Cybersecurity Training Notes - NIST CSF Function: Identify


CREDITS: The following notes were from a lecture originally created by Schweitzer Engineering Laboratories. This is all for study purposes only. THESE WERE PUBLISHED WITH PERMISSION AS WELL.

Gooooood morning Spacehey! We're back at it again: this is part 2 of my 5-blog series of notes from the cybersecurity training I did this weekend. If you have NOT seen part 1, check it out here!! Sit back, get something to eat and drink if you didn't eat or drink today, and let's get started! :D



Asset Management

Subcategories

  • ID.AM-1: Physical devices and systems within the organization are inventoried.
  • ID.AM-2: Software platforms and applications within the organization are inventoried.
  • ID.AM-3: Organizational communication and data flows are mapped.
  • ID.AM-4: External information systems are catalogued.
  • ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
  • ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are accounted for.


Definition - Asset

The data, personnel, devices, systems, and facilities that enable the organization to achieve its business purposes.


Importance of Asset Management

Benefits of a strong asset management solution:

  • Maintenance of device firmware/software versioning
  • Rapid identification of unknown or new devices on OT network
  • Change control logging and management
  • Supporting backup and disaster recovery efforts.

"You cannot protect what you don't know"

Asset Identification

  • Data: Information
  • People: Personnel and their role/classification
  • Software: OS, SCADA software, HMI software, IT software.
  • Hardware: Computers, servers, distributed and embedded computing systems.
  • Communication assets: Firewalls, load balancers, etc.
  • Facilities: Buildings, home environment, etc.

Asset Identification Tools

  • Asset Discovery
  • Threat Detection
  • Case Management
  • Workflow
  • Playbooks

Types of Asset Inventories

  • Manual: Database that is typically stored in a spreadsheet which is updated by hand (Excel, MS Access database).
  • Automated: Leverages OT network connections to query devices, gather configuration information, and store it in a database (Spiceworks, GLPI).

Active vs Passive Identification

Active Identification:

  • Query-based discovery: the tool sends traffic to devices and records the replies.
      • Network scanning
      • Ping sweeps

Passive Identification:

  • Traffic analysis-based discovery: nothing is sent, so it is safe for fragile OT devices.
      • Tap or SPAN (mirror) ports
      • Review gathered traffic


Asset Identification Tools

Active Identification:

  • LAN Sweeper
  • Nmap
  • Tenable Nessus

Passive Identification:

  • Dragos
  • GRASSMARLIN
  • Network Perception
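As an added illustration of the passive approach (my own example, not part of the lecture notes), the Python below builds an inventory from constructed flow records the way a tap-fed tool would, maps the data flows for ID.AM-3, and flags hosts that a manual spreadsheet inventory does not list; the IP addresses, hosts and port labels are made up for the example.

```python
from collections import defaultdict

# Constructed sample of flow records, as a tap or SPAN port would yield them
# (not real traffic): (source IP, destination IP, transport, destination port).
SAMPLE_FLOWS = [
    ("10.1.1.10", "10.1.1.50", "tcp", 502),    # HMI polling a PLC over Modbus/TCP
    ("10.1.1.10", "10.1.1.51", "tcp", 20000),  # HMI polling an RTU over DNP3
    ("10.1.1.50", "10.1.1.200", "udp", 514),   # PLC sending syslog to a collector
    ("10.1.1.77", "10.1.1.50", "tcp", 502),    # host nobody documented, talking Modbus
    ("10.1.1.10", "10.1.1.50", "tcp", 502),    # repeat poll; must not be double-counted
]

# Well-known service ports used to label what each device speaks or serves.
PORT_LABELS = {502: "modbus", 20000: "dnp3", 514: "syslog", 22: "ssh", 443: "https"}

# Hosts the existing manual (spreadsheet) inventory already lists; constructed.
KNOWN_ASSETS = {"10.1.1.10", "10.1.1.50", "10.1.1.51", "10.1.1.200"}


def passive_inventory(flows):
    """Build an asset inventory from observed traffic only; nothing is sent."""
    assets = defaultdict(lambda: {"serves": set(), "uses": set()})
    for src, dst, transport, port in flows:
        label = PORT_LABELS.get(port, f"{transport}/{port}")
        assets[src]["uses"].add(label)    # client side of the conversation
        assets[dst]["serves"].add(label)  # server side: what the device exposes
    return dict(assets)


def data_flows(flows):
    """ID.AM-3: the distinct (source, destination, protocol) edges for a DFD."""
    edges = {(src, dst, PORT_LABELS.get(port, f"{t}/{port}")) for src, dst, t, port in flows}
    return sorted(edges)


def undocumented_hosts(inventory, known=KNOWN_ASSETS):
    """ID.AM-1: hosts seen on the wire that the manual inventory does not list."""
    return sorted(set(inventory) - set(known))


if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_FLOWS)
    for host, facts in sorted(inv.items()):
        print(host, "serves", sorted(facts["serves"]), "uses", sorted(facts["uses"]))
    print("data flows:", data_flows(SAMPLE_FLOWS))
    print("not in manual inventory:", undocumented_hosts(inv))
```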

Categorize Communications Channels

Examples:

  • Business Communications (Events, Syslog, Metering, and Planning)
  • Engineering Access
  • SCADA
  • DMZ
  • Machine-to-machine (M2M) protection and system state

Definitions

Data Flow Diagram (DFD)

A visual method of modeling the flow of data through a system.

Traffic-engineered Communications

External Information System

A system or component of a system that is used by, but is not a part of, an organizational system, and for which the organization has no direct control over the implementation of required security and privacy controls or the assessment of control effectiveness.

  • Use of cloud computing
  • Distributed database management system
  • Multiple locations across the country/globe

Resource Classification

  • Assign a value to each asset so that risk management can be effective.
  • Classify based on criticality and the sensitivity of the information.
  • What will happen if this resource becomes unavailable?
  • What is the business impact of the resource?
  • For OT systems, what is the safety impact?

Cybersecurity Roles

It is important to differentiate between roles. Everyone has their own role that comes into play.


Business Environment

Subcategories

  • ID.BE-1: The organization's role in the supply chain is identified and communicated
  • ID.BE-2: The organization's place in critical infrastructure and its industry sector
  • ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  • ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  • ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations)

Definitions

Supply Chain: The network of retailers, distributors, transporters, storage facilities, and suppliers that participate in the delivery and production of a product.

Critical Infrastructure: A system whose incapacitation or destruction would have a debilitating impact on the defense or economic security of the nation. (There are 16 of these sectors.)


Missions, Objectives, Activities

  • Business Plans
  • Mission
  • Strategic Plans
  • Tactical Plans
  • Goals
  • Objectives
  • Critical Success Factors
  • KPIs
  • Projects

Resilience Requirements

Identify critical system components and functions by performing a criticality analysis.
Criticality is assessed in terms of the impact of a function or component failure.

Governance

Subcategories

  • ID.GV-1: Organizational cybersecurity policy is established and communicated
  • ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
  • ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
  • ID.GV-4: Governance and risk management processes address cybersecurity risks

Policy, process, and procedures


  • Driven by executive-level business management.
  • Integrate the importance of cybersecurity into foundational documentation.
  • Multiple methods of delivery:
      • In-person training
      • Internet-based training
      • Physical or virtual documentation review

Policy - General Principles

Policy is a formal, high-level statement with broad application designed to reduce security risk.

Examples:

  • Remote Access Policy
  • Data Breach Response Policy
  • Information Security Policy
  • "Corporate emails shall only be used for corporate business."
  • "Data in email attachments shall be encrypted."

Standards - Specific Requirements

Standards define security requirements and serve as a guide for how to comply with those requirements.

Examples:

  • Cyber incident response standard
  • Information security risk standard

Process - Series of Related Tasks

Processes are structured steps designed to accomplish the objective of meeting the stated policy.

Procedure - Prescriptive and Repeatable

Procedures are step-by-step work instructions for carrying out the process.

Governance Committee


North American Electric Reliability Corporation (NERC)

NERC CIP standards are the mandatory security standards that apply to entities that own or manage bulk electric systems (BES) that are part of the US and Canadian electric power grid.



Risk Assessment

Subcategories

  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-3: Threats, both internal and external, are identified and documented
  • ID.RA-4: Potential business impacts and likelihoods are identified
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • ID.RA-6: Risk responses are identified and prioritized

Definitions

Risk assessment: The process of identifying risks to organizational operations, organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.


Risk Assessment Methodology


Types of vulnerabilities

  • Architectural Deficiencies
  • Defect in final product
  • Misconfiguration
  • Advanced Technology
  • Nature
  • Environmental
  • Human behavioral
  • Production material pre-conditions

Identifying cyber asset vulnerabilities

  • An up-to-date asset inventory can be cross-referenced with vulnerability databases for assessment:
      • National Vulnerability Database (NVD)
      • Common Vulnerabilities and Exposures (CVE) database
      • ICS-CERT advisories

Cyber Threat Intelligence

  • US-CERT.gov
  • FBI.gov
  • CVE.MITRE.org


Threat Assessment

The process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
Evaluate: skill, knowledge, resources, motive, capability.

Impact Level

  • Assessed for confidentiality, integrity, and availability.
  • High - Catastrophic effect
  • Moderate - Serious adverse effect
  • Low - Moderate adverse effect

Understanding and identifying threats

  • Leverage external and internal sources to identify threats facing the business (OSINT, Dragos, threat intelligence, insider threat awareness, MITRE, Open Threat Taxonomy)
  • Aggregate threat information (Risk Register)
  • Apply appropriate risk model and approach to assess risk

Risk Responses

Specific remediation plans for addressing the identified risks, covering:

  • Assets
  • Vendors
  • Business environments

  • Prioritize responses based on the severity of the risks.
  • Maintain a comprehensive risk management plan that unifies the business response to all risks.
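An added example (mine, not from the lecture) tying ID.RA-1 and ID.RA-4 through ID.RA-6 together: it cross-references a constructed asset inventory against constructed advisory records (placeholder ids, not real CVEs), then scores risk as likelihood times impact so that responses can be prioritized; the vendor, product and version names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    version: str
    criticality: int  # 1 low, 2 moderate, 3 high; from resource classification (ID.AM-5)

@dataclass
class Advisory:
    ident: str        # placeholder id; a real record would carry a CVE or ICS-CERT id
    vendor: str
    product: str
    fixed_in: str     # first version that is no longer affected
    likelihood: int   # 1 low, 2 moderate, 3 high: exposure and exploit maturity

# Constructed inventory and advisory feed; vendor and product names are made up.
ASSETS = [
    Asset("HMI-1", "ExampleCo", "ScadaView", "3.2.1", 3),
    Asset("Historian", "ExampleCo", "ScadaView", "3.4.0", 2),
    Asset("PLC-7", "ExampleCo", "RelayOS", "1.0.5", 3),
]
ADVISORIES = [
    Advisory("ADV-0001 (placeholder)", "ExampleCo", "ScadaView", "3.3.0", 2),
    Advisory("ADV-0002 (placeholder)", "ExampleCo", "RelayOS", "1.1.0", 1),
]
IMPACT = {3: "High", 2: "Moderate", 1: "Low"}  # impact levels from the notes

def version_tuple(version):
    """Compare dotted versions numerically so that 3.10.0 sorts after 3.9.0."""
    return tuple(int(part) for part in version.split("."))

def match_advisories(assets, advisories):
    """ID.RA-1: an asset is affected when vendor/product match and it runs an unfixed version."""
    return [(a, adv) for a in assets for adv in advisories
            if (a.vendor, a.product) == (adv.vendor, adv.product)
            and version_tuple(a.version) < version_tuple(adv.fixed_in)]

def risk_register(assets, advisories):
    """ID.RA-4/5/6: risk = likelihood x impact; the highest risk is treated first."""
    rows = [{"asset": a.name, "advisory": adv.ident, "impact": IMPACT[a.criticality],
             "likelihood": adv.likelihood, "risk": adv.likelihood * a.criticality}
            for a, adv in match_advisories(assets, advisories)]
    return sorted(rows, key=lambda row: row["risk"], reverse=True)

if __name__ == "__main__":
    for row in risk_register(ASSETS, ADVISORIES):
        print(row)
```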



Risk Management Strategy

Subcategories

  • ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
  • ID.RM-2: Organizational risk tolerance is determined and clearly expressed
  • ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis

Definitions

Risk Management Strategy

Strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk -- making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.

Risk Tolerance

  • The organization's or stakeholder's readiness to bear the risk, after risk treatment, in order to achieve its objectives.
  • Can be influenced by sector-specific risks (business environment).
  • Can be influenced by legal or regulatory requirements (governance).



Supply Chain Risk Management

Subcategories

  • ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
  • ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
  • ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan
  • ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations
  • ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers

Supply Chain Risk Management Plan

Develop a plan for managing the supply chain risk associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components, or system services.

Response and Recovery

  • Develop an incident response plan
  • Test the effectiveness of the incident response capability for the system
  • Coordinate incident handling activities with contingency planning activities.


Summary And Closing

  • A strong asset management solution provides a solid foundation for risk management
  • Business environment analysis reveals key business dependencies
  • Policies, standards, and procedures provide a tangible approach to implementing governance.
  • Risk assessments must factor in both general threats as well as unique threats facing a specific business or sector.
  • A robust risk management strategy must reflect the business' risk tolerance.


Thank you!

Thank you so much for reading! Be sure to stay tuned as part 3 comes up later tonight! <3

