General Introduction | Module 4 - Information Security and Cyber Risk Analysis | CriticalEnergyNetworks101 Courseware

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@56172ef5d03446e8a257616855e08757" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@4582c98bd7ec44e1988bc317e99f2667"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@4582c98bd7ec44e1988bc317e99f2667" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="text-align: center; font-size: 20pt !important; color: #003478; font-weight: bold !important;">Information Security and Cybersecurity</p> <p><span style="font-size: 14pt !important; font-weight: bold !important; font-style: italic !important;">“Threat is a mirror of security gaps. Cyber-threat is mainly a reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for a consistent cyber-resilience.”</span><span style="font-size: 12pt !important; font-style:italic !important;"> – Stéphane Nappo, Vice President - Global Chief Information Security Officer, Groupe SEB</span></p> <p>This module serves as an introduction to information security and cybersecurity concepts and seeks to provide students with the basic elements of information security, phases of a cyber risk management model, and the anatomy of a cyberattack.</p> <p style="color: #003478;">Check the following video to see why information security and cybersecurity matter.</p> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a9025b07e239451e97f07f29a7baa960"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a9025b07e239451e97f07f29a7baa960" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <p style="text-align: center"><iframe src="https://player.vimeo.com/video/575280559" width="640" height="564" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe></p> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@69191b04060b46df99646268d0711e90"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@69191b04060b46df99646268d0711e90" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <p><span style="font-size: 13pt !important; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Topics and Learning Objectives</span></p> <p>This module serves as an introduction to information security and cybersecurity concepts and seeks to provide students with the basic elements of information security, phases of a cyber risk management model, and the anatomy of a cyberattack.</p> <table> <thead> <tr><th style="border: 1px solid black; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Topics</th> <th style="border: 1px solid black; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Learning Objectives</th> </tr> </thead> <tbody> <tr> <td style="border: 1px solid black; color: black;"> <ul> <li>Information Security Concepts</li> <li>Basic Concepts of Risk Management</li> <li>Risk Management Model</li> <li>Anatomy of an Attack</li> </ul> </td> <td style="border: 1px solid black; color: black;background-color: rgba(0,136,198,.30);"> <ul> <li>Understand information security concepts</li> <li>Explain information security program</li> <li>Understand cyber risk concepts</li> <li>Understand cyber risk management concepts</li> <li>Understand and explain the anatomy of a cyber attack</li> </ul> </td> </tr> </tbody> </table> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a8ffeb28b8ac4a2d9f462df071207b80"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a8ffeb28b8ac4a2d9f462df071207b80" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>To achieve these objectives, this module is subdivided into 7 sections:</p> <ul> <li><span style="color:#003478; font-weight: bold !important;"> Section 1</span> presents a discussion among experts on the importance of information security and cybersecurity for the protection and resilience of critical energy infrastructure and critical infrastructure systems.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 2</span> explains the importance of considering cyber threats and cyber risks, and provives general cyber trends for 2021.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 3</span> presents the concepts and the goals of an information security program, and the components of the McCumber Cube, which is a representation of an information security model.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 4</span> explains the differences between a cybercrime and a cyberthreat, and deconstructs the five stages of a cyberattack.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 5</span> reminds the components and specificities of cyber risk management.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 6</span> shows the five stages of a cyber risk management process.</li> <li><span style="color:#003478; font-weight: bold !important;"> Section 7</span> summarizes the important concepts presented in the Information Security and Cybersecurity module.</li> </ul> <p>At the end of the module, students will find a quiz to test their knowledge and to determine whether they need to review any concepts supporting information security and cybersecurity.<br/><br/>Finally, additional readings are also proposed to deepen their knowledge on information security and cybersecurity.</p> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@4ee3d0a1c7354647896d0a4015d014a0" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@83f44507232e49bc9baa491253e6b238"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@83f44507232e49bc9baa491253e6b238" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <p>In the video podcast below, <span style="color: #003478; font-weight: bold !important;">Ms. Karen Evans</span>, <span style="color: #003478; font-weight: bold !important;">Ms. Ayhan Gucuyener</span>, <span style="color: #003478; font-weight: bold !important;">Ms. Amanda Joyce</span>, and <span style="color: #003478; font-weight: bold !important;">Dr. Roland Varriale</span> discuss the importance for decision-makers and analysts to consider information security and cybersecurity in risk analysis processes to enhance the security and resilience of energy networks and critical infrastructure systems.<br/><br/> The discussion specifically addresses the following questions: <ul> <li>What are the main information security needs for the energy sector?</li> <li>What challenges have you faced implementing cybersecurity strategies/processes for energy networks and critical infrastructure systems?</li> <li>What are the future challenges and needs for enhancing information security and cybersecurity?</li> <li>How could international collaborations through the OSCE support better information security and cybersecurity for the energy sector?</li> </ul><br/> <span style="color: #003478;"><b>Click on the video below to watch the discussion on information security and cybersecurity.</b></span> </p> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@4987d58a67de471882ec3b8db8910782"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@4987d58a67de471882ec3b8db8910782" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <p style="text-align: center"><iframe src="https://player.vimeo.com/video/646527425" width="640" height="400" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe></p> <p><span style="color: #003478;">Expand the accordions below to view the discussion transcript and the expert bios.</span></p> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@7de90d96e9194db1856d2def73b05852"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@7de90d96e9194db1856d2def73b05852" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Video Podcast Transcript</button> <div class="panel"> <table> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>00:00 - General Introduction</b></td> </tr> <tr> <td style="background-color:white;">Welcome to the discussion on Information Security and Cybersecurity, a component of the training “Critical Energy Networks: from Risk Analysis to Risk Management,” of the OSCE Virtual Centre for the protection of critical energy infrastructure.<br/><br/> This presentation is an informal discussion among experts on the importance of information security and cybersecurity for the operation, security, and resilience of critical energy networks.<br/><br/> <b>Dr. Roland Varriale:</b> Hello and welcome. I am Roland Varriale, a cybersecurity analyst at Argonne National Laboratory. I work on cybersecurity of vehicle infrastructure and related systems. Today with us we have Karen Evans who is a board member at the Center for Cybersecurity and Technology Innovation and a partner at KE&T Partners LLC; Amanda Joyce, who is a cyber security group lead and cyber force program lead at Argonne National Laboratory; and Ayhan Gucuyener who is a project specialist at Kadir Has University Cybersecurity and Critical Infrastructure Protection Center in Turkey. Could you please introduce yourselves in that order?<br/><br/> <b>Ms. Karen Evans:</b> Oh sure, thank you Roland for inviting me today. I am very excited. As you said, I am here from the center, but in my former life, just recently, I was the former Chief Information Officer (CIO) at the Department of Homeland Security (DHS) and also the first and former Assistant Secretary for Cyber Security Energy Security and Emergency Response, finally known as CESER at the Department of Energy (DOE).<br/><br/> <b>Ms. Amanda Joyce:</b> I am Amanda Joyce. As you also said, I am the group lead for the Strategic Cyber Analysis and Research Group at Argonne National Laboratory, and I lead a lot of the cybersecurity workforce development efforts here at the lab.<br/><br/> <b>Ms. Ayhan Gucuyener:</b> Hello everyone, thank you for having me here. As to introduce my name is Ayhan Gucuyener and I am working as a project specialist in Kadir Has University, a university in Turkey in the Resource Center on Cybersecurity and Critical Infrastructure Protection and at the same time I am a PhD candidate in the International Relations Department of the same university. Currently, I'm working on my PhD thesis, which is tough, so.<br/><br/> <b>Dr. Roland Varriale:</b> I have been there. That is great and thanks to all of you for coming and dedicating some of your time, volunteering your time, to work on this very important problem.<br/><br/></td> </tr> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>02:45 – Information Security Needs of the Energy Sector</b></td> </tr> <tr> <td style="background-color:white;"> <b>Dr. Roland Varriale:</b> So, there are some information security needs that may be different within the energy sector than normal traditional private sector work. Amanda, do you have any insight into some maybe differences or special information security needs that are within the energy sector?<br/><br/> <b>Ms. Amanda Joyce:</b> Sure, so I think my colleagues will probably agree with me. The energy sector is not different than a lot of the other sectors. It is not a one-size-fits-all problems. Everyone is different. Every country is different. Every state is different and in part that in thinking through a cybersecurity plan for energy. Part of that is a lot of that infrastructure was built a long time ago without thinking through that cybersecurity or a lot of our things would be put on the Internet, in the fashion in which we have them today. While we have remote access and all this type of information, it is easier for people to remote into a machine that a long time ago someone would physically go to and check kinds of levels of energy or check levels of water and what not. So first and foremost, it is understanding the security around what they have. Putting a chain-link fence around something that ideally should have something a little bit more. You know, in comparison to again, similar to, should you have a firewall or should you not? So, ultimately that I would boil it down to a very simple logical basis of understanding in the energy sector. What do they even have like inventory wise? I still think even in a day and age that we have now, we still don't understand what we all have out their inventory wise that is working, what is not working, what is connected, what is not connected… And part that leads because not everything is public, to the federal government, to a state or whatnot. Some of that is privately owned, so you can't just force people to share everything. So, I think that boils down to really having a good relationship between public and private organizations to bring about the best kind of security plan. And it starts really in our foundational level, in my opinion, of just understanding your basic risk level. Do you understand what your threats are in that could start with? Do you share threat intelligence? Do you look at threat intelligence for your state? For your country? For your type of infrastructure? Do you share that out with other people? Do you have partners in that area? Do you understand what type of vulnerabilities you already have inherently in your system? And what are you doing to actually mitigate some of those? And then on top of that, do you understand the consequences in the event something were to happen? I think people just always go with the assumption nothing will happen to me because it hasn't, but as we have seen more and more over these last handful of years, I think everyone goes in with the nothing is going to happen to me until it happens, and then they kind of go: what now? And they don't have that plan in place. And so, I think understanding the basic and then react to a foundation, then we start to build up. And that is kind of where I think the energy sector kind of work starting there, and I think that is the best that we can do right now.<br/><br/> <b>Ms. Karen Evans:</b> So. Roland, I would like to jump in just a little bit to talk a little bit more about what Amanda says and maybe Amanda can jump back or whatever. But part of the things, I agree with the statement like it is different, but yet it is the same. So, a lot of the concepts that you would bring from information technology. Amanda really outlined about its foundational: know your assets, know your inventory, that is consistent regardless of whatever sector that you are in. I think one of the areas that makes energy more critical, especially for countries to think about is: it is not just the cyber program, but from an operational perspective like, you have to keep the power going regardless of what the power is. So, if it is coming from renewables, or if it is coming from oil and natural gas, or if it is electricity, you have to keep that power on. The minute that you make a decision, and this is the difference that I saw in my tenure going back into the government and then coming back out. Is the difference a lot of times between information technology security operators, and operational technology operators, is that mindset of when an incident happens, they want to shut down and isolate it to collect evidence to collect what is happening so that you can actually do the analysis. The solution has to evolve to a place where you can actually continue operations, keep things on while you have a mechanism that collects evidence that allows for people to do the greater types of analysis, like Amanda was talking about, like passing it off for threat intelligence. Passing it off to other sectors that may have to look at it while you are still doing your operations. In my tenure at DHS, as the CIO, we took that a step further and collapse the Security Operation Center and the Network Operation Center into a bigger entity called the Network Operations Security Center that would then actually allow us to keep operations running while we were collecting the information that we needed for an incident to be able to hand it off to the specialists.<br/><br/> <b>Ms. Amanda Joyce:</b> I 100% agree with what Karen just said. The energy sector, at least in the United States, that's a critical function now that we call them, and energy you need it for everything that we have, and so it is a basic necessity that we have at this point that no matter what you're doing, the water that we get, to clean the water that we have, it needs energy to do that. So, it is so intricate that no matter what happens, it is kind of like you can't, we no longer can walk blindly into any sort of whether renewable, or water, or whatnot, and say it is not going to happen to me. We have to kind of go in thinking, trying to go five steps ahead of but what happens if it does? What do you have in place that is going to keep the lights on for your customers? For the people that need that energy that you're supplying to them, or you need from someone else.<br/><br/> <b>Dr. Roland Varriale:</b>And Ayhan, since you focus specifically on critical infrastructure. Is there some intrinsic way that these systems are implemented that would lead them to be a little more fragile in terms of risk or resilience, like Karen said, so the industrial control system protocols that they use? Is there anything different that you would have to do with that consideration versus traditional information technology (IT) systems?<br/><br/> <b>Ms. Ayhan Gucuyener:</b> Well, I mean, that one of the most important things is that we are combining all technologies in energy systems. This is one of the biggest problems and basically, as both panelists said, these different systems are using different types of security mindsets and they are operated by different types of people who are coming from different backgrounds, and they have different types of safety and security understanding. So, I think that maybe one of the most important problems for the energy sector is the lack of the professionals who can handle the operational technology (OT) network security and IT network security at the same time. Maybe it should be a priority for the sector to invest in this area. We really need some kind of specific training in terms of raising the industrial control systems (ICS) security professionals, which currently we don't have many, and I think these are the main problems from my side. </td> </tr> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>11:49 – Information Security and Cybersecurity Challenges</b></td> </tr> <tr> <td style="background-color:white; "> <b>Dr. Roland Varriale:</b> And Karen, has this spurred any challenges that you may have faced when implementing cybersecurity strategies or processes for energy networks and critical infrastructure systems?