To quickly determine where a company stands in terms of the maturity of its security programme, I developed the questionnaire below, which can be useful in this endeavour.
| No. | Item |
|---|---|
| 1. | Information security policy |
| 1.1 | Is there an information security policy that is appropriate to the purpose of the organisation, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and to continual improvement? |
| 1.2 | Is the policy documented and communicated to employees within the organisation and available to interested parties, as appropriate? |
| 1.3 | Is there an established ISMS policy that ensures the integration of the information security management system requirements into the organisation's processes? |
| 2. | Information security risk assessment and treatment |
| 2.1 | Has an information security risk assessment process been defined and applied? |
| 2.2 | Is there an information security risk treatment process to select appropriate risk treatment options for the results of the information security risk assessment, and are controls determined to implement the risk treatment option chosen? |
| 3. | Planning and measuring |
| 3.1 | Are measurable information security objectives and targets established, documented and communicated throughout the organisation? |
| 3.2 | Does the organisation determine what needs to be done, when and by whom, in setting its objectives? |
| 4.1 | Does the organisation conduct internal audits at planned intervals to provide information on whether the information security management system conforms to requirements? |
| 5.1 | Does the leadership undertake a periodic review of the information security processes and controls, and of the ISMS? |
| 6. | Corrective action and continual improvement |
| 6.1 | Does the organisation react to nonconformities and continually improve the suitability, adequacy and effectiveness of the information security management system? |
| 7.1 | What security laws and data protection legislation apply to the organisation? |
To ensure the security of a system, it is sometimes not enough to follow the general advice outlined in the Overview of Protection Strategies, and one may choose to perform a penetration test.
Security assessments of such highly sensitive environments should be conducted with extreme care. They require not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and their vulnerabilities.
The photo shows different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:
- Modicon Momentum PLC
- Rockwell Automation MicroLogix 1100 PLC
- Siemens S7 1200 PLC
- Small embedded RTU device
The original SCADA protocols (vendor-specific examples include ModbusRTU, DF1, Conitel, and Profibus) were serial-based and followed a master/slave model in which the master station initiated all communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the PLC and view register data, entering the PLC's IP address and TCP port number in the tool.
If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
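As an added example (not code from the original post), here is a small Python parser for the Modbus/TCP encapsulation described above: it splits the MBAP header from the PDU, decodes the register values carried by a Read Holding Registers response (the same data Modscan32 or Wireshark would display), and flags write function codes, which a defender reviewing a capture would want to spot. The frames are constructed samples; field layout follows the Modbus/TCP specification.

```python
import struct

# Modbus application-layer function codes used below
READ_HOLDING_REGISTERS = 0x03
# Coil and register write functions: these change PLC state, so they
# deserve attention when reviewing captured traffic
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP header fields and PDU.

    MBAP = transaction id (2) | protocol id (2) | length (2) | unit id (1),
    where 'length' counts the unit id plus the PDU that follows it.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid} (Modbus is always 0)")
    if len(frame) != 6 + length:
        raise ValueError("length field does not match frame size")
    pdu = frame[7:]
    return {"transaction_id": tid, "unit_id": uid,
            "function": pdu[0], "data": pdu[1:]}

def decode_read_holding_response(data: bytes) -> list:
    """Return the 16-bit register values in a Read Holding Registers response PDU."""
    byte_count = data[0]
    if byte_count != len(data) - 1 or byte_count % 2:
        raise ValueError("bad byte count in response")
    return list(struct.unpack(f">{byte_count // 2}H", data[1:]))

def is_write(frame: bytes) -> bool:
    """True if the frame carries a function code that modifies coils or registers."""
    return parse_mbap(frame)["function"] in WRITE_FUNCTIONS

# Constructed sample: read 3 holding registers from address 0x0000 on unit 1
REQUEST = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "0003")
# Constructed sample: matching response carrying the values 100, 200, 300
RESPONSE = bytes.fromhex("0001" "0000" "0009" "01" "03" "06" "0064" "00c8" "012c")
# Constructed sample: Write Single Register (0x06) of value 1 to address 0x0010
WRITE_REQ = bytes.fromhex("0002" "0000" "0006" "01" "06" "0010" "0001")

if __name__ == "__main__":
    print(parse_mbap(REQUEST))
    print(decode_read_holding_response(parse_mbap(RESPONSE)["data"]))
    print("write seen:", is_write(WRITE_REQ))
```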
Information systems audit do’s:
1. The main goal of an audit is not to find weak controls or policy violations, but to help a company mitigate its risks and achieve compliance.
2. Remember that an audit strengthens discipline within a company.
3. An auditor is responsible for making sure that risks in weak areas don't materialize, so they make appropriate observations and comments.
4. Beware of flattery and concealment.
5. Replace opinions with facts and evidence.
6. Invest in improving communication skills.
7. When you finish interviewing someone, always give them a brief summary of the current situation (e.g. your observations: good and/or bad) if possible.
8. Do not add any photo/video materials or document copies to your final report.
9. Create good report templates in advance.
Information systems audit don’ts:
1. Don’t criticize.
2. Don’t argue.
3. Don’t use professional or specialized jargon.
4. Don’t say that you understand if you actually don’t.
5. Don’t try to guess.
6. Don’t use tests that can potentially cause incidents.
7. Don’t write only negative observations in your final report.