ISA IC33 Flashcards
Security Life Cycle includes?
Assess,
Develop & Implement,
and Maintain Phase
Security Life Cycle is.
Continuous steps to minimize risk.
IC33 focuses on the Assess Phase. The Assess Phase includes?
1- High Level Cybersecurity assessment
2- Allocation of IACS assets to Security Zones and Conduits
3- Detailed Cyber Risk Assessment
IC33 Assess phase focus areas are found in?
ISA/IEC62443-3-2
IC34 is related to the Develop & Implement phase, which includes?
4- Cyber Security Requirement Specification (CRS) ISA 62443-3-2
5- Design and Engineering of Cybersecurity Countermeasures ISA 62443-3-3
6- Installation, Commissioning, and Validation of Cybersecurity Countermeasures
- It also includes the Design and Development of other means of Risk Reduction
IC34 Develop and Implement phase works with
ISA 62443-3-2 and ISA 62443-3-3
IC37 is the Maintain Phase which includes…
7- Cybersecurity maintenance, monitoring, and management of change ISA 62443-2-1
8- Cyber security response and Recovery ISA 62443-2-1
IC37 works with?
ISA/IEC62443-2-1
ISA 62443-2-1 is also used for what?
- Cybersecurity management system for policies, procedures, training & awareness.
- Periodic Cybersecurity Audits.
Before running any assessment you must define what?
The Scope of the project must be defined first.
Scope
Determine the parameters on what is included in the assessment and how it is performed.
Scope includes?
1- Identify Requirements
2- Specify Devices.
3- Select Collection Method
4- Document
The documents in the scope help identify
1- constraints
2- deliverables
3- assumptions
4- boundaries
Key components of project scope include
1- system architecture diagram
2- Network Diagram
3- asset Inventory
4- Criticality assessment
ISA 62443 Reference Model includes
- Level 0 Process
- Level 1 Safety/Protection and Basic Control
- Level 2 Supervisory Control
- Level 3 Operations Management
- Level 4 Enterprise Systems
Network Diagram should illustrate
- How the network is logically and physically constructed.
- Port assignments, VLANs, device types.
Asset inventory should be done for all components, such as software, hardware, and network; this can be done by means of
- Documentations
- Tools, such as automated tools.
- Using Site Surveys.
Automated tools should always be tested first.
This is important to ensure no security vulnerabilities are introduced into the network.
Cyber Criticality Assessment
It is the measure of the negative impact should information be unavailable, unreliable, or compromised. It always refers to AIC (availability, integrity, confidentiality) and how each one of them is affected.
CHAPTER 2
Cybersecurity vulnerability assessment
RISK IS?
Threat * Vulnerability * Consequences.
Understanding Vulnerability will help with
Better understanding the Risk.
Management is responsible for determining
The Acceptable Risk Level that they can tolerate - risk Tolerance.
Risk treatment types are divided into the following
- Design Risk Out by changing the design
- Reduce Risk by implementing countermeasure.
- Transfer risk using insurance.
- Eliminate and remove redundant controls.
- Accept Risk
Why conduct a Cybersecurity Vulnerability Assessment?
The CVA defines, identifies, and classifies the vulnerabilities in the Industrial Control System and its network components.
First Step in evaluating Cyber Risk is?
Cybersecurity Vulnerability Assessment
Cybersecurity Vulnerability Assessment
Evaluate the configuration, Implementation, Management, and Operation.
Cybersecurity Vulnerability Assessment
Identify security deficiencies
Cybersecurity Vulnerability Assessment Types
- High Level - GAP Assessment - least invasive
- Passive Assessment
- Active Assessment
- Penetration Test - Most Invasive
When conducting a risk assessment you should always look at
- Cost of the Assessment
- Benefit gained from the Assessment.
GAP ASSESSMENT
Meant for reviewing the system and comparing it to industry standards and regulations.
GAP Assessment includes
- Interviews with key personnel
- Questionnaires
- Walk-through
- Examination of sample configurations and drawings.
Passive CVA includes
- Reviewing configuration
- Collecting logs and data
- Capture traffic from network
- Analysis of actual traffic.
- Reviewing ARP tables.
Active CVA includes
Running tools which are more invasive to the system, such as Nessus, Advanced IP Scanner, NMAP, Shodan, and others.