<br/><br/> <b>Ms. Karen Evans:</b> So, I am glad you asked that question because challenges are always a good thing to be able to discuss. So, in my role, my former role at the Department of Energy, the focus was really on our sector specific agency, which is probably a unique concept here in the United States. And so, that is the agency that in essence represents that sector back into the Federal government as a whole. So, I got to see both of these roles because I also then went to the Department of Homeland Security, which is responsible for all the critical infrastructure across the nation. So, the challenges with that in the United States, and I am sure it is a little bit different in each and every country, is over 85% of the critical infrastructure in the energy sector is owned by the private sector. And then, when you start looking at what are the business models associated with each way that the function works between generation, transmission, and distribution, it is also regulated differently depending on what part of that supply chain you are in. So, it is a complicated piece, and as Amanda was talking about earlier as she started out, she was talking about, like all you have to have the risk management plan, and then you have to have a security plan and then you take a look at this but here the challenges is that OK, I can do certain things within the boundaries of my organization physically and logically. And then if I am in the middle of either transmission or generation or even distribution, then where is the line of demarcation and then how does that work? So, I throw that all into supply chain risk management when you really have to analyze your overall risk because the consumer, the person who is down at the end, our citizen, doesn't understand that the bulk power electric grid is regulated by one entity and the windmills that are generating and we are collecting energy from doesn't have any regulation at all. And then I can put some solar panels on my house and maybe I can start figuring out some of the stuff so that I can be self-sufficient. Or maybe I am going to join a group and then come up with a microgrid in my area, which is some of the areas that they are looking at up: let's have a microgrid. And so, it is a challenge when you are talking about how critical energy is to be generated for the ultimate consumer but the relationships are very critical, and again, as my panelists said, that is probably the hardest part of this puzzle to solve, because that is a cultural difference between each and every organization even though we are trying to get to the same outcome.<br/><br/> <b>Ms. Amanda Joyce:</b> I would also probably add on top of that, that on top of private being 85% ownership, the size of organizations vastly is different, so you may have a very small company that they own very small infrastructure, so their personnel is very small in nature. So, you are comparing, the large energy companies that we see at a country level or State level, and then you might have a very small, municipal or something that handles very small areas in a country. Trying to compare those is very difficult and saying everyone needs to kind of follow the same thing is so difficult because having thousands of people in an organization compared to five people trying to implement similar things is really difficult across the same landscape that they are ultimately doing the same thing, but in a smaller scale. So, I think that has also been a major challenge in some of the, I guess, what we like to call the have-nots, they don't have as many resources as some of the larger conglomerate type energy companies that we have in the sector.<br/><br/> <b>Ms. Ayhan Gucuyener:</b> Oh, maybe I can add something in terms of the compliance issues of the employees and the how the cybersecurity strategies cannot be backed or supported by the leadership in the company is because even though an organization might have the best monitoring devices or cyber threat intelligence technologies, implementing good cyber immunity depends really on the efforts and the compliance of the employees. And before coming to the podcast, I checked a recent survey, and it says that 58% of employers say that their greatest challenge in implementing the cyber security strategy was getting their employees to comply with their terms. So, I think this number is really alarming. It can really make all of the return cybersecurity plans, procedures, and standards less effective. So, as a solution, I think that maybe energy sector should really pay attention to guarantee the compliance of the stuff, and this can be guaranteed by gamification exercises, center-based exercises, or other types of innovative training programs. And, as another challenge, I think that senior management's role is really significant, and then I think that there should always be that open communication channel between the Chief Security Officer or Chief Information Security Officer, and then with the senior management, and then the executives should be trained on how they should react in terms of cyber risk, in terms of the media, communication and public relations because these are also important parts of a cyber breach in terms of recovery, in terms of resilience. I think these are the other major problems that we are facing in implementing strategies.<br/><br/> <b>Ms. Karen Evans:</b> Roland, she had a lot of really good points in there. Then maybe we should emphasize just a little bit more because you rolled through a whole lot of those, and I think, I mean, I think our panelists, and I know I wanted to say stuff, but I know our participants would really want to dive down in each and every one of those in order to get to a strategy and I think the big point here about when you are starting to do a strategy, and I am going to like toss it to Amanda here in a minute because I am part of the strategy is really like you don't want to test your plan when you are in the middle of a cyber breach. Like if you have a strategy going forward like exercise, exercise, exercise. Because then it is going to highlight gaps that you need to close. You can’t anticipate everything but a lot of the points that were just brought up is it is a very integrated team within a company, it is a very integrated team within the government. We always, in the federal government, call it a whole-of-government approach. So, it involves law enforcement, our leadership, our sector person, investigative CISA [DHS Cybersecurity and Infrastructure Security Agency]) to be able to communicate out to the rest of the sector. It is a very holistic approach in everything that was just rolled out there and the key to the success of that is making sure that you exercise. Amanda, I know you want to jump in on this for sure.<br/><br/> <b>Ms. Amanda Joyce:</b> No, definitely. I think practice makes perfect weather tabletop or actually running through like what would happen if we need to turn this off for whatever reason, and I think to your point on compliance and we can be compliant but that doesn't necessarily put us either in a good or a bad situation for a cyber security or information security best practice. It means we are compliant and means we are doing what is the minimum required level to meet a threshold that we are all being held up to a standard to, and the question in an exercise or strategy really is what can we do more? What can we do better? And the difference lies in that when as Karen said like putting all these people in the room together really puts you through a kind of the ringer of saying what are we missing? When you start bringing in besides people from that company, when you start bringing law enforcement, and when you start bringing people, and I will call the downstream dependency of yours when they start explaining to you how reliant they are on you for their energy. You start getting more light bulbs of this strategy needs to expand a lot more than just worrying about ourselves that we are making a bigger impact. So, a tabletop exercise turns into days and weeks of understanding, and then you get a whole community effort out of it.</td> </tr> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>18:16 – Future Challenges and Needs for Enhancing Cybersecurity</b></td> </tr> <tr> <td style="background-color:white;"> <b>Dr. Roland Varriale:</b> And I can't help but think of the two major events that have happened in the last year. One is a cyber event related to SolarWinds, which kind of proactive approach may have been a good measure for that in terms of cyber defense where it was a zero-day exploits, so none of the parties that had the software implemented were aware of the vulnerability and had time to patch. And then you have the colonial pipeline incident, which may have been more in terms of basic cybersecurity hygiene and doing a lot of the remediation that I know I am talked about previously. So, knowing this and that is kind of a current challenge and what the current climate is going to the future and pointing to the future. What do you see as some future challenges and needs for enhancing information security and cyber security icon?<br/><br/> <b>Ms. Ayhan Gucuyener:</b> Oh, Amanda and Karen already mentioned about the problems in operational technologies and industrial control systems, but I think that in the future. We will have some security, safety and environmental problems regarding the breach in the OT systems because we know that due to their economic and strategic importance, the energy sector is one of the most targeted sectors, and particularly nation-state actors come to forefront as a significant challenge and Shamoon attack, for example, in 2012, was a watershed moment. However, it didn't touch the OT systems; however, the black energy really opened the Pandora's box. I mean it shows how the vulnerability of the operational technologies can create for reaching results in the physical work, in the kinetic works. So, from my perspective, as I said in my first step, the problem is about the difference in the security designs of IT and OT systems. And then, these two systems are significantly different in terms of the operations of their mindset but one of the things that I should mention that, in the future, the breed in the OT systems should not be on the limited with blackouts or the interruption in the oil flows, etc. They can create some kind of safety problems. They can put humans at risk. For example, when we remember Triton malware. Triton malware was coded to disable a safety system in a petrochemical facility. So, this shows us that cyber breach in the OT system, in the worst-case scenario, could end up with release of toxic gases explosions, it can create environmental pollution and put people's lives and human safety at risk. And I think that Karen also mentioned it. The renewable distributed energy resources are introducing new vulnerabilities, and this is a real challenge for the future because since we are already struggling with transponder threats like pandemic, like cyber threat, that climate change is also a very significant issue for International Society. So as a part of the decarbonization action, energy industry is witnessing a paradigm shift in terms of the increased penetration of renewable. Overall, this is a very positive aspect, of course, for the climate change, but these renewable or distributed energy resources are introducing new vulnerabilities, and then, now we are facing with new challenges because at attacks surface is expanding and we are witnessing an increasing interconnectivity at all levels, and these kinds of systems are adopting new technologies with not known vulnerabilities. So, unlike the fossil fuel-based electricity generation, renewables are using the advanced digital solutions, for example digital sensors. So, for example, the solar plants are very important to be taken into consideration because they are using the Internet enables inverters. So, a hacker my just easily tapped into communications to change the grid voltage. So, as more we are using the solar and other types of distributed energy resources, I think that in the future we need to secure our energy transition. This is important and that is why we need to start to secure the individual digital components from individual digital components to protect our system.<br/><br/> <b>Ms. Karen Evans:</b> So, Roland, I have to jump in just a little bit here because you brought up SolarWinds and then you also bought up Colonial pipeline. And so, I had the wonderful opportunity of handling the response to SolarWinds because DHS was one of the nine departments that were affected by SolarWinds. Maybe I interpreted erroneously the implications of your statement but the case in the SolarWinds is, even though it was activated, no one would have ever been able to detect that, because that was a very sophisticated way of the way that the vulnerability actually was introduced to the system and what it did and this really gets to what was just previously said with all new types of components and capabilities and things that are coming in is really looking at how the operating system and what is the underlying pinning of what is happening there and then, how do you actually start trusting that. So, it is coming under the umbrella of supply chain risk management. But what SolarWinds actually did was abused the trust relationship. It doesn't matter that I had a great strategy, or that we had great people on board, that we had monitoring, and we had all these other capabilities, because the way that was launched was: it exploited a trust relationship and some of the underlying technologies that we used within our environment. Like some of it is still being investigated and then part of the other challenge of that was then once they were in. Because they exploited that relationship, there were certain things because of the sophistication of what they did that they were able to laterally move, which then was not detected by traditional types of capabilities that a company would have in place. In the case of colonial pipelines because I watched that hearing, we had a hearing with the CEO. I watched the hearing and what actually happened is something very basic which gets back to points that both the panelists have made, which is a lack of knowledge of my inventory because it was a legacy VPN capability and then basic upgrades that should have happened to that particular capability that was being used, because multi-factor authentication wasn't implemented, and so that was why the single password, it was complicated password, but the single password was able to be able to gain access and then it gets into when you look at this environment overall, how much interconnectivity do you do to the safety instrumented systems? Do you segment at all and start thinking? And this is to the higher-level strategy of having the right workforce that is properly trained so that they can really understand this of how do you do the strategy? And then how do you segment? For example, what I do with renewables versus what I am going to do with the traditional generation. How am I going to do the transition from coal fire plants to renewables? And how my integrating that in? And then you have to go to a level lower because you really have to understand where have these things been manufactured? And what is really happening with those operating systems before I just plug-and-play? I mean the simpler we make this for ourselves the simpler we make it for everybody else who wants to exploit it.<br/><br/> <b>Ms. Amanda Joyce:</b> And then I am going to jump in on another point that was made about the IT and OT education and I after agree that I think that is a future challenge and problem. I think a lot of our OT knowledge and expertise is sitting in typically a singular human being brain that has been working on that system for years, and as they reach their prime, they decide to retire to move on for the next journey in their life. We don't have the next person lined up because it doesn't always seem like the flashy job. It is not the big tech company that people seem to believe, and I think there does need to be some paradigm shift in the educational realm as well because it is not solely cybersecurity jobs. And there are not very many OT or operational technology degrees out there, and it is a lot of crossbreeding of cybersecurity or IT and some sort of engineering that people need to kind of understand of pollination and I think having more of that at an educational level earlier so people understand what it is and less on falling into it on accident. Or getting it and your final year of college or whatnot or dads, friends, brothers, sisters, work somewhere that you got an internship at or job opened up and that is kind of what you worked on. It is not flashy, we understand that, but I think when people start to realize how critical that job is, it starts to appeal to people more, and I think the problem is that it is kind of an uphill battle to get someone to understand just the OT side and how critical it is because it is very different from IT. It is just not worrying about an email server, not worrying about someone's files all day. If this machine goes down, you got someone's livelihood potentially at stake, so you kind of got to make really quick judgment decisions and less worried about, well, you can pick up the phone and call someone instead of sending them an email Amanda. Yes, I can but there is probably some manual ability for that to happen on a lot of our OT stuff. That manual level can only go so far with so many people. After a while, it is going to turn off and then what? So, I think there is a shift that is going to have to occur really in the educational side to just get more people aware and understood of what is needed.