ENERGY SECTOR
June 1, 2022 13:44
Increasing dependence on technology and web-based communication has opened the door for cybersecurity
threats, particularly in the oil and gas industry. Petroleum companies face significant threats, such as hydrocarbon
installation terrorism, which can cause plant shutdowns resulting from sabotage and interruption of utilities. With
the oil and gas sector fueling every aspect of our daily life, the protection of this particular critical infrastructure
has never been more crucial. We cannot afford to underestimate the consequences of attacks on the operations
and systems that power our lifestyle.
BKTRON Risk Consultancy and Compliance, based on laws, regulations, standards and best practices:
HSPD-7 addresses the strengthening of the security and resilience of critical infrastructure against cyber threats that could have a debilitating impact on national security, economic stability, or public health and safety, including acts of terrorism.
CFATS identifies and regulates high-risk chemical facilities to ensure that they have the necessary security measures to avoid attack or exploitation.
NERC CIP defines industrial cybersecurity standards, focusing on system reliability and customer information security.
Security Incidents:
1. Point-of-Sale Intrusions
2. Crimeware
3. Cyber Espionage
4. Insider Misuse
5. Web App Attacks
6. Miscellaneous Errors
7. Physical Theft/Loss
8. Payment Card Skimmers
9. Denial of Service
GUIDELINES
American Petroleum Institute (API) 1164
API – Recommended Practice 780, Risk Assessment Methodology
ISA/IEC-62443
Interstate Natural Gas Association of America (INGAA) – Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry
The lure of the Smart Grid appears irresistible. If Smart Grids can realize their full potential then consumers, utilities, nations, and even the earth itself will benefit. Unfortunately, as with nearly any new technology, the focus has been on getting Smart Grids up and running, often with little consideration for Cyber Security. Even worse, many experts appear to believe that IT networks and Industrial Control Systems have the same Cyber Security issues and can be secured with the same countermeasures – they cannot.
Smart Grid discussions are dominated by Smart Metering, but there is far more to it than that. Intelligent transmission, automated distribution, and creative use of substations can improve utility efficiency as well. BKTRON can work with you to report and identify a number of key issues that require attention if Smart Grids are to become and remain secure.
One central issue is that many Industrial Control Systems have seemed secure simply by being isolated from IT networks. The Stuxnet attacks demonstrated that USB memory sticks give attackers a convenient workaround for that lack of connectivity. The other critical market issue is that IT and Operations groups at utilities must collaborate effectively. It is common knowledge that IT and Operations do not understand each other, nor in many cases do they trust one another. This is a cultural barrier to success for a Smart Grid deployment.
Smart meter deployment continues to pick up speed in nearly all regions of the world; however, as with all information technologies introduced in the past 50 years, cyber security was at first overlooked in the rush to create a working device. Now, utilities, governments, systems integrators, device manufacturers, and nearly everyone else involved realize that smart meters and their surrounding networks can be attacked, and that cyber security measures are necessary to protect the meters and their environment.
A recent analysis illustrates that end-to-end protection of private and commercial usage data is impossible. Home area networks (HANs), commercial building networks, and utility networks all perform well in terms of keeping data encrypted within their domains. However, these domains terminate at the smart meter, and the only way for data to pass from one network to the other is for the smart meter to decrypt the data from one side and re-encrypt it on the other. Consequently, the data are, for a short while, unencrypted on the meter and could be successfully eavesdropped.
BKTRON can work with your organization to provide risk-mitigating technology and assurance services in the following Smart Grid domains:
- Legacy Control Systems: Transmission, Distribution, and Substations security risks
- Access Control risks
- Smart Metering Infrastructure and security risks
- Home Area Network (HAN) security risks
- Communications and Operational risks
- Operational change management services
- Human Resources risks
- Security Incident Response Framework