One of InduSoft's Cybersecurity Engineers, Richard Clark, along with Professor Stephen Miller of Eastern New Mexico University – Ruidoso spoke at the February meeting of the Houston Infragard on the subject of "Cybersecurity Guidance for Industrial Automation in Oil and Gas Applications". InduSoft and ENMU-Ruidoso have collaborated to produce a Security Guidance eBook and an eTextbook that will be used in the Cybersecurity Certificate curriculum at ENMU.

1. Cybersecurity Guidance for Industrial
Automation in Oil and Gas Applications
February 17, 2015

2. Agenda

3. Agenda
Introductions

4. Agenda
Introductions
Discussion of the current state of Cybersecurity for
Controls Systems with discussions from outside sources

5. Agenda
Introductions
Discussion of the current state of Cybersecurity for
Controls Systems with discussions from outside sources
New Cybersecurity Guidance eBook and Engineering
Services available from InduSoft

6. Agenda
Introductions
Discussion of the current state of Cybersecurity for
Controls Systems with discussions from outside sources
New Cybersecurity Guidance eBook and Engineering
Services available from InduSoft
Deeper dive into the Security eBook – a look inside.

7. Agenda
Introductions
Discussion of the current state of Cybersecurity for
Controls Systems with discussions from outside sources
New Cybersecurity Guidance eBook and Engineering
Services available from InduSoft
Deeper dive into the Security eBook – a look inside.
Discussion of the new SCADA Cybersecurity Framework
eBook and the associated certificate courses at Eastern
New Mexico University-Ruidoso

8. Agenda
Introductions
Discussion of the current state of Cybersecurity for
Controls Systems with discussions from outside sources
New Cybersecurity Guidance eBook and Engineering
Services available from InduSoft
Deeper dive into the Security eBook – a look inside.
Discussion of the new SCADA Cybersecurity Framework
eBook and the associated certificate courses at Eastern
New Mexico University-Ruidoso
Q&A Session

9. Speakers Today (in order of presentation)
Richard Clark
– Technical Marketing and Cybersecurity Engineer

10. Richard H Clark
Cybersecurity Background
Mr. Clark has been in Automation, Process System, and Control System
design and implementation for more than 25 years and was employed by
Wonderware where he developed a non-proprietary means of using IP-Sec
for securing current and legacy Automation, SCADA, and Process Control
Systems, and developed non-proprietary IT security techniques. Industry
expert by peer review and spokesperson on IT security; consultant, analyst
and voting member of ISA- SP99. Contributor to PCSF Vendor Forum.
Consultant to NIST and other government labs and NSA during the
development of NIST Special Publication 800-82. Published engineering
white papers, manuals, and instruction documents, developed and given
classes and lectures on the topic of ICS/SCADA Security.
– Participated in forming the NIST Cybersecurity Framework during the
workshops last year along with our second speaker today…

11. Speakers Today (in order of presentation)
Richard Clark
– Technical Marketing and Cybersecurity Engineer
Stephen Miller
– Associate Professor and Department Chair of Business and
Information Systems/Cybersecurity Center of Excellence at
Eastern New Mexico University-Ruidoso

12. Stephen Miller
Cybersecurity Background
Mr. Miller (Associate Professor/Director of Eastern New Mexico University-
Ruidoso Cybersecurity Center of Excellence) has been in the Information
Systems profession since 1966 working in many business, government,
and educational sectors; including being IT/Technology Manager and
Advisor at ExxonMobil Global Information Systems. Mr. Miller worked for
Univac Corp at NASA Mission Control for the Apollo Mission, including
Apollo 13 and Skylab missions, he also worked for Ford Tech-rep Division
and TRW Controls, among others.
Stephen developed the online computer and network Cybersecurity
Certification program at ENMU-Ruidoso, and revised the Information
Systems Associates Applied Science Degree Programs under INFOSEC
4011, 4016E, and Center of Academics (CAE-2Y) certifications

