Index
A
Advanced Local Emergency Response Team (ALERT), 233
American National Standards Institute (ANSI), 210
Ammonium Nitrate and Fuel Oil (ANFO), 243
Animal Liberation Front (ALF), 236
attack techniques, in SCADA systems
key-logger software, 183
Man-In-The-Middle Attacks (MITM), 182
Awareness intra-preneur, 162
B
battery-operated lights
handheld lights, 210–307
headlamps, 210–308
illumination lamps, 210
spots and floodlights, 210
BHMA/ANSI Standards
for auxiliary locks, 210
for high security locks, 210–211
for security locks, 201–202
transformation of convention lock, 203
156.30 version
deficiencies, 214–215
destructive testing, 213
key control, 213
surreptitious entry resistance tests, 214
Bilevel®, 200
BiLock®, 199
biometric authentication systems, SCADA security
comparison parameters, 258–260
description of, 255–256
factors for authentication, 257
measurement tools
DNA sampling, 262
facial recognition, 261–262
fingerprints analysis, 263
parameters used, 257–258
voice analysis, 262–263
minutia measurement, 271–272
vulnerabilities
device tricking, 266–268
electronic manipulation, 268–269
identity theft, 269–272
biometric signature, 269–270
blasting caps, 241–242
bomb threat planning
explosive device components
container, 240
initiator, 241–242
main charge, 242–243
power source, 240
switch, 241
target hardening
delivery, 246
employee identification, 246
interior doors, 246–247
mail rooms, 247
outside of work environment, 245
using camera, 246
terrorist profiles
domestic terror targets, 236
formalized terror groups, 237
International terror targets, 236–237
terror target classification
commercial and transportation targets, 239
infrastructure target, 238
statement target, 237–238
British Columbia Institute of Technology (BCIT), 174–175
Builders Hardware Manufacturers Association (BHMA), 210
business defense plan, 233–289
C
Charlotte Fire Department (CFD), 233
communication protocols, in SCADA, 70–71
conventional pin tumbler lock
components of, 193
essentials for design, 196–197
mechanism of, 192
security enhancements
anti-bumping pins, 197
bitting design, 199–200
design of key, 200
keyways, 199
security pins, 198
vs. high security lock, 202–204
covert entry, 192
Crime deterrent technique, 244
Critical Infrastructure Information (CII) Act of 2002, 99–100
D
Diamant®, 201
distributed control system (DCS), 66–67
double-detainer locking theory, 195
E
Egyptian pin tumbler lock, 194–195
electronic manipulation authentication, 268–269
emergency planning
communication
dynamo radio, 236
family radio service (FRS) radio, 236
ham radio, 236
plain old telephone system (POTS) line, 236
specific area message encoding (SAME) alert radio, 236–315
cooking, 236–301
family
communication, 236–293
community shelter, 236–295
evacuation bag, 236
fire plan, 236
ready kit, 236–304
testing, 236–302
lighting
candles and other sources, 236–305
flashlight, 236
handheld lights, 236–307
headlamps, 236–308
illumination lamps, 236–309
light sticks, 236
spots and floodlights, 236
pantry
food, 236–299
water, 236–300
personal
escape packs, 236–287
safety, 236–285
power
alternative power sources, 236–314
inverter generator, 236–311
portable and backup electric generators, 236
portable 12-volt inverters, 236–313
UPS and battery backup, 236
threats, 236–283
workforce
business defense plan, 236–289
evacuation, 236–292
first-aid kits, 236
Environmental Liberation Front (ELF), 236
event loggers, 67–68
F
facial recognition technology, 261–262
fear-uncertainty-doubt (FUD) factor, 103
firewall architectures
application-level gateway, 85–86
circuit-level gateway, 84–85
deep packet inspection firewall, 88
intrusion prevention system (IPS), 87
stateful packet filtering, 83
static packet filter, 82–83
unified threat management (UTM), 89
firewall security infrastructure, 85–86
G
generic pin tumbler mechanism, 192
Gramm-Leach-Bliley Act, 159
H
hand geometry biometric system, 263
Health Insurance Portability and Accessibility Act (HIPAA), 272
hybrid controllers, 67
I
IDS/IPS devices, 181
Information delivery channels, 146
Information security awareness program
Awareness Standard, 150–151
business plan presentations, 147–148
and communication failure, 157
company intranet, 154
designing, 143–145
financial (money) source for, 148–149
implementation of, 155–156
importance, 140–141
information delivery channels, 146
internal consultants, 161
Manager’s Quick Reference Guide, 158
materials for, 155
online orientation program, 154
program measurement
awareness quotient survey, 165
progress of program, 166
quality management process, 164
Quick Reference Guide
key topics, 152
post-acceptance package, 157
sensitive information, 153
stopgap solution, 147
Information Security Web site, 154
Insider information theft, 234
Instakey®, 199
Internal and external Security Incidents, 174
International Engineering Consortium (IEC), 66
Internet protocol Ethernet, 177
K
Kaba Peaks®, 199
Keso®, 197
key-logger software, 183
keystroke readers, 28–31
Kwikset, 197
L
Letter of Authorization (LOA), 120
locks, in SCADA systems
Abus Diskus No. 24 lock, 9–10
key control, 3–4
lock-picking equipment, 13–15
operation of, 4–5
pin tumbler Master brand padlock, 7
Sargent & Greenleaf 8077AD, 10–12
warded padlock, 8
M
Manager’s Quick Reference Guide, 158
Man-In-The-Middle Attacks (MITM), 182
Medeco®, 197
modern pin tumbler lock
essentials for design, 196–197
shear line and pins, 195
vs. Egyptian lock, 194–195
N
National Institute of Standards and Technology (NIST), 98
National Security Agency (NSA), 97
NERC Critical Infrastructure Protection (CIP) Standards, 99
O
