Through a very strict, professional, and proven methodology, combined with extensive experience and highly specialized expertise, our primary goal is to improve your organization’s reliability, security, and regulatory compliance through a comprehensive approach and seamless due diligence. Even though the following CiSACS services can be utilized individually, they are intended to be used together in a complete lifecycle process, just as the CiSACS model prescribes.
The terms "Audit" and "Assessment" are used interchangeably throughout the industry. Although there is no formal distinction between the two, an audit typically refers to the more formal of the two. In some cases, an "assessment" can even be part of an "audit." Whatever the case may be, whether you are using a self-assessment tool such as CS2SAT or CSATS, or a third-party consultant to perform a security vulnerability assessment (SVA), both measure where you currently stand with regard to a set of predetermined criteria, whether industry standards, internal standards, or industry best practices.
However, an SVA or gap analysis alone will not ensure that your organization is compliant with those standards, or even secure for that matter. In fact, if done improperly, it can actually create liability for your organization. Many organizations are not aware that a proper security audit or assessment requires many necessary steps, all of which are part of an entire security compliance lifecycle. Our assessment methodologies comply with the NSA IAM (National Security Agency INFOSEC (Information Security) Assessment Methodology) and are tailored specifically for industrial control system and critical infrastructure environments.
• Self Assessment – Self assessments, and self-assessment tools such as CS2SAT and CSATS, are a preliminary way of measuring where you currently stand with regard to industry standards and regulations from a theoretical standpoint. They help you identify, classify, and even quantify critical assets, systems, and components. A self assessment should be the first step in the compliance lifecycle approach and can help smooth the way for each of the subsequent phases. Even though many organizations perform the self assessment without third-party assistance, some organizations find themselves short of resources or time. If you find yourself in this circumstance, we will expertly augment your staff and help you with your self assessment.
• Physical Security Assessment – Physical security weaknesses can often provide an attack vector to your critical systems, in addition to the more obvious cyber attacks. Our physical security experts have extensive experience with some of the most secure environments in the world, including Air Force bases, financial institutions, and nuclear facilities. We will help you identify gaps and potential vulnerabilities in your physical security as part of our complete Holistic Lifecycle Approach to your compliance.
• Operational Security Assessment – Like physical security weaknesses, operational security weaknesses can often provide an attack vector to your critical systems, in addition to the more obvious cyber attacks.
• Security Vulnerability Assessment (SVA) – Vulnerabilities are the entire reason security standards and regulations exist. These are what attackers look to find and exploit in order to gain access to and/or damage your environment and/or systems. Cyber vulnerabilities not only make up a large part of those vulnerabilities, but they are also the newest breed of vulnerability to industrial networks and process control systems.
For these reasons, it is no wonder that so many industry standards have recently focused primarily on cyber security. However, cyber vulnerabilities alone should not be the only consideration when performing an SVA. (NOTE: The SVA is the most typical version of an "audit" or "assessment" you will find in the industry. It is also the most improperly performed. As you can see, it is actually just one small part of an overall process.)
Physical and operational vulnerabilities can also provide additional attack vectors into your process control systems and network. Therefore, they must be taken into account when performing a vulnerability assessment. In this step, we will help your organization accurately identify and understand the current vulnerabilities within your architecture by performing the necessary vulnerability assessments from both a vulnerability-focused perspective and a controls-focused perspective. CIDG performs the following vulnerability assessments:
• Physical Vulnerability Assessment – Physical security weaknesses can often provide an attack vector to your critical systems as well as the more obvious cyber attacks. Our physical security experts have extensive experience with some of the most secure environments in the world including Air Force Bases, financial institutions, and nuclear facilities. We will help you identify gaps and potential vulnerabilities in your physical security.
• Operations Vulnerability Assessment – Like physical security weaknesses, operational security weaknesses can often provide an attack vector to your critical systems, in addition to the more obvious cyber attacks. Through procedure review and staff interviews, we will help you identify gaps and potential vulnerabilities in your operational security as part of our complete Holistic Lifecycle Approach to your compliance.
• Cyber Vulnerability Assessment – Our security analysts are experts in cyber security and cyber security vulnerabilities. They stay up to date on the latest vulnerabilities and security controls. They are able to analyze systems and locate vulnerabilities from the viewpoint of the attacker. With this expert knowledge, we will help you identify any cyber vulnerabilities in your architecture and systems. Our assessment methodologies are completely safe for industrial network systems.
• Penetration Testing – Regardless of any vulnerabilities discovered during an assessment, the only way to know for sure whether an attacker can actually gain access to your systems, aside from a real breach, is with penetration testing. We do not just run vulnerability scanning tools and hand you the results. We verify key findings to eliminate false positives and to help establish more accurate risk analysis probabilities later on. Our highly trained experts utilize specialized techniques to gain privileged access to systems using an industrial-network-safe "hacker" methodology. They use the same proven techniques and methodologies that hackers use to gain unauthorized entry to systems, while at the same time posing absolutely no actual risk to your industrial network or control systems. Penetration testing can be done in collaboration with the client staff for "proof of concept" and feasibility of any key vulnerabilities identified, in a covert setting before any other assessments take place (black box), or both.