13. RICHARD H CLARK
Cybersecurity eBooks/Guidance

14. Introduction

15. Introduction
InduSoft is used in various Oil and Gas, Refinery, and
Pipeline applications around the world

16. Introduction
InduSoft is used in various Oil and Gas, Refinery, and
Pipeline applications around the world
We strive to assist customers in designing and building
safe, secure and functional applications

17. Introduction
InduSoft is used in various Oil and Gas, Refinery, and
Pipeline applications around the world
We strive to assist customers in designing and building
safe, secure and functional applications
We have condensed a great deal of our security guidance
and discussions into a single eBook

18. Introduction
InduSoft is used in various Oil and Gas, Refinery, and
Pipeline applications around the world
We strive to assist customers in designing and building
safe, secure and functional applications
We have condensed a great deal of our security guidance
and discussions into a single eBook
InduSoft has recently added On-Demand Engineering
Services to assist your development and engineering
teams

19. Introduction
InduSoft is used in various Oil and Gas, Refinery, and
Pipeline applications around the world
We strive to assist customers in designing and building
safe, secure and functional applications
We have condensed a great deal of our security guidance
and discussions into a single eBook
InduSoft has recently added On-Demand Engineering
Services to assist your development and engineering
teams
InduSoft has assisted in creating the NIST Cybersecurity
Framework and collaborated with ENMU-Ruidoso in
creating a curriculum textbook

20. The Scope of the Problem

21. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity.

22. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.

23. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

24. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

25. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

26. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

27. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

28. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

29. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

30. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”

31. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”
– Major Problems that I have with this “Unified Approach”:

32. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”
– Major Problems that I have with this “Unified Approach”:
• They’ve thrown the SME’s (plant engineers) “under the bus”

33. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”
– Major Problems that I have with this “Unified Approach”:
• They’ve thrown the SME’s (plant engineers) “under the bus”
• They are only addressing security patches and antivirus

34. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”
– Major Problems that I have with this “Unified Approach”:
• They’ve thrown the SME’s (plant engineers) “under the bus”
• They are only addressing security patches and antivirus
• It is being managed from a central location which is the same entry vector
used in the retail and healthcare cyberattacks

35. The Scope of the Problem
IT Departments believe that they are equipped to handle
Control System Cybersecurity. They aren’t.
– Example: AutomationWorld, February 10, 2015, “Shell Works with
Yokogawa and Cisco on a Unified Cybersecurity Approach”
– Major Problems that I have with this “Unified Approach”:
• They’ve thrown the SME’s (plant engineers) “under the bus”
• They are only addressing security patches and antivirus
• It is being managed from a central location which is the same entry vector
used in the retail and healthcare cyberattacks
• They are considering the refinery as part of the IOT, which is to say that they
think it is just as important as Mrs. Fitsby’s new hot water heater, not critical
infrastructure.

36. New SCADA Cybersecurity eBooks
InduSoft Security Guide NIST Cybersecurity Framework
ISBN 978-1311-49042-1 ISBN 978-1310-30996-0
Available at Smashwords.com and other major booksellers

37. Available to you as “Name Your Price”
InduSoft Security Guide NIST Cybersecurity Framework
ISBN 978-1311-49042-1 ISBN 978-1310-30996-0
Download at Smashwords.com to “Name Your Price”

38. All eBook Proceeds Benefit the Eastern
New Mexico University-Ruidoso Foundation

39. InduSoft Security Guide– Why?

40. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place

41. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place
– There is a chapter on guidelines for designing and building your
projects

42. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place
– There is a chapter on guidelines for designing and building your
projects
– Includes reprints of many InduSoft white papers and published
articles on cybersecurity guidance describing everything from
runtime servers and IT guidance for control system networks, to
handheld smart devices and wireless networks

43. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place
– There is a chapter on guidelines for designing and building your
projects
– Includes reprints of many InduSoft white papers and published
articles on cybersecurity guidance describing everything from
runtime servers and IT guidance for control system networks, to
handheld smart devices and wireless networks
– The eBook contains transcripts of many InduSoft webinars on
securing InduSoft Web Studio as well as broader IT and SCADA
security guidance

44. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place
– There is a chapter on guidelines for designing and building your
projects
– Includes reprints of many InduSoft white papers and published
articles on cybersecurity guidance describing everything from
runtime servers and IT guidance for control system networks, to
handheld smart devices and wireless networks
– The eBook contains transcripts of many InduSoft webinars on
securing InduSoft Web Studio as well as broader IT and SCADA
security guidance
– Also contains an Appendix with NIST Framework information

45. InduSoft Security Guide– Why?
The eBook is a compilation of InduSoft cybersecurity
guidance making it available in one place
– There is a chapter on guidelines for designing and building your
projects
– Includes reprints of many InduSoft white papers and published
articles on cybersecurity guidance describing everything from
runtime servers and IT guidance for control system networks, to
handheld smart devices and wireless networks
– The eBook contains transcripts of many InduSoft webinars on
securing InduSoft Web Studio as well as broader IT and SCADA
security guidance
– Also contains an Appendix with NIST Framework information
– Available in .mobi (Kindle), .epub, .pdf, .html, and .doc formats

46. Contents of “Security Guidance” eBook
The Chapters and Sections contain many useful topics
Chapter 1: New Projects and Security as a Design
Consideration
Section 1: Building your Project
– Extract from the InduSoft Technical Note: Application
Guidelines
Chapter 2: Existing Projects
Chapter 3: Cloud Based Applications
Section 1: Working with Cloud Based Applications
– The following is an extract from the InduSoft White
Paper: Cloud Computing for SCADA
Chapter 4: InduSoft Application Security
Section 1: SCADA System Security Best Practices
– The following is a transcript extract from the InduSoft
Webinar: SCADA System Security Webinar
Chapter 5: InduSoft Security Discussion for Web
Based Applications
Section 1: Using Security with Distributed Web
Applications
– Extract 1 - From InduSoft White Paper: Security Issues
with Distributed Web Applications
Section 2 – Using Security with Web-Based
Applications
– Extract 2 - From the InduSoft Tech Note: IWS Security
System for Web Based Applications
Section 3 – Using Security with Web-Based
Applications
– Reprint - Control Engineering Magazine - August 2014:
Cybersecurity for Smart Mobile Devices
Chapter 6: InduSoft Recommendations for IT
Security
Section 1: Firewalls and other SCADA Security
Considerations
– Transcript extract from the InduSoft Webinar: SCADA
and HMI Security in InduSoft Web Studio
Section 2: Control Systems Security Overview
– Transcript extract from the InduSoft Webinar: SCADA
Security Considerations: Overview
Section 3: SCADA Security - Operational
Considerations
– Transcript extract from the InduSoft Webinar: SCADA
Security Considerations: Operational
Section 4: SCADA Security - Management
Considerations
– Transcript extract from the InduSoft Webinar: SCADA
Security Considerations: Management
Appendix A: NIST Cybersecurity Framework Core
Appendix B: Cyber Security Evaluation Tool (CSET)
Information

47. Examples of topics and subjects covered

48. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:

49. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration

50. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation

51. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

52. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

53. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

54. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

55. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

56. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

57. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

58. New SCADA Projects Should be
Designed with Security as a Primary Goal
Good project design
includes the following:
Security as a primary design
consideration
Safety needs to be
considered throughout
project design and
implementation
Functionality should be
moderated based on the first
two design goals

59. Diverse SCADA Projects Require
Different Types of Security Profiles

60. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.

61. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.
– This fact presents many differing security scenarios for our
customers

62. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.
– This fact presents many differing security scenarios for our
customers
– A specific type of security implementation to a particular SCADA
system may be entirely inappropriate for a differing system.

63. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.
– This fact presents many differing security scenarios for our
customers
– A specific type of security implementation to a particular SCADA
system may be entirely inappropriate for a differing system.
We have recommended many different ways that
security can be implemented into SCADA and HMIs

64. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.
– This fact presents many differing security scenarios for our
customers
– A specific type of security implementation to a particular SCADA
system may be entirely inappropriate for a differing system.
We have recommended many different ways that
security can be implemented into SCADA and HMIs
– Talks, classes, white papers, webinars, forums, Technical
Support, and individualized guidance on projects has been
available for quite some time

65. Diverse SCADA Projects Require
Different Types of Security Profiles
We recognize that customers use InduSoft Web
Studio in many different ways.
– This fact presents many differing security scenarios for our
customers
– A specific type of security implementation to a particular SCADA
system may be entirely inappropriate for a differing system.
We have recommended many different ways that
security can be implemented into SCADA and HMIs
– Talks, classes, white papers, webinars, forums, Technical
Support, and individualized guidance on projects has been
available for quite some time
– InduSoft now has on-demand engineering assistance available
on our website!

66. Services On Demand is Now Live!
Engineering assistance is available when designing
projects and implementing project security

67. Stay Informed…
How to get Product Update and Webinar Announcements

68. Stay Informed…
How to get Product Update Announcements

69. THANKS FOR ATTENDING!
Here’s how to contact us…

70. Email
(US) info@indusoft.com
(Brazil) info@indusoft.com.br
(Germany) info@indusoft.com.de
Support support@indusoft.com
Web site
(English) www.indusoft.com
(Portuguese) www.indusoft.com.br
(German) www.indusoft.com.de
Phone (512) 349-0334 (US)
+55-11-3293-9139 (Brazil)
+49 (0) 6227-732510 (Germany)
Toll-Free 877-INDUSOFT (877-463-8763)
Fax (512) 349-0375
Germany
USA
Brazil
Contact InduSoft Today

71. Email
(US) info@indusoft.com
(Brazil) info@indusoft.com.br
(Germany) info@indusoft.com.de
Support support@indusoft.com
Web site
(English) www.indusoft.com
(Portuguese) www.indusoft.com.br
(German) www.indusoft.com.de
Phone (512) 349-0334 (US)
+55-11-3293-9139 (Brazil)
+49 (0) 6227-732510 (Germany)
Toll-Free 877-INDUSOFT (877-463-8763)
Fax (512) 349-0375
Germany
USA
Brazil
Contact InduSoft TodayEmail richard.indusoft@gmail.com if you
would like to request a copy of this
presentation or with other questions.

72. Email
(US) info@indusoft.com
(Brazil) info@indusoft.com.br
(Germany) info@indusoft.com.de
Support support@indusoft.com
Web site
(English) www.indusoft.com
(Portuguese) www.indusoft.com.br
(German) www.indusoft.com.de
Phone (512) 349-0334 (US)
+55-11-3293-9139 (Brazil)
+49 (0) 6227-732510 (Germany)
Toll-Free 877-INDUSOFT (877-463-8763)
Fax (512) 349-0375
Germany
USA
Brazil
Contact InduSoft TodayEmail richard.indusoft@gmail.com if you
would like to request a copy of this
presentation or with other questions.
The upcoming InduSoft webinar tomorrow
(Feb 18th) month will focus on Engineering
Services and how you can get the most out
of them. Visit: http://www.indusoft.com

73. Email
(US) info@indusoft.com
(Brazil) info@indusoft.com.br
(Germany) info@indusoft.com.de
Support support@indusoft.com
Web site
(English) www.indusoft.com
(Portuguese) www.indusoft.com.br
(German) www.indusoft.com.de
Phone (512) 349-0334 (US)
+55-11-3293-9139 (Brazil)
+49 (0) 6227-732510 (Germany)
Toll-Free 877-INDUSOFT (877-463-8763)
Fax (512) 349-0375
Germany
USA
Brazil
Contact InduSoft TodayEmail richard.indusoft@gmail.com if you
would like to request a copy of this
presentation or with other questions.
The upcoming InduSoft webinar tomorrow
(Feb 18th) month will focus on Engineering
Services and how you can get the most out
of them. Visit: http://www.indusoft.com
Join our webinars and we will send you an
InduSoft webinar series Tee-Shirt!

