Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presenters Robert “RJ” Hope, CPP Kevin Whaley

Published byGervais Johnston Modified over 6 years ago

Similar presentations

Presentation on theme: "Presenters Robert “RJ” Hope, CPP Kevin Whaley"— Presentation transcript:

0 Vulnerability Assessments
Presented By: RJ Hope, CPP Kevin Whaley

1 Presenters Robert “RJ” Hope, CPP Kevin Whaley
Section Manager - Security Consulting Burns & McDonnell Kevin Whaley Security Consultant

2 Agenda Why conduct a Vulnerability Assessment (VA)?
What is a Vulnerability Assessment? Purpose/Frequency Who should be involved Types of Vulnerability Assessments Vulnerabilities to consider Mitigation Options & Cost Justifications

3 Why Vulnerability Assessments?
Past events Berlin truck attack 19DEC2016 12 dead 56 injured Trespasser at Eugene Sawyer Water Purification Plant NOV 2016

4 Past Events (continued)
Ohio State Attack 28NOV2016 11 injured Bakersfield, CA Substation Intrusion & Sabotage

5 Why Vulnerability Assessments?

6 In-House vs. Outside Consultant
In-house vs. outside consultants In-house can provide institutional knowledge about environment Normally already know what the answers are to problems May have issues getting buy-in from management/executives Outside consultants can provide an objective perspective Fresh set of eyes Offer substantiation to findings Offer insight into similar environments & experience from other industries

7 Assessment Methodologies
DoD – UFC FEMA 452 FEMA 426 Sandia Labs RAM-WTM (Water) RAM-CFTM (Chemical) RAM-CITM (Critical Infrastructure) Prison, Energy, Transmission, Dams, Etc. Department of Homeland Security CARVER + Shock Criticality Accessibility Recoverability Vulnerability Effect Recognizability

8 What is a Vulnerability Assessment?
Threat, Vulnerability, & Risk Assessments defined Vulnerability = process of identifying and quantifying vulnerabilities or weak points of a facility or PPS (Physical Protection System) Threat = Means, methods and likelihood of attack Outsider, insider, outsider colluding with insider. Risk = process of determining the outcome of a successful attack and the effect on the entity.

9 Purpose & Frequency of VA
Establishes the baseline of the PPS effectiveness against your individually defined threats Conduct initial assessment, post-mitigation assessment, periodic assessments Should also be conducted: After an event (direct or non-direct) Changes in regulations (if any) To coincide with industry best practices

10 THINKING LIKE AN ADVERSARY!
Objectives of VA Obtain an objective understanding of vulnerabilities to your operation based on your entities unique operating environment Identify mitigation options that are commensurate with your operating environment and generate a Target Shift Development of plans that can generate cost savings THINKING LIKE AN ADVERSARY!

11 Objectives of VA Understanding the Attack Model Event Selection
Target Selection Preoperational Surveillance Attack Mobilization Attack Method Attack Dry Runs Attack Sequence

12 Who is involved? Team should consist of personnel with broad experience Led by Security Specialist Include: Security Manager Security Systems Specialist IT Front line Operators Operations/Facilities Legal & HR May only be needed for specific items

13 Vulnerability Examples
Physical Vulnerabilities Barriers Lighting Doors Fencing Etc. Personnel Vulnerabilities Employees Guard Force Social Engineering Electronic Vulnerabilities Surveillance Cameras Access Controls Intrusion Detection Program Vulnerabilities Policies & Procedures

14 Types of VA Performance Based Compliance Based

15 Performance Based Create an adversary sequence diagram
Conduct path analysis Perform scenario analysis Determine system effectiveness If effectiveness (or risk) is unacceptable, develop and analyze upgrades.

16 Performance Based - Qualitative
AKA CARVER Criticality – measure of impact of an attack Accessibility – ability to physically access and egress from target Recuperability – ability of a system to recover from an attack Vulnerability – ease of accomplishing attack Effect – amount of direct loss from an attack as measured by loss in production Recognizability – ease of identifying target A modified CARVER adds 7th attribute Combined health, economic and psychological impacts of an attack

17 Performance Based - Scenario
Used to determine whether a PPS has vulnerabilities that could be exploited by adversaries using varying tactics. Analyses PPS using defined threats and path analysis.

