Environmental Engineering Reference
In-Depth Information
including remote telephone/computer network/fiberoptic cables,
that could be tapped; radio and microwave links that are exploit-
able; computer terminals that could be accessed; and wireless local
area network access points. Identify and eliminate single points of
failure. The security of the site must be adequate to detect or pre-
vent unauthorized access. Do not allow live network access points at
remote, unguarded sites simply for convenience.
11.
Establish SCADA “Red Teams” to identify and evaluate possible attack sce-
narios
. Establish a “Red Team” to identify potential attack scenarios
and evaluate potential system vulnerabilities. Use a variety of peo-
ple who can provide insight into weaknesses of the overall network,
SCADA system, physical systems, and security controls. People who
work on the system every day have great insight into the vulner-
abilities of the SCADA network and should be consulted when iden-
tifying potential attack scenarios and possible consequences. Also,
ensure that the risk from a malicious insider is fully evaluated, given
that this represents one of the greatest threats to an organization.
Feed information resulting from the “Red Team” evaluation into
risk-management processes to assess the information and establish
appropriate protection strategies.
The following steps focus on management actions to establish an effective
cyber security program:
12.
Clearly define cyber security roles, responsibilities, and authorities for man-
agers, system administrators, and users.
Organization personnel need to
understand the specific expectations associated with protecting infor-
mation technology resources through the definition of clear and logi-
cal roles and responsibilities. In addition, key personnel need to be
given sufficient authority to carry out their assigned responsibilities.
Too often, good cyber security is left up to the initiative of the indi-
vidual, which usually leads to inconsistent implementations and inef-
fective security. Establish a cyber security organizational structure
that defines roles and responsibilities and clearly identifies how cyber
security issues are escalated and who is notified in an emergency.
13.
Document network architecture and identify systems that serve critical
functions or contain sensitive information that require additional levels of
protection
. Develop and document a robust information security archi-
tecture as part of a process to establish an effective protection strategy.
It is essential that organizations design their network with security
in mind and continue to have a strong understanding of their net-
work architecture throughout its lifecycle. Of particular importance,
an in-depth understanding of the functions that the systems perform
and the sensitivity of the stored information is required. Without this