74. Next: STEPHEN MILLER
SCADA Cybersecurity Framework

75. CAE-2Y Accredited

76. Topics Covered
• E-Book Purpose
• Key Objectives
• Outline Of Content
• Training Plans
– Cybersecurity Programs
– Boot Camp
• About ENMU-Ruidoso
• Q & A?
76
CAE-2Y Accredited

77. E-Book Purpose
• Provide a quick reference guide to the
framework
Promote awareness of
• Cybersecurity Critical Infrastructure Framework
• SCADA Cybersecurity threats and vulnerabilities
• The importance of risk assessments
• How to use the framework
• Look into applying security to Indusoft Web Studio
77
CAE-2Y Accredited

78. Key Objectives
• Knowledge of SCADA and cybersecurity
environment
– Types of SCADA systems
– Threats and risks
Understanding of framework
Knowledge of tools and processes for risk
analysis
Ability to apply risk management processes to
obtain the right framework tier for an
organization 78
CAE-2Y Accredited

79. Outline Of Content
• Chapter 1 - SCADA Cybersecurity Introduction
and Review
– What is SCADA
• How it works, In Depth Look, field devices, control units, HMI
– Overview of Cybersecurity Vulnerabilities
• Security Challenges, Understanding & defining information security,
Cyber Threat Source to Control/SCADA Systems, GAO Threats, Attacks
& Defenses, Vulnerability Scanning vs Penetration Testing
– Understanding Control System Cyber Vulnerabilities
• Gaining control of SCADA Systems, Categories of SCADA Systems
79
CAE-2Y Accredited

80. Information security components

81. Gov’t Acct. Office
Threat Table

82. Steps of a cyberattack

83. Geographic Layer

84. Physical Network Layer

85. Logical Network Layer

86. Cyber Organization/Personal
Layer “Internet of Things”

87. One individual…
…with multiple,
complex relationships
to other levels of the
environment...
…that also change over time.

88. Control System Environment

89. Three Categories of SCADA Systems
Modern/Common Diagram Modern/Proprietary Diagram
Legacy/Proprietary
Diagram

90. Outline Of Content
• Chapter 2 – Cybersecurity Framework
Introduction
• Framework Introduction
– Executive Order 13636 (EO), “Improving Critical
Infrastructure Cybersecurity”
• Risk Management Process
• The Cybersecurity Framework
90
CAE-2Y Accredited

91. Overview of the Framework

92. Risk Management Decomposition Diagram

93. Outline Of Content
• Chapter 3 – Cybersecurity Framework Basics
– Basic framework overview
– Framework core
CAE-2Y Accredited

94. Business Process Management (BPM)
Approach to the Framework

95. How Does it All Come Together?

96. Outline Of Content
• Chapter 4 – How to Use
the Framework
Basic Review of
Cybersecurity Practices
Establishing or
Improving a
Cybersecurity Program
Communicating
Cybersecurity
Requirements with
Stakeholders
CAE-2Y Accredited

