1 / 25

Control Systems Security Education for Federal Information Systems Security Professionals

This article discusses control systems security, including the definition and concerns related to control systems. It also explores ways in which educators can help agencies in this area.

gpace
Download Presentation

Control Systems Security Education for Federal Information Systems Security Professionals

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Control Systems Security Educationfor the Federal Information Systems Security Professional • What is a Control System (CS)? • Why are they of concern: • Generally? • To me as a Educator? • How can we help our agencies in this arena? Dr. John Saunders National Defense University The views expressed herein are personal ones and do not reflect the official policy or position of the National Defense University, The Department of Defense, or the U.S. Government.

  2. Simplified Control System (CS) 1 - Control System - Sensors, Switches • Valves, Pumps, Transformers • Resource 2 3 4 4 1 Courtesy NIST Manufacturing Engineering Lab, Intelligent Systems 2 3 Control System – brains of a electronic and/or electro-mechanical system with sensors used to monitor & change levels or direct: air, water/fluid, electricity, traffic, fuel, etc.

  3. What is a CS? U.S. Government Facility SOURCE: Vendor Site Other frequently used terms for this arena include Distributed Control Systems or Supervisory Control and Data Acquisition (SCADA)

  4. Electrical distribution, & UPS Natural gas distribution Fuel Oil storage & flow Water storage & flow Lighting Heating, cooling, ventilation Fire alarms & suppression Elevators & escalators Gates & doors, alarms Video security cameras Traffic signals Process Line Control What is a CS? Local Infrastructure possibly using CSs

  5. What is a CS? Who Controls the Controls? & Contractors? Who educates the controllers? especially about security?

  6. Focus Safety 100% Availability Electro-mechanical No updating, Aged equipment The Language RTUs, PLCs, IEDs DNP, Modbus Low Bandwidth Analog & Digital The Vendors Allen Bradley(AB)/Rockwell, Honeywell, Siemens, Johnson Controls Focus Security 99.5% Availability Electronic Continuous Updating, New The Language Routers, Switches, Servers IP, Ethernet High Bandwidth All Digital The Vendors IBM, Microsoft, CISCO, Dell What are the concerns? The Cultures Physical Plant Network Operations

  7. What are the concerns? So what? …the Changing Landscape

  8. What are the concerns? The Changing Landscape 1. • Remote connectivity/control of CS devices • Standardization of CS Protocols • Connection of CS & Business LANs • “Windowing” of CS & SCADA Control 2. IP 4. 3.

  9. What are the concerns? REMOTE ACCESS SOURCE: GAO Report 04-140T Critical Infrastructure Protection: Challenges in Securing Control Systems. October 2003.

  10. What are the concerns? Access Airport Lighting ControlsFrom your PDA SOURCE: Vendor’s web site

  11. What are the concerns? Facility Electrical Grid Accessvia your cell phone SOURCE: Vendor’s web site

  12. What are the concerns? Natural Gas Well Accessvia your browser SOURCE: Vendor’s web site

  13. What are the concerns? Cost Justification WAYNE, Pa., Oct. 24, 2002 -- Energy information systems and wind-powered generation will emerge as the two most critical energy technologies in the next five years, according to a majority of energy entrepreneurs and investors surveyed at the EnerTech Forum in Phoenix last week. Scott Ungerer, Managing Director of EnerTech Capital, said respondents believed energy information systems, which allow companies to better manage their energy use, would continue to grow, particularly given the current economic climate. "With corporate America's increased focus on the bottom line, monitoring and managing energy use is receiving more attention than ever by corporate users." On the telecommunications front, respondents predicted the following communications technologies would be in widespread use in the next five years: broadband wireless (named by 68 percent) and optical networks (named by 51 percent). When asked why utilities have been so slow to adopt energy management solutions like sophisticated monitoring, data collection, and equipment control and dispatch, 49 percent said the economics of the technology is not yet compelling enough for utilities. The same percentage predicted that the energy management market sector would remain fragmented for many years, with no clear and pronounced trend.

