
Final Project

Jeffrey Ryan

Salt River Project


Risk Management Framework for Industrial Control Systems
Executive Summary
Salt River Project (SRP) has an extensive power generation and water delivery network depended on by over one million residential and business customers every day. A structured, industry proven Risk Management Framework is essential for identifying, mitigating, and continuously monitoring risks to our Industrial Control Systems, especially those considered to be critical infrastructure on a national level.

Risk Management Overview

Risk management “requires the involvement of the entire organization—from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization’s missions/business functions” (NIST, 2011, pg. 6).

There are three primary security objectives that make up what is commonly known as the CIA triad (Figure 1). Confidentiality has to do with preventing disclosure of information to unauthorized individuals. Integrity encompasses the protection of information from modification or deletion. Availability involves ensuring information is accessible when needed. Availability and integrity are the primary objectives of ICS security controls.

Figure 1 CIA Triad (Zenith Technologies, n.d.)
The Risk Management Framework (RMF), developed by NIST with input from private industry, has already been adopted by the federal government and can be used effectively by our quasi-governmental organization. The focus of this document is on continuous monitoring and configuration change management, but we need to be familiar with all of the steps in the process leading up to monitoring.

The scope of this RMF is limited to systems deemed to be part of an Industrial Control System (ICS). An example ICS is located at our largest power generation facility, which in turn is composed of several smaller information systems – sets of information resources for the collection, processing, use, and dissemination of ICS information (NIST, 2011). The six steps of the RMF security life cycle are illustrated in Figure 2 below.

Figure 2 Risk Management Framework (NIST, 2008)


Information System Categorization

There are many information types used in our ICS information systems, including process control information, network authentication information, and network support information. An example security categorization (SC) for the security objectives of process control information would look something like:

SC process control information = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}

Information type ratings are determined by analyzing how the loss of each security objective might affect organizational operations, assets, or individuals (NIST, 2004).

The rated information types within an information system are then aggregated and used to determine the security categorization of the information system overall. The highest value of any information type, also known as the high-water mark, is then used as the value for the information system. Since we only have one information type in this example, the information system rating matches the information type rating.

SC industrial control system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}
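The high-water mark aggregation above, worked through in code as an added example (not part of the original document). It generalizes the single-type case in the text to several information types: the process control ratings are the ones given above, while the ratings assumed for the two network information types are constructed for this example.

```python
from typing import Dict, Mapping

# FIPS 199 impact levels, ordered so the highest value is the high-water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

SecurityCategorization = Dict[str, str]

# Process control information carries the ratings given in the text; the ratings
# for the two network information types are assumptions made for this example.
INFORMATION_TYPES: Dict[str, SecurityCategorization] = {
    "process control information":
        {"confidentiality": "LOW", "integrity": "HIGH", "availability": "HIGH"},
    "network authentication information":
        {"confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
    "network support information":
        {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "HIGH"},
}

def highest(levels) -> str:
    """Pick the highest impact level; rejects anything outside the FIPS 199 scale."""
    levels = list(levels)
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=LEVELS.__getitem__)

def system_categorization(info_types: Mapping[str, SecurityCategorization]) -> SecurityCategorization:
    """Aggregate per objective: the highest rating of any information type wins."""
    if not info_types:
        raise ValueError("an information system needs at least one information type")
    return {obj: highest(sc[obj] for sc in info_types.values()) for obj in OBJECTIVES}

def overall_impact(sc: Mapping[str, str]) -> str:
    """Single low/moderate/high level used to pick the SP 800-53 control baseline."""
    return highest(sc[obj] for obj in OBJECTIVES)

def format_sc(name: str, sc: Mapping[str, str]) -> str:
    """Render a categorization in the SC notation used in the text."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{pairs}}}"

if __name__ == "__main__":
    for name, sc in INFORMATION_TYPES.items():
        print(format_sc(name, sc))
    system_sc = system_categorization(INFORMATION_TYPES)
    print(format_sc("industrial control system", system_sc))
    print("control baseline:", overall_impact(system_sc))
```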

Security Control Selection

The security control selection step is used to identify, select, tailor, and document security controls necessary to protect the ICS information system consistent with SRP’s risk tolerance. All selected controls are documented with functional descriptions and planned implementations (NIST, 2017a).

NIST describes several security control families, each containing individual controls with recommendations of suitability based on the information system rating (low, moderate, high) determined during the previous categorization step (NIST, 2017b).

The list of security controls is very large, so only a couple are provided here as examples, highlighting the availability and integrity security objectives. Controls from the Physical and Environmental Protection family, emphasizing availability, are selected to address risks ranging from unauthorized individuals physically damaging equipment to fire or other natural disasters. Controls from the Access Control family, emphasizing integrity, are selected to address risks from unauthorized individuals logically modifying or deleting process control information by limiting the use of administrative privileges, separation of duties, and logical boundary defenses.

Security Control Implementation

Security controls were selected individually without giving too much thought to how they might work with each other. An important requirement during implementation is that all controls work together cohesively to create a trustworthy information system. A security control implementation strategy should focus on those controls that most effectively mitigate risks with the greatest potential impact to the system (NIST, 2015).

Upon completion of security controls implementation, a configuration baseline is established that documents all aspects of the system including hardware, software, and firmware configurations (NIST, 2017a). A thorough baseline is required during the continuous monitoring step below in order to verify changes to the system.


Security Control Assessment

Security control assessments are performed to determine whether security controls are implemented correctly, operate as intended, and produce desired outcomes, effectively meeting the security requirements of the information system (NIST, 2017a).

Following a completed assessment, a Security Assessment Report (SAR) is provided that details discovered security control weaknesses and/or deficiencies requiring remediation. The findings and recommendations are then used to create initial and long-term remediation action plans. Remediated controls are then re-assessed when necessary.

The most recent security assessment found one noncompliant control of significant importance from a regulatory compliance perspective. The SAR noted that a contractor who transferred to a different facility still had unrestricted physical access to protected areas at the original facility more than 24 hours after transfer, a violation of North American Electric Reliability Critical Infrastructure Protection (NERC CIP) compliance requirements.

Information System Authorization

The SAR provided upon completion of the security controls assessment included recommendations that can be used in the creation of a Plan of Action and Milestones (POA&M) document. The POA&M serves as a way to identify and prioritize corrective actions needed to mitigate the risks of noncompliant security controls found during the assessment. The progress of individual corrective actions can be monitored by tracking the achievement of specific milestones.

A security authorization package, made up of the POA&M document, updated security plans and/or security assessments, if needed, and any other requested documentation is then submitted to the authorizing official (AO). The AO will then determine risk to the organization, a preferred course of action to mitigate the determined risk from the list of plans in the POA&M, and an authorization decision (approval or denial of operation or use of common controls) (NIST, 2017a).

Security Continuous Monitoring

ICS information systems are relatively static in nature, especially compared to their more traditional IT system brethren. However, changes do still occur, more often in the external threat landscape but occasionally within the system boundaries due to equipment failure, vulnerability remediation by software/firmware updates, or life cycle upgrades. To facilitate these inevitable system changes, it is important to have a continuous monitoring system and Management of Change (MoC) process.

Continuous monitoring is the process of maintaining situational awareness of the ICS information system security posture and its relationship to SRP’s risk management decisions. If changes are deemed necessary, whether to remediate a vulnerability, meet a regulatory compliance requirement, or some other reason, the MoC process is there to thoroughly document the change. Both monitoring and the MoC process work together to observe changes to the system and its operational environment (NIST, 2017a).

An MoC form has been created for use by the change requestor, reviewer, approver, and implementer for tracking changes from beginning to end. The form is used to document the change description, impacted assets, affected security controls, approval status, implementation status, verification status, a backout strategy if available, and the location of all supporting documentation including an updated configuration baseline.


An example of the MoC process in action can be illustrated using the noncompliant access control discovered in the previous security control assessment. A change is deemed necessary by reviewing existing security plans and the configuration baseline to verify employee and contractor access is, in fact, not removed after termination or transfer.

A change request is submitted to create an automated integration of the protected area access controls system with the corporate human resources system so ICS access controls are always in sync with the corporate access controls. Due to the criticality of these ICS controls, two approvers, both with sufficient knowledge of the affected systems and assets, must accept the change as necessary before implementation can begin. Once approved, pre-implementation steps are performed like gathering system backups and creating a backout strategy if implementation fails to go as planned.

Implementation commences, all the while keeping track of progress against the milestones set forth in the POA&M document from the authorization step. After all milestones have been reached and the system is verified to function as designed, security plans and the configuration baseline are updated to reflect the change(s). Depending on the complexity of the change and its touch points, a new security controls assessment may be necessary.
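The reconciliation at the heart of the requested HR integration, written out as an added example (not SRP’s system or code). It compares protected-area access grants against HR assignment records and flags any badge still active more than 24 hours after its holder was transferred or terminated, which is exactly the condition the SAR finding described. The record layouts, facility names and person IDs are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

GRACE = timedelta(hours=24)  # removal window the SAR finding was measured against

@dataclass
class HrRecord:
    person_id: str
    facility: str        # facility the person is currently assigned to
    status: str          # "active" or "terminated"
    effective: datetime  # when that assignment or status took effect

@dataclass
class AccessGrant:
    person_id: str
    facility: str        # facility whose protected areas the badge opens

# (person_id, facility, reason, overdue_by); overdue_by is None for orphaned badges
Finding = Tuple[str, str, str, Optional[timedelta]]

def reconcile(hr: List[HrRecord], grants: List[AccessGrant], now: datetime) -> List[Finding]:
    """Return grants that should have been revoked more than GRACE ago."""
    people = {r.person_id: r for r in hr}
    findings: List[Finding] = []
    for g in grants:
        rec = people.get(g.person_id)
        if rec is None:  # orphaned badge: nobody in HR owns it, flag immediately
            findings.append((g.person_id, g.facility, "no HR record", None))
            continue
        if rec.status == "terminated":
            reason = "terminated"
        elif rec.facility != g.facility:
            reason = f"transferred to {rec.facility}"
        else:
            continue  # assignment matches the grant, access is legitimate
        elapsed = now - rec.effective
        if elapsed > GRACE:  # still inside the 24-hour window is not yet a violation
            findings.append((g.person_id, g.facility, reason, elapsed - GRACE))
    return findings

# Constructed sample data, not real SRP records.
NOW = datetime(2024, 3, 10, 12, 0)
HR = [
    HrRecord("C1001", "plant-B", "active", datetime(2024, 3, 7, 9, 0)),  # moved 3 days ago
    HrRecord("E2002", "plant-A", "active", datetime(2023, 1, 1, 0, 0)),
    HrRecord("C1003", "plant-A", "terminated", datetime(2024, 3, 10, 2, 0)),  # 10 h ago
    HrRecord("E2004", "plant-A", "terminated", datetime(2024, 3, 1, 0, 0)),
]
GRANTS = [AccessGrant(p, "plant-A") for p in ("C1001", "E2002", "C1003", "E2004", "P9999")]
```

Run against the sample data, the contractor who moved to plant-B, the long-terminated employee and the orphaned badge are reported, while the termination only ten hours old is not yet a finding.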

It is important to note that security control assessments are not only performed immediately after security control implementation or a substantial change in security controls. Ongoing assessments are performed on an annual basis with their results reported to the AO for continuing operation of our ICS systems.

When the time comes for disposal of ICS assets with the capability to store confidential information, a disposal process has been created that describes appropriate tasks for sanitization of assets. Removal of an asset for disposal constitutes a change in the system, so configuration baselines and security plans also need to be updated accordingly.

Conclusion

The RMF created for SRP’s ICS environments ensures we have identified and mitigated risks to some of our most critical company operations needed to meet organizational goals and objectives. Strict adherence to the six steps of the security life cycle, including ongoing continuous monitoring to detect changes to the system or operating environment, will provide continued power and water delivery to our most important asset, our customers.

References

National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division. (2011). Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).

Zenith Technologies. (n.d.). The CIA Triad and Life Science Manufacturing. Retrieved from https://www.zenithtechnologies.com/zen-blog/the-cia-triad-and-life-science-manufacturing/

National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division. (2008). Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Volume I Rev 1).

National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division. (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS PUB 199).

National Institute of Standards and Technology. (2017a). Risk Management Framework for Systems and Organizations: A System Life Cycle Approach for Security and Privacy (Draft NIST SP 800-37 Rev 2).

National Institute of Standards and Technology. (2017b). Security and Privacy Controls for Information Systems and Organizations (Draft NIST SP 800-53 Rev 5).

National Institute of Standards and Technology. (2015). Guide to Industrial Control Systems (ICS) Security (NIST SP 800-82 Rev 2). Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