PEN Test
Is the most intrusive to the system.
A PEN TEST starts with active scanners, then it exploits known vulnerabilities in the system.
- The JOB of the PEN TEST is to validate the effectiveness of the countermeasures.
Difference Between VA and PEN Test
A VA only assesses and collects data, identifies weaknesses, and reports. A PEN test exploits vulnerabilities and tries to gain access using complex tools.
How to conduct GAP assessment
- Identify benchmark standards.
- Gather information from the system by performing interviews, site visits and documentation review
- Compare the benchmark standard with the actual performance (compare steps 1 and 2).
- Document and report the results.
Gap Assessment tools include
- CSET tool
- Custom Databases
- Custom Spreadsheets
Benefit of CSET tool
- Repeatable and systematic approach to assessing the network
- Evaluates against security standards and regulations.
- Identify potential Vuln in the system
- Provide and offer guidelines
CSET LIMITATIONS
- It is component-focused, not system-focused
- It cannot provide a detailed risk assessment of designs.
- It is not meant to substitute for in-depth analysis.
- It is not a risk analysis tool for the system.
- Its data should be treated securely.
Standard listed in CSET are
- NERC-CIP
- NIST Special publications.
- NIST SP800-82
- DoD Instruction 8500
- NIST Cyber Security Framework
- CNSSI 1253
- FIPS 199
- CFATS RBPS
- NRC-RG
CSET Process includes
- Form a Team
- Add Assessment Information
- Select Mode and Standard
- Determine Security Level
- Build a Network Diagram
- Answer Questions
- Analyze the Results.
Which assessment gives feedback?
GAP Assessment
Conducting a Risk Assessment includes
- Pre Assessment
- Kick off meeting
- Walk through
- Passive Data collection
- Network Scanning - Active
- Vulnerability Scanning - Active
- Analysis
- Reporting
Pre-Assessment phase includes - 1
- scope of the project
- Find assessment team
- Select standard - set time and logistics
- Review Documents
- PPE requirements
It is important to identify gaps by
asking for and collecting all documents required to help with the assessment.
Kickoff meeting - 2
- identify personnel
- timelines
- contract needs
- pre-assessment requirements
Walk-through - 3
- Visual inspection of the system
- Physical Security Review
- Review design document against actual installation.
- Observe Operating Environment
- Interview operational Personnel.
Passive Data Collection - 4
- Windows System information
- Log files
- Firewall, switches, routers configuration.
- Network packet capture
SPAN
Switched Port Analyzer - captures traffic from all ports or the same VLAN of the switch.
RSPAN
Remote Switched Port Analyzer - it is used with bigger networks to allow traffic to be sent remotely. If a lot of messages are flowing, then some packets or frames will be lost.
Why do we use packet capture tools?
- identify which devices talk to each other
- identify protocols in the network
- detect unexpected or unusual traffic.
- recognize messages with clear text
- troubleshooting
Active Scanning include
- Port Scanning
- Vulnerability Scanning
- Penetration Testing
When running active scanning,
always make sure you have the proper approval for it.
If port scanning returns no response, it basically means the network was affected by the scan;
this behavior means the network is vulnerable.
Vulnerability Scanner
Is a computer program designed to assess computers, computer systems, and applications for weaknesses.
Vulnerability scanners are
- Nessus
- OpenVAS
- Nexpose
- Qualys
Pen Test
Is the most invasive method to evaluate the network. It exploits known vulnerabilities and unknown ones as well.
Pen Test tools are
- Kali Linux
- Metasploit
- Canvas
What type of tool is used to capture and display Ethernet communication?
Packet Capture
A feature that sends a copy of the data from one port to another
Port Mirroring
What term is used to describe the passive collection of data by packet capture?
Sniffing the Ethernet
A computer program that assesses the network for weaknesses from known vulnerabilities is called?
Network Vulnerability Scanning tool
Risk Management
Understanding risk is important in determining how to assess it.
We must understand risk in order to manage it. How can we do that?
- Identify critical assets.
- Determine realistic Threat
- Identify existing Vulnerabilities
- Understand the consequences of compromise
- assess the effectiveness of the current countermeasures.
How to develop a plan for unacceptable risk?
- Evaluate existing countermeasures.