Organizational Information Criticality Matrix (OICM), 110
organizational vulnerabilities
documentation review and interviews, 123
system demonstrations and observations, 124
Organization for Optimal Power Supply (OOPS)
business description and mission statement, 108
critical information, 109
critical systems/networks, 113–116
impact considerations, 110
OICM, 112–113
organizational criticality, 113
P
physical security, in SCADA systems
dumpster diving process, 18–20
key control in locks, 3–4
operation of locks, 4–5
social engineering skills
corporate/agency phonebooks, 23–24
drop ceilings, 28
employee badges, 20–21
for internal auditor, 40
keystroke readers, 28–31
in Manholes, 37–39
motion-sensing light controls, 33–34
private branch exchange (PBX), 31–32
video security logs, 32–33
piggybacking, See tailgating technique
pin stack, 195
pin tumbler lock
components of, 193–194
conventional cylinder, 197
design of key, 200
essentials for design, 196–197
mechanism of, 192
modern, 194–195
Pipe bombs, 244
Programmable Logic Controllers (PLC)
continuous control applications, 65–66
discrete control applications, 65
Q
Quick Reference Guide
key topics, 152
post-acceptance package, 157
sensitive information, 153
R
retinal scan technology, 263
S
SCADA security
biometric authentication systems
biometric signature, 269–270
comparison parameters, 258–260
device tricking, 266–268
DNA sampling, 262
electronic manipulation, 268–269
facial recognition, 261–262
fingerprint analysis, 263
minutia measurement, 271–272
voice analysis, 262–263
information protection requirements, 98–100
logical flow diagram, 100
on-site assessment process
NSA baseline INFOSEC classes and categories, 123
organizational vulnerabilities, 123–124
technical vulnerabilities, 124–127
post assessment process
conducting analysis, 127–128
final report creation, 128
pre-assessment process
assessment plan components, 120–122
critical information, 107–109
critical systems/networks, 113–116
impact considerations, 109–110
information criticality matrix, 110–113
legal authorization, 120
logical and physical boundaries, 117
organizational mission, 107
rules of engagement, customer concerns, and constraints, 117–120
pre-project process
baseline/repeated assessment, 106
gaining management, 102–103
regulatory and policy requirements, 105
researching organization, 104
vetting assessment request, 102
primary phases, 101
resources, 129
Schlage Everest®, 199
Secure network management
business partner links, 180
configured firewalls, 180
corporate VPNs, 179
database links, 179–180
network access control, 176
RTU, dial-up access, 178
secure wide area network perimeter, 175
transmitting non-routable protocol, 176–177
two-factor authentication, 176
vendor support agreements, 178
wide area network perimeter, 175
Security Event Management System (SEMS), 180–181
security pins, 198
security vulnerabilities, 126
Sequel Query Language (SQL), 180
Six Sigma quality management process
awareness quotient chart, 165
paper mailer survey, 164
progress of program, 166
Slurries and ditching charges, 243
sound amplification devices
amplified listening device, 35
radioshack amplified listener, 36
Supervisory Control and Data Acquisition (SCADA) systems, 238
applications for, 63–64
attack techniques
key-logger software, 183
Man-In-The-Middle Attacks (MITM), 182
backup and recovery of, 176
challenges of, 173
communication protocols, 70–71
components
distributed control system (DCS), 66–67
event loggers, 67–68
hybrid controllers, 67
Programmable Logic Controllers (PLC), 65–66
Remote Terminal Unit (RTU), 65
components and functions of, 173
controlling access, 177
firewall architectures
application-level gateway, 85–86
circuit-level gateway, 84–85
deep packet inspection firewall, 88
intrusion prevention system (IPS), 87
stateful packet filtering, 83
static packet filter, 82–83
unified threat management (UTM), 89
firewall tool
definition, 78
multi-network connectivity, 79–80
positive and negative security models, 79
reactive and proactive solutions, 80–81
internal and external security incidents, 174
law enforcement on, 172–183
network architecture, 68–70
risk determination
active scanning, 75–76
passive scanning, 76
risk mitigation, 76–78
roles in industries, 62
security issues
British Columbia Institute of Technology (BCIT) report, 71–72
disadvantages, 75
high-level weaknesses, 74
security policy, 77–78
TCP/IP error handling, 73
vs. distributed control systems, 67
T
tailgating technique, 21
technical security, in SCADA systems
destroyed disk drive, 16–17
digital Shredder device, 15–16
EDR’s disk destroyer, 18
sound amplification devices, 35–36
technical vulnerabilities, 124
customer communication, 127
enumeration activities, 125
tools for IEM baseline activities, 127
vulnerability identification activities, 125–126
terror targets, classification
commercial and transportation targets, 239
infrastructure target, 238
statement target, 237–238
touch point communications, 156
3T2R rule, 211
U
U-Change®, 199
UL (Underwriters Laboratories) 437 Standards
deficiencies
bump key attacks, 207
decoding attacks, 208
forced entry resistance test, 206
key control, 208–209
mechanical bypass, 209
picking and impressioning techniques, 205–206
test by criminals, 204–205
for security locks, 201–202
transformation of convention lock, 203
unified threat management (UTM)
in firewall SCADA systems, 89
reactive signature-based systems, 81
V
W
Water Infrastructure Security Enhancement (WISE), 99
workforce continuity
planning, 234
Y
Yale pin tumbler lock, See modern pin tumbler lock
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.