150 likes | 331 Views
National Strategy for Control System Security. George A. Beitel, Ph.D. Consulting Engineer Critical Infrastructure Assurance Idaho National Engineering and Environmental Laboratory (208) 526-0042 bei@inel.gov. Date: July 15, 2004 . Introduction.
E N D
National Strategy for Control System Security George A. Beitel, Ph.D. Consulting Engineer Critical Infrastructure Assurance Idaho National Engineering and Environmental Laboratory (208) 526-0042 bei@inel.gov Date: July 15, 2004
Introduction • Securing critical infrastructure requires securing the control systems on which depend. • Protects industry customers, investors, the public. • Strengthens public confidence and valued assets. • INEEL drafted this DHS Strategy as a sequel to National Strategy to Secure Cyberspace and National Strategy for Physical Protection of Critical Infrastructure and Key Assets.
Background • Control systems in the past were produced based on closed networks. • Control systems today are: • Increasingly based on remote access, open connectivity, and open networks. • Manufactured (may be) with limited processing capabilities to reduce costs. • Often do not include adequate security features such as encryption, authorization, and authentication.
Background • Back fitting security technologies create concern for operators. • May degrade performance and jeopardize reliability. • Older obsolete systems (10-20 years old) most likely replaced first. • Most secure systems. • Replacement with web-enabled units running open operating systems may create a less secure network.
Background (cont.) • Current security posture of control systems not well understood. • Threat and risk of malicious and terrorist attacks • Inadequate awareness and mindset concerning control system security in some arenas • Escalating Cyber attacks and threats is creating perception of high risk to infrastructure even though there is little historical evidence to judge risk level. • National Strategy for Control System Security addresses physical, cyber, and communication vulnerabilities associated with our nation’s infrastructure.
Approach • Prior Strategies • GAO Audits • Literature • National Laboratory input • Approximately 35 interviews with cognizant, subject matter experts. • Structured with Problem Definition, Mission, Vision, Goals, Objectives, and Activities.
Integrated Goals • Rapid response capability • Improved technology and practice • Active industry participation • Training and security awareness • Next-generation secure control systems.
Rapid Response Capability • Establish a control system focused affiliate of US-CERT. (US-CERT is the nation’s focal point for preventing, protecting against, and responding to cyber security and vulnerabilities.) • (Already established and operating.) • Will interact closely with a Control System Security Reporting System, a neutral call center where input can be offered free of recrimination or identification.
Rapid Response Capability (cont.)(Find and fix the worst first) • DHS will assemble a team of experts to identify and prioritize the nation’s most critical control systems. • Adopt set of ranking criteria and a process to prioritize control systems. • Conduct vulnerability assessments and perform penetration testing. • Site visits to assess vulnerabilities. • “Red Teaming”
Improved Technology and Practice • Establish national Control System Security Center. • Provide facility for large scale tests and a centralized test analysis and data repository for sharing objectives and test results. • Design and build tools. • Support test and development activities. • Provide neutral meeting place for vendors and users to better understand real threats. • Collaborate with the Office of Energy Assurance. • Establish business relationships with between industry users and vendors. • Collaborate with national laboratories and universities.
Active Industry Participation • Establish Sector Trusted Partnerships. • Vulnerabilities, needs, improvements, lessons-learned. • Establish levels of information characterized by sensitivity. • Level 1 - Openly shared • Level 2 – Shared only within the Partnership • Members sign non-disclosure agreements • Level 3 – Shared at Level 1 or 2 but anonymously • Level 4 – Not Shared • Level 4 – Classified.
Active Industry Participation (cont.) • Build industry consensus on technologies and practices. • Support security standards. • Provide Center information at professional organization meetings.
Training and Security Awareness • Enhance awareness and improve human factors related to security. • Disseminate critical knowledge on security issues. • Evaluate and demonstrate the business case. • Motivate vendors to redesign equipment.
Next-Generation Secure Control Systems • Annually update the R&D needs for securing control systems. • Prioritize R&D needs. • Support R&D activities.