
A.  Describe the policies adopted as a result of your implemented project.

1.  Summarize how the solution improves cybersecurity decision-making.

B.  Describe how your solution meets the following cybersecurity assurance criteria:

•   promotes automation in cybersecurity

•   improves and modernizes security

•   implements industry-standard security tools and infrastructure or environment

C.  Explain how your solution addresses the following data collection and implementation elements:

•   collects digital evidence, including data for analysis or forensics

•   implements confidentiality, integrity, and availability

D.  Explain how your solution investigates and mitigates cybersecurity incidents or crimes within the environment where the solution was implemented.

E.  Describe the cybersecurity plans, standards, or procedures that were developed for the solution.

1.  Explain how the solution is aligned with cybersecurity initiatives or regulatory compliance in the environment where the solution was implemented.

2.  Summarize the applications, tools, installation guides, or user guides you developed in conjunction with the solution.

F.  Discuss the post-implementation environment, including the new systems implemented, new processes developed, or network diagrams created demonstrating the new infrastructure.

1.  Describe how the solution improved the security posture and efficiency of the organization.

2.  Analyze the new data (e.g., new reports, logs, processes in place) collected, including how the solution will affect business processes.

3.  Describe the summative evaluation plan from Task 2, including the test results and a plan of action to correct any weaknesses or deficiencies.

4.  Discuss post-implementation risks, including their likelihood, organizational impact, and mitigation.

5.  Explain how the security solution meets each of the project stakeholders' needs, including a description of the stakeholder needs as identified in Task 2.

G.  Describe the post-implementation maintenance plan for the solution.

H.  Provide one original artifact (e.g., security policy, procedure, network diagram) of the completed project.

I.  Acknowledge sources, using in-text citations and references, for content that is quoted, paraphrased, or summarized.

DDN1: Capstone Topic Approval and Release Forms

Cybersecurity Graduate Capstone

Topic Approval Form

The purpose of this document is to help you clearly state the research question for this capstone project, as well as your project’s scope and timeline, to ensure these align with your degree emphasis. While you may not have a complete and realistic overview of your project at this time, the acceptability of your project for the purposes of this course cannot be accurately assessed without clearly defining each of these areas. Many students use a project they have already completed within the past two years. If you choose a finished project, you will write the proposal as if the project is not yet complete. Then, when you report on your project, use your complete after-implementation report.

If you have not yet started your project, this document can help ensure the scope is in the acceptable range for this capstone. An instructor must approve this form before you submit your capstone for evaluation. The task will not be evaluated without an instructor’s signature. The instructor may ask for additional information before approving the form.

Capstone Project Name: Evaluating Compensating Controls for Insecure SCADA Protocols

Project Topic: Assessing the security risks of legacy SCADA protocols and proposed mitigations

Summary of the Problem: Supervisory Control and Data Acquisition (SCADA) systems are the primary technology used to manage sensitive and critical infrastructure such as power generation, oil and gas operations, water treatment, and many manufacturing applications. The use of legacy, insecure communication protocols such as Modbus and DNP3 is extremely common in these environments. Security was not a design consideration when these protocols were created, so they commonly lack authentication, encryption, and data-integrity verification (secure extensions such as DNP3 Secure Authentication and Modbus/TCP Security exist, but legacy field equipment rarely supports them). Used without additional controls in modern, interconnected systems, these protocols are prone to man-in-the-middle attacks, tampering, and unintended command execution: any host that can reach the control network can issue a valid write command. Because critical infrastructure is a multibillion-dollar industry, it is a prime target for malicious threat actors, and the risk grows rapidly as interconnection and remote access become more prevalent. Across the U.S. there have been numerous incidents involving SCADA-operated infrastructure, including the Colonial Pipeline ransomware attack, the Bowman Dam intrusion, and several water-sector intrusions. It is paramount that proper security measures are in place to mitigate, as far as possible, the risk of disruption to critical infrastructure.

Outline of a Technology-Supported Security Solution: Apply network segmentation using the Purdue Model as the reference architecture; deploy industrial next-generation firewalls (NGFWs) capable of deep packet inspection of ICS protocols, so that only expected protocol operations (for example, read-only Modbus function codes from a historian) cross zone boundaries; add intrusion detection systems and continuous monitoring; and require VPN-based, authenticated remote access instead of direct exposure of control-network services.
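The following Python example illustrates both halves of the argument above: why a Modbus/TCP write command from any reachable host is accepted (the frame carries no credential, signature or integrity check), and what a deep-packet-inspection allow-list on an industrial firewall adds as a compensating control. It is an added example, not part of the capstone form and not any vendor's firewall code. The Modbus/TCP framing follows the public Modbus specification; the policy table, host addresses (10.0.3.x) and sample frames are constructed for illustration.

```python
"""
Modbus/TCP function-code allow-listing as a compensating control.

Added example, not part of the capstone form and not any vendor's
firewall code. Modbus/TCP framing (MBAP header followed by a PDU)
follows the public Modbus specification; the policy table, the host
addresses and the sample frames are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Tuple

# Function codes from the public Modbus specification.
FC_READ_COILS = 0x01
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                   FC_WRITE_MULTIPLE_REGISTERS}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(transaction_id: int, unit_id: int,
                  function_code: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request: 7-byte MBAP header + PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2,
    counts unit id + PDU), unit id (1). There is no field anywhere for
    a credential, a signature or a MAC: this frame is all a PLC needs.
    """
    pdu = bytes([function_code]) + data
    header = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse and sanity-check a Modbus/TCP request frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit_id, frame[7], frame[8:])


# Constructed policy: (source host, unit id) -> permitted function codes.
# An industrial NGFW doing Modbus deep packet inspection enforces a table
# of exactly this shape between Purdue levels.
POLICY = {
    ("10.0.3.10", 1): {FC_READ_COILS, FC_READ_HOLDING_REGISTERS,
                       FC_WRITE_SINGLE_COIL},                       # HMI: may write coils
    ("10.0.3.20", 1): {FC_READ_COILS, FC_READ_HOLDING_REGISTERS},  # historian: read-only
}


def decide(src_ip: str, frame: bytes, policy=POLICY) -> Tuple[str, str]:
    """Return ("ALLOW" | "DROP", reason) for a frame seen from src_ip."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "DROP", f"malformed frame: {exc}"
    allowed = policy.get((src_ip, req.unit_id))
    if allowed is None:
        return "DROP", f"no policy entry for {src_ip} -> unit {req.unit_id}"
    if req.function_code not in allowed:
        kind = "write" if req.function_code in WRITE_FUNCTIONS else "read"
        return "DROP", f"{kind} function 0x{req.function_code:02x} not permitted for {src_ip}"
    return "ALLOW", "permitted by policy"


# Constructed sample frames. Nothing in them identifies or authenticates
# the sender; without the policy above, the PLC executes both.
HMI_WRITE_COIL = build_request(1, 1, FC_WRITE_SINGLE_COIL,
                               struct.pack(">HH", 0x0010, 0xFF00))   # coil 16 -> ON
ROGUE_WRITE_REGISTER = build_request(2, 1, FC_WRITE_SINGLE_REGISTER,
                                     struct.pack(">HH", 0x0001, 0x1234))

if __name__ == "__main__":
    for src, frame in [("10.0.3.10", HMI_WRITE_COIL),
                       ("10.0.3.20", HMI_WRITE_COIL),
                       ("10.0.3.99", ROGUE_WRITE_REGISTER)]:
        verdict, reason = decide(src, frame)
        print(f"{src} fc=0x{frame[7]:02x}: {verdict} ({reason})")
```

The allow-list does not add authentication to Modbus; it narrows who can reach the PLC and with which operations, which is the point of a compensating control. A spoofed source address from inside the same zone still passes, which is why the policy belongs on a segmentation boundary and is paired with an IDS that alerts on write function codes from unexpected hosts.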

Context: Explain why the situation or question would benefit from your security solution. The dated protocols are an absolute requirement for some SCADA systems to function correctly. Replacing them with newer technology often is not immediately possible, so compensating controls must be put in place to strengthen security as far as the environment allows. Since the systems must keep running and the protocols themselves cannot be altered, defense in depth is the best practice.

Stakeholders: Identify the project stakeholders. Stakeholders include SCADA operators, owners, and engineers; IT; incident response teams; C-suite personnel; and risk management.

Project Plan: Describe the project plan, scope, goals, and objectives. Describe SCADA systems and where they are used; identify security weaknesses and the risks associated with them; introduce technologies and strategic compensating controls; and describe defense in depth, how it reduces the attack surface, and the residual risk that remains.

Methodology: Outline the project approach. Research currently accepted strategies and best practices, and examine case studies where failures have occurred. Use threat modeling to assess attack vectors specific to ICS environments.

Implementation Plan: Identify the project phases. Collect data on SCADA protocols; identify vulnerabilities and their impact on the CIA triad; build a threat model; select the most practical defense strategy; evaluate how well the mitigations reduce risk; document findings.

Project Outcomes: List the key anticipated project outcomes and deliverables in 500 words or less. Expected outcomes from this capstone include a detailed analysis of the security risks of SCADA/ICS systems, a threat model focused on SCADA systems, best-practice mitigation strategies, an assessment of residual risk within specific SCADA systems, a review of past failures, and a framework describing what can be done with current systems without completely replacing technology or infrastructure.

Sources: Include a list for all references and citations that support the summaries above and are used in-text and as outside sources. NIST SP 800-82, CISA ICS advisories, the MITRE ATT&CK for ICS framework, case studies relevant to SCADA systems, and reports on previous SCADA attacks.
