This is the next in a series of blogs concerning the Security Vulnerability Assessment (SVA) instructions recently published by DHS. This blog deals with the computer systems analysis for the SVA. The previous blogs in this series are listed below.
- SVA for Tier 4 Facilities
- Getting Started with SVA Submissions
- SVA – Facility Security Issues
- SVA – Facility Security Information
- SVA – Identification of COI Assets
- SVA – Characterization of COI Assets
- SVA – Attack Scenarios – Getting Started
- SVA – Attack Scenarios – Scenario Development
- SVA – Attack Scenarios – Vulnerability Factors
The Computer Systems Analysis section of the SVA is divided into three parts. The general computer systems questions will be answered by all facilities. Those facilities that identified cyber control system on the facility earlier in the SVA will be required to answer questions about those systems. Those facilities that identified a business control system earlier in the SVA will have to answer questions about that system.
General Computer Systems Questions
All facilities will be required to answer these three general questions about cyber security:
- "Are personnel allowed to carry portable cyber equipment into the facility (e.g., laptop computers, personal digital assistants (PDAs), flash drives, data disks, smart cell phones, etc.)?"
- "Are personnel screened at facility entrances for unauthorized cyber related equipment?"
- "Has the personnel screening process been validated through testing by professional security services?"
Cyber Control System Questions
The first thing that the Preparer will be required to do is to locate the Cyber Control System on the facility map. The same mapping tool will be used for this function that was used earlier in the SVA. The only difference is that the "LOCATE ASSET’ button is now labeled as "LOCATE SYSTEM".
What is not clear is what DHS wants annotated on the map; the control room where the operators access the system, the location of the computer that runs the system, or the room where the wiring from the various subsystems comes together. Lacking specific guidance from DHS, I would use the location of the main computer for the system location.
Once the location is marked on the facility map, there are 29 questions that have to be answered about each control system described earlier in the SVA. Rather than listing all of the questions we will look at categories that they fall under according to the CSAT Security Vulnerability Assessment Instructions. Those categories (with a sample question from each) are:
- External Access
- Is external access (e.g., Internet, modem, wireless) to cyber systems allowed?
- Security Policy
- Does the facility have a documented and distributed cyber change management policy and supporting procedures (e.g., new hardware/software, employee access)?
- Access Control
- Does the facility practice the concept of least privilege (e.g., users are only granted access to those files and applications based on roles and responsibilities)?
- Personnel Security
- Does the facility perform background checks for personnel in critical/sensitive positions?
- Physical and Environmental
- Does the facility restrict physical access to sensitive or restricted IT, telecommunications, media storage and control areas to those with appropriate need?
- Awareness and Training
- Does the facility provide cyber security training?
- Monitoring and Incident Response
- Does the facility report significant cyber security events to senior management?
- Configuration Management
- Are configuration changes to the network and application's hardware and software reviewed by an IT security professional and by management to assess the security impact prior to the changes being implemented to the operational environment?
- Risk and Vulnerability Management
- Does the facility have a means to identify and measure cyber security risk (including requirements, processes, and procedures) that is based on recognized cyber security methodologies, standards, or best practices?
Business Control System Questions
As one would expect, the questions for the Business Control System will be much the same as those for the Cyber Control System. The major difference is that provisions have been made for the off-sit location of the server for the system. If the ‘system’ cannot be located on the map (not on the facility) there are provisions for listing the address for the server.
The questions asked about these computer systems will undoubtedly make some security managers uncomfortable. They point out some wide open areas for cyber attacks on facilities, areas that many in the industry will be uncomfortable with closing.
For example, too many people have come to rely on thumb drives and similar devices to record and share data. It has become entirely too common for people to show up at meetings with their presentations on such devices. Of course their very portability allows them to be used for stealing data, or inserting malware into computer systems.
Many in the process chemical industry will be unwilling to give up their off-site access to control systems. In my last job working in a chemical plant, my boss, Senior Process Engineer, and I took home our lap tops every night. This allowed us to log onto the control system to diagnose process upsets from where ever we were. This allowed for a faster better educated response to unusual process conditions.
Sales and business management personnel will be unwilling to give up access to enterprise applications in the Business Control System. These road warriors routinely use access to these systems to formulate business proposals, process and check on customer orders and solve customer problems.
For most high-risk chemical facilities addressing these cyber issues will be the most difficult part of dealing with the vulnerabilities identified in the SVA. Hard questions will have to be asked. The software industry will have a field day with coming up with and selling applications that allow chemical facilities to deal with these problems.