<br/><br/> <b>Dr. Roland Varriale:</b> And I think education is probably one of the many things that you have all discussed as kinds of siloed areas like public versus government versus private, the need for specialized workforce and education speaks to that supply chain problems, threat sharing.</td> </tr> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>33:46 – Importance of International Collaboration</b></td> </tr> <tr> <td style="background-color:white;"> <b>Dr. Roland Varriale:</b> Do you think international collaborations through organizations like the Organization for Security and Cooperation in Europe can better support information security and cyber security within the energy sector?<br/><br/> <b>Ms. Amanda Joyce:</b> I do think that they can help in the educational side. I think it is harder in general to have like a one size fits all. I know we all talk like we are missing this and then like to have someone say like, alright, I will solve that problem. It is really hard to do. Coming from Argonne, I have worked with Karen trying to even work on something in the Department of Energy. We have started to try to work on a workforce effort, but again, at the end of the day, you have to understand that it goes only so far because you only can do so much with what we have. But having a larger organization that can work internationally I think helps when you can all come to a respectable agreement and strategy on like we all know that this is needed. We are here as a partnership to build the next group of people that need to defend this, to strengthen our energy sector, and then, at the end of the day, kind of bringing our next folks through the door so that we are not working extra hard to try to mold someone into a job that it is not really what they are interested in versus having more of the line of people that are interested in that job, and you are finding your best of the best.<br/><br/> <b>Ms. Karen Evans:</b> So, I am going to jump in a little bit from an international perspective, and I think yes, organizations such as this can really be helpful because I am going to go back to some of this stuff that all of us were talking about dealing with your strategy and looking at your interdependence and looking outside of your organization. I think that we are coming together in an international forum is really important, but I think you can also then find out, for example, here the way that it works in the United States because our grid goes up into Canada. And so, we have huge interdependencies here in the United States. We actually run an international exercise and it is run by the NERC, which is the North American Electric Reliability Corporation, but when they run it, it is based on the rules and the regulations and those types of things that get enforced by our regulatory group, and then they run this and we had the opportunity to just run the exercise on a bunch of new authorities that Department of Energy happens to have gotten from legislatures that industry doesn't necessarily know how it translates. So, for example, the Secretary of Energy gets to declare an emergency, an energy emergency. So, what ends up happening in that particular case is the secretary can make a recommendation to the President of the United States and then take actions and direct the private entities, the private corporations to do certain things. Well, that's going to have huge international implications of the United States. Does something that we haven't communicated, or we have in a plan? Or that we have exercised somehow with Canada. Also, in my former role, when I worked previously in the government, I also worked at the White House. During the Bush administration, we used to have annual meetings internationally, both with Mexico and Canada, and specifically talked about our technology solutions as it related to the big policy decisions that our country presidents were making. Because regardless of what the programs are or how they want to implement certain outcomes for a country. It always comes down to you have to have the right technology, you have to be able to support what those solutions are and you have to keep the power on, you have to keep the lights on. I mean, that is really what it comes down to. And so, when you start looking at what is happening in Europe in the way that they work as a group there and also to the other panelists, the way that is going to work is through international organizations like this who anticipate in advance what is going to happen and then can exercise it.<br/><br/> <b>Ms. Ayhan Gucuyener:</b> Well, I will also jump in as we discussed this, cyber threats are transboundary. They are contagious and they can easily jump from one sector to another. So, dealing with cybersecurity crisis requires the international response, truly international response and there is also an urgent need for strong cooperation among States. I think in that way we must think and act in a global way. So, when I remember the WannaCry nightmare, it really affected hundreds of thousands of computers across the globe, which makes the international collaboration necessary. So, for the energy sector, as Karen discussed, the impact of cyber breach could be far-reaching. For example, when we consider the transponder pipelines or electrical transmission lines, we can say that a successful cyberattack can affect many countries and many actors at the same time simultaneously, so this could be a real problem not only for regional security and energy security. It can affect the supplier country, consumer, country. And in the fight against a cyber threat in International Society, we already have some kinds of initiatives. For example, about the global cyber norms, the United Nations (UN) for example, the United Nations Communications Group (UNCG) of governmental experts, they already reached a consensus on the 11 cyber norms about the responsible behavior, states responsible behavior in cyberspace. But the problem about the international collaboration and norms or rules is that they still do not have a force, or they do not have “teeth” to punish the non-state actor violence, which is very violent, which is very present in cyberspace. In terms of OSCE efforts, I think that they already saw the great effort in building the international collaboration for supporting the cybersecurity of the energy sector. And as far as I know, since 2016, the organization has been organizing tabletop exercises for capacity building, for encouraging discussion. I think that in the future maybe the organization can strengthen its role as a forum or as a hub to implement the dialogue among the participating States and then the organization can continue to disseminate the best practices among the participants and then publish some good practices, and handbooks, or manuals. This can be really vital work for the organization.</td> </tr> <tr> <td style="background-color:rgba(0,136,198,.30); vertical-align: middle; text-align:left;" colspan="1"><b>41:21 - Closing</b></td> </tr> <tr> <td style="background-color:white;"> <b>Dr. Roland Varriale:</b>Alright, I think that will conclude our recording for today, and I would like to thank all our panelists for this pretty well-detailed discussion on the current state of operational technology, security, critical infrastructure, and a viable path going forward. So, thank you all.<br/><br/>Thank you to our experts for sharing their perspectives about information security and cybersecurity. Find more information about these topics in the corresponding training module on the OSCE Virtual Centre for the protection of critical energy infrastructure. Watch other videos addressing key elements of risk analysis for critical infrastructure on the OSCE Virtual Centre for the protection of critical energy infrastructure.</td> </tr> </table> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@2ed2b170f9e14018ad3cc09fce3e3e74"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@2ed2b170f9e14018ad3cc09fce3e3e74" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <p><em><span style="color: #003478; text-decoration: underline !important; font-weight: bold !important;">Meet the experts:</span><span style=";color: #003478;"> Select each of the following accordions to find out more about our experts.</span></em></p> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@246cea34bffc4ed095cf7f6ee72824ec"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@246cea34bffc4ed095cf7f6ee72824ec" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new1" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Ms. Karen Evans</button> <div class="panel3"> <br/> <p><strong>Ms. Karen Evans</strong> is a Partner at KET Partners, LLC located in Martinsburg, West Virginia, United States. As a Senate confirmed, Presidentially Appointed executive, Ms. Evans served as the first Assistant Secretary for Cybersecurity, Energy Security and Emergency Response at the U.S. Department of Energy. An executive who served in three Presidential Appointed positions in two administrations, she possesses 30 years of executive-level management experience focused on cybersecurity, national security, technology innovation, service delivery and supply chain risk management.</p> <p><em><a href="https://www.linkedin.com/in/karensevans/" target="[object Object]">Click here for more information</a></em></p> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new1"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-5" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@46074421c1bf4937b248d67631736aad"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@46074421c1bf4937b248d67631736aad" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new2" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Ms. Ayhan Gucuyener</button> <div class="panel3"> <br/> <p><strong>Ms. Ayhan Gucuyener</strong> is a Project Specialist at Kadir Has University Cybersecurity and Critical Infrastructure Protection Center, Istanbul, Turkey. Ms. Gucuyener’s professional expertise includes project coordination, monitoring and management, research, strategy and policy development, international relations, strategic shareholder management, think tanks-NGO’s, and civil society.</p> <p><em><a href="https://www.linkedin.com/in/ayhan-gucuyener-157b0b44/" target="[object Object]">Click here for more information</a></em></p> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new2"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-6" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@66508a978d8548ccb28d9bfb6a72ada8"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@66508a978d8548ccb28d9bfb6a72ada8" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new3" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Ms. Amanda Joyce</button> <div class="panel3"> <br/> <p><strong>Ms. Amanda Joyce</strong> is the Cyber Security Group Lead and CyberForce Program Lead at Argonne National Laboratory, Lemont Illinois, United States. Mrs. Joyce provides expertise to DHS as an instructor of cybersecurity. She has lead and co-lead strategic studies on remote access within industrial control systems and cloud technology and conducts cybersecurity assessments and surveys for DHS with the intent to evaluate the cybersecurity posture of critical infrastructure.</p> <p><em><a href="https://www.linkedin.com/in/amanda-joyce-5ab917b8/" target="[object Object]">Click here for more information</a></em></p> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new3"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-7" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a1b8a50125ce4ad0a4fd9a4cd0f27d5b"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a1b8a50125ce4ad0a4fd9a4cd0f27d5b" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new4" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Dr. Roland Varriale</button> <div class="panel3"> <br/> <p><strong>Dr. Roland Varriale</strong> is a Cyber Security Analyst in the Strategic Security Sciences Division at Argonne National Laboratory, Lemont Illinois, United States. Dr. Varriale works closely with government agencies to ensure that emerging technologies are incorporated using sound, cyber security practices. His research focus lies within securing transportation related systems and its supporting infrastructure by leveraging information gleaned through open-source intelligence gathering, vulnerability analysis, and interactive system testing.</p> <p><em><a href="https://www.linkedin.com/in/roland-varriale-a74738b/" target="[object Object]">Click here for more information</a></em></p> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new4"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@06db64425b324216833085b20359db71" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@5e16e84835bf471bb714dc88fd15e5af"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@5e16e84835bf471bb714dc88fd15e5af" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Importance of Considering Cyber Threats and Cyber Risks</p> <p>The previous modules introduced the importance of considering cybersecurity threats and risks:</p> <ul> <li>In the first module, Dr. Elisabeth Pate-Cornell stressed out the importance but also difficulty to analyze and assess cybersecurity and cyber risk.</li> <li>In the second module, the description of various lifeline infrastructure networks illustrated the importance of cyber components, which are used by all infrastructure systems for communications, information technology (IT), operational technology (OT), and industrial control systems.</li> <li>In the third module, we saw that the transferts of information and data create cyber dependencies, which are increasingly interconnected with physical infrastructure components. Furthermore, in older comuting systems, IT and OT are not always segregated (or well integrated), which create additional vunerabilities.</li> </ul> <p>Increasing use of information technology to operate critical infrastructure systems create new vulnerabilities that must be addressed. The recent report from IBM ad the Ponemon institute shows that the cost of a data breach hits record high during the COVID-19 pandemic. The security study, based on in-depth analysis of real-world data breaches experienced by over 500 organizations, indicates that data breaches now cost surveyed companies $4.24 million per incident on average in 2021, the highest cost in the last 17-years <a href="https://www.ibm.com/security/data-breach" target="_blank">(IBM, 2021)</a>. The following figure shows the average total cost of data breach by industry.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/a5fe33c7e185265ad99dd2584d601225/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Data-Breach-Cost.jpg" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/a5fe33c7e185265ad99dd2584d601225/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Data-Breach-Cost.jpg" alt="Get Alt Text" /></a><br/> <span style="color: #003478;"><b>Average Total Cost of a Data Breach by Industry in US$ millions</b><a href="https://www.ibm.com/security/data-breach" target="[object Object]"> (IBM, 2021)</a></span></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p>The average total cost for healthcare increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Energy dropped from the second most costly industry to fifth place, decreasing in cost from $6.39 million in 2020 to $4.65 million in 2021 (27.2% decrease). Other industries that saw large cost increases included services (7.8% increase), communications (20.3% increase), consumer (42.9% increase), retail (62.7% increase), media (92.1% increase), hospitality (76.2% increase), and public sector (78.7% increase) <a href="https://www.ibm.com/security/data-breach" target="[object Object]"> (IBM, 2021)</a>.</p> <p>In addition to data breaches, cyberattacks on critical infrastructure increase by 41% in the first half of 2021 compared to the previous six months <a href="https://security.claroty.com/1H-vulnerability-report-2021" target="_blank">(Claroty, 2021)</a>. The figure below show the vulnerabilities of industrial control systems by levels of critical infrastructure operations (i.e., Purdue Enterprise Reference Architecture <a href="https://www.zscaler.com/resources/security-terms-glossary/what-is-purdue-model-ics-security" target="_blank">(ZSCALER, 2021)</a>).