Dawn of a New Paradigm: Developing a Security Program for Industrial Control Systems
March 27-29, 2012 – Irving, TX
#GridSec
GridSec 2012
Recent News
• The Stuxnet wake-up call in 2010
• Smart Grid vulnerability reports – Chinese code snippets ???
• 2011 Ponemon Institute Study – energy and utility companies: data breaches are widespread.
• ICS-ALERT-12-020-01 – S4 DISCLOSURE – Disclosed vulnerabilities in multiple key ICS device vendors
eRoadmap Security Vision
• By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.
NERC Long-Term Reliability Report
2009 – 2018 Key Emerging Reliability Issues
Barriers & Stumbling Blocks
• Cyber threats are unpredictable and evolve faster than the sector’s ability to develop and deploy countermeasures
• Security upgrades to legacy systems are limited
  – Inherent limitations of the equipment and architectures
• SCADA / DCS / Operations require “always up” systems
  – Performance/acceptance testing of new control and communication solutions is difficult without disrupting operations
Barriers & Stumbling Blocks
• Threat, vulnerability, incident, and mitigation information sharing is insufficient among government and industry
• Weak business case for cybersecurity investment by industry
  – Cybersecurity is challenging to justify to Senior Management
• Regulatory uncertainty in energy sector cybersecurity
• Faulty assumption that it is all about compliance and not security
Regulatory uncertainty
• Resistance is futile, you will be assimilated
  – NERC CIP version 3 now
    • Version 4 ???
    • Version 5 by 2015 – MAJOR CHANGES!!!
  – SOX – now
  – NIST 800 convergence is happening
    • Influencing FERC / NERC when ???
  – FIPS 199
  – CFATS / SAICM ???
  – ISO 27001
  – ISO 27006 ???
Building Blocks
• Architectural approach – integrating the solution into the fabric of the network
  – Largely self-defending
    • Minimal human intervention – AUTOMATE, AUTOMATE, AUTOMATE
  – Process change – strategic planning
    • Anticipating where Industrial Control System Security is going
    • Incorporate evolving ICS security technology / procedures
  – OT / IT collaboration needs to take place on the network
    • Integration
    • Monitoring
    • Auditing
Building Blocks
• Security Information Management solutions (SIM / SIEM)
  – Evolving beyond a “card catalog” for security events
    • Multiple views of data, based on job function
    • Value-based analysis applications
    • Data sources more inclusive than just security events
  – Distinguish between prioritized ICS-related / business-related risk and non-emergency events
  – Get views of actionable information to the correct people
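The SIEM points above (views by job function, ICS versus business risk, non-emergency events kept but not escalated) can be made concrete with a small routing engine. The script below is an added illustration, not code from the GridSec 2012 talk or any product; the asset inventory, the ICS zone addressing (192.168.100.0/24), the role names, the priority rules and the log lines are all assumptions constructed for the example. It parses each line, looks the host up in an asset/zone table, assigns a priority, and delivers the event to every job-function view whose filter matches; events no view wants go to an archive, and lines the parser cannot read are counted separately so a parser gap does not silently hide events.

```python
"""Route ICS vs business security events to job-function views.

Added illustration of the 'multiple views by job function' SIEM idea; it is not
code from the GridSec 2012 talk. The asset list, zone addressing, rules, role
names and log lines are assumptions constructed for this example.
"""
import re
from collections import defaultdict

# Assumed ICS zone address space; anything else is treated as business/other.
ICS_NETS = ("192.168.100.",)

# Constructed asset inventory: host -> (zone, criticality). In a real program
# this comes from the asset ID / classification process, not from a literal.
ASSETS = {
    "hmi-sub7":  ("ics", "high"),       # substation HMI
    "hist-01":   ("ics", "medium"),     # process historian / PLC manager host
    "dc-corp1":  ("business", "high"),  # corporate domain controller
    "prn-lobby": ("business", "low"),   # lobby printer
}

# Which (zone, priority) combinations each job function sees.
VIEWS = {
    "operations":  {("ics", "high"), ("ics", "medium")},
    "it_security": {("business", "high"), ("business", "medium"), ("ics", "high")},
    "compliance":  {("ics", "high"), ("ics", "medium"), ("ics", "info")},
}

# Constructed sample log lines in a simple "ts host app: message" form.
SAMPLE_LOG = [
    "2012-03-27T10:01:02 hmi-sub7 sshd: auth failure user=eng1 src=10.0.5.20",
    "2012-03-27T10:01:09 hmi-sub7 sshd: auth failure user=eng1 src=192.168.100.12",
    "2012-03-27T10:02:15 hist-01 plcmgr: config write target=plc-3 by=eng1",
    "2012-03-27T10:03:30 dc-corp1 kerberos: auth failure user=jdoe src=10.0.7.44",
    "2012-03-27T10:04:00 prn-lobby snmpd: toner low tray=1",
    "garbage line without structure",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+): (?P<msg>.*)$")
SRC_RE = re.compile(r"\bsrc=(?P<src>[\d.]+)")


def parse(line):
    """Return a dict for a well-formed line, or None for lines that do not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def in_ics_net(ip):
    return ip is not None and ip.startswith(ICS_NETS)


def classify(ev):
    """Return (zone, priority); priority is 'high', 'medium' or 'info'."""
    zone, crit = ASSETS.get(ev["host"], ("unknown", "low"))
    msg = ev["msg"].lower()
    m = SRC_RE.search(msg)
    src = m.group("src") if m else None
    if zone == "ics":
        # A change to control equipment is always worth a look by operations.
        if "config write" in msg or "firmware" in msg:
            return zone, "high"
        # Failed logins from outside the ICS zone outrank ones from inside it.
        if "auth failure" in msg:
            return zone, "high" if not in_ics_net(src) else "medium"
    elif zone == "business" and "auth failure" in msg:
        return zone, "high" if crit == "high" else "medium"
    return zone, "info"   # non-emergency: kept, but nobody is paged


def route(lines):
    """Build per-role views; returns (views, unparsed_lines)."""
    views, unparsed = defaultdict(list), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed.append(line)      # count these: a parser gap hides events
            continue
        zone, prio = classify(ev)
        ev.update(zone=zone, priority=prio)
        delivered = False
        for role, wanted in VIEWS.items():
            if (zone, prio) in wanted:
                views[role].append(ev)
                delivered = True
        if not delivered:
            views["archive"].append(ev)
    return dict(views), unparsed


if __name__ == "__main__":
    views, unparsed = route(SAMPLE_LOG)
    for role, evs in views.items():
        print(role)
        for e in evs:
            print(f"  [{e['priority']:6}] {e['host']} {e['app']}: {e['msg']}")
    print(f"unparsed lines: {len(unparsed)}")
```

Run it with the constructed log and the same failed login on the substation HMI shows up as high for operations, IT security and compliance when it comes from the business network, but only as medium for operations and compliance when it comes from inside the ICS zone; the printer's toner message lands in the archive and reaches nobody. The point of the design is that the asset/zone table and the view filters, not the log source, decide who sees what.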
Security Program Building Blocks (layered diagram; the layers build up from the PROGRAM foundation)
• PROGRAM – Charter; Strategic Planning; Funding; Cross-Functional Security Oversight; Executive Commitment
• MANAGE – Dedicated ISO; Roles and Responsibilities; Security Skills; Asset ID and Classification; Asset Risk Management (Life Cycle Approach)
• DOCUMENT – Policies; Standards; Procedures
• EDUCATE – Awareness Programs; General Training; Specialized Training – ICS/SCADA
• PROTECT – Technical Controls (Net, OS, DB, App); Physical Controls; Non-Technical Controls (Personnel, Verbal/written, Elec Comm, Procedures)
• DETECT – Intrusion Detection; Monitoring; Auditing and Event Logging; Reviews; Compliance
• RESPOND – Incident Response; Disaster Recovery; Business Continuity
Program Layer
• Executive commitment to security
  – Management committed to “improve” security posture
  – Specific vision/objectives for meeting that goal, widely understood across the enterprise
  – Security activities linked to management objectives
• Key foundational documents are promulgated
  – Charter
  – Strategic plan
• Funding for security is well established
  – Security is included as part of larger plans/initiatives
  – Security funding is clearly identified
• Oversight by all major business functions
  – Establish a sense of communal responsibility to achieve security goals
  – Assign group and individual accountability for security progress
• The program is only as strong as its foundation
Measurement against standards
• 0-1: Minimal Security – Smaller organization, public data, low risk; minimal security process and controls
• 1-2: Technology Centric Security (IT Focus – not ICS) – Moderate risk, important data, financial exposure; basic security process and technology deployed
• 2-3: General Security (CIP version 3) – Measurable risk associated with data and ICS systems; meets minimum standards of due care
• 3-4: Comprehensive Security (Enterprise Focus) – Regulatory compliance issues; material risk; maintained and managed security program; meets standards of good practice
• 4-5: Advanced Security – Acute risk and loss potential; advanced security program; exceeds standards of good practice
Where to go from here
• Start and do something – avoid analysis paralysis
  – Worst case: “We have no evidence that our security has ever been compromised. We are compliant. We’ll stick with it and see what happens”
    • Be afraid; be very afraid.
• Become Pirates of the CIP CyberSea – DO NOT REINVENT THE WHEEL!!!
  – In-house development of security technology dies a painful death
  – Software piracy – BAD; Security & Compliance Piracy – GOOD
• Learn & use what is out there
  – Use the resources at the end of the presentation
  – Join cyber security group mailing lists
Find & Use What is Out There
• Join groups and email lists that provide sector-relevant information
  – Collaboration with those who have done or are doing the same thing
  – Download FREE ICS and NERC security and compliance tools
    • Cyber Security Evaluation Tool (CSET)
    • Bandolier – Audit optimal security configuration for industrial control system (ICS) servers and workstations
Resources & References
• Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – http://www.us-cert.gov/control_systems/ics-cert/
• Cyber Security Evaluation Tool (CSET) – DOWNLOAD and USE!!!! – http://www.us-cert.gov/control_systems/satool.html
• US-CERT Control System Security Program – http://www.us-cert.gov/control_systems/
• ICS-CERT Training – Course descriptions and calendar – http://www.us-cert.gov/control_systems/cscalendar.html
• 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity – https://www.controlsystemsroadmap.net/ieRoadmap%20Documents/roadmap.pdf
• ieRoadmap: Map energy delivery system cybersecurity efforts to specific milestones – https://www.controlsystemsroadmap.net/Pages/default.aspx
• Ponemon Institute Survey – http://www.crn.com/news/security/229401212/critical-infrastructure-companies-plagued-by-securitybreaches-survey-finds.htm
• DEC 2011 new SCADA bugs – http://www.informationweek.com/news/security/vulnerabilities/232300653
• DHS – 2011 Blueprint for a Secure Cyber Future – http://www.dhs.gov/xlibrary/assets/nppd/blueprint-for-a-secure-cyber-future.pdf
• NERC Long Term Reliability Report – http://www.nerc.com/files/2009_LTRA.pdf
• Digital Bond (the guys who released the four 2012 ICS vulnerabilities at S4) – SCADA research & security tools – http://www.digitalbond.com/tools/ ; Bandolier (funded significantly by DOE) – http://www.digitalbond.com/tools/bandolier/
• ES-ISAC Electricity Sector Information Sharing and Analysis Center – VISIT often; get on distribution and mailing lists – http://www.esisac.com/SitePages/Home.aspx
• SANS – IT security training in all areas (includes SCADA advanced training & SCADA Security Summits) – http://www.sans.org/
• NERC – See CIP, CIP RSAWs, Alerts, CANs – http://www.nerc.com/ ; http://www.nerc.com/page.php?cid=2%7C20