1 / 14

National Strategy for Control System Security

National Strategy for Control System Security. George A. Beitel, Ph.D. Consulting Engineer Critical Infrastructure Assurance Idaho National Engineering and Environmental Laboratory (208) 526-0042 bei@inel.gov. Date: July 15, 2004 . Introduction.

monty
Download Presentation

National Strategy for Control System Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. National Strategy for Control System Security George A. Beitel, Ph.D. Consulting Engineer Critical Infrastructure Assurance Idaho National Engineering and Environmental Laboratory (208) 526-0042 bei@inel.gov Date: July 15, 2004

  2. Introduction • Securing critical infrastructure requires securing the control systems on which depend. • Protects industry customers, investors, the public. • Strengthens public confidence and valued assets. • INEEL drafted this DHS Strategy as a sequel to National Strategy to Secure Cyberspace and National Strategy for Physical Protection of Critical Infrastructure and Key Assets.

  3. Background • Control systems in the past were produced based on closed networks. • Control systems today are: • Increasingly based on remote access, open connectivity, and open networks. • Manufactured (may be) with limited processing capabilities to reduce costs. • Often do not include adequate security features such as encryption, authorization, and authentication.

  4. Background • Back fitting security technologies create concern for operators. • May degrade performance and jeopardize reliability. • Older obsolete systems (10-20 years old) most likely replaced first. • Most secure systems. • Replacement with web-enabled units running open operating systems may create a less secure network.

  5. Background (cont.) • Current security posture of control systems not well understood. • Threat and risk of malicious and terrorist attacks • Inadequate awareness and mindset concerning control system security in some arenas • Escalating Cyber attacks and threats is creating perception of high risk to infrastructure even though there is little historical evidence to judge risk level. • National Strategy for Control System Security addresses physical, cyber, and communication vulnerabilities associated with our nation’s infrastructure.

  6. Approach • Prior Strategies • GAO Audits • Literature • National Laboratory input • Approximately 35 interviews with cognizant, subject matter experts. • Structured with Problem Definition, Mission, Vision, Goals, Objectives, and Activities.

  7. Integrated Goals • Rapid response capability • Improved technology and practice • Active industry participation • Training and security awareness • Next-generation secure control systems.

  8. Rapid Response Capability • Establish a control system focused affiliate of US-CERT. (US-CERT is the nation’s focal point for preventing, protecting against, and responding to cyber security and vulnerabilities.) • (Already established and operating.) • Will interact closely with a Control System Security Reporting System, a neutral call center where input can be offered free of recrimination or identification.

  9. Rapid Response Capability (cont.)(Find and fix the worst first) • DHS will assemble a team of experts to identify and prioritize the nation’s most critical control systems. • Adopt set of ranking criteria and a process to prioritize control systems. • Conduct vulnerability assessments and perform penetration testing. • Site visits to assess vulnerabilities. • “Red Teaming”

  10. Improved Technology and Practice • Establish national Control System Security Center. • Provide facility for large scale tests and a centralized test analysis and data repository for sharing objectives and test results. • Design and build tools. • Support test and development activities. • Provide neutral meeting place for vendors and users to better understand real threats. • Collaborate with the Office of Energy Assurance. • Establish business relationships with between industry users and vendors. • Collaborate with national laboratories and universities.

  11. Active Industry Participation • Establish Sector Trusted Partnerships. • Vulnerabilities, needs, improvements, lessons-learned. • Establish levels of information characterized by sensitivity. • Level 1 - Openly shared • Level 2 – Shared only within the Partnership • Members sign non-disclosure agreements • Level 3 – Shared at Level 1 or 2 but anonymously • Level 4 – Not Shared • Level 4 – Classified.

  12. Active Industry Participation (cont.) • Build industry consensus on technologies and practices. • Support security standards. • Provide Center information at professional organization meetings.

  13. Training and Security Awareness • Enhance awareness and improve human factors related to security. • Disseminate critical knowledge on security issues. • Evaluate and demonstrate the business case. • Motivate vendors to redesign equipment.

  14. Next-Generation Secure Control Systems • Annually update the R&D needs for securing control systems. • Prioritize R&D needs. • Support R&D activities.

More Related