This week we will be learning about Industrial Control Systems, both critical and non-critical. Several challenges in securing these systems include accurately identifying critical vs. non-critical ICS systems and identifying the unique challenges that exist in securing Industrial Control Systems as compared to business systems.  To participate in this discussion, please complete the following steps:

• First, read the document titled, PureLand Cyber Security Case Studyavailable on the main menu in the PureLand Case Study area.
• Within the discussion board for Introduction to PureLand Case Study, create a new thread and post your thoughts that cover the following points:
  • Do you feel the computer(s) used to control the sterilization process PureLand uses with a highly toxic chemical would be considered a critical or non-critical asset and why?
  • Identify what organization regulates the industry where this ICS is used. 
  • Explain two unique challenges that exist securing the PureLand Industrial Control System as compared to business systems.

 

 

PureLand Wastewater Treatment
Cyber Security Case Study Company Summary
PureLand Wastewater Treatment Inc. (est. 2001) is a company providing years of experience in
all aspects of Wastewater Treatment with special emphasis on the Chemical Manufacturing and
Biological Fermentation industries. We are a flexible, responsive organization with a network of
resources to handle any size project. Each project is approached by utilizing our strong
sterilization and engineering skills while drawing on our background in Operations, Service,
Validation, and Quality to provide solutions for all of your Wastewater Treatment needs. We
provide personal attention to ensure customer satisfaction in all services and equipment we
supply. Security Concerns
PureLand has special security concerns due to the highly toxic nature of some of the chemicals
they use to sterilize and treat wastewater streams for their customers. Although Physical Security
has always been on their radar and relatively strong, Cyber Security has not been something that
they were particularly concerned about. After all, the chemicals they use to do their work were
not proprietary so they had little concern about theft of intellectual property or trade secrets
being compromised.
All this changed recently when PureLand executives and operations folks were contacted by the
Department of Homeland Security (DHS) in regard to a particularly toxic chemical they use to
sanitize Wastewater in biologically hazardous processes-Chlorine Dioxide. DHS officials were
aware of their use of the chemical because of publicly available waste treatment permits
provided to PureLand by the EPA. As it turns out, Chlorine Dioxide is on the DHS Chemical
Facility Anti-Terrorism Standards (CFATS) list of chemicals of interest because of the risks
associated with chemical release or sabotage using this chemical. PureLand was aware Chlorine
Dioxide was a very dangerous chemical, but they had never considered Cyber Terrorism or theft
of the chemical for sabotage when completing prior risk assessments. The implications of this
were quite serious for PureLand, as they now are required by Federal law to comply with both
Physical and Cyber Security regulations related to their use of this chemical of interest. DHS
officials made PureLand aware of their obligations and informed them that they would be subject
to an audit by DHS within eighteen months that would assess their compliance with CFATS
regulations. If compliance was not achieved within 12 months of the initial audit, PureLand
would be subject to huge fines and penalties that could include closure of their facility. PureLand Reaction
The PureLand Executives were quite alarmed by the news and immediately formed an internal
team to create a Cyber Security improvement and compliance plan. The team researched the
issue and reviewed the information provided by DHS around security standards. The first
objective was to use a tool provided by DHS to perform a Cyber Security Self Evaluation on
their computing systems. The hope was that by using this free tool, they could get some insight
on the most critical Cyber Security gaps that existed and potentially provide a road map on
where to focus their security improvement plan. A team of system administrators, security
professionals, and management representatives worked on the Cyber Security Self Evaluation
over a period of two days. Cyber Security Self Evaluation Results
The results of the Self Evaluation were very disturbing for the entire team. The evaluation
reported varying levels of compliance from 0% to 100%, but it was very clear that they had their
work cut out for them. The leadership team met with the IT staff and their IT Security Analyst,
and it was decided that they didn’t have the internal staffing or appropriate skillset to implement
the needed security improvements within one year. The decision was made to hire an outside
consultant to help devise and implement a Cyber Security improvement plan that would achieve
these critical objectives:
1. Reduce their risk from Cyber Security incidents to an acceptable level
2. Achieve compliance with CFATS regulations
3. Minimize negative impacts to production and safety Path Forward
As the outside consultant, it’s your job to lead the effort to create the Cyber Security
improvement plan per the objectives laid out in the accompanying document: Developing Cyber
Security Improvement Plan for Industrial Control System - Case Study.
You’ll focus your efforts by studying the PureLand Cyber Security Assessment which includes
various tables and charts indicating the areas of most concern. PureLand has contracted you to
provide two major deliverables for this contract:
1. Industrial Control System Cyber Security Improvement Plan (Detailed requirements
included in document – ICS security improvement case description)
2. Presentation to key stakeholders one week prior to formal plan presentation

Attachments:

• 1493276240-PureLand Cyber Security Case Study1.doc