</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/9bd82f7069b9ffdb4093fdcf6913d119/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Cyber-Vunerabilities.jpg" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/9bd82f7069b9ffdb4093fdcf6913d119/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Cyber-Vunerabilities.jpg" alt="Get Alt Text" /></a><br/> <span style="color: #003478;"><b>ICS Cyber Vulnerabilities</b><a href="https://security.claroty.com/1H-vulnerability-report-2021" target="[object Object]"> (Claroty, 2021)</a></span></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p>Cyber attacks can be complex. They encompass unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems. In the current, connected digital landscape, cybercriminals use sophisticated tools to launch cyber attacks against enterprises. Their attack targets include personal computers, computer networks, IT infrastructure and IT systems. The IBM website provides additional information on the common types of cyber attacks (e.g., backdoor trojan, cross-site scripting attack, denial-of-service [DoS], DNS tunneling, malware, phishing, ransomware) <a href="https://www.ibm.com/topics/cyber-attack" target="_blank">(IBM, 2021)</a>. The figure below portrays the top cyberattacks on each industry type.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/1b30297cd013cb5a5d28e58a9e052c90/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Cyber-Attacks.jpg" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/1b30297cd013cb5a5d28e58a9e052c90/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Cyber-Attacks.jpg" alt="Get Alt Text" /></a><br/> <span style="color: #003478;"><b>Average Total Cost of a Data Breach by Industry in US$ millions</b><a href="https://www.ibm.com/security/data-breach/threat-intelligence" target="[object Object]"> (IBM, 2021)</a></span></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p style="font-size: 13pt !important; color: #003478;"><u><b>Cybersecurity Myths</b></u></p> <p>Several misconceptions exist about cybersecurity <a href="https://www.ibm.com/topics/cybersecurity" target="_blank">(IBM, 2021)</a>: <ul> <li><span style="color: #003478;">Cybercriminals are outsiders.</span> Cybersecurity breaches are often the result of insider threats.</li> <li><span style="color: #003478;">Risks are well-known.</span> Cyber risks are still expanding, with thousands of new vulnerabilities being reported.</li> <li><span style="color: #003478;">Attack vectors are contained.</span> Cybercriminals are finding new attack vectors all the time - including Linux systems, operational technology (OT), Internet of Things (IoT) devices, and cloud environments.</li> <li><span style="color: #003478;">My industry is safe.</span> Every industry has its share of cybersecurity risks, with cyber adversaries exploiting the necessities of communication networks within almost every government and private-sector organization.</li> </ul> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Cybersecurity 2021 Trends</p> <p>The annual Cost of a Data Breach Report, conducted by Ponemon Institute and sponsored and analyzed by IBM Security, identified the following trends amongst the organizations studied <a href="https://www.ibm.com/security/data-breach/threat-intelligence" target="_blank">(IBM, 2021)</a>: <ul> <li><span style="color: #003478;">Remote work impact:</span> The rapid shift to remote operations during the pandemic appears to have led to more expensive data breaches. Breaches cost over $1 million more on average when remote work was indicated as a factor in the event, compared to those in this group without this factor.</li> <li><span style="color: #003478;">Healthcare breach costs surged:</span> Industries that faced huge operational changes during the pandemic (healthcare, retail, hospitality, and consumer manufacturing/distribution) also experienced a substantial increase in data breach costs year over year.</li> <li><span style="color: #003478;">Compromised credentials led to compromised data:</span> Stolen user credentials were the most common root cause of breaches in the study. At the same time, customer personal data (such as name, email, password) was the most common type of information exposed in data breaches – with 44% of breaches including this type of data.</li> <li><span style="color: #003478;">Modern approaches reduced costs:</span> The adoption of AI, security analytics, and encryption were the top three mitigating factors shown to reduce the cost of a breach, saving companies between $1.25 million and $1.49 million compared to those who did not have significant usage of these tools. For cloud-based data breaches studied, organizations that had implemented a hybrid cloud approach had lower data breach costs ($3.61m) than those who had a primarily public cloud ($4.80m) or primarily private cloud approach ($4.55m).</li> <li><span style="color: #003478;">Vulnerabilities surpass phishing as most common infection vector:</span> The most successful way victim environments were accessed last year was scanning and exploiting for vulnerabilities (35%), surpassing phishing (31%) for the first time in years.</li> <li><span style="color: #003478;">Europe felt the brunt of 2020 attacks:</span> Accounting for 31% of attacks X-Force responded to in 2020, per the report, Europe experienced more attacks than any other region, with ransomware rising as the top culprit. In addition, Europe saw more insider threat attacks than any other region, seeing twice as many such attacks as North America and Asia combined.</li> </ul> <p>The figure below shows the upward trend of new vulnerabilities identified on a yearly basis.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/d37b740400faa89224d3ce8e526e2049/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_New-Vulnerabilities.jpeg" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/d37b740400faa89224d3ce8e526e2049/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_New-Vulnerabilities.jpeg" alt="Get Alt Text" /></a><br/> <span style="color: #003478;"><b>ICS Cyber Vulnerabilities</b><a href="https://securityintelligence.com/posts/top-10-cybersecurity-vulnerabilities-2020/" target="[object Object]"> (IBM, 2020)</a></span></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p> Cyber threats and cyber vulnerabilities can be reduced by implementing information secuity processes and cyber risk management. The following sections present the basic concepts of information security and risk management.</p> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@ec0284b4613d4dd795347fa5a27973d6" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@366e05c6880a4c1589be5deda1d5e4cb"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@366e05c6880a4c1589be5deda1d5e4cb" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Goals of an Information Security Program</p> <p>An information security program seeks to evaluate different risks to information systems and are used to evaluate system performance based on three foundational concepts presented below.</p> <table> <tr> <td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2"><b>Foundational Concepts of Information Security </b></td> </tr> <tr> <td style="border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;" rowspan="4"><img src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/f26c60d5c89d841a182e94eedb95bebd/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Information-Security-Goals.jpg" alt="Get Alt Text" /></td> </tr> <tr> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px;"><b><u>Integrity</u></b><br/>Integrity characterizes the protection of system information or processes from intentional or accidental modification. Integrity focuses on the message contents and is prone to attacks such as tampering or hash collisions which may subvert common measures to check message contents like hashing.</td> </tr> <tr> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px;"><b><u>Confidentiality</u></b><br/>Confidentiality prevents the disclosure of sensitive information from unauthorized people, resources, and processes. Confidentiality focuses on protecting message contents from unwanted viewing and is often preserved by using encryption.</td> </tr> <tr> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px;"><b><u>Availability</u></b><br/>Availability characterizes the passurance that systems and data are accessible by authorized users when needed. Common attacks against availability include techniques trying to deplete or eliminate system resources, such as Denial of Service (DoS), Distributed Denial of Service (DDoS), or amplification attacks.</td> </tr> </table> <p>Some of these attacks and techniques may not be common knowledge and are provided for additional context or further research. None of the listed techniques are typically advanced; however, their names may commonly be associated with these different information security concepts.</p> <p style="font-size: 13pt !important; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Information Security Model</p> <p>Information Security Model typically includes information security properties, infornation states, and security measures. The interplay between these three elements can be presented as a cube, known as the McCumber Cube. This model makes viewing the intersection between these three main concepts more obvious. The figure below shows a representation of the McCumber Cube.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/911cd34e048d7d08b0c9da15cc6b3364/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_McCumber-Cubev2.jpg" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/911cd34e048d7d08b0c9da15cc6b3364/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_McCumber-Cubev2.jpg" alt="Get Alt Text" /></a><br/> <span style="color: #003478;"><b>McCumber Cube</b><a href="http://www.sis.pitt.edu/jjoshi/courses/IS2150/Fall11/nstissi_4011.pdf" target="[object Object]"> (NSTISS, 1994)</a></span></center></p> <p style="color: #003478;">Click on the figure to enlarge it.</p> <p style="color: #003478;">Expand the accordions below for more information on the components of the McCumber Cube.</p> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@8ca4a8d9d48a498dbef8405796a63215"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@8ca4a8d9d48a498dbef8405796a63215" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Information Security Properties</button> <div class="panel"> <div> <p><center><img style="width: 35%;" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/d11848121188a9b802bc7fdffcbf8644/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Information-Security-Properties.jpg" alt = "Get Alt Text"/><br/> <b><span style="color: #003478;">Information Security Properties</span></b></center></p> <p>Information security properties consider the three characteristics of information security (i.e., <b>confidentiality, integrity, and availability</b>). These provide one of the three facets of the McCumber cube and allow to evaluate a security posture by including heuristics for their comparison.<br/><br/> Remember that confidentiality protects the data from unwanted access; Integrity preserves message contents all the way from sender to receiver; and availability ensures necessary system resources are accessible when needed.</p> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@fcea044312b141e8a54f8bb865841bc2"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@fcea044312b141e8a54f8bb865841bc2" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new1" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Information States</button> <div class="panel1"> <div> <p><center><img style="width: 40%;" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/44d635aad6c16f2cc7f2440c3c45ca49/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Information-States.jpg" alt = "Get Alt Text"/><br/> <b><span style="color: #003478;">Information States</span></b></center></p> <p>The second facet of the McCumber Cube represents the three information states: processing, storage, and transmission. These three information states can also be described as data in process, data at rest, and data in motion.<br/><br/><b> Data in process (processing)</b> includes information that is currently being processed by a system such as loaded into RAM. Although that portion of the stat state may be short-lived, the ability of RAM to retain data until overwritten or power loss makes it a target for memory scraping attacks.<br/><br/> <b>Data at rest (storage)</b> pertains to data stored on a hard disk or solid state drive. Once written to storage, the data persists until overwritten.<br/><br/> <b>Data in transit (transmission)</b> refers to information being sent over a medium. When communicating across networks this information is typically encrypted before being sent over the public Internet in an attempt to safeguard it from espionage.</p> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new1"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@7049a7d0088d4b1287fcf6ae2ce79b77"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@7049a7d0088d4b1287fcf6ae2ce79b77" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new2" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Security Measures</button> <div class="panel2"> <div> <p><center><img style="width: 50%;" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/2251482517d9d4fd9f748c147b79490e/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Security-Measures.jpg" alt = "Get Alt Text"/><br/> <b><span style="color: #003478;">Security Measures</span></b></center></p> <p>The third facet of the McCumber Cube represents the three main types of security measures, which provide concrete ways of safeguarding the confidentiality, integrity, and availability of data across its three modalities (i.e., data in process, data at rest, and data in motion).<br/><br/><b> Policies and procedures</b> refer to organization-based rules and guidance that dictate how data is labeled, used, and protected.<br/><br/> <b>Technology</b> may include techniques, such as encryption, or software that assists in safeguarding data or data loss, such as a data loss prevention (DLP) device. DLP devices can search for anomalies in data transmission or words and phrases to identify potential loss of sensitive information.<br/><br/> Finally, <b>education, training, and awareness</b> provides security guidance and context for personnel that may be responsible for data during any part of its lifecycle.</p> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new2"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@85d900851f84423ba366d2f2ef396b52"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@85d900851f84423ba366d2f2ef396b52" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; font-weight: bold !important; text-decoration: underline !important;">Conclusion</p> <p>Combining the nine concepts presented above, information security properties (i.e., confidentiality, integrity, and availability), information states (i.e., processing, storage, and transmission), and security measures (i.e., policy and procedures, technology, and education, training, and awareness), presented above, allows to completely assembled the McCumber cube.</p> <p><center><img style="width: 55%;" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/648acf698835c86efa448945309872d6/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_McCumber-Cubev3.jpg" alt = "Get Alt Text"/><br/> <b><span style="color: #003478;">Information Security Model</span></b></center></p> <p>This succinctly shows the interplay between the different concepts of information security. Remember that a successful information security program incorporates security measures across the data states to maintain good information security properties.</p> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@3a337922e93d4efc8c7bb46139c0beda" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@2ab6bfa921ca4ee6974bb147f543331a"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@2ab6bfa921ca4ee6974bb147f543331a" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478;"><u><b>Types of Cyberattacks</b></u></p> <p>The types of cyberattacks are linked to the types of attackers presented in the Skills Pyramid in the previous section on Risk Management Model. There are three main types of attacks presented in the table below.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Types of Cyberattacks</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Accidental</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Accidental attackers are typically completely unaware of their effects on a system and interrupt systems purely due to error. This can be as innocuous as kicking a power plug out of a socket by accident or turning off a computer performing a critical system function.<br/><br/><b><u>Example of accidental attacks:</u></b><br/> <ul> <li>Denial of Service by continual inadvertent pinging of a server.</li> </ul></td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Opportunistic</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Opportunistic attacks are perpetrated by attackers who have limited knowledge of a system and try to gain access or profit through correlation with metadata from a tool or technique. For example, a vulnerability may be released which affect Microsoft Remote Desktop. An opportunistic attack might entail scanning the Internet for IP addresses with that port open and using a small piece of code to interact with the vulnerability in an attempt to exploit it.<br/><br/><b><u>Examples of opportunistic attacks:</u></b><br/> <ul> <li>New vulnerability discovered (zero day). Attacker scans the entire internet looking for targets. Doesn’t care who is compromised.</li> <li>Phishing scams send email to millions of people. Anyone with money is a viable target.</li> </ul></td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Targeted</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Targeted attacks are much more serious and leverage sophisticated attacks and tools in an attempt to gain access to a specific system or privileged information. These campaigns may take significant amounts of time and result in large losses. <br/><br/><b><u>Example of targeted attacks:</u></b><br/> <ul> <li>Attacker will spend months of even years testing a large variety of attack techniques until compromise is successful.