
Cyber-Security for ICS Necessary in Business Continuity Planning

Posted on Thu, Nov 21, 2013

The 2013 Global Risk Report ranks cyber-attacks among the five incidents most likely to occur within the next ten years. According to the report, cyber-attacks and critical system failures are significant technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for risk analysis, computer security, software downloads, and backups in order to secure the integrated technologies the business depends on. A recent report by the European Union Agency for Network and Information Security (ENISA) highlighted security concerns over industrial control systems (ICS), including the widely used supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and programmable logic controllers (PLCs). These concerns are echoed in recent publications by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

ICS are used to control industrial processes such as manufacturing, product handling, production, and distribution, and are therefore a necessary element of business continuity. The main concern expressed by ENISA and ICS-CERT is that many deployed industrial control systems run outdated and unpatched software, leaving them exposed to attackers. Mitigating this risk is critical for maintaining continuity of operations.

Recent SCADA and ICS security incidents emphasize the importance of vigilant monitoring, analysis, and control of SCADA infrastructures. The ICS-CERT quarterly newsletter, Monitor, stated that the response team handled 198 incidents across all critical infrastructure sectors in 2012. That number was surpassed by May 2013, with the energy sector accounting for 53 percent of the targeted attacks, up from 41 percent in 2012.


ICS-CERT urges operators to coordinate by sharing attack data, specifically indicators of compromise, and has established a secure portal through which companies can actively engage in protecting critical infrastructure. Through the portal, ICS-CERT was able to identify 10 IP addresses that participated in a recent attack against a gas compressor station. The alert prompted other station owners to investigate their own networks, and they eventually reported another 39 IP addresses associated with the attacks.
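Acting on a shared indicator list like the one described above means sweeping your own logs for the addresses. The following Python script is an added example, not part of the original post or of ICS-CERT's portal tooling: the indicator values (drawn from the RFC 5737 documentation ranges), the firewall log format and the log lines are all constructed, and the real addresses from the alert are not reproduced. It accepts both single addresses and CIDR ranges, skips malformed octets, and reports each line once per indicator, so an outbound connection to an indicator address (the more worrying direction) is caught as well as an inbound one.

```python
"""Match shared attack indicators (IP addresses and CIDR ranges) against
firewall log lines. Added example; indicators and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator list, standing in for what a peer would share via
# the portal. RFC 5737 documentation ranges; NOT the addresses from the alert.
SHARED_INDICATORS = [
    "198.51.100.23",     # a single host
    "203.0.113.0/28",    # a small range
]

# Constructed firewall log lines; the field layout is an assumption.
SAMPLE_LOGS = """\
2013-02-03T01:12:44Z fw1 DENY TCP 203.0.113.7:51522 -> 10.20.5.14:502
2013-02-03T01:12:45Z fw1 ALLOW TCP 192.0.2.10:443 -> 10.20.5.14:51200
2013-02-03T01:13:02Z fw1 ALLOW TCP 198.51.100.23:4433 -> 10.20.5.20:20000
2013-02-03T01:13:09Z fw1 DENY UDP 203.0.113.200:53 -> 10.20.5.14:53
2013-02-03T01:14:40Z fw1 ALLOW TCP 10.20.5.14:50123 -> 198.51.100.23:443
""".splitlines()

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_indicators(raw):
    """Turn 'a.b.c.d' and 'a.b.c.d/nn' strings into network objects.
    A bare address becomes a /32 so both kinds are matched the same way."""
    return [ipaddress.ip_network(item.strip(), strict=False) for item in raw]


def find_indicator_hits(log_lines, indicators):
    """Return {indicator: [matching log lines]} for every line containing
    an address that falls inside one of the shared indicator networks.
    A line is listed once per indicator even if it matches it twice."""
    nets = parse_indicators(indicators)
    hits = defaultdict(list)
    for line in log_lines:
        matched = set()
        for token in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. a malformed octet such as 300.1.1.1
            for net in nets:
                if addr in net:
                    matched.add(net)
        for net in matched:
            hits[str(net)].append(line)
    return dict(hits)


if __name__ == "__main__":
    for indicator, lines in find_indicator_hits(SAMPLE_LOGS, SHARED_INDICATORS).items():
        print(indicator)
        for line in lines:
            print("   ", line)
```

The single host shows up under the key `198.51.100.23/32` because every indicator is normalised to a network; in the constructed data it matches both the inbound line and the later outbound connection from the PLC network, which is exactly the kind of result that should trigger an investigation rather than a firewall rule alone.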

According to ENISA, critical infrastructure companies should conduct continual risk-based assessments of their cyber security policies, so that the recommended guidelines and solutions can be prioritized and tailored to their specific security, business, and operational requirements. ICS-CERT offers recommended practices, vetted by subject-matter experts, to bolster technology security. In addition to these recommended practices, documenting the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing the technology and business continuity of critical business processes in the event of an attack.

There must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, security efforts, and response measures during cyber disruption events. The ability to respond to critical incidents and identify root causes is key to mitigating future threats: with technology-based incidents, analyzing the deficiencies that led to IT downtime enables countermeasures to be implemented. ENISA identifies four key areas that build the investigative capability needed for such mitigation:

  1. Facilitate integration with existing structures
    • Determine source of evidence of security breach
    • Clarify data retention impact on systems
    • Streamline operational and IT interfaces
  2. Safeguard systems and configurations
    • Deploy security controls
    • Ensure logging controls
  3. Review key roles and responsibilities
  4. Embrace partnership coordination and cooperation


Tags: ICS, Security plans, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Spike in Cyber Attacks Requires Specific Business Continuity Efforts

Posted on Mon, Jun 03, 2013

“According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country – and around the world – it also has increased complexity of our shared risk.” - Department of Homeland Security

Based on statistics from the Department of Homeland Security (DHS), it is critical for companies to establish business continuity plans associated with technology, and related applications. As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.

A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended due to an incident or cyber attack. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records. According to the DHS, the increasing number of cyber attacks elevates the potential for critical data lapses or loss. Recent cyber statistics include:

  • 68% increase in cyber incidents between 2009 and 2011 (Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies)
  • Confirmation of cyber intrusion campaign targeting oil and pipeline companies (Janet Napolitano, DHS Secretary)
  • Confirmation that the majority of companies in the energy sector had experienced cyber attacks, and approximately 55% of those attacks targeted control systems (Charles Edwards, DHS Deputy Inspector General)
  • In 2012, DHS responded to 177 cyber incidents involving control systems, up from 9 in 2009

To counter the increasing threat to critical technology infrastructure, DHS has developed the Cyber Security Evaluation Tool (CSET). “CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.” After the evaluation, CSET produces a prioritized list of recommendations for improving the security of the organization's information technology and industrial control systems. Each recommendation is linked to a set of actions that can be applied to strengthen cyber security controls.

In 2012, over 1,000 companies utilized CSET to evaluate cyber security measures. Sectors with the highest number of self-assessments include: water and water treatment, energy, transportation, commercial and government facilities, and public health or health care. By leveraging the CSET application and Control System Security Program onsite consultation opportunities, companies can mitigate cyber security issues and increase the potential for business continuity. Some key business continuity benefits of the programs include:

  • Highlighting vulnerabilities in a company’s system(s) and providing recommendations of mitigation efforts
  • Identifying areas of strength and recommended practices being followed in the organization
  • Providing a method to systematically compare and monitor cyber systems improvement
  • Informing a risk management and decision-making process
  • Raising awareness and facilitating discussion on cyber-security within the organization.

According to a Business Continuity Institute online survey conducted in December 2011, the top threat identified through thorough risk assessment was an unplanned IT or telecommunications outage. In fact, the top three identified threats all related to the viability of technology, highlighting the need for technology-focused business continuity efforts.

Here are the top three threats from the Business Continuity Institute survey:

1. 74% - Unplanned IT and telecommunications outages
  • Departments or business units should define workaround procedures, or alternate processes, to support critical process recovery until key systems and applications have been restored.
  • Ensure all business documentation, records, and files necessary for resumption and recovery purposes are backed up and stored/located safely away from the primary office facility to minimize data loss.
  • Identify alternate methods of communication: landlines, cell phones, satellite phones.

2. 68% - Data breach (i.e. loss or theft of confidential information): Organizations need site-specific data security solutions that can detect, prevent, and continually audit interactions with sensitive data. Through continual monitoring of file and application access, organizations can minimize theft of confidential information.

3. 65% - Cyber attack (e.g. malware, denial of service): Companies should follow security best practices and implement practical and effective safeguards to mitigate internal and external attacks.

Each department should be responsible for assessing computer and software needs when developing critical process recovery strategies, and obtaining the review and input of the IT Department in support of any identified computer and software recovery time objectives.


Tags: Data Recovery, Computer Security, Data Loss, Cyber-Security, Data Backup, Business Continuity Plan, Terrorism Threat Management

Cyber Security is Essential for Business Continuity

Posted on Thu, Mar 21, 2013

Media organizations, multinational companies, and government agencies have all been victims of recent cyber attacks. February’s highly publicized 60-page Mandiant report, APT1: Exposing One of China's Cyber Espionage Units, presented evidence of data theft from 141 organizations. It is “beyond a shadow of a doubt” that the Chinese government and military are behind the growing cyber attacks against the United States, said House Intelligence Committee Chair Mike Rogers.

The 2013 Global Risk Report ranks cyber attacks among the five incidents most likely to occur within the next ten years. According to the report, cyber attacks and critical system failures are significant technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.  A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements is crucial to re-establishing technology-related critical business processes. The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.

Companies should address the following DHS cyber security points to ensure business continuity:

  • Is cyber preparedness integrated with your current all hazards preparedness efforts?
  • Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
  • Are cyber security risk-based policies established in your organization?
  • Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
  • Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
  • Are audits conducted on cyber security systems?
  • Are cyber security plan requirements in place, and are they being adhered to?
  • Are all systems compliant with company and/or cyber security plan requirements?
  • Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
  • Upon being notified of a compromise/breach of security regarding an employee:
    • Who is notified?
    • What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
    • What steps are followed?
    • Should legal representation be sought and at what point?
    • Who determines if the employee should be held criminally responsible?
  • Are there policies (formal and informal) pertaining to removable storage devices?
  • What is the priority of cyber preparedness, including cyber security, in your organization?
  • What level of funding and/or resources is devoted to cyber preparedness?
  • What are your estimated losses if a cyber attack were to terminate system functionality?
  • What are your critical business unit software requirements?
  • What are the procedures for backing up and restoring data?
  • How often are security patches applied?

Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, improve communications and coordination, and increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of a real cyber event. These exercises can also be used to educate employees on the technology policies and procedures that counter attacker strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security.

Discussion based exercises:

  • Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
  • An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
  • Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies

Operations based exercises:

  • Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
  • May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
  • Generally involve mobilization and response as opposed to policies and procedures

By exercising the key interfaces between IT and other corporate response elements, gaps and shortfalls in company cyber security and incident response operations can be identified. For business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measures during events caused by cyber disruption.


Tags: Data Recovery, Computer Security, Business Continuity, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Protect Critical Systems from Cyber Disaster for Business Continuity

Posted on Thu, Aug 23, 2012

In July, General Keith Alexander, director of the National Security Agency and commander of U.S. Cyber Command, warned that the changing nature of cyber attacks is taking a toll on American business. A Department of Homeland Security report on cyber security revealed that 198 cyber attack incidents were reported to DHS in 2011, in sharp contrast to the nine incidents reported in 2009. The report noted that companies that control critical infrastructure reported rising numbers of attacks on their systems over the past three years.

With cyber threats to these computer systems on the rise, the U.S. Department of Homeland Security (DHS) is working to better protect the control systems of critical infrastructure. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides operational capabilities for defending control system environments against emerging cyber threats. ICS-CERT teams were deployed on site to investigate and analyze threats in 17 of the 198 cases in 2011. By understanding the threats and managing the risks effectively, actions can be taken to reduce the occurrences and sustain critical systems. Specific company names were not released, in order to maintain confidentiality and encourage reporting of other cyber attack incidents. Alexander said that for every intrusion detected by the FBI, there are 100 others that remain undetected.

DHS acknowledges that the number of incidents reported to ICS-CERT has increased partly because of this improved communication between ICS-CERT and the private sector. Nevertheless, with proper mitigation and business continuity measures, companies will be prepared to close the gaps in their current technology.

According to the EPA, “Technological emergencies include any interruption or loss of a utility service, power source, life support system, information system or equipment needed to keep the business in operation.”  Identifying all critical technology related operations is the first step in mitigating and combating threats. Possible critical technologies involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system.
  • Manufacturing equipment, pollution control equipment
  • Communication systems, both data and voice computer networks
  • Transportation systems including air, highway, railroad and waterway

Once technology systems are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of technology service disruptions.
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security practices, such as password-protected information, in order to secure technologies. (See CSET Assessment to determine system vulnerabilities)
  • Establish procedures for restoring systems. Determine the need for backup systems.
  • Establish preventive maintenance schedules for all systems and equipment.
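The restore procedures called for in the list above (and the backup and data-restoration questions in the posts earlier on this page) are only useful if a restore can be shown to be complete and untampered. The following Python script is an added example, not a TRP Corp or DHS procedure: it writes a backup archive together with a SHA-256 manifest that is kept separate from the archive, refuses archive members whose names could escape the destination directory, and checks every restored file against the manifest so that a missing or altered file is reported rather than silently accepted. The directory layout and file contents are constructed and live in a temporary directory, so it runs offline.

```python
"""Backup with a SHA-256 manifest, then verify a restore against it.
Added example; file names and contents are constructed."""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large records are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Relative path -> SHA-256 for every regular file under src_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_file(full)
    return manifest


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return its manifest. Keep the
    manifest apart from the archive (e.g. with the off-site copy), so an
    attacker who alters the archive cannot also alter the expected hashes."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in sorted(manifest):
            tar.add(os.path.join(src_dir, rel), arcname=rel)
    return manifest


def restore(archive_path, dest_dir):
    """Extract only regular files with safe relative names. A tampered
    archive with '../' or absolute members must not write outside dest."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts or not member.isfile():
                raise ValueError("unsafe archive member: %r" % member.name)
        tar.extractall(dest_dir)


def verify_restore(dest_dir, manifest):
    """Compare the restored tree to the manifest. Returns a sorted list of
    (relative path, problem); an empty list means the restore is good."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(dest_dir, rel)
        if not os.path.isfile(full):
            problems.append((rel, "missing"))
        elif sha256_file(full) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """End-to-end run on constructed data: a clean restore verifies, then a
    corrupted and a missing file are both caught. Returns the results."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "hmi"))
        with open(os.path.join(src, "hmi", "config.xml"), "w") as f:
            f.write("<config><plc ip='10.20.5.14'/></config>")  # constructed
        with open(os.path.join(src, "vital_records.csv"), "w") as f:
            f.write("id,owner\n1,ops\n")  # constructed
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)

        dest = os.path.join(work, "restored")
        restore(archive, dest)
        clean = verify_restore(dest, manifest)

        # Simulate corruption or tampering between backup and restore.
        with open(os.path.join(dest, "vital_records.csv"), "a") as f:
            f.write("2,attacker\n")
        os.remove(os.path.join(dest, "hmi", "config.xml"))
        damaged = verify_restore(dest, manifest)
        return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the two verification results; in a real plan the manifest would be produced at backup time and the verification step would be part of the documented restore procedure, executed during exercises as well as during actual recovery.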

ICS-CERT encourages companies to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/.


Tags: Data Recovery, Cloud Computing, Data Loss, Cyber-Security, Business Continuity Plan, Business Disruption, Information Security

Solar Radiation Storms Affect Emergency Planning

Posted on Thu, Mar 01, 2012

In January of 2012, the earth experienced the largest solar storm since 2003. Although the full impact of the coronal mass ejections (CMEs) was moderate because of their trajectory, scientists believe that the sun is entering an active period known as "solar maximum", with the height of activity predicted to occur in 2013.

According to Discovery News,
“As the sun increases in activity toward "solar maximum" (predicted to occur in 2013), we can expect more intense solar storms over the coming months. Magnetic activity is bursting through the solar "surface" (the photosphere), producing a rash of sunspots. This in turn has resulted in explosive events -- solar flares and coronal mass ejections (CMEs) -- boosting the intensity of radiation environment surrounding our planet.”

What does this mean for Environmental, Health and Safety Professionals?

Solar storms can adversely affect established infrastructure, specifically power supplies and satellite-based communications. Since the sun’s electromagnetic activities are predicted to be at an elevated activity level into 2013, the chances of disruptions become more likely. Emergency managers should review and revise plans accordingly.

1) Potential power failures: Power companies, which operate long transmission lines, are subject to damage from CMEs. On March 13, 1989, Quebec and portions of the northeastern United States experienced a nine-hour power failure affecting over 6 million people due to a large geomagnetic storm. Some areas of Sweden were similarly affected.

Solar storms are also harmful to electrical transmission equipment, especially transformers and generators. The geomagnetically induced currents that a CME drives through long conductors can saturate transformer cores, which degrades performance; the resulting harmonic currents can trip protective devices and cause windings and cores to overheat and suffer damage.

2) Communications failures: Solar storms can adversely affect current satellite technology by interfering with signals sent to and from the satellites. Many businesses are susceptible to CMEs because of their complex dependency on satellite technology. Satellites are used to synchronize computer clocks and to support navigation systems, telecommunications networks, and other electronic devices. GPS receivers and cell phones can also be affected by CMEs.

Effective emergency planning and business continuity plans and systems should be implemented due to the many unknown events which may occur. However, increased solar activity further amplifies the need to identify critical business processes, safety procedures, and the necessary infrastructure for a rapid recovery to “business as usual” after an event.


Tags: Radiation, Business Continuity, Crisis Management, Data Loss, Disaster Recovery, Notification Systems

Re-Evaluating your Business Continuity Plan - Corporate Survival

Posted on Mon, May 23, 2011

Over the past two months, the “business as usual” routine for thousands of Japanese residents has been displaced by what the Japanese Government has named the “Eastern Japan Great Earthquake Disaster”.  Even as aftershocks continue, businesses within Japan, as well as those across the globe, continue to be affected by production problems and supply chain interruptions. Risk managers and business continuity advisers should be alert to lessons learned from the Japanese crisis and re-evaluate their company’s ability to endure a crisis, both large and small.

Disasters, whether natural or man made, will continue to occur and threaten companies around the world. Both large and small businesses that are able to continue operations throughout a crisis situation may avoid economic hardship and potential failure.  Determining how to operate “business as usual” in less than ideal situations may be the key to survival. Business continuity plans can become a company’s “Plan B” when a disaster strikes.

Understanding response procedures and the intricacies of a “Plan B” can make the difference between corporate survival or failure. Crisis and disaster situations usually result in the loss or temporary disruption of one or more of the following necessary key business resources:

  • Facilities
  • Infrastructure
  • IT Applications/Systems
  • People
  • Supply Chain


A detailed company identification and evaluation of critical business processes should be performed as an integral part of a business continuity plan. This “bare bones” evaluation should list the minimum criteria necessary to keep your business in operation. Necessary information includes the following:

  • Alternate workplace location(s)
  • Necessary Equipment, software, vital records, off-site storage
  • Key vendors lists, inventory and supplier requirements, and notification procedures for key stakeholders
  • Predefined personnel roles and responsibilities with current and alternate contact information
  • Business Continuity Team notification and activation procedures
  • Staff relocation requirements, including name, department, title, function code, home address, type of PC (PC or Laptop), number of adults and children in immediate family, pets /other, relocation priority, recovery location or facility, relocation seat number/room assignment, alternate employees, and special needs

A business continuity plan should be reviewed periodically, and critical business processes, recovery factors, and personnel contact information should be updated regularly. Companies that prepare a business continuity plan encompassing a thorough post-disaster plan can sustain customer relationships and overall business performance until a “business as usual” environment is re-established.


Tags: Business Continuity key points, Emergency Preparedness, Crisis Management, Emergency Management Program, Data Loss