Cyber Security Improvement Plan

1. Case Learning Objectives:

This assignment provides practical experience developing a plan to improve security on an Industrial Control System based on a completed Cyber Security risk assessment (provided to the student). The following learning objectives are designed to reinforce the unique requirements associated with Industrial Control System Security.

• Document and communicate the current state for security of the ICS

• Provide an overview of the network design including major weaknesses in the physical design and layout of network components with suggested network layout improvements

• Identify the threats and vulnerabilities facing the assets of an Industrial Control System including Advanced Persistent Threats and recommend potential security measures that could have prevented those incidents

• Understand applicable regulations and include provisions for achieving compliance within the plan

• Based on knowledge of recommended security best practices and standards, document and communicate the desired future state for security of the ICS

• Build the plan in a way that incorporates differing levels of security controls depending on risk and criticality of the various devices within the system

• Demonstrate understanding of ICS functionality, network components, and protocols by devising a plan that improves security and concurrently minimizes negative impact to process operations and productivity

• Provide multiple options for security enhancements to management with guidance on trade-offs involved with the different options

• Demonstrate awareness of the unique challenges the exist in securing Industrial Control Systems and customize security plan to address those challenges

2. Assumptions for this case

Build your security improvement plan while taking into account the following assumptions.

• The information provided in the risk assessment is accurate.

• Time Horizon for implementation is 12-24 months.

• DHS Regulated Chemical of Interest is used at the Pressurization Station which is physically isolated from the main plant site at a remote location with good physical security.

• Sample organization is using two ICS standards systems to target Cyber Security improvements:

1. NIST Guide to Industrial Control Systems (ICS) Security as its preferred guidance document.

2. Department of Homeland Security CFATS regulation where chemicals of Interest are used.

• Security on the business network is average for a mid-sized corporation but has much room for improvement and routinely deals with malware infection and security incidents.