- Recommend additional countermeasures.
- Recommend changes to policies and procedures.
- prioritize recommendations
- evaluate effectiveness and re-evaluate risk
Benefits of Cyber Risk Assessment
- helps to determine what needs to be addressed first
- helps with understanding the threats and vulnerabilities
- provides information to reduce risk by introducing segmentation and hardening
- helps prioritize the resources and activities.
- helps to evaluate the countermeasures based on their cost/complexity.
The fine balance in security is defined as
cost vs. the security level required by the organization.
What standard addresses risk assessment requirements?
IEC62443-2-1
The cybersecurity risk assessment process is listed under?
IEC62443-3-2
The cybersecurity risk assessment process includes
- Identify the system under consideration (SuC) - section 4.1
- Conduct a high-level risk assessment - section 4.2
- Partition the SuC into zones and conduits - section 4.3
The first step of the cybersecurity risk assessment process is to identify the system under consideration, which includes?
- high-level diagrams
- inventory list review
The outcome of identifying the system under consideration is normally
- an updated high-level diagram and an updated inventory list.
The second step of the cybersecurity risk assessment process is to conduct a high-level risk assessment. The outcome of this includes?
It is meant to perform a high-level assessment of the SuC. The result includes the worst-case unmitigated risk that the SuC is bringing to the organization.
The high-level design normally addresses and covers the following
- performing an exercise to understand the worst-case scenario in terms of financial and HSE impact.
- the scope should include the entire system under assessment.
- a team with the right knowledge should develop the worst-case scenario.
- any process hazards should be reviewed to identify potential consequences.
- the results of the high-level design should then be rated using the CONSEQUENCE SCALE.
Consequence scale include things like
High, Medium, and Low
The consequence scale also includes defined areas such as
- Business Continuity Plan
- Information Security
- Process Safety
- Environment safety.
The third step in the cybersecurity risk assessment process is?
Define zones and conduits. This can be done based on the high-level risk assessment. Zones should be based on the same function, same level, and same security requirements.
Don't mix business and IACS systems together.
Those are two different systems with different requirements; they should always be divided.
Always remember that
Safety instrumented systems are different from basic control systems. Those two should not be mixed and put in the same zone.
Temporary access should be set in a different zone than permanent devices. This includes
- USBs, maintenance machines, portable processing equipment.
Wireless devices ?
Should always be in one zone or more, but not in the control system zones. This is because those devices are part of a bigger network behind them.
Devices from an untrusted network should always be?
Connected in one zone which is different from the rest of the network.
The drawing of the SuC is important, and it should include
- an illustration of the different zones in the network
- a clear view of how each zone is separated in the network
- the assets contained within those zones and conduits, marked too.
Cybersecurity Requirement Specifications (CRS)
- SuC description
- operating environment assumptions
- threat landscape
- mandatory security functions
- tolerable risk
- regulatory requirements
There are three main key tasks when preparing for a detailed risk assessment. Those are?
- Schedule a facilitator - someone who can lead and has confidence in running a cybersecurity assessment.
- Establish the team - the team should include the facilitator, control engineers, network engineers, process and process safety SMEs.
- Prepare workshop material - this includes network diagrams, previous assessments, data flow diagrams, inventory list, process flow.
Detailed risk assessment as per IEC62443-3-2 is described as follows:
As per the standard, it is defined under section 5.
The standard explains the input, which is the requirement for each zone and conduit; the middle is the requirement, and the output is the results.
The list is
5.1 identify threat
5.2 identify vulnerabilities
5.3 determine consequences and impact.
5.4 determine likelihood.
5.5 calculate unmitigated cyber security risk
5.6 determine security level target.
5.7 consider existing countermeasures
5.8 reevaluate likelihood and impact
5.9 calculate residual risk
5.10 all risk mitigated or below tolerable risk.
5.11 apply additional cybersecurity measure.
5.12 document results
Section 5.1 talks about identifying threats.
Here we should list all the threats that could affect the assets. We should include
- threat description.
- description of the threat's skills.
- description of possible threat vectors.
- identification of possibly affected systems.
Threat source
A threat source could be a person or group; they normally create a software or hardware threat. It could also be environmental, such as a flood.
The list should be comprehensive, and the threats should be classified and listed.