</li> </ul></td> </tr> </table> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@d212a844b70245e6a6066e2146e047b1"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@d212a844b70245e6a6066e2146e047b1" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>The term of cybercrime is often used in the political and judicial fields but is there a difference between a cyberattack and a cybercrime?</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Cybercrime vs Cyberattack</p> <p>There is no international definition of cybercrime nor of cyberattack. Broadly, <span style="color: #003478; font-style: italic !important; font-weight: bold !important; ">a cybercrime can be described as having cyber-dependent offences, cyber-enabled offences and, as a specific crime-type, online child sexual exploitation and abuse</span>.<a href="https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html" target="[object Object]"> (UNODC, 2021)</a></p> <ul> <li>Cyber-dependent crime requires an information and communications technology (ICT) infrastructure and is often typified as the creation, dissemination and deployment of malware, ransomware, attacks on critical national infrastructure (e.g. the cyber-takeover of a power-plant by an organised crime group) and taking a website offline by overloading it with data (a DDOS attack).</li> <li>Cyber-enabled crime is that which can occur in the offline world but can also be facilitated by ICT. This typically includes online frauds, purchases of drugs online and online money laundering.</li> <li>Child Sexual Exploitation and Abuse includes abuse on the clear internet, darknet forums and, increasingly, the exploitation of self-created imagery via extortion - known as "sextortion".</li> </ul> <p>A cyberattack mainly corresponds to the first two types of cybercrime listed above and involves illegal activities, by a hacker, who exploits the vulnerabilities of computer systems or components. A computer hacker is a person who uses a computer system for purposes other than those intended. However, cyber disruptions can also occur without a malicious intent (i.e., an accidental attack).</p> </div> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c66c393349094d68984a6219d1e1df1b"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c66c393349094d68984a6219d1e1df1b" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; text-decoration: underline !important; font-weight: bold !important; color: #003478;">Anatomy of a Cyberattack</p> <p>The anatomy of a cyberattack can be represented as an attack chain, also known as the cyber kill chain <a href="https://www.unodc.org/unodc/en/cybercrime/global-programme-cybercrime.html" target="[object Object]"> (Lockheed Martin, 2021)</a>. The figure below shows the five main stages characterizing an attacker’s methodology.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/478a9bae4d9961a206a337816cbbf6d6/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Anatomy-Cyberattack.jpg" target="_blank"><img width="60%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/478a9bae4d9961a206a337816cbbf6d6/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Anatomy-Cyberattack.jpg" alt = "Get Alt Text"/></a> <span style="color: #003478;"><br/> <b>Anatomy of A Cyberattack</b></span></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p>The stages depicted in this flow chart loosely define how an attacker would interact with a system. The flow is depicted as linear; however, in reality an attacker may need to revisit specific parts of the attack in order to progress through this attack flow. For example, after gaining access to a system (Infiltration) oftentimes additional reconnaissance must be performed in order to identify additional resources or data that may be available to the attacker.</p> <p style="color: #003478;">Expand the accordions below for more information on the five stages of a cyberattack.</p> </div> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@09e3ead3b5054d809296944ba133e1dc"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@09e3ead3b5054d809296944ba133e1dc" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Reconnaissance</button> <div class="panel"> <p></p> <div> <p>Common reconnaissance techniques involve both active and passive scanning and analysis of systems. In addition to the methods listed on this slide, so-called open-source intelligence (OSINT) analysis can add context and detail through search engine usage or data aggregators like Shodan <a href="https://www.shodan.io" target="[object Object]"> (Shodan, 2021)</a> or Censys <a href="https://censys.io" target="[object Object]"> (Censys, 2021)</a>. Additionally, reconnaissance may include looking for commonly used technologies within a system by looking at employee LinkedIn information, searching for keywords or file extensions, and looking at historic website data through the Wayback Machine <a href="https://archive.org/web/" target="[object Object]"> (Wayback Machine, 2021)</a>. A target is chosen and researched for weaknesses and the reconnaissance stage varies in lengths of time from minutes to years dependent on the target.<br/><br/>The purpose of this stage is to gather as much information as possible regarding how the system is organized, any misconfigurations or vulnerabilities that may exist, and creating an inventory of deployed services. This sets the stage for later techniques and facilitates later functions, like lateral movement/pivoting, by identifying different hosts and services that may be useful.</p> <p><u>Examples of reconnaissance include:</u></p> <ul> <li>Unauthorized discovery and mapping of systems, services, or vulnerabilities.</li> <li>Ping sweep of target network.</li> <li>Determine services and ports that are active</li> <li>Query ports and services for types and versioning of applications</li> </ul> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@054ba67d0fb6406d9a8bf07c00980903"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@054ba67d0fb6406d9a8bf07c00980903" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new1" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Infiltration</button> <div class="panel1"> <p></p> <div> <p>The infiltration stage provides an initial access point to a system. If vulnerabilities were identified during the reconnaissance phase then perhaps those could be leveraged to gain access. Other common methods for gaining initial access are through phishing (spear-phishing, vishing, whaling), providing malware to a network member (dropping USB keys with malicious software or plugging a malicious USB key into a computer USB port), or physical plugging into a network (RJ45) port. Successful attack creates an initial breach point.<br/><br/>The infiltration stage may occur more than once depending on later stages of the attack. For example, the initial access may occur through an unprivileged user. If the attacker cannot find a way to expand the privilege of that account through escalation/elevation of privilege, then a different entry point may prove beneficial. This is when returning to reconnaissance may prove useful to identify additional users who may have privileged accounts in the system, such as executives or IT administrators.</p> <p><u>Examples of infiltration include:</u></p> <ul> <li>Injection proxy.</li> <li>Spear phishing.</li> <li>Surreptitious entry.</li> <li>Sniffer.</li> <li>USB Key.</li> <li>Wireless infiltration.</li> </ul> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new1"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-5" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@731df330e03a4bd09ae665cf61de96f0"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@731df330e03a4bd09ae665cf61de96f0" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new2" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Propagation / Pivoting</button> <div class="panel2"> <p></p> <div> <p>Once access to a system is gained, an attacker usually surveys the network and identifies additional devices, or hosts, that may provide a better vantage point. Many times, the attacker tries to gain access to a Windows network’s domain controller in an attempt to gain administrator-level access to all devices and resources on that network. Once attackers gain access, they move to targeting more systems.<br/><br/>A different type of pivoting is to leverage new network access to craft phishing emails or attempt other attacks from within the company. This may result in additional levels or types of access based on the exploited personnel.</p> <p><u>Examples of propagation include:</u></p> <ul> <li>Attacker may have access to an email of user but try to get the administrator to click a follow-on email link.</li> <li>Attacker may begin to sniff additional network locations with the stolen credentials.</li> </ul> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new2"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-6" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b9a1e4de1539426292713838486cf5fa"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b9a1e4de1539426292713838486cf5fa" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new3" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Capture</button> <div class="panel3"> <p></p> <div> <p>Once an attacker has identified high-value assets they will likely record them for transfer off of the current system. This may include using am off-site staging server to store the information for retrieval or exfiltration of data. In the capture stage, sensitive data is identified, acquired, and amassed.<br/><br/>Identifying what files or assets are valuable may prove to be quite a challenge and can require revisiting several steps in the attack process in order to access more devices or achieve additional privileges.</p> <p><u>Examples of capture include:</u></p> <ul> <li>Trade Secret File copied.</li> <li>Financial documents deleted.</li> <li>Personally Identifiable Information (PII) stolen.</li> </ul> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new3"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-7" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@0419546174a64ba190e2d79803e2d08e"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@0419546174a64ba190e2d79803e2d08e" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new4" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Exfiltration</button> <div class="panel4"> <p></p> <div> <p>Typically, exfiltration occurs either over a network or by copying data to physical media and removing from the premises. These two actions can trigger logging events and warnings when IT systems are configured properly to look for large movement of data, or movement of data with sensitive keywords or phrases. During the exfiltration stage, data is moved to the attacker’s external system.<br/><br/>Exfiltration may also be thwarted by configuring outbound firewall rules to limit data egress since some attackers use non-standard protocols to disguise their intentions.</p> <p><u>Example of exfiltration includes:</u></p> <ul> <li>The data is copied over to the attacker’s personal system. The information within the original database can seem untouched or can be deleted.</li> </ul> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new4"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-8" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@f026a7a14402490687fbbd9e0733cd5a"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@f026a7a14402490687fbbd9e0733cd5a" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Additional Considerations</p> <p>In addition to normal concerns of disruption to operational conditions, businesses have additional considerations that may manifest over time as a result of a successful cyberattack or data breach. Data breach disclosure and protection remains a dynamic topic within incident response and many governmental agencies have guidance and action plans based on the latest accepted procedures. An often overlooked portion of the cyberattack aftermath is understanding the original breach and its indicators of compromise. Proper auditing and analysis can yield a comprehensive look at how an attacker interacted with a system. However, more sophisticated actors may leverage less known or unknown vulnerabilities, such as so-called 0-day vulnerabilities, in an attempt to circumvent logging and auditing rules for known vulnerabilities. This may result in a partial or incomplete cleanup of the environment and may leave remnants of the attacker’s foothold. Larger corporations may require holding currency in reserve, which may include cryptocurrency, in the unfortunate event of a ransomware attack. Cyber insurance can offer risk transference but requires the organization practice due diligence in the application and execution of security measures in order to successfully claim against a cyberattack.</p> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@c6313216a2264b0e88774c8b2601b94a" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c854a3536d0e40849978bad496a4f97d"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c854a3536d0e40849978bad496a4f97d" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>A cyber risk is a <i>risk of financial loss, operational disruption, or damage, from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.</i> <a href="https://csrc.nist.gov/glossary/term/cyber_risk" target="[object Object]"> (NIST, 2021)</a> A cyber risk is therefore the result of a cyberattack or an unintentional cyber incident.<p> <p><center><img width="30%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/7bbe2f401513af4efcf344dd35fe7261/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_CyberTVC.jpg" alt="Get Alt Text"/><br/> <span style="color: #003478; font-weight: bold !important;">Cyber Risk Components</span></center></p> <p>The calculation of a cyber risk generally uses <span style="color: #003478; font-weight: bold !important;">a combination of threat, vulnerability, and consequence</span> to produce a measure that may be used comparatively. A cyber risk therefore represents the likelihood that a threat will exploit a vulnerability:</p> <ul> <li>A threat represents a potential danger;</li> <li>A vulnerability represents a system vulnerability; and</li> <li>A consequence represents a potential loss.</li> </ul> <p>Cyber risk management processes and strategies are similar to the general risk management processes presented in the first module on Introduction to Risk Analysis. Risk analysis and assessment generally falls into two categories, qualitative and quantitative. Cyber risk analysis and assessment generally fall under the qualitative branch of risk analysis despite assigning numeric values to threats, vulnerabilities, and consequences.</p> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@3936eba09d0046cb924e33021481631f"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@3936eba09d0046cb924e33021481631f" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Cyber Threats</p> <p>In addition to the elements characterizing cyberattacks, which are presented in the previous section, the MITRE Attack Framework provides a comprehensive data source for understanding attacker threats and techniques<a href="https://attack.mitre.org" target="[object Object]"> (MITRE, 2021).</a></p> <p><center><a href="https://attack.mitre.org" target="_blank"><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/ac24cd0d5f7d827517ebae4199eeb319/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_MITRE.jpg" alt = "Get Alt Text"/></a> <span style="color: #003478; font-weight: bold !important;"><br/>MITRE Attack Framework</span></center></p> <p style="color: #003478;"> Click on the figure to access the MITRE Framework.</p> <p>Within each entry in the framework there are related attacks and known threat groups that utilize each technique as well as examples. There are now several versions of this framework that include enterprise, mobile, and industrial control systems. This resource may be overwhelming at first, but it should not be used as a casual reference site. Its robustness provides encyclopedic information pertaining to an abundance of different techniques and attacks.</p> </div> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@29718026727c4df0bc2e7854767bafe5"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@29718026727c4df0bc2e7854767bafe5" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Cyber Vulnerabilities</p> <p>Cyber vulnerabilities relate to OT and IT operations, management flaws. They correspond to the weaknesses of the system's information security posture (i.e., Information security properties - confidentiality, integrity, and availability). Additional information on cyber vulnerabilities is presented in the previous sections on <b>Information Security Concepts</b> and <b>Anatomy of an Attack</b>.</p> </div> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c1e960a48c164012a36f4d148ca0cf91"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@c1e960a48c164012a36f4d148ca0cf91" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Cyber Consequences</p> <p>The last part of the risk calculation is the characterization of consequences, or impacts. This stems from an understanding of how the overall system works and what may be affected through disruption or compromise of one or more components. Quantitative risk analysis components such as single loss expectancy (how much an individual event might cost) and annual rate of occurrence (how often the event happens annually) can provide monetary basis for making these judgements. For example, if you calculate that you might fall victim to a ransomware attack on average once every five years, and it will cost $500,000 to recover from then you can easily compare that cost against a ransom or cyber insurance policy. So, the single loss expectancy is 500,000 and the annual rate of occurrence is 0.2 which yields $100,000 annual loss expectancy. So, from a purely quantitative standpoint, any risk decision such as transference, would need to cost less than $100,000 a year. This does not take into account any ancillary costs such as reputation.