  14. What are the concerns? Operational Security

  15. What are the concerns? Operational SecurityPartial List – Online Federal Government Installation DCS Network descriptions SOURCE: Vendor’s web site

  16. What can we do? As Educators what can we do? • Raise Awareness • Of your building engineers in Computer Networks • Of your IT security engineers in Building Engineering • Encourage Inventory, Audit, Assessment of CS • Encourage application of easy, yet high payoff, countermeasures • Publicize the DOE 21 steps • Follow along with Process Control Security Requirements Forum & ISA’s SP99 progress • Learn the terminology

  17. IT Security Worker Electronic Equipment settings Switch settings Access Control Computer Programming & Data Creation Execution Storage Building/Campus Engineer Supply & Discharge Electricity Water Fuel Circuit Settings Valve Settings Electro-Mechanical Equipment Physical Plant Safety What can we do? Raise AwarenessImprove Understanding & Connections between Computer/IT & Building Engineers Educate

  18. Education Opportunities • SANDIA National Labs • Assessment of SCADA systems; 2.5 days • Best Practices for SCADA Security & Design; 2 days http://www.sandia.gov/scada/training_courses.htm • NIST IEL Lab, Gaithersburg • Instrumentation Systems & Automation Society (ISA) • IC32C - Cyber Security for Automation, Control, and SCADA Systems • http://www.isa.org • AIChE • Cybersecurity for Process Control Systems in Chemical Plants and Refineries • http://www.aiche.org/education/cecrsdtl.asp?Number=553 • KEMA • Annual SCADA Cyber Security Conference • http://www.kemaseminars.com/ • Infosec Institute • SCADA Security: Protecting our Homeland Security • http://www.infosecinstitute.com/courses/scada_security_training.html

  19. What can we do? Encourage CS Inventory, Audit, & Vulnerability Assessment

  20. Assessment Methodologies • Sandia National Labs • RAM-T;RAM-D;RAM-W • http://www.sandia.gov/media/NewsRel/NR2001/ramdramt.htm • ISS X-Force • http://documents.iss.net/whitepapers/SCADA.pdf • Asset Based Vulnerability Checklist for Waste Water Utilities, AMSA, 2002. • http://www.vsatusers.net/pubs.html • FERC Cyber Security Guidelines • http://www.nerc.com/~filez/cipfiles.html • Energy Infrastructure Vulnerability Survey Checklists. Office of Energy Assurance, U.S. Department of Energy • http://www.esisac.com/publicdocs/assessment_methods/VS_Checklist_Attachment.pdf • http://www.esisac.com/publicdocs/assessment_methods/Risk_Management_Checklist_Small_Facilities.pdf

  21. What can we do? Promote High Profile CS Protection Measures • Authentication - 2 factor preferred • Tokens • Dial Back • Telephony Firewalls (see securelogix.com) • Operations Security • Physical Security • Failure Mode • Redundancy – dual, triple • Disconnect with • Ability to Bypass / Backup / Manually Operate • Penetration Testing

  22. What can we do? 21 Steps to Improve Cyber Security of SCADA Networks • Identify all connections to SCADA networks. • Disconnect unnecessary connections to the SCADA network. • Evaluate and strengthen the security of any remaining connections to the SCADA network. • Harden SCADA networks by removing or disabling unnecessary services. • Do not rely on proprietary protocols to protect your system. • Implement the security features provided by device and system vendors. • Establish strong controls over any medium that is used as a backdoor into the SCADA network. • Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring. • Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns. • Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security. • Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios. • Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users. • Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection. • Establish a rigorous, ongoing risk management process. • Establish a network protection strategy based on the principle of defense-in-depth. • Clearly identify cyber security requirements. • Establish effective configuration management processes. • Conduct routine self-assessments. • Establish system backups and disaster recovery plans. • Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance. • Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls. SOURCE: Office of Energy Assurance, U.S. Department of Energy.

  23. CS/SCADA Security Guidance • Security Standards Efforts • ISA’s SP99 Committee • http://www.isa.org/MSTemplate.cfm?Site=SP99,_Manufacturing_and_Control_Systems_Security1 • NIST’s Process Control Security Requirements Forum (PCSRF) & IEL Lab • http://www.isd.mel.nist.gov/projects/processcontrol/ • SCADA Security Test Beds • Sandia http://www.sandia.gov/ • INEEL http://www.inel.gov • Industry Specific Guidance NERC, EPRI, AGA, CIDX • Matthew Franz’s links: http://scadasec.net/ • Critical Infrastructure Protection: Challenges in Securing Control Systems. GAO Report 04-140T. October 2003. • IT Security for Industrial Control SystemsJoe Falco, Keith Stouffer, Albert Wavering, Frederick Proctor, NIST. 2003. • Other Documents/Guidance from Sandia http://www.sandia.gov/scada/documents.htm

  24. Quiz Answers • Programmable Logic Controller • Terminal or Telemetry • d. Treasury Building, 15th & Penn Ave • a. Army • c. Three • d. All the Above • c. Protocol Analyzer • d. All the above • b. PCSRF • T, True

More Related