Running Head: ICS Risk & Audit Methodology Project Template 1
ICS Risk & Audit Methodology Project Template
SEC6084
Your Name
Table of Contents
Description of Industry X
Industrial Control System Processes Employed X
Profile ICS Devices X
Create Diagrams of ICS Device Network X
Identify Security Controls X
Apply ICS Security Best Practices X
Identify Vulnerability Continuous Monitoring Strategy X
Reference X
Appendix X
Example: Test Outputs X
Example: Vulnerability Scan Reports X
Example: Analysis Metrics from Tools X
Example: Presentations X
Example: Screenshots of Systems X
6/21/17, 10:40 PM
Page 1 of 4
List of Tables and Figures
Figure 1. Example: ICS System Documentation X
Figure 2. Example: Security Solution Documentation X
Description of Industry
1. What type of industry is this?
2. What is the importance of this industry to society?
Industrial Control System Processes Employed
1. List industrial control system processes specific to industry.
2. List the control systems that control those processes and how they control those
processes.
3. Create a network diagram displaying the interconnections of the industrial control
system devices listed in item 2.
a. For example: use ICS-CERT CSET, Visio, Excel, Word, etc.
Profile ICS Devices
1. For each ICS device document:
a. Logical Ports
For example, 80, 443, 502 (Modbus/TCP), 20000 (DNP3), etc.
http://www.digitalbond.com/tools/the-rack/control-system-port-list/
b. Protocols Running
For example, SMTP, SNMP, DNP3, Modbus (serial or TCP), fieldbus variants
(e.g., PROFIBUS), and the link layers (Ethernet, serial) they run over.
c. Physical Connection Types
For example, serial (RS-232/RS-485), RJ45 Ethernet, USB, parallel, etc.
http://www.digitalbond.com/tools/the-rack/control-system-port-list/
d. Default Accounts:
Research the manufacturer’s information on the device. Look for default
account information (user names and passwords shipped with the device) and
record whether those defaults are still in use on the deployed device.
Check “Default Password List” for an entry:
http://www.defaultpassword.com/
e. Services
Research manufacturer’s information on the device and document services
running.
f. Authentication
Research manufacturer’s website for the device and locate information on
how the device authenticates users.
g. Use of Encryption
Research manufacturer’s website for the device and locate information
about encryption. For example, does the device use encrypted
connections (TLS, SSH or a VPN) for management and data traffic, or are
protocols such as Modbus/TCP and DNP3 carried in cleartext? Is the
back-end database encrypted? Which algorithms and key lengths does it
use, and does it use public-key cryptography such as RSA for key
exchange or device authentication?
h. Logging Capability
Research manufacturer’s website for the device and locate information
about logging. Answer questions like: is logging enabled by default?
Which events (logins, configuration changes, control commands) are
recorded? Are logs stored locally or forwarded to a remote syslog
server, and how much local history is retained before it rolls over?
i. Other Security Documentation
Does the manufacturer have any security related documentation not
provided above that would be of use?
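The “Logical Ports” and “Protocols Running” items above can be confirmed actively with a single small request rather than a broad port scan. The following is an added example written for this template (it is not part of the course material or any vendor’s code): it builds a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E, basic objects) and decodes the reply to record the vendor name, product code and firmware revision for the device profile. The host name, unit ID and the sample reply bytes are constructed assumptions, not a capture from a real device.

```python
"""Modbus/TCP Read Device Identification (FC 0x2B / MEI 0x0E) for device profiling.

Added example for the ICS device profile step; not part of the course template.
SAMPLE_RESPONSE below is a constructed byte string, not a real capture.
"""
import socket
import struct

MODBUS_TCP_PORT = 502
FC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
READ_DEVICE_ID_BASIC = 0x01   # basic objects: VendorName, ProductCode, MajorMinorRevision
BASIC_OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """MBAP header + PDU asking for the basic identification objects (object id 0)."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, READ_DEVICE_ID_BASIC, 0x00])
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_read_device_id_response(frame: bytes) -> dict:
    """Decode a reply. Returns the identification objects, or the exception code
    when the device rejects the request (function code with the high bit set)."""
    if len(frame) < 9:
        raise ValueError("frame shorter than MBAP header plus a minimal PDU")
    _txn, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0 or length != len(frame) - 6:
        raise ValueError("MBAP header inconsistent with frame length")
    pdu = frame[7:]
    function = pdu[0]
    if function == FC_ENCAPSULATED_INTERFACE | 0x80:
        return {"unit_id": unit_id, "exception": pdu[1]}
    if function != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] read-device-id code, pdu[3] conformity level, pdu[4] more-follows flag,
    # pdu[5] next object id (only meaningful when more follows), pdu[6] object count
    count = pdu[6]
    objects = {}
    offset = 7
    for _ in range(count):
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2: offset + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated identification object")
        name = BASIC_OBJECT_NAMES.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return {"unit_id": unit_id, "conformity_level": pdu[3], "objects": objects}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-frame")
        buf += chunk
    return buf


def query_device(host: str, unit_id: int = 1, timeout: float = 3.0) -> dict:
    """One connection, one read-only request, short timeout: the least intrusive
    way to fill in the profile. Host and unit id are assumptions; not run offline."""
    request = build_read_device_id_request(unit_id=unit_id)
    with socket.create_connection((host, MODBUS_TCP_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        body = _recv_exact(sock, length - 1)
    return parse_read_device_id_response(header + body)


# Constructed sample reply (not from a real device): unit 1 returns three basic objects.
SAMPLE_RESPONSE = (
    bytes.fromhex("0001 0000 0025 01")                 # MBAP: txn 1, proto 0, len 37, unit 1
    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])  # FC, MEI, code, conformity, more, next, count
    + bytes([0x00, 0x0A]) + b"ExampleCo."               # VendorName
    + bytes([0x01, 0x08]) + b"PLC-1000"                 # ProductCode
    + bytes([0x02, 0x05]) + b"V2.10"                    # MajorMinorRevision
)
```

Use this as the ICS-friendly complement to a port scan: one TCP connection, one read-only function code, a short timeout, and no retries against a device that does not answer. A reply whose function code is 0xAB (0x2B with the high bit set) means the device rejected the MEI request, which is itself worth recording in the profile; a “more follows” flag of 0xFF indicates the device has further objects that a follow-up request starting at the returned next object id would retrieve.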
Identify Security Controls
1. Select security controls based on results from “Industrial Control System Processes
Employed” and “Profile ICS Devices”:
Reference either ICS-CERT CSET or NIST 800-53, Security and Privacy Controls for
Federal Information Systems and Organizations (the ICS overlay in NIST 800-82
Appendix G tailors these controls for control-system environments),
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4
Apply ICS Security Best Practices
1. NIST 800-82, Guide to Industrial Control Systems (ICS) Security,
http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_draft
2. Identify unremediated risks and choose risk strategy: Accept risk, avoid risk, mitigate
risk, share risk, transfer risk, combination.
Reference: NIST 800-37, Guide for Applying the Risk Management Framework to
Federal Information Systems,
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1
Identify Vulnerability Continuous Monitoring Strategy
1. Examples:
a. Nessus – Digital Bond Bandolier audit files (credentialed configuration
audits of ICS hosts rather than aggressive network scans).
b. Metasploit – ICS exploit modules (run only against test or replica
systems; active exploitation can halt or crash a production controller).
c. Snort – passive network sensor with ICS protocol rules (Snort includes
Modbus and DNP3 preprocessors).
d. Nmap – Identify ICS “friendly” scans (restricted port lists, slow timing,
and no version or script probes against devices known to be fragile).
2. Are these IA certified tools? How so?
a. For example:
i. NIAP: https://www.niap-ccevs.org/CCEVS_Products/pcl.cfm
ii. Common Criteria: https://www.commoncriteriaportal.org/products/
b. For example: Are these tools SCAP-validated (NIST SCAP Validation Program)?
3. Create scripts that baseline each ICS system and flag deviations from that baseline.
a. For example, the scripts should audit:
i. Installed programs.
ii. Users, groups.
iii. Shares.
iv. Services.
v. Processes.
vi. Etc.
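As an added example for the baselining step (not part of the course template), the following Python script snapshots installed packages, users, groups, shares, enabled services and running processes on a Linux-based HMI or historian host, stores the first snapshot as the baseline, and reports additions and removals on later runs. The collector commands and the baseline path are assumptions for a Debian/Ubuntu-style host; the two snapshots at the bottom are constructed to show the shape of a drift report.

```python
"""Configuration baseline and drift report for an ICS host.

Added example; not part of the course template. Collector commands and the
baseline path are assumptions for a Debian/Ubuntu-style HMI or historian host.
BASELINE and CURRENT at the bottom are constructed, not captured.
"""
import json
import shutil
import subprocess
from pathlib import Path

# Each audited category maps to a read-only command whose output lines form the item set.
# Collectors that are missing on a host are skipped rather than failing the run.
COLLECTORS = {
    "packages":  ["dpkg-query", "-W", "-f=${Package}=${Version}\n"],
    "users":     ["cut", "-d:", "-f1,3,7", "/etc/passwd"],         # name:uid:shell
    "groups":    ["cut", "-d:", "-f1,3,4", "/etc/group"],          # name:gid:members
    "shares":    ["sh", "-c", "cat /etc/exports /etc/samba/smb.conf 2>/dev/null"],
    "services":  ["systemctl", "list-unit-files", "--type=service",
                  "--state=enabled", "--no-legend"],
    "processes": ["ps", "-eo", "user,comm", "--no-headers"],
}


def run_collector(cmd):
    """Return the sorted, de-duplicated non-empty output lines, or None if unavailable."""
    if shutil.which(cmd[0]) is None:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return sorted({line.strip() for line in out.stdout.splitlines() if line.strip()})


def take_snapshot():
    """Collect every category; an unavailable collector is recorded as an empty list."""
    return {name: (run_collector(cmd) or []) for name, cmd in COLLECTORS.items()}


def diff_snapshots(baseline, current):
    """Return {category: {'added': [...], 'removed': [...]}} for categories that changed."""
    findings = {}
    for category in sorted(set(baseline) | set(current)):
        before = set(baseline.get(category, []))
        after = set(current.get(category, []))
        added, removed = sorted(after - before), sorted(before - after)
        if added or removed:
            findings[category] = {"added": added, "removed": removed}
    return findings


def save_baseline(snapshot, path):
    Path(path).parent.mkdir(parents=True, exist_ok=True)
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def check_host(baseline_path="/var/lib/ics-audit/baseline.json"):
    """Audit run: the first execution records the baseline, later runs report drift.
    The baseline path is an assumption; keep it on read-only or off-host storage."""
    current = take_snapshot()
    if not Path(baseline_path).exists():
        save_baseline(current, baseline_path)
        return {}
    return diff_snapshots(load_baseline(baseline_path), current)


# Constructed snapshots (not captured from a real host): a vendor account and a
# telnet service appeared since the baseline was taken.
BASELINE = {
    "users": ["root:0:/bin/bash", "hmi:1000:/bin/bash"],
    "services": ["ssh.service enabled", "hmi-runtime.service enabled"],
    "processes": ["root sshd", "hmi hmi-runtime"],
}
CURRENT = {
    "users": ["root:0:/bin/bash", "hmi:1000:/bin/bash", "vendor:1001:/bin/bash"],
    "services": ["ssh.service enabled", "hmi-runtime.service enabled", "telnetd.service enabled"],
    "processes": ["root sshd", "hmi hmi-runtime"],
}

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(BASELINE, CURRENT), indent=2))
```

Run it from a scheduled job under an unprivileged account and ship the JSON drift report to the same place the Snort and Nessus output goes, so a new local user, an enabled telnet service or an unexpected process on an HMI shows up as a monitoring event rather than a surprise during the next audit. On a Windows engineering workstation the same diff applies unchanged with PowerShell collectors (Get-LocalUser, Get-LocalGroup, Get-SmbShare, Get-Service, Get-Process) producing the per-category lists.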
Reference
Appendix
· Topic: SCADA Risk Management and Auditing
· Industry: Use clean water as an industry example and cover the below topics in that industry SCADA/ICS System
Generic instructions:
1. Number of content pages: 12 (content pages only; the title page, table of contents and reference pages do not count).
2. An executive summary and a conclusion must be included.
3. Use some images that illustrate the SCADA system architecture and process.
4. Minimum: 8 professional references.
5. Use professional websites such as DHS, .org, .edu and .gov sites, and only international journals, articles and books.
6. APA 6th edition format should be followed.
7. Provide in-text citations for all paragraphs.
8. Cite images in APA format as well.
9. The paper must be free of plagiarism.