97. Using the CSET Tool for Risk Management
and Future Framework Analysis

98. Select Standard(s)
 NIST Framework for Improving Critical Infrastructure Cybersecurity V1 (Recommended)
 NIST Special Publication 800-53 Rev 3 and NIST Special Publication 800-53 Rev 3 App l
 NIST Special Publication 800-53 Rev 4 and NIST Special Publication 800-53 Rev 4 App l
 Consensus Audit Guidelines (CAG)
 Components Questions Set
 CFATS Risk Based Performance Standard (RBPS) 8: Chemical Facilities Anti-Terrorism Standard, Risk- Based Performance Standards
Guidance 8 - Cyber, 6 CFR Part 27
 CNSSI No. 1253 Baseline
 CNSSI No. 1253 Industrial Control System (ICS) Overlay V1
 Catalog of Recommendations Rev 7 – (DHS Catalog of Control Systems Security: Recommendations for Standards Developers,
Revisions 6 and 7)
 INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry Key Questions Set
 DoD Instruction 8500.2 Information Assurance Implementation, February 2, 2003
 ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security Evaluation, Revision 3.1
 NERC Reliability Standards CIP-002-009 Revisions 3 and 4
 NIST Special Publication 800-82 Guide to Industrial Control Systems Security, June 2011
 NIST Special Publication 800-82 Rev 1
 NIST Special Publication 800-82 Rev 2 (Draft)
 NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS
Controls
 NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
 NEI 0809 Cyber Security Plan for Nuclear Power Reactors
 TSA Pipeline Security Guidelines April 2011
 Universal Questions Set

99. Outline Of Content
• Chapter 5 – Indusoft Security Guide
– Embedded in this chapter.
• Appendix (Framework Core, CSET Tool, References, and Glossary)
CAE-2Y Accredited

100. CSET 6.1 Tool
100
https://ics-cert.us-cert.gov/Assessments
CAE-2Y Accredited

101. ENMU-Ruidoso
Cybersecurity Programs
• Computer and Network Security Certification Program (Online) Credited or
Self-paced ($2,495)
• Associates of Applied Science Degree - Information Systems Cybersecurity
• The programs are designed to prepare students as:
– Information Systems Security (INFOSEC) Professionals NSTISSI No. 4011
– CNSSI No. 4016 Entry Level Risk Analysts
– CAE-2Y Information Assurance/Cyber Defense Accredited
• IS 131: Network Security Fundamentals-3
• IS 136: Guide to Disaster Recovery- 3
• IS 153/L: Introduction to Information System- 4
• IS 253: Firewalls and How They Work- 3
• IS 257: Network Defense and Counter Measures- 3
• IS 258: Cyber Ethics, Professionalism, and Career Development- 3
• IS 285: Ethical Hacking – 3
• IS 289: Capstone/Internship/NCL Cybersecurity Challenge
CAE-2Y Accredited

102. Training Plans:
Boot Camp
Four day Boot Camp covering:
• Course Orientation and Introduction to Cybersecurity and SCADA
• CompTIA-Security+ Key Topics
• SCADA Cybersecurity Recommended Practice/ Infrastructure
Guiding Principles/National Infrastructure Protection Plan
– IS-821 Critical Infrastructure and Key Resources Support Annex
– IS-860.a National Infrastructure Protection Plan (NIPP)
• Cybersecurity Critical Infrastructure Framework / CAP
Process/Intro to a SCADA Product (IDUSOFT)
• CSET Department of Homeland Security Risk Assessment Process
and Tools Using the Cybersecurity Critical Infrastructure Framework
102
CAE-2Y Accredited

103. About ENMU-Ruidoso
 The National Security Agency and the Department of Homeland
Security have designated Eastern New Mexico University - Ruidoso
 National Center of Academic Excellence in Information
Assurance/Cybersecurity Defense through academic year 2019. “CAE-2Y”
 Based on the universities ability to meet the increasing demands
of the program criteria will serve the nation well in contributing to
the protection of the National Information Infrastructure.
 Meets the eleven Knowledge Units learning objectives
 Recognized by the National Initiative in Cybersecurity Education
(NICE) as a certified Training Institution for the NIST National
Cybersecurity Workforce Framework.
 http://csrc.nist.gov/nice/index.htm
103
CAE-2Y Accredited

104. ENMU-Ruidoso Foundation
Foundation, as noted below.
If you find this ebook useful in your business, tax deductable donations to the
university 501 (c) (3) foundation are encouraged by contacting:

105. http://www.us-cert.gov/control_systems/csstandards.html
CAE-2Y Accredited