</p> <p>The consequences of a cybersecurity breach fall into five main categories <a href="https://www.sungardas.com/en-us/blog/the-consequences-of-a-cyber-security-breach/" target="[object Object]"> (Sungard Availability Services, 2021):</a></p> <ul> <li>Theft - theft of financial, personal, and business sensitive data.</li> <li>Financial losses - Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015<a href="https://cybersecurityventures.com/annual-cybercrime-report-2019/" target="[object Object]"> (Cybersecurity Ventures, 2019).</a></li> <li>Reputational damages - A data breach can pose a damage to a critical infrastructure's reputation and revenue, and it can take years to recover from the reputational damage. </li> <li>Fines - Regulators can impose fines to organizations that don’t properly protect consumer data. For example, The EU General Data Protection Regulation (GDPR) can impose fines up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher for more serious infringements to the right to privacy and the right to be forgotten<a href="https://gdpr.eu/fines/" target="[object Object]"> (GDPR, 2021).</a></li> <li>Below-the-surface costs - In addition to the economic costs of incident response, more intangible costs like the impact of operational disruption generally tends to be underestimated.</li> </ul> </div> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@f7f63a7091a3414087fed236265d1119"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@f7f63a7091a3414087fed236265d1119" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>Risk management is the practice of itemizing and assessing risks within an environment by identifying, monitoring, and limiting risks to a manageable level. Risk management cannot eliminate all risks but aims to reduce residual risks (i.e., amount of risks that remains after the risk management process) to acceptable levels ("as low as reasonably practicable" [ALARP]).</p> <p>The following section on the <b><span style="color: #003478;">Risk Management Model</span></b> provides more details on the cyber risk management process.</p> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@0b24676aca5e401c9e57e206c5ff3d13" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@32e0028c04214c25b37bfbf0b4a31d4b"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@32e0028c04214c25b37bfbf0b4a31d4b" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>A basic cyber risk management model is organized in five steps presented in the figure below.</p> <p><center><img width="50%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/33bcf324089ad1262d6d5a6736eb38bc/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Cyber-Risk-Management.jpg" alt="Get Alt Text"/><br/> <span style="color: #003478; font-weight: bold !important;">Cyber Risk Management Model</span></center></p> <p style="color: #003478;">Click on the figure to enlarge it.</p> <p>The steps are sequential and purposeful in order to first understand the operational environment before providing general guidance and then more fine-grained guidance for risk decisions. Often, this process turns into a more iterative process where some areas might reveal.</p> <p style="color: #003478;">Expand the accordions below for more information on the five steps of the cyber risk management model.</p> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b2c70c17df7449128ff68a5c4a21bd2a"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b2c70c17df7449128ff68a5c4a21bd2a" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Step 1 - Asset Identification</button> <div class="panel"><br/> <div> <p>Asset Identification is the most basic, but also a very difficult, task of risk management. This step requires in-depth understanding of the different components of the system being analyzed and may require input from many different stakeholders depending on the size of the organization. This may also include understanding partnerships and procurements that may interact with the OT or IT system as well as points of data ingress and egress.<br/><br/> The first order of business in this step is usually to understand business operations and people by identifying, categorizing, and prioritizing the various elements that make up the system:</p> <ul> <li>Inventory</li> <li>Buildings</li> <li>Cash</li> <li>Information and data</li> <li>Hardware</li> <li>Software</li> <li>Services</li> <li>Documents</li> <li>Personnel</li> <li>Brand recognition</li> <li>Organization reputation</li> <li>Goodwill</li> </ul> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a57895530aaa4e0b98a54bb151086b43"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@a57895530aaa4e0b98a54bb151086b43" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new2" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none; ">Step 2 - Threat Assessment</button> <div class="panel2"><br/> <div> <p>The second step of cyber risk management aims to identify the likelihood of occurrence of possible threats and vulnerabilities:</p> <ul> <li>Terrorism</li> <li>Errors</li> <li>Malicious damage or attacks</li> <li>Fraud</li> <li>Theft</li> <li>Equipment/software failure</li> <li>Unprotected facilities/computer systems/data</li> <li>Insufficient procedures and controls</li> </ul> <p>Although threat assessment primarily focuses on humans as the threat within the context of risk, threat assessment must also consider many other hazards which may endanger standard business operations. These hazards range from natural disasters to unintentional human hazards like the loss of key personnel.</p> <p>Analyzing and assessing a cyber threat require to understand and characterize the factors defining a cyber attack. They primarily relate on the characterization of an attacker based on several criteria like their intent (e.g., white vs gray vs black hats), types, motivations, and skills. <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">White vs Gray vs Black Hat</p> <p>From a cybersecurity perspective, cyber analysts look at a gradient of white to black to identify the intention of attackers. Many analyses may only care about black hat attackers, but it is useful to understand where they fall in context and how they differ from other types of ”hats”. The table below presents the differences between white, gray, and black hats.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2"> Differences between each type of "hats"</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>White Hat</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Typically white hats are people that are hired to perform security analysis as part of penetration testing, red teams, or as a part of an in-house security team. They have a well-documented purpose and a scope that includes what they can and cannot do.<br/><br/> <u>Example:</u> a person who breaks into a computer network in order to test or evaluate its security systems.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Gray Hat</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Grey hats typically observe security vulnerabilities in the wild on systems that they do not have permission to access; however, they follow ethical guidelines and responsible disclosure statutes in order to ensure that vulnerabilities are not shared in a manner hurtful to the business.<br/><br/><u>Example:</u> computer attacker or computer security expert whose ethical standards fall somewhere between purely altruistic and purely malicious.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Black Hat</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Black hats do not follow or care for rules or governance. They willingly shirk laws in order to perform attacks against systems they do not have permission to access. Their actions are typically for personal or collective benefit.<br/><br/><u>Example:</u> a person who breaks into a computer network with malicious or criminal intent.</td> </tr> </table> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight:bold !important;">Types of Attackers</p> <p>There are three main types of attackers presented in the table below. <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2"> Characteristics of the Types of Attackers</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Insider Attackers</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; "> <ul> <li>They are already authorized to use the network</li> <li>They are often underestimated and overlooked</li> <li>Disgruntled employees pose the greatest risk</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Outsider Attackers</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">An outsider attacker is someone who does not have authority to use the network.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Red Team Attacker</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Ared team attacker is an outsider that has the authority to attack a network by the organization for testing purposes.<br/><br/>The red team attacker is a hired attacker to try and subvert systems like a black hat would. These personnel can assist in identifying or verifying risks on a system and can emulate the previous two types of attackers in an attempt to enumerate weaknesses or vulnerabilities within a system. A Red Team attack is typically done in coordination with a Blue Team who defends the system.</td> </tr> </table> <p>The first two categories (i.e., insider and outsider attackers) fall under the black hat label whereas the last category corresponds to the white hat label. The difference between the first two categories compared to the last is that they pose risk to the organization and should be accounted for within risk modeling and a risk register.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight:bold !important;">Motivations of Attackers</p> <p>The typical motivation of attackers is economic prosperity or gain of power, but several other motivations exist. The table below presents examples of attackers' motivations.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2"> Motivations of Attackers</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Deliberate</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; "><p>There are three main deliberate motivations:</p> <ul> <li style="color: #003478; font-weight: bold !important;">Political</li> <ul> <li style="margin-left:20px;" type="circle">Destroying</li> <li style="margin-left:20px;" type="circle">Disrupting</li> <li style="margin-left:20px;" type="circle">Espionage</li> </ul> <li style="color: #003478; font-weight: bold !important;">Economic</li> <ul> <li style="margin-left:20px;" type="circle">Theft</li> <li style="margin-left:20px;" type="circle">Fraud</li> <li style="margin-left:20px;" type="circle">Blackmail</li> </ul> <li style="color: #003478; font-weight: bold !important;">Socio-Cultural</li> <ul> <li style="margin-left:20px;" type="circle">Philosophical</li> <li style="margin-left:20px;" type="circle">Humanitarian</li> </ul> </ul> <p>The rise of the Anonymous group also brought “hacktism” (i.e., a portmanteau of hacking and activism) to main news cycles and expanded the view of why some groups were motivated to do what they do. The prevalence of nation-state actors closely tied to political motivations also emerge to sway public opinion, gain access to privileged information, or participate in (dis)information warfare.</p> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Accidental</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; "><p>Accidental “attackers” cover employees who may push changes to production environments without testing code thoroughly or changes to physical infrastructure that may result in resource down time (like inadvertently removing a necessary power plug from an outlet). Accidental motivations cover two main elements:</p> <ul> <li style="color: #003478; font-weight: bold !important;">Idnavertent</li> <ul> <li style="margin-left:20px;" type="circle">Accident or unintentional attack (i.e., Human Error).</li> </ul> <li style="color: #003478; font-weight: bold !important;">Inaction</li> <ul> <li style="margin-left:20px;" type="circle">An action isn’t done as promised. When corruption isn’t uncovered, an attacker may decide to leak information on their own.</li> </ul> </ul> </td></tr> </table> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Skills Pyramid</p> <p>This pyramid depicts an approximate relationship between the number of people at each skill level.</p> <p><center><img width="40%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/7bf40b3b7e40055b9e2927c3353d261d/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Skills-Pyramid.jpg" alt="Get Alt Text"/><br/><span style="color: #003478; font-weight: bold !important;"> Skills Pyramid</span></center></p> <p>The base of the pyramid, which comprises the largest number of people, represents <b>unskilled attackers</b> who may simply rely on other people’s handiwork or exploit scripts.</p> <p>The next largest tier also represents <b> unskilled attackers with applied knowledge and skills</b>. Although they may not have an intimate knowledge of the toolsets, they understand the different components of an attack methodology and how to leverage tools to achieve their means. This may include modifying some of the data provided to the tools or using tools in different ways than they were designed.</p> <p>The second smallest tier represents <b>semi-skilled attackers</b> who may be able to craft tools from the work of others or combine tools in unique ways in order to execute an attack on a system. This may also include people that modify or write code based on existing techniques in new or novel ways.</p> <p>Finally, the top tier of the pyramid represents the smallest number of <b>attackers who are skilled game changers</b>. This includes those who write novel software that exploits systems in ways that are not widely known or documented. Their work is often copied by semi-skilled attackers and widely distributed throughout communities for reuse.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Threat Matrix</p> <p>Sandia National Laboratories provide a general look at quantifying the strength of a threat actor (i.e., attacker, hacker) based on several criteria. This offers a high-level way to incorporate different threat characteristics into the basic Threat, Vulnerability, and Consequence risk calculation.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/04001edfdf7c446f2e8b970e9b9ea0fc/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Threat-Matrix.jpg" target="_blank"><img width="40%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/04001edfdf7c446f2e8b970e9b9ea0fc/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Threat-Matrix.jpg" alt="Get Alt Text"/></a><br/> <span style="color: #003478; font-weight: bold !important;"> Generic Threat Matrix</span><a href="https://www.energy.gov/sites/prod/files/oeprod/DocumentsandMedia/14-Categorizing_Threat.pdf" target="[object Object]"> (Duggan <i>et al.</i>, 2007)</a></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p>The Generic Threat Matrix identifies 8 threat levels based on a attacker commitment (i.e., intent) and resources (i.e., capability). Threat Level 1 will always be the most capable of achieving an objective or goal, while Threat Level 8 is the least capable. The report on Categorizing Threat Building and Using a Generic Threat Matrix <a href="https://www.energy.gov/sites/prod/files/oeprod/DocumentsandMedia/14-Categorizing_Threat.pdf" target="[object Object]"> (Duggan <i>et al.</i>, 2007)</a> explains how the matrix was developed and how to use it.</p> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new2"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b4a66b6e0d7a450190998592b0905fc0"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@b4a66b6e0d7a450190998592b0905fc0" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new3" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none;">Step 3 - Impact Determination and Quantification</button> <div class="panel3"><br/> <div> <p>Impact Determination and Quantification aims to identify potential threats and to select appropriate risk calculation approaches. The selection of risk calculation (i.e., quantitative vs qualitative) that will be applied is typically defined according to the impact categories (i.e., tangible vs intangible).</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Categories of Impacts</p> There are two main categories of impacts presented in the table below. <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Tangible vs Intangible Impacts</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Tangible impacts</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Tangible impacts (or losses) can be very accurately depicted in terms of monetary or asset loss and their frequency is usually well-known. For example, a business has a good grasp on how often a laptop is lost and how much each laptop costs and can use that as a basis for a risk calculation. Tangible impacts result in financial loss and they may include: <ul> <li>Direct loss of money</li> <li>Endangerment of staff or customers</li> <li>Loss of business opportunity</li> <li>Reduction in operational efficiency or performance</li> <li>Interruption of a business activity</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Intangible Impacts</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Intangible impacts are hard to accurately capture and may require probabilistic approaches or approximations in order to include them within risk calculations. This may include events that have never occurred or rarely occur, which lend themselves to calculations leveraging qualitative methods. Intangible impacts are hard to quantitatively measure and assigning financial value is difficult. They may include: <ul> <li>Breach of legislation or regulatory requirements</li> <li>Loss of reputation or goodwill (brand damage)</li> <li>Breach of confidence</li> </ul> </td></tr> </table> <p>After determining the impacts, the next task is to perform an assessment of the potential consequences.