18 Performance Based – Scenario (continued)
Using assumptions about threats to determine how an event might occur, then determining if your systems can effectively assist with the mitigation Threat Assumption Sample 1 Asset Theft: the unauthorized removal of facility assets. Assumptions: Adversary desires to remove the assets while minimizing potential detection or evidence that would lead to apprehension. Assets subject to theft are high value commodities such as electronics, or metals. Motivation for asset theft events is not driven by a desire to harm a facility but rather to acquire the asset components being removed. (Harm to the facility and operation can occur based on the type(s) of assets stolen and the associated downtime associated with asset replacement.)

19 Performance Based - Quantitative
Requires measurable data Security systems performance and cost Usually used for corporations with unacceptably high consequence of loss Nuclear facilities, prisons, certain government or military installations, refineries, utilities, airports, telecommunication hubs. Used mainly to measure hardware components performance CCTV, sensors, access controls, etc. Removes the subjectivity of compliance based or qualitative analysis.

20 Compliance Based Measures the conformance to specified policies or programs driven by the regulatory body within an industry.

21 Options for Mitigation
Show me an 11’ fence & I’ll show you a 12’ ladder EVERYTHING can be defeated GOAL IS TO CREATE TARGET SHIFT You don’t want to get video of an event, you want there to be no event to capture Mitigations = level of protection desired + acceptable risk Limited only by your creativity May not always be a security technology or additional personnel Industry Perception

22 Cost Justification Regulatory vs. Non-Regulatory
Carrot and Stick Required Improvements Security Overkill Event Based vs. Non-Event Based Fear Apprehension Employee Retention

23 Cost Justification Events vs. Regulatory Relation to Peers
Program Longevity Implementation Thought Process Stakeholder Involvement Leadership Support Litigation vs. Fines Relation to Peers Lowering of O&M Demonstrated Reduction of Events Reduction/Elimination of Regulatory Non-Compliance

24 Cost Justification The Argument Success is a Non-Event
Rated on Failure NOT Success Rated Against Peers Writing/Telling the Story

25 Questions Robert J. Hope, CPP Manager – Security Consulting Burns & McDonnell Engineering Kevin Whaley Security Consulting

26

Download ppt "Presenters Robert “RJ” Hope, CPP Kevin Whaley"

Similar presentations

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Threat/Vulnerability Assessments for Foods FDA Science Board Advisory Committee Meeting November 6, 2003 Robert E. Brackett, Ph.D. Director, Food Safety.

Threat/Vulnerability Assessments for Foods FDA Science Board Advisory Committee Meeting November 6, 2003 Robert E. Brackett, Ph.D. Director, Food Safety.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
Actionable Process Steps and Focused Mitigation Strategies

Actionable Process Steps and Focused Mitigation Strategies
Introduction to Network Defense

Introduction to Network Defense
RAM Modelling in the Project Design Phase Friday 30 th April, 2010 Paul Websdane Reliability Modelling for Business Decisions Asset Management Council.

RAM Modelling in the Project Design Phase Friday 30 th April, 2010 Paul Websdane Reliability Modelling for Business Decisions Asset Management Council.
Chapter 13: Data Security & Disaster Recovery Database Management Systems.

Chapter 13: Data Security & Disaster Recovery Database Management Systems.
Basics of OHSAS Occupational Health & Safety Management System

Basics of OHSAS Occupational Health & Safety Management System
CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)

CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)
CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP.

CMGT400 Intro to Information Assurance and Security (University of Phoenix) Lecture, Week 5 Tom Olzak, MBA, CISSP.
SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.

SEC’s Cybersecurity Risk Alert Part 2 of 3 How-To: Assessing Cybersecurity Risk Thomas J. DeMayo, CISSP, CIPP, CEH, CPT, MCSE Director, IT Audit and Consulting.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.

Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.

Web Security for Network and System Administrators1 Chapter 2 Security Processes.
M&V Part 1: D.O. Review. 1-2 Your Instructor Mark Stetz, P.E. Ø Worked with FEMP since 1997. Ø Serves as FEMP’s M&V Specialist. Ø Contributed to FEMP.

M&V Part 1: D.O. Review. 1-2 Your Instructor Mark Stetz, P.E. Ø Worked with FEMP since Ø Serves as FEMP’s M&V Specialist. Ø Contributed to FEMP.
Qualitative Risk Assessment Risk Analysis for Water Resources Planning and Management Institute for Water Resources 2008.

Qualitative Risk Assessment Risk Analysis for Water Resources Planning and Management Institute for Water Resources 2008.

Similar presentations

Ads by Google