Converged Security in Critical National Infrastructure A Risk-Modelled Approach to Defining Priorities Presented by: Dan Solomon Senior Partner, Hawk ISM. Vice President, Security Art

Upload: dan-solomon

Post on 16-May-2015

DESCRIPTION

An overview of the converged risk universe followed by findings from a recent survey of security in critical infrastructure, and a presentation of FAIR methodology.

TRANSCRIPT

Page 1: Converged Security in Critical National Infrastructure - A Risk-Modelled Approach to Defining Priorities

Converged Security in Critical National Infrastructure

A Risk-Modelled Approach to Defining Priorities

Presented by: Dan Solomon

Senior Partner, Hawk ISM.

Vice President, Security Art

Page 2

Presentation Structure

• Security Risk Orbits

• High Impact Cyber Threats 2012

• Recent Research Findings

• Problems with Current Approach

• Converged Risk

• Threat-Modelled Risk Framework

• Factor Analysis System

• Converged Risk Scenario Building

EISN meeting Groningen March 2012 ©Dan Solomon. All rights reserved 2012.

Page 3

Security Risk Orbits

[Diagram: Security Risk Orbits. "Your Organisation" sits at the centre, surrounded by the risk orbits Liability, Disaster, Theft & Damage: Physical Assets, Crime, Intangible Assets, Product and Continuity. Individual risks placed on the orbits: Fraud, Extortion, Trade Secrets, Kidnapping, Terrorism, Accident, Industrial Accident, Environmental, Product Liability, Health & Safety, Professional Liability, Designs, Forgery, Plans, Trademark Infringement, Distribution Continuity, Sourcing & Supply Chain, Production Systems, Production Continuity, Vandalism, Stock, Arson, Equipment, Data Loss, Client Confidentiality, Intellectual Property, Reputation. Source: Dan Solomon. All Rights reserved 2012.]

Page 4

Cyber Security Risk Orbits

[Diagram: Cyber Security Risk Orbits, using the same orbit layout and risk labels as the Security Risk Orbits diagram on Page 3. Source: Dan Solomon. All Rights reserved 2012.]

Page 5

High Impact Cyber Threats for 2012

All rights reserved. Source: Security Art Ltd

Most malware operates in a simple 'one-shot' mode. The next generation of malware will be 'conditioned', i.e. it will have a 'learning mode'.

Malware is growing 'smarter', and in the future experts expect to see malware with multidisciplinary features and attack vectors:

1. Most of the current static security measures would become obsolete (firewall, IPS, anti-virus, etc.).

2. Security measures will require identification and prevention using newly developed methods of behaviour analysis and malware family DNA.

Stuxnet 2.0: Permanent Denial of Service

• Most organisations are unfamiliar with Stuxnet in detail.

• Most are not aware of the potential for Stuxnet to damage and destroy hardware.

• Most are not capable of handling defence against such a threat.

• The next version of Stuxnet will become more expansive and may even impact hardware and mobile devices.

The next version will be characterised by permanent Denial-of-Service attacks which will be independent, orchestrated and remotely triggered, and therefore an attractive mode of attack for terrorists and state-sponsored organised crime.

EISN meeting Groningen March 2012 ©security Art. All rights reserved 2012

Page 6

High Impact Cyber Threats for 2012

All rights reserved. Source: Security Art Ltd

Permanent Denial-of-Service attacks will range from rendering hardware useless by crashing hard drives and machine-level PLCs, to increasing the voltage within CPUs.

Permanent Denial-of-Service attacks can aim to push hardware to its extreme performance, or make it perform actions for which it was not designed, as well as the more obvious corruption of internal program and data structures.

Permanent Denial-of-Service attacks will include:

• Over-volting

• Over-clocking

• Over-usage

• Power Cycling

• Phlashing

Implications

Invariably the recovery will require replacement with new hardware, the cost of which will extend to millions of Euros within Critical Infrastructure sectors, and this exposes the vulnerability of not holding redundant capacity.

In many cases it is not practical to hold spare parts for major pieces of infrastructure. The resultant downtime could be catastrophic for some businesses if suitable redundancy and capacity do not exist.

Reactive security strategies are too high-risk for these potential high impact threats; operators must shift to a more proactive approach and improve awareness and testing of vulnerabilities.

Page 7

Leading Security Planning Concerns by Industry

[Chart: Leading Security Planning Concerns by Industry, comparing Utilities, Finance and IT & Telecomms on a Low (1) to High (5) scale, with an Overall* column. Concerns and the figure shown against each: 3rd Party Risk 3.5; Engaging Senior Management 4.0; Security Culture 4.4; Complex Threats 4.4; Investment 3.8; Full Spectrum Awareness 3.8. Source: Hawk ISM.]

The majority of firms struggle with time, resources, intelligence, or expertise to deal with a comprehensive range of scenarios, and consequently they don’t adequately consider the full spectrum of security risks.

In most cases, companies lack the awareness of the threat landscape and therefore the drivers to upgrade their security risk agenda.

The lack of urgency tends to limit the budgets available to acquire intelligence, or engage experts to provide greater awareness.

Senior management must display leadership, and promote understanding of the importance of security.

Engaging senior management in this mission remains problematic in many firms.

APTs have made executives more aware of the threats when subjected to cyber attacks, but this is still not translating into more robust policies to manage the threat to IT systems.


Page 8

Recent Research Findings

[Chart: Confidence in Security by Element. Ratings on a Low (1) to High (5) scale for Company 2, Company 4 and Company 6, covering Physical Security, IT Security and Business Continuity across Executive Level Confidence, Preparedness to Prevent, Preparedness to Manage and Overall Confidence Rating.]

[Chart: Risk-led and Centralized Approach. Incidence Rating, Low (1) to High (5), for Company 2, Company 4 and Company 6 on: Risk-led Approach to Business Continuity; Risk-led Approach to Security Planning; Risk-led Approach to IT Security Planning; Divisional Involvement in Security Planning; Central Planning for Physical Security; Central Planning for IT Security.]

Patterns of confidence are roughly similar among most industries, with a few notable exceptions among energy and utilities companies, which tend to be less confident in their cyber security and IT networks than other firms such as business and financial services.

The complexities of structuring risk and security programs, and then integrating them, tend to increase among larger firms. This is most evident in matrix organisations with multiple divisions, where decentralised responsibility for risk and security tends to lead to inconsistencies, and therefore weaknesses.

Page 9

Recent Research Findings

[Chart: Implemented Changes to Business Practices. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Changes Due To 3rd Party Risk; Changes Due To Threat Of Espionage; Changes To Business Continuity Processes; Changes To Back-up Procedures; Changes To IT Security Processes.]

[Chart: Security Investment & Focus. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Expressed Intent to Raise Investment; Claim to be Under-funded; Recent Focus on Espionage; Recent Investment Appropriate to Need; Have Experienced a Security Breach.]

The majority of companies have made few changes to business processes in order to facilitate business continuity preparedness, despite the changes in the security risk environment, which tends to indicate complacency and lack of awareness as much as budgetary limitations.

There is little evidence of sufficient and appropriate investment before 2010 aligned with a realistic awareness of their vulnerabilities.

This reinforces the point that executives are more inclined to invest when their awareness is more acute.

Page 10

High Impact Threats [H.I.Ts]

[Chart: Low-Probability High-Impact Threats [H.I.Ts]. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Lower Probability Scenarios; Higher Probability Scenarios; Considering a broader range of scenarios; Led to Revision of Continuity Plans; Led to Revision of Security Plans.]

[Chart: Cyber High-Impact Threats [C.H.I.Ts]. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Risk Assessment of H.I.Ts; Risk Assessment of Cyber H.I.Ts; Claim to Awareness of H.I.Ts; Confidence in Managing H.I.Ts; Confidence in Managing Cyber H.I.Ts.]

The broader focus on scenarios tends to concentrate on scenarios that are more probable rather than plausible.

This serves to reinforce executives' confidence in existing plans, when they recognise that those plans are relevant to many different potential incidents.

Among most firms there remains a degree of ignorance about the potential threats to physical assets from a cyber attack, and many organisations lack integrated and formal crisis management plans and business continuity plans for such incidents.

Page 11

Risk Registers and their Management

[Chart: Review of Risk Agenda. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Recent Assessment Of Espionage Impact Risk; Recent Assessment Of Sabotage Impact Risk; Recent Mapping Of Interdependencies; Recent Review Of Risk Assessment Methods; Recent Review Of Risk Scenario Assumptions.]

[Chart: Risk Register & Processes. Incidence Rating, Low (1) to High (5), for Company 2 and Company 4 on: Maintain A Formal Security Risk Register; Register Updated Regularly; Register Includes Estimated Impact Value; Cross-departmental Participation; Supported By Comprehensive Process.]

New risk methodologies need to adopt a multi-dimensional analysis of converged and cyber risk. Many companies require a methodology that can be adapted to different 'domains', whether upstream or downstream, and to different types of risk, from operational security to operations management and process control software security.

A poor register is often a factor in not engaging in a comprehensive risk assessment process. Many registers are not fully referenced in risk-led decision-making because of common deficiencies in the construction of the register.

If companies were aware of all plausible risks and their probabilities, they would be able to adopt a more systematic approach to tackling a broader range of emerging converged threats.

Page 12

Challenges & Concerns

• Management often does not understand the scale, threat, or requirements for a solution

• Demarcation and ownership of IT security

• 'CSO' does not have sufficient exposure among C-level

• Some key security measures are not widely adopted

• Clash of cultures with S-A-I-C of OT with IT

• Risk assessment methods for catastrophic events

• 'Black Swans'

• Access to Intelligence: How much can it deliver on cyber

• Interdependencies: Can these threats really be qualified

• Doubts about whether banking and phone systems can withstand attack

Page 13

A Converged Approach

• Converged risk combines IT and physical security risk into one over-arching risk landscape.

• A converged approach better recognises and addresses interdependencies and multiple and/or simultaneous incidents.

• The aim is to integrate business processes or assets, i.e. people, technology and information [no need to redesign the stool].

• By bringing together IT and physical security, it considers vulnerabilities dynamically:

– across the three recognised dimensions of physical risks, people risks, and process risks;

– across infrastructure, operations, and specific events.

Page 14

A Converged Risk Model

[Diagram: A Converged Risk Model, grouping controls under Systems, Processes and People: C-level Risk Responsibility; Cross-Dept. Risk Team & Budget; Response Teams & Scenario Plans; Security Awareness Training; Formalized Policies; Personnel Background Checks; VPNs; Authentication & Access Control; Firewalls; Intrusion Detection Systems; Encryption; Computer Level Back-ups & Updates; Log File Analysis; Secure Software Configuration; Physical Security; Contingency Planning; Audits & Vulnerability Analyses. Source: Dan Solomon. All Rights reserved 2012.]

Page 15

Benefits of A Converged Risk Approach

All rights reserved to Hawk ISM

• Develops appropriate emphasis on both the staff and the security processes they follow.

• Positions information security appropriately within the security risk landscape to support the company's overall risk appetite.

• Reconciles conflicting views between cyber and physical security.

• Incorporates intuitive issues when qualifying risk, through a judgement-aided, metrics-based process.

• Risk-informed decision-making requires complete and unbiased vulnerability and impact assessments.

• The integrity of management decisions requires an appreciation of threats and true capabilities.

• Ensures appropriate investment, directed towards the right priorities, to provide suitable defence against converged risk.

Page 16

Threat-modelled Risk Framework

[Figure: The Risk Modelling Cycle - 1. Stages: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability, Threat Modelling, Data Protection, Risk Modelling.]

Threat-Modelled = Risk-Informed Management

To enable decision making for security-related issues for organizations, based on accurate threat modelling, a quantifiable asset valuation, and 'what if' scenarios that consider both the deterrence factors of a security measure or process and its cost.

A continuous practice evaluating risk posture based on past experiences, up-to-date intelligence feeds, recognition of trends, and a valuation of the organizational assets, including transient value (i.e. marketing, reputation and legal implications on top of the actual base value).

Intelligence Gathering

Performed on two levels: informational and human.

Business Process Mapping

The first step is identifying every aspect of the business operations, and any interactions with external resources (3rd party suppliers, partners, resellers, etc.) that the business requires for its ongoing operations.

The mapping should take into account primarily the critical processes, and then the rest of the operations.

Identification of critical assets, and critical IT, to be used later in the threat modelling and risk management process.

Page 17

Threat-modelled Risk Framework

[Figure: The Risk Modelling Cycle - 2. Stages: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability, Threat Modelling, Data Protection, Risk Modelling.]

Asset Mapping

Designed to provide the organization a clear view of all its assets, and the participating business processes that relate to these assets.

A valuation of the asset is required for every aspect of the business that the asset relates to, including "replacement" value, additional intrinsic values, and a marketing/competitive damages value.

Vulnerability and Exposure Analysis

This phase is not limited to technical vulnerabilities but also includes risks to business processes, 3rd parties and any other aspect of the asset lifecycle.

The human factor can usually be evaluated in relation to the criticality of the assets, and the general awareness of risks related to the business process at stake, both logical and physical.

Each vulnerability should include as much information as possible on the ability to exploit it to gain access, as well as the current countermeasures in place to mitigate such an incident.

Key technical evaluations focus on the less standard devices such as mobile equipment, custom systems and applications, control systems, embedded devices, etc., to ensure that the entire infrastructure has been reviewed, as a motivated attacker would.

Threat-Modelled = Risk-Informed Management

Page 18

Mapping the Relevant Threat Agents

[Figure: The Risk Modelling Cycle – Human Factors.]

Page 19

Threat-modelled Risk Framework

[Figure: The Risk Modelling Cycle - 3. Stages: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability, Threat Modelling, Data Protection, Risk Modelling.]

Threat Modelling

In the threat-modelling phase, the relevant threats for each asset are identified, correlated to the intelligence gathered, and evaluated on the basis of the threat's exposure frequency to the asset and its capability to successfully attack the asset.

This modelling should be expressed in statistical terms that can be repeated independently, even when based on different subject matter expert opinions.

Dataflow Protections

The last element of the base evaluation phase is the analysis of any means designed to detect incorrect data flows, which is critical to identifying cyber threats.

This includes DLP systems (Data Leak Protection/Prevention), as well as business processes in place to prevent information from getting to the wrong places inside and outside the organization.

All the communication systems should be included in this phase: data, voice, image, and physical.

Threat-Modelled = Risk-Informed Management

Page 20

Threat-modelled Risk Framework

[Figure: The Risk Modelling Cycle - 4. Stages: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability, Threat Modelling, Data Protection, Risk Modelling.]

Risk Modelling

A risk model should be created for all the identified assets, and a quantitative compound score applied to each, based on the expected liability it yields and the probability/frequency.

What-If Modelling

A what-if scenario can be analyzed both for incident handling and for placing and modifying controls.

This is critical to decision making for organizations that need to adapt to a changing threat landscape or other circumstances.

Both infrastructure and individual security measures can be modelled to see how they reflect on the overall future risk posture of the business.

Threat-Modelled = Risk-Informed Management

Ultimately

Outputs need to be quantitative values to enable a real appreciation of the potential loss exposure.
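As an added illustration of the threat modelling, risk modelling and what-if steps above (this is not code from the presentation, Security Art or FAIRiq), the following Python model follows the FAIR decomposition that the deck's reporting slides use: threat event frequency times vulnerability gives loss event frequency, and loss event frequency times loss magnitude gives annualised loss exposure; a control change is evaluated by re-running the same scenario with a modified estimate. The triangular distribution is a simplification of FAIR's calibrated ranges, and the asset names, threat communities and all figures are constructed for the example.

```python
# Added example (not from the presentation or FAIRiq): a FAIR-style annualised
# loss exposure model with what-if control comparison. Every scenario figure
# below is constructed for illustration only.
import random
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """Calibrated low / most-likely / high estimate, treated as a triangular distribution."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # The mean of a triangular distribution is the average of its three parameters.
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat_community: str
    tef: Estimate   # threat event frequency: attempts per year against the asset
    vuln: Estimate  # vulnerability: fraction of attempts that become loss events (0..1)
    lm: Estimate    # loss magnitude per loss event, in EUR


def expected_lef(s: Scenario) -> float:
    """Loss event frequency per year = threat event frequency x vulnerability."""
    return s.tef.mean() * s.vuln.mean()


def expected_exposure(s: Scenario) -> float:
    """Annualised loss exposure (EUR) = loss event frequency x loss magnitude.
    A point estimate; valid because the three factors are modelled as independent."""
    return expected_lef(s) * s.lm.mean()


def simulate(s: Scenario, seed: int = 1, n: int = 20000) -> Dict[str, float]:
    """Monte Carlo: propagate the three ranges into a distribution of annual loss."""
    rng = random.Random(seed)
    losses = sorted(
        s.tef.sample(rng) * s.vuln.sample(rng) * s.lm.sample(rng) for _ in range(n)
    )
    return {"mean": sum(losses) / n, "p50": losses[n // 2], "p90": losses[int(n * 0.9)]}


def what_if(s: Scenario, **changes: Estimate) -> Scenario:
    """The same scenario with a control change applied, e.g. what_if(s, vuln=...)."""
    return replace(s, **changes)


def rank(scenarios: List[Scenario]) -> List[Tuple[float, str, str]]:
    """Order scenarios by expected exposure, highest first, to set priorities."""
    return sorted(
        ((expected_exposure(s), s.asset, s.threat_community) for s in scenarios),
        reverse=True,
    )


def control_benefit(before: Scenario, after: Scenario) -> float:
    """Expected annual loss avoided by a control change, for comparison with its cost."""
    return expected_exposure(before) - expected_exposure(after)


# Constructed scenarios for a fictional utility (hypothetical figures).
PLC = Scenario(
    asset="substation PLC",
    threat_community="state-sponsored attackers",
    tef=Estimate(1, 2, 6),                       # mean 3 attempts/year
    vuln=Estimate(0.2, 0.4, 0.6),                # mean 40% of attempts succeed
    lm=Estimate(500_000, 1_000_000, 4_500_000),  # mean EUR 2M per loss event
)
EMAIL = Scenario(
    asset="corporate email",
    threat_community="cyber criminals",
    tef=Estimate(50, 100, 150),
    vuln=Estimate(0.01, 0.02, 0.03),
    lm=Estimate(10_000, 20_000, 30_000),
)
# What-if: segmentation and monitoring of the control network cut the PLC
# vulnerability estimate to around 10% of attempts; everything else unchanged.
PLC_HARDENED = what_if(PLC, vuln=Estimate(0.05, 0.10, 0.15))
```

`rank([PLC, EMAIL])` places the PLC scenario first at EUR 2.4M/year against EUR 40k/year for email, and `control_benefit(PLC, PLC_HARDENED)` gives the EUR 1.8M/year that the hardening is expected to avoid, which is the number to compare against the control's cost; `simulate(PLC)` adds p50/p90 figures so the spread, not only the mean, reaches the decision-makers.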

Page 21

FAIRiq – Intuitive Graphical Input

[Screenshot: Threat Community Shared Database, "Import Selected Threat Communities from Public Threat Community Library", with an NAICS Classification Keyword Search and industry groups Agriculture, Finance & Insurance, Government, Healthcare, Real Estate & Renting, Retail Trade, Services, Transportation, Utilities and Wholesale Trade. Columns: Industry, Threat Community Name, Information Source, Rating, Select. Entries shown under Finance & Insurance: Cyber Criminals - Pro Hackers (Shared - Anonymous); Trusted Vendors (Shared - Anonymous); Field Employees (Premium - Security Art); HQ Physical Security (Premium - Security Art); Natural - Earthquake (Shared - Anonymous); Natural - Tornado (Shared - Anonymous).]

Copyright 2012 CXOWARE, Inc.

Page 22

FAIRiq – Meaningful Reporting

[Charts: Departmental Loss Exposure & Loss Event Frequency Report for Accounting, Finance, HR, IT, Marketing, Retail, R&D and Sales, showing Loss Exposure in millions ($0 to $80) and Loss Event Frequency as number of times per year (0 to 450). Scatter plots of Loss Exposure & Percent Vulnerability (Loss Magnitude in millions against % Vulnerability, 0% to 100%) and Loss Exposure & Loss Event Frequency (Loss Magnitude in millions against Loss Event Frequency in times per year, 0 to 200).]

Copyright 2012 CXOWARE, Inc.

Page 23

Threat-modelled Risk Framework

[Figure: The Risk Modelling Cycle - 5. Stages: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability, Threat Modelling, Data Protection, Risk Modelling.]

Risk Management and Decision Making

1. Senior management needs to define its tolerance to risk for each one of the assets or processes it owns, by analysing the risk capacity provided by the model, identifying the resources and capabilities that the organization already possesses to mitigate the risk, and any applicable regulation that may contribute to defining the risk tolerance.

2. Any value propositions that would affect the risk model should be identified and analysed, and the overall impact to the risk posture should be calculated for these, along with the required internal and capital resources of such a proposition.

3. Finally, the organization can view the comprehensive risk model along with all the alternatives for impacting the risk posture and their cost and resource impacts, in a way that allows informed decision-making processes.

Closing the Cycle

The full cycle is ongoing: the model should be updated, challenged, and its assumptions adapted with input from different areas of the organization, and refined to better reflect current status as the threat landscape shifts.

Threat-Modelled = Risk-Informed Management

Page 24

Scenario Building for Security Planning

More suited than any other approach for developing a better appreciation of converged threats, because it is now near-impossible to identify precisely how future threats will manifest themselves in a combined cyber/physical domain.

Working with Converged Risk Scenarios

[Figure: Scenario-Building Workshop Process Map (Source: Hawk ISM), laid out by Phase, Aims, Activity and Session Objectives. Phases and activities: One, Presentations and Review of Analysis; Two, Mapping Assumptions, Priorities & Fears; Three, Create Element 'Batches' (Assumptions, Factors, Vulnerabilities, Uncertainties); Four, Scenario Exercise Sessions (Interdependencies, Factor Impact, Dynamics of Uncertainties); Five, Short-listing and Trade-Offs. Aims: Capture Current Understanding; Define Elements & Issues; Examine Uncertainties; Build Consensus. Session objectives: identify macro issues to be examined; interpret and apply risk intelligence; develop an insightful understanding of the operating context; incorporate a range of opinions and inputs; target macro-factors or vulnerabilities that should drive focus; characterise the degree of uncertainties that are critical to the focus issues; acknowledge and examine the nature of uncertainties; recognise when assumptions are challenged by events; create recognition of vulnerabilities; create new awareness among all decision-makers; inform where to short-list options for investment and planning; implications for the trade-offs.]

• Scenarios enable managers to prepare a schedule of responses, and serve as roadmaps for setting future investment & priorities without dismissing certain risks on the basis of lack of awareness, or misunderstanding of interdependent dynamics.

• Scenarios are specifically relevant to developing a shared appreciation of risks, particularly when mapping interdependencies and their function within the larger networks of infrastructure.

• Outcomes lead to decisions that effectively mitigate risk across several possible future threats or attacks.

• Scenarios illustrate several ways that one threat can evolve and develop into different plausible outcomes, that planners need to be able to cope with.

• Helps managers recognise when assumptions are being challenged by events, while exercises will develop the ability to respond appropriately.

• Creates awareness of how changes in underlying factors can change the way events unfold during a crisis, and builds a better understanding of the relationship between different factors.

• Creates the recognition of vulnerabilities, and informs managers of where to short-list options for investment planning, and implications for the trade-offs they may need to consider.

• Accommodates both qualitative & quantitative inputs and reconsiders multiple views & priorities across physical & cyber security.

Page 25

High Reliability Organisations

• Preoccupation with Failure

• Reluctance to Simplify

• Sensitivity to Operations

• Commitment to Resilience

• Deference to Expertise

Resilience ©Malcolm Baker (T/A Resilience). All rights reserved 2012.

Page 26

Your Contact

Dan Solomon, Senior Partner

Tel: +44 7850 761834

Email: [email protected]

Security and Risk Consulting, www.hawk-ism.com

Dan Solomon, Vice President, Europe

Tel: +44 7850 761834

Email: [email protected]

Proactive Security in a Reactive World

• Risk & Resilience Consulting

• Workshops & Scenario-Building

• 'Red Team' Exercises

• Strategy Consulting

• Added Value Analytics

• Intelligence Gathering

• Threat Modelling

• Factor Impact Analysis

• Risk Analysis

• Management support

• Workshops

• Security Policy Analysis

• Scenarios-Building

• Risk Management