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Consequence Assessments</p> <p>Consequence assessments start with the identification of the system assets and their value. After the identification, two types of assessments can be conducted. They are shown in the table below.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Quantitative vs Qualitative Assessments</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Quantitative Assessments</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Quantitative assessments use specific monetary amounts to identify cost and asset values. Quantitative risk assessments are built upon calculation where the entities are relatively well-known and documented which can result in a precise measure of loss.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Qualitative Assessments</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Qualitative assessments use judgment to categorize risks based on probability and impact. Qualitative risk assessment rely on the assessor’s expertise and knowledge to discern different characteristics and probabilities that are included within the risk calculation.</td></tr> </table> <p>These two types of calculations are not at odds with each other and many times they are used in a complementary fashion to create a more holistic view of an organization’s risk.<br/><br/> The remainder of this section on consequence assessments focuses only on quantitative assessments.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Quantitative Consequence Assessments</p> <p>The quantitative calculation of consequences aims to define the <b>Annual Loss Expectancy (ALE)</b>, which is the product of two elements:</p> <ul> <li><b>Single Loss Expectancy (SLE)</b> represents the cost of any single loss</li> <li><b>Annual Rate of Occurrence (ARO)</b> defines how many times the loss will occur annually</li> </ul> <p style="color: #003478; text-align: center; font-weight: bold !important;">ALE = SLE x ARO</p> <p><b><u>Example:</u></b><br/><br/>Let's consider the loss of a laptop.</p> <table> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:200px; "> Employees lose one laptop per month that costs $ 2,000. <ul> <li>What is the SLE?</li> <li>What is the ARO?</li> <li>What is the ALE?</li> </ul></span></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">In this example the single loss expectancy is $2,000 and the annual rate of occurrence is 12 (once per month -> 12 per year). Using these two data points we calculate that the annual loss expectancy is $24,000. <ul> <li>SLE = $2,000</li> <li>ARO = 12 per year</li> <li>ALE = $24,000</li> </ul> </td></tr> </table> <p>By using this information, it is possible to make a decision as to which insurance policies may make sense to purchase. The maximum annual insurance cost to successfully transfer this risk would be $23,999. Any amount greater than this would not make fiscal sense.<br/><br/>Using qualitative measures how can we calculate consequence, or loss, for intangible or less tangible impacts? It is possible to use approximations and probabilistic measures provided by several different guiding metrics:</p> <ul> <li>Use the Common Vulnerability Scoring System (CVSS)</li> <li>Enumerate affected resources</li> <li>Calculate Dependencies</li> <li>Determine aggregate outage time and cost</li> <li>Understand business and operational processes</li> <li>Elicitate methods such as Tabletop Exercises</li> </ul> <p>Once we have followed the steps to identify assets that may be affected by a particular threat, we can calculate the approximate threat strength (Generic Threat Matrix), vulnerability (CVSS), and then approximate the cost of loss of resources.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Exercises</p> <p>The table below shows two main types of exercises.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Types of Exercises</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Tabletop Exercises</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Tabletop exercises (TTX) can provide useful ways to evaluate and act through threat events and what the appropriate response would be. Additionally TTX may offer reinforcement techniques for employees which can aid during real-life situations. These TTX can allow for role-playing and response to events and situations that may occur and can highlight gaps in response plans or employee actions. This may facilitate the strengthening of risk understanding or incident response plans.<br/><br/><b><u>TTX Characteristics:</u></b> <ul> <li>TTX are simulated exercises where stakeholders are asked to consider possible scenarios.</li> <li>TTX can enumerate possible gaps in security, resilience, and knowledge/documentation.</li> <li>TTX are useful to enforce operational and security policies.</li> <li>TTX can be focused on a domain or diversified across different groups/roles of employees.</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Scenario-based TTX</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">In addition to TTX which may emulate extenuating circumstances, different scenarios may be constructed to evaluate what employee response would be to a change in operational conditions which can aid in identifying new risk considerations. This allows for a proactive way to understand and anticipate future threats without requiring experience. <br/><br/><b><u>Scenario-based TTX:</u></b> <ul> <li>A scenario-based TTX is an exercise where a specific scenario is provided to assess typical business procedures.</li> <li>A scenario-based TTX can involve different injections where conditions change, or new information is gleaned.</li> <li>A scenario-based TTX may include several cohesive scenarios which might highlight the breadth of the attach chain.</li> </ul></td></tr> </table> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new3"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@fa9b66fdb71245e7b2e52deb24ce8738"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@fa9b66fdb71245e7b2e52deb24ce8738" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new4" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none;">Step 4 - Control Design and Evaluation</button> <div class="panel4"><br/> <div> <p>Once threats and vulnerabilities are identified, the fourth step of the risk management process aims to design and implement countermeasures (i.e., controls, safeguards) to mitigate these risks and reduce consequences to an acceptable level. This should be the first attempt in triaging the risks present on a network.<br/><br/>Several types of controls (i.e., actions, devices, or procedures) may be implemented. They are organized in five main categories presented in the table below.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Types of Controls</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Preventive Controls</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Preventative controls aim at stopping the risk from occurring.<br/><br/><u>Examples of preventive controls:</u> <ul> <li>Administrative (e.g., policies, separation of duties, security awareness)</li> <li>Physical (e.g., swipe cards, locks, alarms)</li> <li>Technical (passwords, encryption, firewalls, anti-virus)</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Detective Controls</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Detective controls promote quick discovery of any threat.<br/><br/><u>Examples of detective controls:</u> <ul> <li>Administrative (e.g., job rotation, incident response, audits)</li> <li>Physical (e.g., motion detectors, camera) <li>Technical (e.g., intrusion detection systems, audit logs, forensics)</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Corrective Controls</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Corrective controls aim at getting a system back to operational capabilities.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Deterent Controls</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Deterent controls aim to prevent threats through discouragement.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Recovery Controls</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Recovery controls, which complement corrective and compensating controls, aim at counteracting risks once they occur.</td></tr> </table> <p>The choice of countermeasures and controls depends on the system's existing vulnerabilities. Several approaches and tools can help identifying and characterizing the system's vulnerabilities. Some of these approaches are presented below.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">MITRE Common Vulnerabilities and Exposures (CVEs)</p> <p>Common vulnerabilities and exposures (CVEs) is a list of vulnerabilities maintained and indexed by MITRE.<a href="https://www.cve.org/" target="[object Object]"> (MITRE, 2021)</a> This database contains descriptions and metadata about vulnerabilities that are community sourced and verified by MITRE. This list of vulnerabilities provides an excellent basis for comparing your system’s software to understand potential weaknesses. Many software products, such as nikto and OpenVAS, ingest basic CVE data in order to try and identify known vulnerabilities.</p> <p>A CVE is:</p> <ul> <li>One identifier for one vulnerability or exposure</li> <li>One standardized description for each vulnerability or exposure</li> <li>A dictionary rather than a database</li> <li>How disparate databases and tools can "speak" the same language</li> <li>The way to interoperability and better security coverage</li> <li>A basis for evaluation among services, tools, and databases</li> <li>Free for public download and use</li> <li>Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE</li> </ul> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Common Vulnerability Scoring System (CVSS)</p> <p>The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. <a href="https://www.first.org/cvss/" target="[object Object]"> (Forum of Incident Response and Security Teams, 2021)</a> It provides a comparative way to identify the potential impact of a specific vulnerability. It offers an environment where comparisons between vulnerabilities can be made by using a set of defining characteristics.</p> <p><center><a href="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/b25ea1f49507588f0c8ddf6f6bbcc7e2/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_CVSS-Metrics.jpg" target="_blank"><img width="60%" src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/b25ea1f49507588f0c8ddf6f6bbcc7e2/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_CVSS-Metrics.jpg" alt="Get Alt Text" /></a><br/> <span style="color: #003478; font-weight: bold !important;">CVSS V3.1 Metric Groups</span><a href="https://www.first.org/cvss/v3.1/specification-document" target="[object Object]"> (Forum of Incident Response and Security Teams, 2021)</a></center></p> <p style="color: #003478;"> Click on the figure to enlarge it.</p> <p>The <b>Basic metric group</b> represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics. The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. While the vulnerable component is typically a software application, module, driver, etc. (or possibly a hardware device), the impacted component could be a software application, a hardware device or a network resource. </p> <p>The <b>Temporal metric group</b> reflects the characteristics of a vulnerability that may change over time but not across user environments.</p> <p>The <b>Environmental metric group</b> rrepresents the characteristics of a vulnerability that are relevant and unique to a particular user’s environment.</p> <p>When the Base metrics are assigned values by an analyst, the Base equation computes a score ranging from 0.0 to 10.0. The CVSS calculator implements the calculation formula, generating scores based on the metric values. The CVSS calculator and associated standard are available <a href="https://www.first.org/cvss/calculator/3.1" target="[object Object]"> here</a>.</p> <p>CVSS scores accompany CVEs in the National Vulnerability Database which offer at-a-glance vulnerability impact metrics.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">National Vulnerability Database (NVD)</p> <p>The United States national vulnerability database hosts a repository of known vulnerabilities that combines the MITRE common vulnerabilities and Exposures with a common vulnerability scoring system. <a href="https://nvd.nist.gov/" target="[object Object]"> (National Institute of Standards and Technology, 2021)</a> This allows for rapid searching and identification of risks to a system by understanding the vulnerability as well as its consequences. For example, if a service was identified with a known vulnerability but required local access in order to exploit that vulnerability, you may be able to record the presence of the vulnerability but note that it is not applicable to your system. This should be recorded in a risk register for future reference.</p> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new4"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-5" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@ca32c9247aa649418d42c9c6f13e97b4"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@ca32c9247aa649418d42c9c6f13e97b4" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div><button class="accordion_new5" style= "font-size: 12.0pt; font-family: 'Calibri'; background-color: #003478; background-image: none;">Step 5 - Residual Risks Management</button> <div class="panel5"><br/> <div> <p>Whatever the reason may be, some risk will never be able to be eliminated. For example, in order for a business to function it must rely on IT for external website and client communications. Some risk within those technologies is outside the control of the organization’s IT staff. What if a vulnerability was discovered in the mail client software being used? What would happen if an employee was reusing credentials from another site which was breached?</p> <p>Residual risks, which are the risks that remain after implementing controls, may need consideration in the form of action plans or inclusion within incident response.</p> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Risks Response Techniques</p> <p>The choice of a risk response technique depends on the nature of the risk and its relationship to business operations or disruptions. Some risk may be accounted for and handled through the creation of policies and procedures to reduce the risk or the risk’s impact (mitigate). Other risks may be better handled by a third party through risk calculation and cost-benefit analysis (transfer). Finally, sometimes a risk may be unavoidable, such as a natural disaster, and you may simply accept that risk as a cost of doing business in a certain area.</p> <p>The table below shows the four main types of actions to manage residual risks.</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;" colspan="2">Types of Risk Response Techniques</td> </tr> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Technique</td> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Objective</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Avoid</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Not participate in risky activity.</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Transfer</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Outsource risky activities: <ul> <li>Purchase insurances.</li> <li>"Share" risks.</li> </ul> </td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Mitigate</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Implement controls to reduce risks (e.g., antimalware to reduce risk from malware).</td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Accept</u></b></td> <td style="background-color:white; border: 1px solid black; padding: 15px; width:300px; ">Use if cost of control greater than the benefit.</td></tr> </table> </div> </div> </div> <script type="text/javascript"> var acc = document.getElementsByClassName("accordion_new5"); var i; for (i = 0; i < acc.length; i++) { acc[i].addEventListener("click", function() { this.classList.toggle("active"); var panel = this.nextElementSibling; if (panel.style.display === "block") { panel.style.display = "none"; } else { panel.style.display = "block"; } }); } </script> </div> </div> <div class="vert vert-6" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@62d352ad17ac4c1cac634c2055a5fca0"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@62d352ad17ac4c1cac634c2055a5fca0" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Qualitative Risk Management</p> <p>The five steps of the quantitative risk management process can also be used for qualitative risk assessment and management.</p> <p><b><u>Likelihood of occurrence:</u></b></p> <ul> <li>Probability that an event will occur.