• Red Team Test – Like a penetration test, a red team test is an attempt to gain access by exploiting vulnerabilities. However, it is not limited to just "cyberspace." It is a complete attempt to gain access to your industrial network and control systems using all or a combination of network vulnerabilities, social engineering, and physical weaknesses. Our team is professionally trained and experienced to use the same proven techniques and methodologies that could be used by real-world hackers, thieves, intruders, or even terrorists. A red team test is one of the most comprehensive ways to verify weaknesses in your organization that allow unauthorized access to your industrial network and control systems. This test is performed at the beginning of the engagement, prior to gaining any knowledge of the organization, as part of the complete Lifecycle. Again, these tests pose absolutely no actual risk to your industrial network, control systems, physical assets, or personnel.
• Gap Analysis – A gap analysis is the formal "audit" that brings the entire assessment phase together. We will review all of your written policies and procedures, as well as all of the data collected from each of the other steps within the assessment phase, and compare it against all of the standards you are required to comply with. These can be industry standards as well as internal standards. NOTE: The term "audit" used here is for descriptive purposes only, since this is how much of the industry identifies this process. It does not refer to a formal audit performed by regulatory authorities.
• Threat Modeling – Every organization is unique, and so are the threats that an organization may face. For example, specific business objectives or geographic locations may pose a particular threat that another organization may not face. Does a particular employee or contractor present a potential "insider" threat? How does an organization know when a threat is substantial enough to warrant action? Our highly trained experts are uniquely qualified in this area to address concerns exactly like these. Through a process of technical, environmental, organizational, and operational analysis, combined with staff evaluations, we will build a threat model specific to your organization and environment, providing the specialized data needed for a proper risk analysis.
• Risk Assessment and Analysis – The risk assessment and analysis step will help guide you to the mitigation phase. We will compile all of the data gathered up to this point in our metaframework tool and analyze it with you to establish appropriate levels of risk based on proven formulas. Assessing and analyzing your level of risk will help you decide what safeguards you need to put into place during the mitigation phase.
Remediation & Mitigation
In the mitigation phase, we will work with you to build an effective mitigation strategy and then help you put your plan into action using our workflow management tool designed specifically for risk management and compliance mitigation. From start to finish, we will help you enhance your policies and procedures, put the necessary safeguards in place, minimize your risk, and bring your organization up to compliance. Our experts have extensive real-time, SCADA, and process control experience as well as both cyber and physical security expertise. They understand that, within an industrial network, a failed mitigation strategy can turn out to be more harmful than the risk itself, due to unforeseen system impacts. Our team is also completely vendor-agnostic and independent. This enables the CIDG team to effectively analyze the data from the assessment phase and present to you the most flexible, reliable, and comprehensive security solution for your organization, while at the same time posing no risk whatsoever to your production environment.
Validation
The validation phase verifies that all issues have been resolved, and that all remediation and mitigations put in place are deployed and working properly, by revisiting certain aspects of the assessment phase. We will re-run a complete vulnerability assessment along with any other key areas of concern. We will also re-run a penetration and/or red team test if needed or upon request. Finally, we will revisit the gap analysis and verify that all standards and regulatory gaps have been resolved. All areas will receive any necessary adjustments and "tuning."
Many organizations are not aware that simply performing an SVA or gap analysis can actually create liability if proper due diligence is not adhered to. Improper communication, record keeping, and standards selection can also create liability. Have you performed the necessary due diligence and covered all angles necessary to prevail should someone take legal action against you as a result of an incident? Are you prepared for broad auditor interpretation that could lead to regulatory fines? The legal phase is active throughout the entire process and has specific methods in place to ensure that no other process creates liability, both short and long term, for your organization. (The methods used throughout the legal phase are proven "lessons learned" taken from actual litigation.)
Finally, now that all remediation and mitigations have been deployed and validated, a long-term maintenance program must be put in place to ensure that all processes, procedures, and technical safeguards are monitored, maintained, and kept up to date with emerging threats and changing industry standards. This is also where a training program, as well as a Disaster Recovery Program (DRP), will be developed and deployed if necessary. Much of this will be accomplished by our industrial risk management and compliance metaframework tool. The metaframework will automatically track industry standards updates and new threats, notifying you of any changes. The metaframework will also house a consolidated knowledge base of your infrastructure and procedures, and assist you with the creation and maintenance of your DRP.
In the end, your organization will have the most comprehensive, long-term security and compliance solution available. Final deliverables are:
- Complete assessment and gap analysis reports with easily readable executive summaries, a complete list and explanation of all validated findings cross-referenced with applicable standards, and thorough technically detailed recommendations.
- Customized Remediation/Mitigation deployment, integration, and support that fits your environment and organizational needs.
- A comprehensive security and compliance management program supported with seamless due diligence that is customized to your organization and safe for your production environment.
- The most powerful industrial risk management and compliance metaframework tool in place to support and help you continue to manage your organizational risks and compliance.