improvement plan outlineThis week we will be continuing our journey to develop and communicate a cyber-security improvement plan in our case study assignment for PureLand Waste Water. During Week 2, we’ll be developing and submitting an outline for the improvement plan that will demonstrate understanding of the assignment along with all the required elements of a quality plan.
1. First, read the document titled, “Outline for Cyber-Security Improvement Plan” available in Blackboard in the PureLand Case Study area. This document will explain all the necessary parts included in your plan.
2. Using the detailed instructions attached in the file, “Outline for cyber security improvement plan.doc”, create your own outline that has the following components:
Current state description
Overview of network weaknesses
Threats and vulnerabilities facing the ICS
Understanding of applicable regulations
Desired future state
Five areas of cyber-security you want to improve
Submit to Blackboard your outline for the final paper (in Microsoft Word format) which is a cyber-security improvement plan for PureLand Wastewater.
Important: This is an outline only, not a paper. It should only include headings, not paragraphs and content under each heading.
PureLand Wastewater Treatment
Cyber Security Case Study
PureLand Wastewater Treatment Inc. (est. 2001) is a company providing years of experience in all aspects of Wastewater Treatment with special emphasis on the Chemical Manufacturing and Biological Fermentation industries. We are a flexible, responsive organization with a network of resources to handle any size project. Each project is approached by utilizing our strong sterilization and engineering skills while drawing on our background in Operations, Service, Validation, and Quality to provide solutions for all of your Wastewater Treatment needs. We provide personal attention to ensure customer satisfaction in all services and equipment we supply.
PureLand has special security concerns due to the highly toxic nature of some of the chemicals they use to sterilize and treat wastewater streams for their customers. Although Physical Security has always been on their radar and relatively strong, Cyber Security has not been something that they were particularly concerned about. After all, the chemicals they use to do their work were not proprietary so they had little concern about theft of intellectual property or trade secrets being compromised.
All this changed recently when PureLand executives and operations folks were contacted by the Department of Homeland Security (DHS) in regard to a particularly toxic chemical they use to sanitize Wastewater in biologically hazardous processes-Chlorine Dioxide. DHS officials were aware of their use of the chemical because of publicly available waste treatment permits provided to PureLand by the EPA. As it turns out, Chlorine Dioxide is on the DHS Chemical Facility Anti-Terrorism Standards (CFATS) list of chemicals of interest because of the risks associated with chemical release or sabotage using this chemical. PureLand was aware Chlorine Dioxide was a very dangerous chemical, but they had never considered Cyber Terrorism or theft of the chemical for sabotage when completing prior risk assessments. The implications of this were quite serious for PureLand, as they now are required by Federal law to comply with both Physical and Cyber Security regulations related to their use of this chemical of interest. DHS officials made PureLand aware of their obligations and informed them that they would be subject to an audit by DHS within eighteen months that would assess their compliance with CFATS regulations. If compliance was not achieved within 12 months of the initial audit, PureLand would be subject to huge fines and penalties that could include closure of their facility.
The PureLand Executives were quite alarmed by the news and immediately formed an internal team to create a Cyber Security improvement and compliance plan. The team researched the issue and reviewed the information provided by DHS around security standards. The first objective was to use a tool provided by DHS to perform a Cyber Security Self Evaluation on their computing systems. The hope was that by using this free tool, they could get some insight on the most critical Cyber Security gaps that existed and potentially provide a road map on where to focus their security improvement plan. A team of system administrators, security professionals, and management representatives worked on the Cyber Security Self Evaluation over a period of two days.
Cyber Security Self Evaluation Results
The results of the Self Evaluation were very disturbing for the entire team. The evaluation reported varying levels of compliance from 0% to 100%, but it was very clear that they had their work cut out for them. The leadership team met with the IT staff and their IT Security Analyst, and it was decided that they didn’t have the internal staffing or appropriate skillset to implement the needed security improvements within one year. The decision was made to hire an outside consultant to help devise and implement a Cyber Security improvement plan that would achieve these critical objectives:
1. Reduce their risk from Cyber Security incidents to an acceptable level
2. Achieve compliance with CFATS regulations
3. Minimize negative impacts to production and safety
As the outside consultant, it’s your job to lead the effort to create the Cyber Security improvement plan per the objectives laid out in the accompanying document: Developing Cyber Security Improvement Plan for Industrial Control System – Case Study.
You’ll focus your efforts by studying the PureLand Cyber Security Assessment which includes various tables and charts indicating the areas of most concern. PureLand has contracted you to provide two major deliverables for this contract:
1. Industrial Control System Cyber Security Improvement Plan (Detailed requirements included in document – ICS security improvement case description)
2. Presentation to key stakeholders one week prior to formal plan presentation
Outline for Cyber Security Improvement Plan
This assignment requires the student to write an outline for your final paper which is a cyber-security improvement plan for PureLand WasteWater.
Instructions for assignment
1. Read the PureLand Cyber Security Case Study document to understand the premise of this assignment. In summary, you are a consultant hired by PureLand Wastewater to improve their CyberSecurity due to new CFATS regulations from the US Department of Homeland Security.
2. Read Developing ICS cyber security improvement plan.doc in the PureLand Case Study section within Blackboard and be sure the required elements from section 1 are included.
3. Write an outline that will be used to build your cyber-security improvement plan, and have these required parts in your outline:
a. Include an introduction
b. Document and communicate the current state for security of the PureLand WasteWater Industrial Control System and overall network
c. Provide an overview of the network design including major weaknesses in the design and layout of network components with suggested network layout improvements
d. Identify the threats and vulnerabilities facing the assets of an Industrial Control System including Advanced Persistent Threats and recommend potential security measures that could have prevented those incidents
e. Understand applicable regulations and include provisions for achieving compliance with CFATS regulations within the plan
f. Based on knowledge of recommended security best practices and standards, document and communicate the desired future state for security of the ICS.
g. Document at least 5 security improvements you would recommend for PureLand to implement in their Industrial Control System. (Hint: These 5 improvement areas should be areas that are weak as stated in the document titled, Site Summary Report PureLand WasteWater.docx)
h. Include a conclusion