</li> <li>Probability that a threat will attempt to exploit a vulnerability</li> </ul> <p>By comparing the qualitative risk model to the five steps of the quantitative risk model, it is possible to map threats and vulnerabilities into likelihood of occurrence by using a simple multiplication.</p> <p><b><u>Impact:</u></b></p> <ul> <li>Magnitude of harm resulting from a risk</li> <li>Negative result of the event</li> <li>Loss of confidentiality, integrity, or availability of a system or data</li> </ul> <p>Impact requires intimate knowledge of the system being assessed and may involve several secondary calculations to account for collateral events stemming as a direct result of an adverse event.</p> <p>By using experience and loose quantifications, it is therefore possible to calculate the risk for intangible or hard to define threats.</p> <p><b><u>Calculation Examples:</u></b></p> <p><span style="color: #003478;"><b>1.</b></span> Web server selling products on the Internet</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Probability</td> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Impact</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>High (10)</u></b></td> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>High (10)</u></b></td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:white; border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;" colspan="2"> Risk score (10 * 10 = 100)</td></tr> </table> <p><span style="color: #003478;"><b>2.</b></span> Library Computer</p> <table> <tr> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Probability</td> <td td style="background-color:#003478; color: white; border: 1px solid black; padding: 15px; vertical-align: middle; text-align:center;">Impact</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Low (1)</u></b></td> <td style="background-color:rgba(0,136,198,.30); border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;"> <b><u>Low (1)</u></b></td></tr> <tr style="align: middle; vertical-align: middle;"> <td style="background-color:white; border: 1px solid black; padding: 15px; width:100px; vertical-align: middle; text-align:center;" colspan="2"> Risk score (1 * 1 = 1)</td></tr> </table> <p>These examples illustrate simple calculations. More in depth calculation would be to include quantifications of threat, vulnerability, and consequence by using techniques presented in the quantitative risk management. This might include a threat score (0-10), a vulnerability score (based on CVSS), and a consequence/impact score based on perceived asset loss.</p> </div> </div> </div> <div class="vert vert-7" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@36e782924c48453daa9c205ce8b75bea"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@36e782924c48453daa9c205ce8b75bea" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p style="font-size: 13pt !important; color: #003478; text-decoration: underline !important; font-weight: bold !important;">Risk Assessment and Risk Register</p> <p>Risk registers are controlled documents that allow for the identification and tracking of risks and an organization’s actions to that risk. These documents assist in understanding the overarching risk mindset as well as tracking risk actions over time. They should be regularly revisited in order to ensure that the organization’s operation is still in line with the perceived risk and that employee trainings stay current with the actions defined within the risk register.</p> <p>A risk register is therefore a repository of information on risks. They generally include the following:</p> <table> <tr> <td style="width:200px; border: 0px; padding: 0px;" > <ul> <li>Category</li> <li>Specific risk</li> <li>Likelihood</li> <li>Impact</li> <li>Risk score</li> </ul> </td> <td style="border: 0px; padding: 0px;"> <ul> <li>Security controls</li> <li>Contingencies</li> <li>Risk score (with controls)</li> <li>Action assigned to</li> <li>Action deadline</li> </ul> </td> </tr> </table> <p>Regular risk assessment aim at verifying the relevance of risk registers, and other risk related documentation, as well as broadening perspective to include emerging and new risks that may not be present within current documentation. As organizations grow and change, risks evolve and take different forms. For example, in a merger two organizations must reconcile risks and assets between companies which may require substantial effort. In many cases, this is not a definitive task and may take significant amounts of time and assessments in order to obtain a level of risk that is palatable by the organization.</p> <p>The risk register includes risk assessment documentation. It includes valuable results that:</p> <ul> <li>help organization evaluate threats and vulnerabilities;</li> <li>should be protected; and</li> <li>should only be accessible to management and security professionals.</li> </ul> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@a67da773a4274c23a907b455275fa50f" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@61e2578bf3ac48e0b4c41ba67fd77127"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@61e2578bf3ac48e0b4c41ba67fd77127" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div> <p>The general concepts presented in this module constitute the foundations necessary to understand Information security and cybersecurity principles and processes. <p style="color: #003478; text-decoration: underline !important; font-weight: bold !important;">The seven key elements presented through this module are:</p> <p style="color: #003478; font-weight: bold !important;">1. Increasing use of information technology to operate critical infrastructure systems create new vulnerabilities.</p> <p style="color: #003478; font-weight: bold !important;">2. Cyber attacks can be complex. They encompass unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.</p> <p style="color: #003478; font-weight: bold !important;">3. Cyber threats and cyber vulnerabilities can be reduced by implementing information security processes and cyber risk management.</p> <p style="color: #003478; font-weight: bold !important;">4. An information security program seeks to evaluate different risks to information systems and are used to evaluate a system performance based on three foundational concepts:</p> <ol class="SecondOrderList" id="SecondOrderList" style="padding-left: 50px;" type="a" start="1"> <li>Integrity</li> <li>Confidentiality</li> <li>Availability</li> </ol> <p style="color: #003478;"><b>5. Information Security model includes three elements that can be represented with the McCumber Cube:</b></p> <ol style="padding-left: 50px;" class="SecondOrderList" id="SecondOrderList" type="a" start="1"> <li>Information Security Properties, which characterize data confidentiality, integrity, and availability.</li> <li>Information States, which characterize data processing (data in process), data storage (data at rest), and data transmission (data in transit).</li> <li>Security Measures, which characterize cybersecurity policies and procedures, technologies, and education, training, and awareness.</li> </ol> <p style="color: #003478;"><b>6. The Anatomy of a cyberattack include five main stages:</b></p> <ol style="padding-left: 50px;" class="SecondOrderList" id="SecondOrderList" type="a" start="1"> <li>Reconnaissance - A target is chosen and researched for weaknesses.</li> <li>Infiltration - Successful attack creates an initial breach point.</li> <li>Propagation - Attacker gains access, moves to more systems.</li> <li>Capture - Sensitive data is identified, acquired, and amassed.</li> <li>Exfiltration - Data is moved to the attacker’s external system.</li> </ol> <p style="color: #003478;"><b>7. Cyber Risk Management comprises 5 steps to inform risk decision:</b></p> <ol style="padding-left: 50px;" class="SecondOrderList" id="SecondOrderList" type="a" start="1"> <li>Step 1 - Asset Identification aims to characterize the different components of the system being analyzed.</li> <li>Step 2 - Threat Assessment aims to identify the likelihood of occurrence of possible threats and vulnerabilities.</li> <li>Step 3 - Impact Determination and Quantification aims to identify potential threats and to select appropriate risk calculation approaches.</li> <li>Step 4 - Control Design and Evaluation aims to design and implement countermeasures to mitigate risks and reduce consequences to an acceptable level.</li> <li>Step 5 - Residual Risks Management aims to implement controls, action plans, and incident response techniques to manage residual risks.</li> </ol> </div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@30346628a95241479534a7b970b47473" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@34f2b8516906469183d09febfc4eb7b4"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@34f2b8516906469183d09febfc4eb7b4" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <div>The following learning quiz will help you test your understanding of the important elements presented in the Information Security and Cyber Risk Analysis module.<br/><br/> The test includes five questions.<br/><br/> <p style="color: #003478;">In case you make a mistake while answering a question, <span style="text-decoration: underline !important;">go back to the corresponding sections to review the concepts presented.</span></p> </div> </div> </div> <div class="vert vert-1" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@420c0383c12d425b974b5264f4fe640a"> <div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-block-type="problem" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@420c0383c12d425b974b5264f4fe640a" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="True"> <div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Question 1 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div> </div> </div> <div class="vert vert-2" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@ef58a1b278434ebdb87d65b4b16b31b0"> <div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-block-type="problem" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@ef58a1b278434ebdb87d65b4b16b31b0" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="True"> <div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Question 2 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div> </div> </div> <div class="vert vert-3" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@5f131f3ffeaa46c7b813fa432ff93f00"> <div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-block-type="problem" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@5f131f3ffeaa46c7b813fa432ff93f00" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="True"> <div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Question 3 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div> </div> </div> <div class="vert vert-4" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@3e10f94651fb45c69b9422bfe7b2485b"> <div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-block-type="problem" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@3e10f94651fb45c69b9422bfe7b2485b" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="True"> <div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Question 4 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div> </div> </div> <div class="vert vert-5" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@9afc046a4b9543b7b6928285ca30664d"> <div class="xblock xblock-public_view xblock-public_view-problem xmodule_display xmodule_ProblemBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-block-type="problem" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@problem+block@9afc046a4b9543b7b6928285ca30664d" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="True"> <div class="page-banner"><div class="alert alert-warning"><span class="icon icon-alert fa fa fa-warning" aria-hidden="true"></span><div class="message-content">Question 5 is only accessible to enrolled learners. Sign in or register, and enroll in this course to view it.</div></div></div> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>

<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@vertical+block@6b530a2d0e6647349e2853bde2ae33ae" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <div class="vert-mod"> <div class="vert vert-0" data-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@0f1eb77c04974843bfa1eae402ed71b8"> <div class="xblock xblock-public_view xblock-public_view-html xmodule_display xmodule_HtmlBlock" data-course-id="course-v1:OSCE+CriticalEnergyNetworks101+2021" data-init="XBlockToXModuleShim" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="html" data-usage-id="block-v1:OSCE+CriticalEnergyNetworks101+2021+type@html+block@0f1eb77c04974843bfa1eae402ed71b8" data-request-token="472bc26c379411f0a81a0acea2b89876" data-graded="False" data-has-score="False"> <script type="json/xblock-args" class="xblock-json-init-args"> {"xmodule-type": "HTMLModule"} </script> <style></style> <table> <tbody> <tr> <td style="background-color: #003478; color: white; font-weight: bold !important;" colspan="2">Key Practices in Cyber Supply Chain Risk Management</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="align: middle; vertical-align: middle; width: 15%"><img src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/031a729b937661d7655acaa0e888701b/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Ref1.jpg" alt="Get Alt Text" /></td> <td style="align: left; vertical-align: top;">The multidisciplinary approach to managing these types of risks is called Cyber Supply Chain Risk Management (C-SCRM). This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The Key Practices presented in this document can be used to implement a robust C-SCRM function at an organization of any size, scope, and complexity.</td> </tr> <tr> <td colspan="2"><span style="color: #003478; font-weight: bold !important;"><em>Reference:</em></span> Boyens, J., C. Paulsen, N. Bartol, K. Winkler, and J. Gimbi, 2021, <a href="https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8276.pdf" target="_blank">Key Practices in Cyber Supply Chain Risk Management: Observations from Industry</a>, NISTIR 8276, National Institute of Standards and Technology, U.S. Department of Commerce, accessed on November 10, 2021.</td> </tr> <tr> <td style="background-color: #003478; color: white; font-weight: bold !important;" colspan="2">Cyber Essentials Starter Kit</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="align: middle; vertical-align: middle; width: 15%"><img src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/ab280b26523d13e2eb18132689661c77/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Ref2.jpg" alt="Get Alt Text" /></td> <td style="align: left; vertical-align: top;">CISA’s Cyber Essentials is a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.<br/><br/>Consistent with the NIST Cybersecurity Framework and other standards, the Cyber Essentials are the starting point to cyber readiness.</td> </tr> <tr> <td colspan="2"><span style="color: #003478; font-weight: bold !important;"><em>Reference:</em></span> Cybersecurity and Infrastructure Security Agency (CISA), 2020, <a href="https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf" target="_blank">Cyber Essentials Starter Kit</a>, The Basics for Building a Culture of Cyber Readiness, U.S. Department of Homeland Security, accessed on November 10, 2021.</td> </tr> <tr> <td style="background-color: #003478; color: white; font-weight: bold !important;" colspan="2">Cybersecurity Framework</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="align: middle; vertical-align: middle; width: 15%"><img src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/28a2a9ced0a418b81be6e99cfab60411/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Ref3.jpg" alt="Get Alt Text" /></td> <td style="align: left; vertical-align: top;">NIST Cybersecurity Framework is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology based on existing standards, guidelines, and practices. The framework provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.</td> </tr> <tr> <td colspan="2"><span style="color: #003478; font-weight: bold !important;"><em>Reference:</em></span> National Institute of Standards and Technology (NIST), 2021, <a href="https://www.nist.gov/cyberframework" target="_blank">Cybersecurity Framework</a>, U.S. Department of Commerce, accessed on November 10, 2021.</td> </tr> <tr> <td style="background-color: #003478; color: white; font-weight: bold !important;" colspan="2">Security and Privacy Controls for Information Systems and Organizations</td> </tr> <tr style="align: middle; vertical-align: middle;"> <td style="align: middle; vertical-align: middle; width: 15%"><img src="//d24jp206mxeyfm.cloudfront.net/assets/courseware/v1/1f5a1c143aa33c6056255ba02a635548/asset-v1:OSCE+CriticalEnergyNetworks101+2021+type@asset+block/Mod4_Ref4.jpg" alt="Get Alt Text" /></td> <td style="align: left; vertical-align: top;">This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.</td> </tr> <tr> <td colspan="2"><span style="color: #003478; font-weight: bold !important;"><em>Reference:</em></span> National Institute of Standards and Technology (NIST), 2020, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf" target="_blank">Security and Privacy Controls for Information Systems and Organizations</a>, ENIST Special Publication 800-53, Version 5, U.S. Department of Commerce, accessed on November 10, 2021.</td> </tr> </tbody> </table> </div> </div> </div> <script type="text/javascript"> (function (require) { require(['https://d24jp206mxeyfm.cloudfront.net/static/js/dateutil_factory.a28baef97506.js?raw'], function () { require(['js/dateutil_factory'], function (DateUtilFactory) { DateUtilFactory.transform('.localized-datetime'); }); }); }).call(this, require || RequireJS.require); </script> <script> function emit_event(message) { parent.postMessage(message, '*'); } </script> </div>