Please review the following for this week as well as All Week 8 Online Course Materials:
NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
View the following video:
https://www.youtube.com/watch?v=2jbFOCcvEJk&feature=youtu.be&t=4
————————————————————
Final Exam
Question 1 (2 pages)
1. (a) In the NIST Cybersecurity Framework, the Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. It presents key cybersecurity outcomes identified by stakeholders as helpful in managing cybersecurity risk. What are elements that comprise the Core? (Answer: Identify, Protect, Detect, Respond, and Recover)
(b) Provide a brief description of each of these elements.
(c) The cybersecurity Framework also incorporates Implementation Tiers that provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. They help determine the extent to which cybersecurity risk management is informed by business needs. Please list the different Implementation Tiers.
(d) In which Tier are the organizations risk management practices formally approved, expressed as policy, and regularly updated based on the application of risk management processes to changes in business/mission requirements.
Question 2 (2 pages)
NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
The document specifies sets of security controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to security control baselines described in NIST SP 800-53. The baseline controls are the starting point for the security control selection process and chosen based on the security category and associate impact level of information systems.
1. According to NIST SP 800-82, what are the key factors that drive design decisions regarding the control, communication, reliability, and redundancy properties of the ICS? List the factors and provide a short description of each in your own words.
2. Based on NIST SP 800-82, effectively integrating security into an ICS using cloud technology requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement. What steps does NIST SP 800-82 describe as the basic process for developing a security program?
————————————————————
Week 8 Discussion: Security of Cloud Applications in Government and Industrial Automation (1 page)
Write one page using APA format and providing one reference.
From what you have gathered from this lesson, in your opinion, what are some of differences in the issues related to ICS cloud applications and conventional IT applications.
————————————————————
Week 8 Assignment: Security of Cloud Applications in Government and Industrial Automation (2 pages)
Write one page (for each question) using APA format and providing two references. Precede each answer with the question and its corresponding number.
1. In a DoD cloud application, the Mission Owner inherits compliance from the CSPs Cloud Service Offering (CSO) for the security controls (or portions thereof) that the CSP meets and maintains. Figure A-1 depicts, in general terms, the varying degrees of compliance shared by the Mission Owner and the CSP as a function of the type of service offerings. Please discuss why the proportions are different for each type of service offering.
Figure A-1 (See attachment labeled Figure A-1)
2. Using wireless communication in industrial control systems poses possible risks and vulnerabilities. According to NIST SP 800-82, what are some of the guidelines that have to be observed in ICS wireless applications?