a social media campaign or public outreach program.  When these situations occur, all materials, information, or presentations will be approved by both the Public Relations (PR) and Legal Departments.

Enterprise Business Continuity and Disaster Recovery Strategy Plan

Refineries operate twenty-four hours a day, 365 days a year.  The Andrews Refinery is no different and processes 120,000 barrels of crude oil per day.  Each barrel of crude oil that is processed can make 20 gallons of gasoline and 11 gallons of diesel fuel (EIA, 2017).  The average prices of gasoline and diesel on January 29, 2018, are $2.72 for gasoline and $3.07 for diesel fuel (EIA, 2018).  Based on the prices of January 29, 2018, the Andrews Refinery can make $88.17 per barrel for a total of $10,580,400 per day.  Broken down per hour the refinery produces $440,850 per hour.  These figures will be used when developing the Business Impact Analysis (BIA).

One of the unique things about petroleum refineries is that the processing units must undergo a controlled shutdown called a Turnaround to conduct any preventative maintenance and upgrades (Griffith, 2017).  Because of the amount of money produced by each processing unit, the Turnaround process must be carefully coordinated to keep the downtime as short as possible.  When a Turnaround occurs, employees will work around the clock in shifts until the processing unit is back up and running at normal operations.

An excellent way to think about Turnarounds is to look at them as you would maintenance for your automobile (EPMC PSP, 2016).  If you used your car or truck as part of a job, that vehicle would help make you a certain amount of money per day or hour.  Generally, everyone knows that a car needs maintenance, whether that is oil changes, filters, or even tires.  If you did not do any maintenance on your vehicle, it would eventually cause more expensive damage later.  If you did not do any oil changes, you might need to replace the engine, which would create a more significant loss of time and money than if you had just replaced the oil.  So, there is a cost-benefit to conducting routine maintenance on your vehicle.

Business Impact Analysis

Using the figures above, we can begin to develop the Andrews Refinery’s BIA from the risk management assessment.  Two values that need to be identified during the BIA are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO).  The RTO defines the maximum time required to recover the communication links and processing capabilities (Stouffer, 2015).  The RPO determines the longest period of time that a network or process unit can be down and tolerated before adverse or unacceptable conditions start occurring (Stouffer, 2015).
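The revenue figures from the Business Continuity section carried through into the BIA, as an added example (not part of the original plan).  The throughput, yields and prices are the page's own numbers; the outage scenarios, the affected-throughput fractions and the RTO used for comparison are constructed assumptions for illustration.

```python
"""BIA arithmetic built on the Andrews Refinery figures quoted in the plan.

Added example, not part of the original plan.  Throughput, yields and prices are the
page's numbers; the outage scenarios and the RTO are constructed for illustration.
Decimal is used so the cents come out exactly as the plan states them.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

CENTS = Decimal("0.01")

BARRELS_PER_DAY = 120_000
GASOLINE_GAL_PER_BBL = 20           # gallons of gasoline per barrel (EIA, 2017)
DIESEL_GAL_PER_BBL = 11             # gallons of diesel per barrel (EIA, 2017)
GASOLINE_PRICE = Decimal("2.72")    # $/gallon on 29 Jan 2018 (EIA, 2018)
DIESEL_PRICE = Decimal("3.07")      # $/gallon on 29 Jan 2018 (EIA, 2018)


def money(value: Decimal) -> Decimal:
    return value.quantize(CENTS, rounding=ROUND_HALF_UP)


def value_per_barrel() -> Decimal:
    """Product value of one barrel at the quoted prices, computed the way the plan does."""
    return money(GASOLINE_GAL_PER_BBL * GASOLINE_PRICE + DIESEL_GAL_PER_BBL * DIESEL_PRICE)


def value_per_day() -> Decimal:
    return money(BARRELS_PER_DAY * value_per_barrel())


def value_per_hour() -> Decimal:
    return money(value_per_day() / 24)


@dataclass
class OutageScenario:
    """A constructed outage for the BIA table (not from the plan)."""
    name: str
    hours_down: Decimal
    throughput_lost: Decimal = Decimal("1")   # fraction of the 120,000 bbl/day that stops


def lost_value(scenario: OutageScenario) -> Decimal:
    """Product value not produced while the affected units are down."""
    return money(value_per_hour() * scenario.throughput_lost * scenario.hours_down)


def max_tolerable_downtime_hours(loss_budget: Decimal,
                                 throughput_lost: Decimal = Decimal("1")) -> Decimal:
    """Hours of outage that stay within a loss budget: an upper bound when setting the RTO."""
    hours = loss_budget / (value_per_hour() * throughput_lost)
    return hours.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def bia_table(scenarios: List[OutageScenario], rto_hours: Decimal) -> List[Dict]:
    """One row per scenario: lost value and whether the outage would exceed the RTO."""
    return [{
        "scenario": s.name,
        "hours_down": s.hours_down,
        "lost_value": lost_value(s),
        "exceeds_rto": s.hours_down > rto_hours,
    } for s in scenarios]


# Constructed scenarios and RTO; the figures are illustrative only.
SCENARIOS = [
    OutageScenario("historian outage, production continues", Decimal("4"), Decimal("0")),
    OutageScenario("DCS primary server failover", Decimal("2")),
    OutageScenario("one process unit down (25% of throughput)", Decimal("12"), Decimal("0.25")),
]
ASSUMED_RTO_HOURS = Decimal("8")

if __name__ == "__main__":
    print(f"per barrel ${value_per_barrel()}  per day ${value_per_day()}  per hour ${value_per_hour()}")
    for row in bia_table(SCENARIOS, ASSUMED_RTO_HOURS):
        print(row)
    print("hours within a $1,000,000 loss budget:", max_tolerable_downtime_hours(Decimal("1000000")))
```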

Business Continuity Planning

To keep the scope of the BCP in check, I will only focus on the IT network and related equipment (NIST, 2014).  Once the BIA, RTO, and RPO are identified and defined, the BCP process can begin.  Before the planning of the BCP begins, a team must be put together that has at least one member from each of the departments.  This representative will ideally be the most experienced person from each department so that the information used and analyzed is up to date and accurate (Tombros, 2008).  The executive staff will appoint the BCP manager, who will be responsible for organizing the BCP team meetings, project management, and coordinating with the executive department.  When the team is assembled, an administrative plan will be created.  This plan will contain reference information that will be common to all of the smaller, more specific plans that will be built later.  The administrative plan will also include all the information on the vendors and third-party contractors, a contact list for all of the departments and the representative from each department, the risk assessment analysis, and the BIA (Wallace, 2010).  The administrative plan will be the go-to document to find information about the BCP and the overall recovery strategy.

After the administrative plan is complete, the BCP team will make an inclement weather plan, mass casualty/terrorism plan, communication/public relations plan, pandemic plan, and a disaster recovery plan (Wallace, 2017).  When plans require the participation of outside agencies or local governments, those parties should be invited as often as necessary to ensure the recovery plans are updated with the latest contact information and procedures from those agencies.

Once the BCP plans are completed, they should be tested using a crawl, walk, run method (Wallace, 2017).  The crawl, walk, run method means that each department will first test and validate each plan of the overall BCP and report to the BCP team leader if there are any changes that need to be made (Wallace, 2017).  The next type of testing will be table-top exercises.  These table-top exercises will be used to validate individual plans based on the threat models used during the risk assessment.  Finally, full exercises will be used to test and validate the entire BCP.  The full exercise will incorporate local law enforcement and other outside local government bodies.

Disaster Recovery Planning

In the case of the Disaster Recovery Plan (DRP), redundancy will be our greatest asset (Wallace, 2017).  Luckily, oil and gas refineries have operated, and are capable of being operated, without being connected to the internet.  If the internet connection is lost, the Andrews Refinery will operate manually until the connection can be reestablished.  This will require a greater number of employees working on the operational equipment and the use of radios or mobile phones for communications.

In the event of a shutdown due to expected inclement weather, all equipment, buildings, and refinery infrastructure will have to be recertified by electricians and other engineers before restarting operations.  This is due to the damage that buildings could have sustained during the storm.  Damage to buildings or the operational equipment could lead to electrical or chemical hazards if equipment is turned on before it is inspected for damage.

The BCP and DRP will need to be updated and validated at least yearly, or any time there is a significant change to the network architecture, business functions, or network upgrades (Wallace, 2017).  Daily backups will be made of data on any application servers, data historians, authentication servers, and any other valuable data.  Backup servers will be located locally at the corporate headquarters and in third-party cloud services (Nnorchiri, 2017).  The data center for the cloud backup services will be located in another part of the country that will not be affected by the same naturally occurring threats, such as severe weather or flooding.

Identity Management Plan

Identity management is a critical element of the Andrews Refinery security plan (Martin, 2018).  Identity management will allow the Information Technology (IT) department to control access to the hardware and software that is used at the refinery.  The more control the IT department has over identity management, the better able the department will be able to keep the network and the control systems secure (Martin, 2018).

To enhance the ability of the IT department to control access to the Andrews Refinery, smart cards will be introduced (Hall, 2017).  These smart cards will be used to identify, authorize, and grant permissions and privileges to the users.  These smart cards will also enhance the security of the network by allowing the use of dual-factor or two-factor authentication.  The two factors used are something you know and something you have (Gibson, 2015).  These smart cards will also include a photo of the employee to provide physical access control into different employee offices and access to the refinery itself.  The authentication protocol used will be Kerberos, and Microsoft Active Directory (AD) will be used for identification and authentication (Gibson, 2015).  Where applicable, Single Sign-On (SSO) will be used to authenticate employees using web applications.  SSO will help reduce the number of usernames and passwords an employee will need to remember (Vacca, 2014).  SSO can also reduce the number of times the employee will need to sign into the web applications.

The move to smart cards for identity management will start in phases, with the IT department being first.  Once the IT department has completed the transition to smart cards and worked out any problems, the managers of each department can begin.  This top-down approach will allow each manager to learn the process and how to transition to the smart cards for their departments.  Allowing the managers of each department to go first will help gain buy-in for the transition.  During the transition, both the username/password and smart card access modes will be enabled.  However, once the entire company has transitioned to smart cards, the username/password mode will be disabled, and employees will only be able to access the IT systems through the use of smart cards.

During the process of moving to smart cards, employees will need to fill out a System Authorization Access Request (SAAR) form (Babar, 2017).  These SAAR forms will be used by each employee to identify themselves, identify their roles and departments, and identify what access they need to do their jobs.  Once the form is filled out, they will email the document to their immediate supervisor, who will then validate the employee’s request and digitally sign the PDF document with their smart card.  The first-line supervisors will send the SAAR form to the department managers, who will validate it, digitally sign the form, and forward the SAAR form to the IT security manager.  Once the IT security manager digitally signs the document, he/she will task the IT staff to create a new account for the employee and enable any access or permissions required.

Role-Based Access Control (RBAC) will be the primary method for granting employees permissions and access to system resources (Conklin, 2015).  Rule-Based Access Control will be used to prevent employees from having access to some company resources, such as Human Resources (HR) files, after hours when there is no specific need for those files (Conklin, 2015).

During this transition, the IT staff will audit all employee accounts to ensure that the principles of least privilege and need to know are being applied (Gibson, 2015).  If employees change departments, change roles, or require more permissions, the employee will need to submit a new SAAR form.

Security Awareness Training

Making the transition to smart cards may be the first indicator to employees that the company is making changes.  To reduce confusion and to educate the employees, a security awareness training (SAT) program will also begin.  This training will start in-house and be based on threats identified from the risk assessment and violations of the company’s security policy.  Initially, the SAT program will introduce what changes are occurring at the refinery and how they affect the employees.  Later, after the transition to smart cards is complete, the IT staff will begin training the employees one department at a time on an annual basis, or as needed to correct any deficiencies or violations of the security policies.  Training will also be used on a case-by-case basis when any changes to the hardware or software are required (Vacca, 2014).

In addition to the training that employees will receive while changing to the smart card authentication system, employees will be required to read and sign an updated Acceptable Use Policy (AUP).  This AUP will define the proper use of system resources (Gibson, 2015), include privacy statements, and explain how the employee will be monitored while using system resources.

Periodically, the IT staff will test the employees by sending phishing emails or by using other social engineering tactics (Lindros, 2014).  These tests will collect data that, when combined with log data, will help determine how effective the SAT program is.  No employees will be adversely affected if they fail to take the corrective action.  Instead, employees will be given positive reinforcement and potentially other benefits when they make the correct response.  For remediation of violations of the security policies and the AUP, education triggers will be employed.  The first violation will result in a trigger that informs the employee what the policies are and how that employee violated the policy.  Acknowledging the violation will be required before the employee can continue their work.  The second trigger will require watching a short video before their account is unlocked.  A third violation will require watching a 15-minute video as well as written counseling from their supervisor.  SAT will not be a replacement for poor security policies or practices.  SAT will only be used to help reduce the workload of the IT staff.  If there are trends in how the employees are using system resources, the IT staff will initiate training to correct those deficiencies.

Enterprise Incident Response, CSIRT, and Forensics Plan

The risk of a cyber-attack on an Industrial Control System (ICS) network has only increased since the famous Stuxnet attack on the Iranian nuclear centrifuges in 2010 (McMillen, 2016).  Attacks on oil and gas refineries can cause catastrophic results that would cost lives, have long-term negative impacts on the environment, cause severe fines from litigation and legislation, and may even put the company out of business (Kaspersky, 2017).  As oil and gas refineries are designated critical infrastructure, our industry will be scrutinized more heavily, and thus we will need to ensure that the Andrews Refinery is following all local, state, and federal regulations and works closely with law enforcement and agencies when an incident is detected.

Security Operations Center and Incident Response Teams

A famous slogan from SANS on cybersecurity is “prevention is ideal, but detection is a must” (Ashford, 2014).  The basis for this slogan is that cybersecurity incidents are easier to recover from if they are detected early, versus trying to put things back together after a cyber attack.  To identify cybersecurity incidents early, the Andrews Refinery will create a Security Operations Center (SOC) that will also fill the role of a Computer Security Incident Response Team (CSIRT) if cyber-attacks escalate to become more of a physical risk (Lord, 2018).

Traditionally, SOCs are centralized and contain Subject Matter Experts (SMEs) in the IT field (Lee, 2017).  SOCs in an ICS environment would be more distributed and be made up of SMEs in more business processes than just IT.  Members of the ICS SOC will come from industrial, chemical, and control systems engineers as well as the IT department, legal department, and the public relations department (Lee, 2017).  The diversity of the membership is due to the numerous local, state, and federal regulations that the Andrews Refinery is exposed to as identified critical infrastructure.

Incident Life Cycle

NIST SP 800-61r2 provides the security incident response life cycle that the Andrews Refinery will follow for responding to security incidents.  The Incident Response Life Cycle contains four phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-Incident Activity (Cichonski, 2012).  The Preparation phase of Incident Response is highly integrated into the Business Continuity Plan (BCP), and in fact, most of the information used in the Preparation phase comes from the BCP Administrative Plan (Cichonski, 2012).  Part of the Preparation phase is to monitor vendor websites and cyber threat intelligence sources, as well as the Industrial Control Systems Computer Emergency Response Team (ICS-CERT), for all updates on the threat environment and security advisories about vulnerabilities in vendor software or hardware (Bodungen, 2017).  The Andrews Refinery will also develop close relations with the vendors that we use in order to stay ahead of the security updates from the official sources.  Security advisories will typically only be announced on official sources once the vendors can patch the vulnerability.  The vendors will often know of the vulnerabilities for weeks or months before they are patched and released to the public (Bodungen, 2017).

The Detection and Analysis phase is the second phase and is where detection must occur at the earliest possible time.  Incidents can be detected early by continuous monitoring for irregularities in log files, system resources, or the activities of visitors or employees (Vacca, 2014).  Log files, IDS/IPS, and firewalls should be mapped to the threat vectors that were identified during the risk assessment and analysis (Cichonski, 2012).  When irregularities are identified, log files should be collected and analyzed to determine whether the data represents a real security incident, how severe the incident is, and what systems are affected.  If the anomaly is identified as a security incident, the data from log files, drives, and other sources of evidence must be collected using proper forensics procedures, and a chain of custody must be created to ensure the integrity of the data for any future investigations (Vacca, 2014).

The third phase is Containment, Eradication, and Recovery.  The type of security incident will determine what containment strategy to use (Cichonski, 2012).  The action taken to contain a Denial of Service (DoS) attack will be different from that taken for a phishing attack delivered by email (Cichonski, 2012).  Once the strategy is determined, evidence will be gathered identifying all system information, time/location, and the contact information of the person or persons affected by the incident.  When the attacked systems are identified, they will be replaced, restored from a clean backup image, or rebuilt from scratch to return them to normal operations.

Post-Incident Activity is the last phase, where the data will be collected, investigated, and put into a report to be used in the future for lessons learned and to share with vendors, ICS-CERT, cyber threat intelligence sources, and other interested parties.  These reports can be used as a source of Indicators of Compromise (IOC) that other companies can use to harden their systems.

Forensics Plan

The Forensics response plan for the Andrews Refinery will be based on the best practices of digital forensics.  Although digital forensics is a specialized field, we will train the IT department and some employees from the engineering department to become familiar with basic forensics techniques.  When the designated employees are trained, they will be the only personnel authorized to secure workstations, servers, or other compromised devices and remove them from the network.  The compromised devices will be sent to a third-party vendor that specializes in digital forensics and may serve as a witness if there are any court proceedings later on.

ICS Penetration Testing

As briefed previously, ICS networks can react unexpectedly when modern tools and techniques are used on the older ICS equipment (Bodungen, 2017).  Therefore, any penetration testing will only be white-box testing or gray-box testing (Bodungen, 2017).  Black-box testing will not be authorized on the ICS networks due to the nature of the equipment and the safety of the personnel working on or near the production and refining equipment (Bodungen, 2017).

At a minimum, one employee from the IT department and another employee from the engineering department will be assigned to the penetration testing team as a safeguard and a third-party witness to any activities on the network (Bodungen, 2017).  If needed, the assigned employees can be authorized to sign Non-Disclosure Agreements (NDA) if the penetration testing team desires (Kassner, 2015).

Before starting any testing of the networks, the IT staff, engineering staff, and the legal department will meet with the penetration testing team to define and develop the scope of the pen-test, what tools will be authorized, and what techniques will be used during the test (Bodungen, 2017).  A contract will be developed by the legal department authorizing the names of the penetration team, the tools and techniques used, and the dates they are authorized to test the networks.  The contract will also describe the actions that the Andrews Refinery will take if any actions are outside the scope of the contract or if there are any negative consequences or outcomes due to negligence.

Enterprise Information Security Implementation Plan

Physical Security

Physical security is one of the more important aspects of security for an oil and gas refinery (Tyagi, 2016).  Even though the Operational Technology (OT) is more connected to the network than ever before, it is still vulnerable to being physically manipulated or altered.  To prevent unauthorized access to the physical plant, the current physical security plan will be audited and updated as needed.

For the updating process, there will be a focus on improving the communication between the physical security officers, their offices, and their posts.  Closed-Circuit Television (CCTV) will also be audited to ensure that all access points and sensitive areas are covered and in view of a camera (Gibson, 2015).  A cost analysis will determine which systems or actions are the best to accomplish these two tasks.

Authentication

Physical authentication will be required before entering the Andrews Refinery.  Employees will need their Smart Card for access to the refinery work areas.  Vendors and visitors will need to stop at the front gate to sign in and receive a temporary visitor’s badge.  Authentication and access to IT/OT systems will require the use of the employee’s Smart Card.

Network Security

Network traffic will be filtered and monitored by multiple levels of firewalls, intrusion detection systems, and intrusion prevention systems (Bodungen, 2017).  Data Loss Prevention (DLP) servers will help prevent the leakage of Personally Identifiable Information (PII) and Intellectual Property (IP).

Encryption

All data at rest or in transit will be encrypted where possible.  The systems that are not capable of implementing encryption must stay behind the Industrial Demilitarized Zone (IDMZ).  Remote access traffic will be encrypted through the use of Virtual Private Networks (VPNs).  Remote access will be highly restricted and only used by authorized employees and vendors.

Software Development

There will be little software development in-house.  However, we will work closely with our partners and vendors to provide as much assistance as possible to the development of third-party vendor software.  When needed, the Andrews Refinery can assist by testing the software on the test equipment used in our facility.

Email

All company employees will be provided an email account when they sign up for their smart card.  Messages for any company related news, training, or updates will be sent out via email.  System Administrators and any employees with elevated permissions to critical business functions will have two separate accounts.  The first account will be a standard user account with access to email and the internet.  The second account will be restricted to only the rights and permissions needed to accomplish their jobs on the critical systems.

Internet Access

All employees will be given access to the internet and email as a standard employee permission.  Employee activity on the internet will be monitored through the use of DLP servers and proxy servers.  These systems will help prevent employees from violating any security policies.

Acceptable Use Policy

As part of the procedure for signing up for an employee Smart Card and network user account, employees will be required to sign an Acceptable Use Policy (AUP) document describing in detail what the expectations are for employees in the use of the company’s IT systems (Gibson, 2015).

Business Continuity Planning (BCP)

Our Business Continuity Plan focuses on the Andrews Refinery’s critical business function, producing refined oil and gas.  All other business functions support that critical task (Swanson, 2010).  The intent and goal of the BCP are to maintain the C-I-A triad of Information Systems Security so that oil and gas can be produced as efficiently as possible during any information security incident (Swanson, 2010).  To accomplish this, the BCP will be tested annually at a minimum.  The testing will require participation from all departments that are affected.  Any weaknesses or gaps that are identified will be remediated or updated and retested (Wallace, 2017).  A review of the BCP will be conducted to validate and maintain the effectiveness of the plan every two years, or sooner if there have been any significant changes in software, hardware, or a critical business function (Wallace, 2017).

Disaster Recovery Plan (DRP)

The goal of the DRP is to recover from any incident as quickly and efficiently as possible (Swanson, 2010).  The best way for that to happen is to identify the critical business functions, model what threats could affect them, and analyze what needs to be done to bring those critical business functions back up and running as quickly as possible (Wallace, 2017).  Plan maintenance will occur in conjunction with the BCP review.  Testing of the DRP will happen annually for at least one type of DRP scenario (i.e., Pandemic Plan, Inclement Weather Plan).

Security Awareness Training

There will be changes in the upcoming months that will require employees to receive training in the use of their new Smart Cards and the updated security policies.  Any change in the security policies that affects a single department can be trained in-house.  Changes that affect the entire company will be taught company-wide through various media and methods.  Occasionally, employees will be tested through email phishing campaigns or other simulated social engineering attacks (Lindros, 2014).  The goal of these tests is to train employees, through repetition, how to defend themselves from social engineering attacks.

Viruses, Worms, and Malware

Employees will also be trained to understand the different types of malware, how each type works, and how to mitigate any risk from the malware.  Antivirus (AV) software will also be configured to scan for any malware signatures that may appear on the network.  Firewall and IPS/IDS software will be used to detect any unusual activity on the network through heuristic-based analysis.

Conclusion

This paper covers all aspects of the security of the Andrews Refinery’s IT systems and OT systems.  The Purdue model will be implemented to help separate and compartmentalize the network as well as restrict how information flows across its six levels.  The hardware and software needs of the new networks are addressed, covering the different types of firewall, IDS/IPS, and monitoring software.  Risk Management along with Contingency Planning reduces our company’s risks and develops the strategies and plans to continue business operations during different security events.  Security Awareness Training will be used to train employees on the updated security policies and practices.  Lastly, penetration testing will be used to validate all of the actions that we have implemented and to prove their effectiveness.  Implementing this Enterprise Security Plan will allow the Andrews Refinery to become more resilient to attacks and to strengthen the Availability, Integrity, and Confidentiality of our IT and OT systems.

Resources

Antova, G.  (August 2017).  Overcoming the Lost Decade of Information Security in ICS Networks.  Retrieved from http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks

Ashford, W. (April 2014).  Cyber threat detection paramount, says SANS fellow.  Retrieved from http://www.computerweekly.com/news/2240219589/Cyber-threat-detection-paramount-says-SANS-fellow

API. (2017).  CYBERSECURITY.  Retrieved from http://www.api.org/news-policy-and-issues/cybersecurity

API. (n.d.)  About API.  Retrieved from http://www.api.org/about

Babar, A.  (August 2017).  What is Web Access Management (WAM)?  Retrieved from https://www.pingidentity.com/en/company/blog/2017/08/16/what_is_web_access_management_wam.html

Baraniuk, C. (November 2016).  The next big hacking threat is already happening-you just can’t see it.  Retrieved from https://qz.com/831332/the-next-big-hacking-threat-is-already-happening-you-just-cant-see-it/

Bodungen, C., Singer, B., & Shbeeb, A. (2017).  Hacking Exposed: ICS and SCADA Security Secrets & Solutions.  McGraw Hill Education: New York, NY

Cichonski, P. (August 2012).  NIST SP 800-61 R2: Computer Security Incident Handling Guide.  Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Conklin, A. (2015).  All-In-One CompTIA Security+ Exam SYO-401.  McGraw Hill Education: New York, NY

EPCM PSP. (March 2016).  What is a turnaround. Retrieved from https://www.youtube.com/watch?v=2gCk9yBBOUo

Fabro, M., Gorski, E., & Spiers, N. (September 2016).  Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.  Retrieved from https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf

Gibson, D. (2015).  CompTIA Security+: Get Certified Get Ahead SYO-401 Study Guide.   YCDA LLC: Middletown, DE

Griffith, S. (June 2017).  Refinery turnaround requires all hands on deck.  Retrieved from http://news.marathonpetroleum.com/refinery-turnaround-requires-all-hands-on-deck/

Hall, J. (April 2017).  Smart Card Architecture.  Retrieved from https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-architecture

ICS-CERT.  (February 2013).  Targeted Cyber Intrusion Detection and Mitigation Strategies (Update B).  Retrieved from https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B

Kaspersky.  (n.d.)  The State of Industrial Cybersecurity 2017.  Retrieved from https://go.kaspersky.com/rs/802-IJN-240/images/ICS%20WHITE%20PAPER.pdf

Kassner, M. (October 2015).  Don’t let a penetration test land you in legal hot water.  Retrieved from https://www.techrepublic.com/article/dont-let-a-penetration-test-land-you-in-legal-hot-water/

Lee, R., Assante, M., & Conway, T.  (March 2016).  TLP: White.  Analysis of the Cyber Attack on the Ukrainian Power Grid.  Retrieved from https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Lee, R. (March 2017).  Insight into ICS SOC.  Retrieved from https://dragos.com/media/Dragos-Insights-into-Building-an-ICS-Security-Operations-Center.pdf

Lindros, K.  (February 2014).  How to Test the Security Savvy of Your Staff.  Retrieved from https://www.cio.com/article/2378559/data-breach/how-to-test-the-security-savvy-of-your-staff.html

Lohrmann, D. (June 2017).  The Trouble if Security Awareness Training Is Mainly a Punishment.  Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/the-trouble-if-security-awareness-training-is-only-a-penalty.html

Lord, N.  (January 2018).  What is a Security Operations Center (SOC).  Retrieved from https://digitalguardian.com/blog/what-security-operations-center-soc

Martin, J., & Waters, J. (January 2018).  What is identity management?  IAM definition, uses, and solutions.  Retrieved from https://www.csoonline.com/article/2120384/identity-management/what-is-identity-management-iam-definition-uses-and-solutions.html

McMillen, D. (December 2016).  Attacks Targeting Industrial Control Systems (ICS) Up 110 Percent.  Retrieved from https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/

Mintchell, G. (March 2016).  Purdue Enterprise Reference Architecture Meets IIOT.  Retrieved from https://themanufacturingconnection.com/2016/03/purdue-enterprise-reference-architecture-meets-iiot/

Mullens, P.  (November 2014).  Information Governance- The top-down approach.  Retrieved from https://blog.barracuda.com/2014/11/05/information-governance-the-top-down-approach/

Myerson, J. (June 2014).  Four steps to consolidate SOX data retention and deletion processes.  Retrieved from http://searchcompliance.techtarget.com/tip/Four-steps-to-consolidate-SOX-data-retention-and-deletion-processes

NIPP. (2013).  NIPP 2013: Partnering for Critical Infrastructure Security and Resilience.  Retrieved from https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013-508.pdf

NIST.  (February 2014).  Framework for Improving Critical Infrastructure Cybersecurity, Version 1.  Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST. (September 2012).  NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

NIST. (September 2017).  Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft

Nnorchiri, D. (October 2017).  Backup Strategies For Data Centers.  Retrieved from https://www.poweradmin.com/blog/backup-strategies-for-data-centers/

Peoples, R. (September 2017).  How Vulnerable is Your Industrial Control System (ICS)?  Retrieved from https://www.crossco.com/blog/how-vulnerable-your-industrial-control-system-ics

Scali, D. (August 2016).  Developing a Security Strategy to Cover ICS Assets.  Retrieved from https://www.fireeye.com/blog/executive-perspective/2016/08/developing_a_securit.html

Scarfone, K. (October 2015).  Enterprise benefits of network intrusion prevention systems.  Retrieved from http://searchsecurity.techtarget.com/feature/Enterprise-benefits-of-network-intrusion-prevention-systems

Solomon, M., & Weiss, M. (2016).  Auditing IT Infrastructures for Compliance, 2nd Edition.  Jones & Bartlett: Burlington, MA

Sorebo, G.  (March 2014).  The Oil and Gas Industry: A Surge in Cybersecurity Vigilance?  Retrieved from https://www.rsaconference.com/blogs/the-oil-and-gas-industry-a-surge-in-cybersecurity-vigilance

Stouffer, K. (June 2011).  Guide to Industrial Control Systems (ICS) Security Revision 2.  Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Swanson, M. (May 2010).  NIST SP 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems.  Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf

Tombros, V.  (July 2008).  Case Study:  Implementing Business Continuity in the Upstream and Midstream Energy Sector (Petrochemicals and Refineries).  Retrieved from http://www.continuitycentral.com/feature0594.html

Tyagi, S.  (January 2016).  The Global Threat of Terrorism Targeting Oil and Gas Industries.  Retrieved from https://www.linkedin.com/pulse/global-threat-terrorism-targeting-oil-gas-industries-sb

U.S. Energy Information Administration (EIA).  (January 2018).  Weekly Retail Gasoline and Diesel Prices.  Retrieved from https://www.eia.gov/dnav/pet/PET_PRI_GND_DCUS_NUS_W.htm

U.S. Energy Information Administration (EIA).  (May 2017).  FAQ: How many gallons of gasoline and diesel fuel are made from one barrel of oil?  Retrieved from https://www.eia.gov/tools/faqs/faq.php?id=327&t=9

Vacca, J.  (2014).  Managing Information Security 2nd Ed.  Syngress: New York, NY.

Wallace, M., & Webber, L. (2017).  The Disaster Recovery Handbook: A Step-By-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets, Third Edition.  AMACOM: New York, NY.

Zetter, K.  (2014).  Countdown To Zero Day.  Broadway Books: New York
