Critical Infrastructure and Automated Control Systems Security: A Strategy for Securing Against Cyber Attacks Dr. Thomas L. Pigg Director of the Tennessee CSEC
CSEC Mission • The Cyber Security Education Consortium is a National Science Foundation ATE Regional Center of Excellence dedicated to building an information security workforce that will play a critical role in implementing the national strategy to secure cyberspace.
Tennessee CSEC Mission • Phase 1 • Train the trainer • Phase 2 • Develop Student Curriculum/Courses/Concentrations • Phase 3 • Develop Partnerships with Business, Industry and Government
Core Train the Trainer Workshops • Principles of Information Assurance • Network Security • Enterprise Security Management • Secure E-Commerce • Digital Forensics
New CSEC Courses • Automation and Control Systems • Control Systems Architecture • Control Systems Software Applications • Control Systems Security I and II • Mobile Communications Devices • Mobile Device Architecture • Mobile Device Programming • Mobile Device Hardware • Secure Coding • Secure Programming I and II • Software Testing • Software Security
What are Control Systems? • SCADA (Supervisory Control and Data Acquisition) • DCS (Distributed Control Systems) • ICS (Industrial Control Systems, the umbrella term) • BAS (Building Automation Systems) • PLC (Programmable Logic Controllers, the field-level controllers inside these systems) • Smart Grid
Critical Infrastructures • Agriculture & Food • Banking & Finance • Chemical • Commercial Facilities • Communications • Critical Manufacturing
Critical Infrastructures • Dams • Defense Industrial Base • Emergency Services • Energy • Government Facilities • Healthcare & Public Health
Critical Infrastructures • Information Technology • National Monuments & Icons • Nuclear Reactors, Materials & Waste • Postal & Shipping • Transportation Systems • Water
Key Critical Infrastructures • Key Sectors for Control Systems Security • Energy (Electricity, Oil, and Natural Gas) • Water & Wastewater • Nuclear • Chemical • Dams • Transportation • Critical Manufacturing
Current Trends in Control Systems • Continued move to open protocols • Continued move to more COTS operating systems & applications • More remote control & management • More network access to systems • More widespread use of wireless
Current State of Security • Control Systems protocols with little or no security (no authentication or integrity protection on commands) • Migration to TCP/IP networks with their inherent vulnerabilities • Interconnection with enterprise networks • Old operating systems & applications with poor patching practices • Little monitoring of Control Systems for attacks in progress • Vendors not securing their product offerings adequately
Current State of Security • Increased risk of insider attacks by outsourced IT services • Experts seeing increased interest in Control Systems by terrorists & foreign governments • Evidence that nation-states have been taking remote control of Control Systems • Denial by some companies that there is a problem • Some companies are now starting to see the need and address the issues
Real Control System Security Breaches • DaimlerChrysler plant shutdown • Zotob worm – August 2005 • FirstEnergy's Davis-Besse nuclear plant infestation • Slammer worm – January 2003 • Maroochy Shire sewage spill • Release of millions of gallons of sewage – 2000 – Perpetrator (a former contractor's employee) accessed the system on at least 46 occasions
Real Control System Security Breaches and Demonstrations • Hacking the Industrial Network (ISA white paper) • http://www.isa.org/FileStore/Intech/WhitePaper/Hacking-the-industrial-network-USversion.pdf • DHS video – Idaho National Laboratory – AURORA generator test (a controlled demonstration, not an attack) • http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo
Real Control System Security Breaches • Stuxnet • http://www.tofinosecurity.com/stuxnet-central • http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf
Current Threats • Internet Based Threats • Worms • Viruses • Denial of Service Attacks • Targeted Attacks • Terrorist • Foreign Nation • Former Insider
Current Threats • Physical Threats • Natural Disasters • Man-made Disasters (War, Riots, etc.) • Terrorist Attacks
Current Threats • Internal Threats • Disgruntled employee • On-site contractor • Unintentional attack • IT worker • Curious Employee
Current Threats • Targeted Attacks • Can use any threat & threat agent • Internet • Internal • Physical • Social Engineering • Etc.
IT Security for Control Systems • CIA • Confidentiality • Integrity • Availability
IT Security for Control Systems • Technical Controls • Firewalls • IDS • Smart Cards • Access Controls
IT Security for Control Systems • Administrative Controls • Security Policies & Procedures • Security Awareness • People
IT Security for Control Systems • TCP/IP • Patches & Updates • Intrusion Detection Systems • Control Systems Monitoring • Signatures for Control Systems • Anti-Virus Software
IT Security for Control Systems • Access Control Methods • Passwords • Multi-Factor • Smart Cards • RFID • Proximity • Biometric
IT Security for Control Systems • Authentication • Active Directory • Control Systems Integration • Certificates
IT Security for Control Systems • Authorization • Role Based (what the role may do) • Area of Responsibility (which plant areas the person may act on) • Station Access Control (which actions may be issued from a given console or location)
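The three authorization dimensions on this slide are only useful if every one of them must agree before a command goes through. The following is an added example (not code from the original deck) of a deny-by-default check that combines role, area of responsibility and station, and records the decision either way so denials show up in the event log. All role, station, user and tag names are constructed for illustration.

```python
"""Deny-by-default authorization combining role, area of responsibility and
station. Added example with constructed policy data; not from the original deck."""
from dataclasses import dataclass

# Role -> actions it may perform (constructed, hypothetical role names).
ROLE_ACTIONS = {
    "viewer":   {"read"},
    "operator": {"read", "write_setpoint", "ack_alarm"},
    "engineer": {"read", "write_setpoint", "ack_alarm", "download_logic"},
}

# Station -> actions that may be issued from it, whoever is logged on.
# A laptop on the enterprise LAN can look but never write (constructed).
STATION_ACTIONS = {
    "control-room-hmi-1": {"read", "write_setpoint", "ack_alarm"},
    "eng-workstation-1":  {"read", "write_setpoint", "download_logic"},
    "enterprise-laptop":  {"read"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    areas: frozenset      # areas of responsibility, e.g. frozenset({"unit-100"})


@dataclass(frozen=True)
class Asset:
    tag: str
    area: str             # process area the tag belongs to


def authorize(user, action, asset, station):
    """Return (allowed, reason). All three checks must pass; an unknown role,
    station or action falls through to deny."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"role {user.role!r} may not {action}"
    if asset.area not in user.areas:
        return False, f"{user.name} is not responsible for area {asset.area!r}"
    if action not in STATION_ACTIONS.get(station, set()):
        return False, f"station {station!r} may not issue {action}"
    return True, "ok"


def audit_requests(requests):
    """Evaluate a batch of (user, action, asset, station) tuples and return one
    audit record per request, so denials are logged as well as grants."""
    trail = []
    for user, action, asset, station in requests:
        allowed, reason = authorize(user, action, asset, station)
        trail.append({"user": user.name, "action": action, "tag": asset.tag,
                      "station": station, "allowed": allowed, "reason": reason})
    return trail


if __name__ == "__main__":
    op = User("alice", "operator", frozenset({"unit-100"}))
    eng = User("bob", "engineer", frozenset({"unit-100", "unit-200"}))
    pump = Asset("P-101", "unit-100")
    reactor = Asset("R-201", "unit-200")
    for rec in audit_requests([
        (op, "write_setpoint", pump, "control-room-hmi-1"),    # allowed
        (op, "write_setpoint", reactor, "control-room-hmi-1"), # wrong area
        (op, "download_logic", pump, "eng-workstation-1"),     # wrong role
        (eng, "download_logic", pump, "enterprise-laptop"),    # wrong station
    ]):
        print(rec)
```

The order of the checks is deliberate: the cheapest check runs first, but none of them short-circuits to allow, so an engineer with every role privilege still cannot download logic from an enterprise laptop.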
Using an IDS with a Control System • Network based • Inspects all network traffic on that segment (incoming & outgoing) • Signature mode matches known attack patterns • Anomaly mode alerts on deviations from a learned baseline • Fed from a network tap or mirrored (SPAN) port, so it adds no latency to the control traffic • Monitors multiple hosts
Using an IDS with a Control System • Host based • Inspects network traffic and activity for one specific host • Better at protecting a machine's specific function • Misses attacks against other hosts on the LAN that never touch the monitored machine
Using an IDS with a Control System • Commercial • Pre-configured fee based IDS • CA eTrust • McAfee IntruShield & Entercept • SonicWall • StillSecure Strata Guard
Using an IDS with a Control System • Open Source • Snort • BASE (Basic Analysis and Security Engine, web front end for Snort alerts) • Sguil – real-time GUI interface • OSSEC (Open Source Host-based Intrusion Detection System)
Using an IDS with a Control System • IPS • Intrusion Prevention System • Automated Response • Dynamically changes the firewall ruleset (use with care on a control network: a false positive can block legitimate control traffic) • NIST Guide to Intrusion Detection and Prevention Systems (SP 800-94)
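The two detection styles from these slides, pattern signatures and an anomaly baseline, are easy to show on a Modbus/TCP segment because the protocol carries no authentication: a write from a host that has never written, or a diagnostics command that silences a slave, is visible in the function code alone. The block below is an added example (not code from the deck or from any IDS product) that parses Modbus/TCP frames, learns a baseline of (source, unit id, function code) triples, and then inspects constructed live traffic. All IP addresses and frames are constructed; the function codes are the standard Modbus ones.

```python
"""Network IDS logic for a Modbus/TCP segment: signature matching plus an
anomaly baseline. Added example with constructed traffic; not the deck's code."""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers", 5: "Write Single Coil",
    6: "Write Single Register", 8: "Diagnostics", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header and the PDU. Return None on a malformed
    frame (wrong protocol id, or a length field that disagrees with the wire)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def signature_alerts(src, frame):
    """Pattern-based checks: function codes / sub-functions that are hostile
    or reconnaissance on a production segment."""
    alerts = []
    fc, data = frame["fc"], frame["data"]
    if fc == 8 and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == 0x0004:
        alerts.append(("SIG", src, "Diagnostics sub-function 0x04 Force Listen Only Mode (silences the slave)"))
    if fc == 43:
        alerts.append(("SIG", src, "Read Device Identification (device fingerprinting)"))
    return alerts


class ModbusBaseline:
    """Anomaly detection: learn (source, unit id, function code) triples during
    a known-good period, then alert on any triple outside that set."""

    def __init__(self):
        self.allowed = set()

    def learn(self, packets):
        for src, payload in packets:
            frame = parse_modbus_tcp(payload)
            if frame:
                self.allowed.add((src, frame["unit"], frame["fc"]))

    def check(self, src, frame):
        if (src, frame["unit"], frame["fc"]) in self.allowed:
            return []
        name = FUNCTION_NAMES.get(frame["fc"], f"function {frame['fc']}")
        return [("ANOM", src, f"{name} to unit {frame['unit']} not in baseline")]


def inspect_traffic(baseline, packets):
    """Run both detectors over (src_ip, tcp_payload) pairs; return alert tuples."""
    alerts = []
    for src, payload in packets:
        frame = parse_modbus_tcp(payload)
        if frame is None:
            alerts.append(("MALFORMED", src, "frame does not parse as Modbus/TCP"))
            continue
        alerts.extend(signature_alerts(src, frame))
        alerts.extend(baseline.check(src, frame))
    return alerts


def mb(tid, unit, fc, data=b""):
    """Build a Modbus/TCP request; the MBAP length field counts unit id + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: HMI 10.0.1.10 polls and writes unit 1, historian 10.0.1.20 only reads.
BASELINE_PACKETS = [
    ("10.0.1.10", mb(1, 1, 3, b"\x00\x00\x00\x0a")),   # read 10 holding registers
    ("10.0.1.10", mb(2, 1, 6, b"\x00\x05\x01\xf4")),   # write register 5 = 500
    ("10.0.1.20", mb(3, 1, 3, b"\x00\x00\x00\x0a")),
]
LIVE_PACKETS = [
    ("10.0.1.10", mb(40, 1, 3, b"\x00\x00\x00\x0a")),  # normal poll
    ("10.0.1.20", mb(41, 1, 6, b"\x00\x05\x00\x00")),  # historian writing: anomaly
    ("10.0.5.77", mb(42, 1, 43, b"\x0e\x01\x00")),     # unknown host fingerprints the PLC
    ("10.0.5.77", mb(43, 1, 8, b"\x00\x04\x00\x00")),  # force listen-only: denial of service
    ("10.0.5.77", b"\x00\x2c\x00\x00"),                # truncated garbage
]


def run_demo():
    baseline = ModbusBaseline()
    baseline.learn(BASELINE_PACKETS)
    return inspect_traffic(baseline, LIVE_PACKETS)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The baseline must be learned from a tap during a period you have verified to be clean, or the attacker's traffic becomes "normal"; in practice it is also keyed on register ranges, not only function codes, because a write to the wrong holding register from a legitimate HMI is the Maroochy-style insider case the triple alone does not catch.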
Security Solutions • Network Segmentation • DMZ Design • Can use the ISA-99 (now ISA/IEC 62443) zone-and-conduit model as a guide • Design to protect each segment; only explicitly defined conduits cross zone boundaries • Allows for centralized services in the DMZ so the enterprise network never talks to the control network directly
Security Solutions • Network Segmentation • Centralized Services (hosted in the DMZ) • Anti-Virus • Updates & Patches • Active Directory Services • Data Historians • System Management
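What the DMZ design on these two slides buys you is checkable from firewall or NetFlow logs: every inter-zone session should match a defined conduit, and anything enterprise-to-control that skips the DMZ is the worst finding. The block below is an added example (not the deck's own code or the ISA-99 text) that models four zones and their conduits and audits a constructed set of observed sessions. Address ranges, ports and the choice of which services live in the DMZ are assumptions; the 8530 and 8080 conduits stand in for the centralized patch and anti-virus update servers the slide lists.

```python
"""Zone-and-conduit audit of observed sessions, in the style of ISA-99 / NIST SP 800-82.
Added example with constructed ranges, ports and flows; not the deck's own code."""
import ipaddress

# Constructed zones. Trust increases from enterprise to field.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),   # historian, patch and AV servers
    "control":    ipaddress.ip_network("10.30.0.0/24"),   # HMIs, engineering, SCADA servers
    "field":      ipaddress.ip_network("10.40.0.0/24"),   # PLCs and RTUs
}
ZONE_RANK = {"enterprise": 0, "dmz": 1, "control": 2, "field": 3}

# Conduits are directional: (initiating zone, responding zone) -> allowed (proto, port).
# Every session terminates in the DMZ; nothing passes straight through it.
CONDUITS = {
    ("enterprise", "dmz"): {("tcp", 443)},                  # users view the historian web UI
    ("dmz", "control"):    {("tcp", 502)},                  # DMZ historian collector polls control hosts
    ("control", "dmz"):    {("tcp", 8530), ("tcp", 8080)},  # patch (WSUS) and AV update pulls (assumed ports)
    ("control", "field"):  {("tcp", 502)},                  # SCADA servers poll PLCs
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(src, dst, proto, port):
    """Return (decision, severity, reason) for one observed session initiation."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return ("deny", "high", f"address outside any defined zone ({src} -> {dst})")
    if sz == dz:
        return ("allow", "info", f"intra-zone traffic in {sz}")
    if (proto, port) in CONDUITS.get((sz, dz), set()):
        return ("allow", "info", f"conduit {sz}->{dz} {proto}/{port}")
    # Non-adjacent zones talking means a segment was bypassed entirely.
    sev = "critical" if abs(ZONE_RANK[sz] - ZONE_RANK[dz]) > 1 else "high"
    return ("deny", sev, f"no conduit {sz}->{dz} for {proto}/{port}")


def audit_flows(flows):
    """flows: (src, dst, proto, port) tuples as a firewall log would give them.
    Returns only the denied ones, worst first (stable, so log order is kept within a severity)."""
    order = {"critical": 0, "high": 1}
    denied = [(f, check_flow(*f)) for f in flows]
    denied = [(f, v) for f, v in denied if v[0] == "deny"]
    return sorted(denied, key=lambda fv: order[fv[1][1]])


# Constructed observations.
SAMPLE_FLOWS = [
    ("10.10.5.5",   "10.20.0.10", "tcp", 443),   # allow: user to DMZ historian
    ("10.10.5.5",   "10.30.0.10", "tcp", 502),   # deny critical: enterprise straight to control
    ("10.20.0.10",  "10.30.0.10", "tcp", 502),   # allow: historian collector
    ("10.30.0.10",  "10.20.0.10", "tcp", 8530),  # allow: control host pulls patches
    ("10.30.0.10",  "10.40.0.5",  "tcp", 502),   # allow: SCADA polls PLC
    ("10.40.0.5",   "10.30.0.10", "tcp", 22),    # deny high: PLC initiating SSH upward
    ("10.20.0.10",  "10.10.5.5",  "tcp", 445),   # deny high: DMZ reaching back into enterprise
    ("192.168.1.1", "10.30.0.10", "tcp", 502),   # deny high: source in no zone
    ("10.40.0.5",   "10.10.7.7",  "udp", 53),    # deny critical: field device talking to enterprise
]

if __name__ == "__main__":
    for flow, verdict in audit_flows(SAMPLE_FLOWS):
        print(verdict[1].upper(), flow, verdict[2])
```

Run this against a day of firewall permits, not just denies: a permitted flow that matches no conduit means the ruleset itself drifted from the design.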
Security Solutions • Secure Remote Access • Secured VPN connections • Escorted access for vendors (a plant employee watches the session) • Require hardware or software tokens • Vendor calls in with an access request • Issue a one-time code, valid only for that request and for a short time
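The vendor procedure on this slide is a small protocol, and the security properties live in the details: the code must be tied to the request it was issued for, expire, be usable once, and not be guessable by retrying. The following is an added example (not the deck's code or any vendor product) of the desk side of that procedure. The HMAC key, 15-minute validity, 8-digit code format and five-attempt lockout are assumptions chosen for the example.

```python
"""One-time vendor access codes: issued against a phoned-in request, stored only
as an HMAC, accepted once within a TTL, locked after repeated wrong guesses.
Added example; key length, TTL and code format are assumptions."""
import hashlib
import hmac
import secrets
import time

MAX_FAILS = 5   # an 8-digit code is guessable if unlimited attempts are allowed


class VendorAccessDesk:
    def __init__(self, server_secret, ttl_seconds=900, clock=time.time):
        self._secret = server_secret          # key for the HMAC over each ticket
        self._ttl = ttl_seconds               # a code is worthless after this long
        self._clock = clock                   # injectable so expiry can be tested
        self._tickets = {}

    def _tag(self, ticket_id, vendor, target, code):
        msg = "|".join((ticket_id, vendor, target, code)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, ticket_id, vendor, target, escort):
        """Called when the vendor phones in. Returns the code to read back to
        the caller; only its HMAC is stored, so a leaked ticket table yields no codes."""
        if not escort:
            raise ValueError("no escorted session without a named escort")
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._tickets[ticket_id] = {
            "vendor": vendor, "target": target, "escort": escort,
            "tag": self._tag(ticket_id, vendor, target, code),
            "expires": self._clock() + self._ttl, "used": False, "fails": 0,
        }
        return code

    def redeem(self, ticket_id, vendor, target, code):
        """Gate on the VPN concentrator or jump host: accept once, within the TTL,
        for the requested vendor and target only."""
        t = self._tickets.get(ticket_id)
        if t is None:
            return False, "unknown ticket"
        if t["used"]:
            return False, "code already used"
        if t["fails"] >= MAX_FAILS:
            return False, "ticket locked after repeated failures"
        if self._clock() > t["expires"]:
            return False, "code expired"
        if not hmac.compare_digest(t["tag"], self._tag(ticket_id, vendor, target, code)):
            t["fails"] += 1
            return False, "code, vendor or target does not match ticket"
        t["used"] = True
        return True, f"session open for {vendor} to {target}, escorted by {t['escort']}"


if __name__ == "__main__":
    desk = VendorAccessDesk(b"constructed-secret-replace-with-32-random-bytes")
    code = desk.issue("T-1", "acme-automation", "plc-gw-01", "j.smith")
    print("read to caller:", code)
    print(desk.redeem("T-1", "acme-automation", "plc-gw-01", code))
    print(desk.redeem("T-1", "acme-automation", "plc-gw-01", code))   # second use refused
```

Binding the target into the HMAC is what stops a vendor who was let in for one gateway from reusing the same code against another; the escort name is recorded at issue time so the session log already says who was watching.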
Security Solutions • IDS/IPS for Control Systems • Which one to use? • Where to use? • HIDS or Application Whitelisting? • UTM – Unified Threat Management
Security Solutions • Security Event Monitoring & Logging • Network Devices • Switches, Routers, Firewalls, IDS • Computing Devices • Historians, Servers, Operator consoles • Field Devices • RTU, PLC, Telemetry Devices, Embedded Devices
Security Solutions • Security Framework • NIPP • NERC CIP • DHS CSSP • NIST
Security Solutions • Policy & Guidance • Developing Good Policies • Track Data • Points of Contact • Areas of Concern • Data Risk Assessment • Evaluate the Impact of Data Loss • Available Controls • Technical, Administrative, & Compensating
Security Solutions • Policy & Guidance • Implementation • Roles & Responsibilities • Security Requirements • Change Management Process • Backup & Redundancy • Self Assessments
Control Systems Security Initiatives • NIPP (National Infrastructure Protection Plan) • CIPAC (Critical Infrastructure Partnership Advisory Council) • ICSJWG (Industrial Control Systems Joint Working Group) • ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) • Strategy for Securing Control Systems
Control Systems Security Initiatives • CSSP (Control Systems Security Program) • Idaho National Laboratory • National SCADA Test Bed Program • SCADA & Control Systems Procurement Project • Smart Grid Interoperability Standards Project • UK NISCC - Now CPNI (Centre for the Protection of National Infrastructure) • PCSF/SCySAG (SCADA Cyber Self Assessment Working Group) - Historical
Control Systems Regulations • NERC (North American Electric Reliability Corporation, formerly Council) • Develops & enforces reliability standards, including the CIP standards • CIDX/ACC – now ChemITC (American Chemistry Council's Chemical Information Technology Center) • CFATS guidance & assessment tools
Control Systems Regulations • ISA SP99 (Industrial Automation & Control System Security) – International Society of Automation • Part 1 Standard: Concepts, Terminology & Models • Part 2 Standard: Establishing an Industrial Automation & Control Systems Security Program • Part 3 Standard: Technical Requirements for Industrial Control Systems (currently in development)
Control Systems Regulations • AGA 12 – discontinued; its work was carried into the IEEE P1711 trial-use standard • Encryption of serial communications • Serial encrypting transceivers (bump-in-the-wire devices) now available • API Standard 1164 (American Petroleum Institute) • Standard on SCADA security for pipelines • NIST – National Institute of Standards and Technology
Control Systems Regulations • NIST SP 800-82 – Guide to Industrial Control Systems (ICS) Security • NIST initiative on Critical Infrastructure Protection (CIP) • Uses the ISO/IEC 15408 (Common Criteria) methodology
Control System Security Takeaway • The 7 Things Every Plant Manager Should Know About Control System Security – John Cusimano – Director of Security Solutions for exida • http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf
Contact Information Dr. Thomas L. Pigg Professor of Computer Information Systems Jackson State Community College 2046 N. Parkway Jackson, TN 38305 (731) 424-3520 Ext. 201 tpigg@jscc.edu