Dawn of a New Paradigm: Developing a Security Program for Industrial Control Systems
Author: Baldwin Turner

March 27-29, 2012 – Irving, TX

#GridSec

GridSec 2012

Recent News
• The Stuxnet wake-up call in 2010
• Smart Grid vulnerability reports
  – Chinese code snippets ???
• 2011 Ponemon Institute Study – energy and utility companies: data breaches are widespread.
• ICS-ALERT-12-020-01 – S4 DISCLOSURE
  – Disclosed vulnerabilities in multiple key ICS device vendors

eRoadmap Security Vision
• By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.

NERC Long-Term Reliability Report

2009 – 2018 Key Emerging Reliability Issues


Barriers & Stumbling Blocks
• Cyber threats are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures
• Security upgrades to legacy systems are limited
  – Inherent limitations of the equipment and architectures
• SCADA / DCS / Operations require “always up” systems
  – Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations

Barriers & Stumbling Blocks
• Threat, vulnerability, incident, and mitigation information sharing is insufficient among government and industry
• Weak business case for cybersecurity investment by industry
  – Cybersecurity is challenging to justify to Senior Management
• Regulatory uncertainty in energy sector cybersecurity
• Faulty assumption that it is all about compliance and not security

Regulatory uncertainty
• Resistance is futile, you will be assimilated
  – NERC CIP version 3 now
    • Version 4 ???
    • Version 5 by 2015 – MAJOR CHANGES!!!
  – SOX – now
  – NIST 800 convergence is happening
    • Influencing FERC / NERC when ???
  – FIPS 199
  – CFATS / SAICM ???
  – ISO 27001
  – ISO 27006 ???

Building Blocks

• Architectural approach – integrating solution into the fabric of the network.
  – Largely self-defending
    • Minimal human intervention – AUTOMATE, AUTOMATE, AUTOMATE
  – Process change – strategic planning
    • Anticipating where Industrial Control System Security is going.
    • Incorporate evolving ICS security technology / procedures
  – OT / IT collaboration needs to take place on the network.
    • Integration
    • Monitoring
    • Auditing

Building Blocks
• Security Information Management solutions (SIM / SIEM)
  – Evolving beyond “card catalog” for security events.
    • Multiple views of data – based on job function
    • Value-based analysis applications
    • Data sources more inclusive than just security events.
  – Distinguish between prioritized ICS-related / business-related risk and non-emergency events
  – Get views of actionable information to the correct people
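The SIEM bullets above describe a capability rather than an implementation. The following Python sketch is an added example, not code from the presentation or from any product it names: it joins events from several sources with an asset inventory and an approved-change calendar (a data source that is not a security event), separates prioritized ICS- or business-related risk from non-emergency events, and produces per-job-function views. Every asset name, severity weight, threshold, log line and view mapping is constructed for the illustration.

```python
"""Added illustration (not from the GridSec slides): a minimal SIEM-style triage
step that joins security events with non-security context, separates
prioritized risk from non-emergency events, and builds per-role views.
All asset names, weights, thresholds and log lines are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed asset inventory: classification drives how an event is weighted.
ASSETS = {
    "plc-07":   {"zone": "ics",      "criticality": 5},
    "hmi-02":   {"zone": "ics",      "criticality": 4},
    "erp-db-1": {"zone": "business", "criticality": 3},
    "kiosk-11": {"zone": "business", "criticality": 1},
}

# Constructed change calendar: approved maintenance windows (host, start, end).
MAINTENANCE = [
    ("hmi-02", datetime(2012, 3, 27, 1, 0), datetime(2012, 3, 27, 4, 0)),
]

# Severity of each event type as reported by its source (1 = info, 5 = critical).
EVENT_SEVERITY = {"firmware_write": 5, "auth_failure": 2, "config_change": 4, "port_scan": 3}

# Which job function sees which zone; the compliance view gets every prioritized event.
VIEWS = {"ics_operations": {"ics"}, "it_security": {"business"}}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    source: str      # e.g. "ids", "winlog", "historian" (constructed source names)


@dataclass
class Triaged:
    event: Event
    score: int
    category: str    # "prioritized" or "non_emergency"
    reason: str


def in_maintenance(host: str, ts: datetime) -> bool:
    """True when the host has an approved change window covering ts."""
    return any(h == host and start <= ts <= end for h, start, end in MAINTENANCE)


def triage(ev: Event, threshold: int = 12) -> Triaged:
    """Score = source severity x asset criticality; change-window context downgrades expected activity."""
    asset = ASSETS.get(ev.host, {"zone": "unknown", "criticality": 2})
    severity = EVENT_SEVERITY.get(ev.kind, 1)
    score = severity * asset["criticality"]
    # Expected changes inside an approved window are kept for audit but not escalated.
    if in_maintenance(ev.host, ev.ts) and ev.kind in ("config_change", "firmware_write"):
        return Triaged(ev, score // 4, "non_emergency", "inside approved maintenance window")
    if score >= threshold:
        return Triaged(ev, score, "prioritized", f"{asset['zone']} asset, criticality {asset['criticality']}")
    return Triaged(ev, score, "non_emergency", "below risk threshold")


def build_views(triaged: list[Triaged]) -> dict[str, list[Triaged]]:
    """Route each triaged event to the job functions responsible for its zone."""
    views: dict[str, list[Triaged]] = {name: [] for name in VIEWS}
    views["compliance"] = []
    for t in triaged:
        zone = ASSETS.get(t.event.host, {}).get("zone", "unknown")
        for name, zones in VIEWS.items():
            if zone in zones or zone == "unknown":   # unknown assets go to every view
                views[name].append(t)
        if t.category == "prioritized":
            views["compliance"].append(t)
    return views


def parse_line(line: str) -> Event:
    """Constructed line format: '<iso timestamp> <source> host=<h> event=<kind>'."""
    ts, source, host_kv, kind_kv = line.split()
    return Event(datetime.fromisoformat(ts), host_kv.split("=", 1)[1], kind_kv.split("=", 1)[1], source)


# Constructed sample feed mixing an OT historian, Windows logs and an IDS.
SAMPLE_LOG = """\
2012-03-27T02:10:00 winlog host=hmi-02 event=config_change
2012-03-27T09:41:00 historian host=plc-07 event=firmware_write
2012-03-27T10:05:00 winlog host=erp-db-1 event=auth_failure
2012-03-27T10:06:00 ids host=kiosk-11 event=port_scan
"""


def run(log: str = SAMPLE_LOG) -> dict[str, list[Triaged]]:
    return build_views([triage(parse_line(l)) for l in log.splitlines() if l.strip()])


if __name__ == "__main__":
    for view, items in run().items():
        print(view)
        for t in items:
            print(f"  [{t.category}] {t.event.host} {t.event.kind} score={t.score} ({t.reason})")
```

On the sample feed the firmware write to the PLC is the only event that reaches the compliance view, while the HMI configuration change is kept in the ICS operations view with a reduced score because the change calendar says it was expected. Real deployments would replace the dictionaries with an asset database and a change-management feed, but the shape of the join is the same.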

Security Program Building Blocks (layered model, bottom to top; arrow: Build Up)

PROGRAM
• Executive Commitment
• Cross-Functional Security Oversight
• Funding
• Strategic Planning
• Charter

MANAGE
• Asset Risk Management (Life Cycle Approach)
• Security Skills
• Roles and Responsibilities
• Dedicated ISO
• Asset ID and Classification

DOCUMENT
• Policies
• Standards
• Procedures

EDUCATE
• Awareness Programs
• General Training
• Specialized Training – ICS/SCADA

PROTECT
• Technical Controls: Net, OS, DB, App
• Physical Controls
• Non-Technical Controls: Personnel, Procedures, Verbal/written, Elec Comm

DETECT
• Monitoring
• Intrusion Detection
• Auditing and Event Logging
• Reviews
• Compliance

RESPOND
• Incident Response
• Disaster Recovery
• Business Continuity

Program Layer
• Executive commitment to security
  – Management committed to “improve” security posture
  – Specific vision/objectives for meeting that goal – widely understood across the enterprise
  – Security activities linked to management objectives
• Key foundational documents are promulgated
  – Charter
  – Strategic plan
• Funding for security is well established
  – Security is included as part of larger plans/initiatives
  – Security funding is clearly identified
• Oversight by all Major Business Functions
  – Establish sense of communal responsibility to achieve security goals
  – Assign group and individual accountability for security progress
• Program is only as strong as the foundation

Measurement against standards
• 4-5: Advanced Security
  – Acute risk and loss potential; Advanced security program; Exceeds standards of good practice
• 3-4: Comprehensive Security (Enterprise Focus)
  – Regulatory compliance issues; Material risk; maintained and managed security program; meets standards of good practice
• 2-3: General Security (CIP version 3)
  – Measurable risk associated with data and ICS systems; meets minimum standards of due care
• 1-2: Technology Centric Security (IT Focus – not ICS)
  – Moderate risk, important data, financial exposure; Basic security process and technology deployed
• 0-1: Minimal Security
  – Smaller organization public data, low risk; minimal security process and controls

Where to go from here
• Start and do something
  – Avoid Analysis Paralysis
  – Worst case: “We have no evidence that our security has ever been compromised. We are compliant. We’ll stick with it and see what happens”
    • Be afraid; be very afraid.
• Become Pirates of the CIP CyberSea
  – DO NOT REINVENT THE WHEEL!!!
    • In-house development of security technology dies a painful death
  – Software piracy – BAD; Security & Compliance Piracy – GOOD
    • Learn & use what is out there
  – Use resources at end of presentation
  – Join Cyber Security groups mailing lists

Find & Use What is Out There
• Join Groups and email lists that provide Sector relevant information
  – Collaboration with those who have done or are doing the same thing.
  – Download FREE ICS and NERC security and compliance tools
    • Cyber Security Evaluation Tool (CSET)
    • Bandolier – Audit optimal security configuration for industrial control system (ICS) servers and workstations

Resources & References
• Industrial Control Systems Cyber Emergency Response Team
  – http://www.us-cert.gov/control_systems/ics-cert/
• Cyber Security Evaluation Tool (CSET) – DOWNLOAD and USE!!!!
  – http://www.us-cert.gov/control_systems/satool.html
• Ponemon Institute Survey
  – http://www.crn.com/news/security/229401212/critical-infrastructure-companies-plagued-by-securitybreaches-survey-finds.htm
• US-CERT Control System Security Program
  – http://www.us-cert.gov/control_systems/
• 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity
  – https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf
• ieRoadmap: Map energy delivery system cybersecurity efforts to specific milestones
  – https://www.controlsystemsroadmap.net/Pages/default.aspx
• ICS-CERT Training – Course descriptions and Calendar
  – http://www.us-cert.gov/control_systems/cscalendar.html
• DEC 2011 new SCADA Bugs
  – http://www.informationweek.com/news/security/vulnerabilities/232300653

Resources & References
• DHS – 2011 Blueprint for a Secure Cyber Future
  – http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf
• NERC Long Term Reliability Report
  – http://www.nerc.com/files/2009_LTRA.pdf
• ES-ISAC Electricity Sector Information Sharing and Analysis Center – VISIT Often; get on distribution and mailing lists
  – http://www.esisac.com/SitePages/Home.aspx
• Digital Bond (the guys who released the four 2012 ICS vulnerabilities at S4) – SCADA Research & Security Tools
  – http://www.digitalbond.com/tools/
  – http://www.digitalbond.com/tools/bandolier/ (funded significantly by DOE)
• SANS – IT Security training in all areas (includes SCADA Advanced Training & SCADA Security Summits)
  – http://www.sans.org/
• NERC – See CIP, CIP RSAWs, Alerts, CANs
  – http://www.nerc.com/
  – http://www.nerc.com/page.php?cid=2%7C20