Common threat sources:
- unauthorized internal personnel
- authorized internal personnel
- unauthorized external personnel - hacker.
- authorized 3rd party.
- malware, equipment.
Threat vector
Is the means the threat source may use to compromise a zone or conduit.
This only describes what the attack is in general, for documentation purposes. For example, we talk about spoofing and tampering in general and what they mean in general.
Section 5.2 talks about identifying vulnerabilities.
A vulnerability is a weakness or flaw in a system design.
Classes of vulnerability include
- policy and procedural
- architecture and design
- configuration and maintenance.
- physical
- software
- communication and network
Section 5.3 is determining consequences and impact.
Basically, each threat and vulnerability found in sections 5.1 and 5.2 should be evaluated to determine the consequences and impact. Everything should be documented; for example, when a person is injured, we need to know what the consequence is, who was affected, and how much the fine is.
Example of consequence evaluation
Create a statement of the worst-case consequence if the threat were to happen, then assign an impact rating as per the consequence. Normally the worst-case scenario is when no countermeasure is in place.
Section 5.4 talks about determining the likelihood.
Likelihood is based on section 5.2, which is evaluating the vulnerability. The likelihood is defined using either frequency or probability.
likelihood based on frequency include
- target attractiveness
- attack surface.
Likelihood based on probability includes
- capability of threat vector
- known vulnerabilities
- motive/intent of threat.
likelihood scale
Most of the time it is qualitative (no numbers); it uses low, medium, or high. Another
Unmitigated threat likelihood.
We will always need the UTL (unmitigated threat likelihood) for each threat. This is important.
The UTL means the likelihood of the threat leading to the final consequence.
Section 5.5 is calculating unmitigated cybersecurity risk.
This calculation is normally done using a RISK MATRIX that establishes the relationship between likelihood and impact.
By providing the likelihood and impact measures we can easily determine and calculate the unmitigated cybersecurity risk.
Section 5.6 focuses on determining the security level target.
This needs to be done for each zone and conduit. The SL-T in general is related to the CRRF, which is unmitigated risk / tolerable risk.
5.7 consider existing countermeasures.
In this step we evaluate the level of existing countermeasures to reduce the likelihood of an attack.
5.8 re-evaluate the likelihood and impact.
5.9 Calculate Residual Risk
- It is the combination of the mitigated likelihood and impact measures.
5.10 Residual Risk
It should be less than the tolerable risk. The company can decide to either transfer it, accept it, or reduce it.
5.11 apply additional cybersecurity countermeasure
This step is used to take care of any residual risk that exceeds the tolerable risk. You can use IEC62443-3-3, which has options for how risk and countermeasures are treated.
Documentation is important. This includes
- documenting the results and participants of the assessment.
- identifying the date on which the assessment was conducted.
Why is documentation so important?
- Documents are meant to verify, audit, and prove the findings of the assessment.
Documents should be under a control scheme; they also need to be tracked, verified, updated and amended as per the requirements.
what documents are important to keep?
- Gap assessment reports.
- Vulnerability assessment reports.
- Risk Assessment Reports.
- Zone and Conduit diagrams.
Cybersecurity Requirement Specifications CRS.
GAP assessment report is
A high-level document with all the findings. THIS DOCUMENT INCLUDES THE SL-T
The vulnerability assessment report should include information concerning the "as found" state of the system. Results include:
PEER COMPARISON
- Discovered cyber assets.
- policy and procedure VULN
- Arch and Design Vuln
- physical VULN
- Software VULN.
- Communication and network vuln
Cybersecurity risk assessment report - RISK PROFILE
In general it provides the risk profile. The risk profile includes
- documented findings such as high-risk threats, high-risk vulnerabilities and the detailed assessment worksheet.
Zone and Conduits
One of the requirements is to divide the network into zones and conduits.
Cybersecurity Requirement Specification CRS - THIS IS A LIVING DOCUMENT!
This document includes general security requirements based upon company policy, standards and regulations.
- NOTE - CRS INCLUDES DEFINITIONS OF ZONES AND CONDUITS, ACCESS CONTROL REQUIREMENTS,
When developing the CRS the following should be included.
- system arch
- definition of zones and conduits.
- network segmentation requirements
- access control requirements
- physical requirements
- detection requirements