Industrial Control System (ICS) Security


Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities
Joe Weiss, PE, CISM
Executive Consultant
KEMA, Inc.
(408) 253-7934
joe.weiss@kema.com
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
(301) 975-4768
skatzke@nist.gov

Session Presentations
• Private sector industrial control system security standards, guidelines, and countermeasure implementation activities; Joe Weiss
• Applying NIST SP 800-53, Revision 1 to industrial control systems; Stu Katzke

Private sector industrial control system security standards, guidelines, and countermeasure implementation activities
Joe Weiss, PE, CISM
Executive Consultant
KEMA, Inc.
(408) 253-7934
joe.weiss@kema.com

Industrial Control Systems - ICS
• What are ICS
  – SCADA, DCS, PLCs, Intelligent Field devices
• Used in all process control and manufacturing processes including electric, water, oil/gas, chemicals, auto manufacturing, etc.

SCADA
SCADA is used extensively in the electricity sector. Other SCADA applications include gas and oil pipelines, water utilities, transportation networks, and applications requiring remote monitoring and control. Similar to real-time process controls found in buildings and factory automation.
CONTROL
• Generator Set Points
• Transmission Lines
• Substation Equipment
DATA
• Critical Operational Data
• Performance Metering
• Events and Alarms
Communication Methods
• Directly wired
• Power line carrier
• Microwave
• Radio (spread spectrum)
• Fiber optic
Control Center
Provides network status, enables remote control, optimizes system performance, facilitates emergency operations, dispatching repair crews and coordination with other utilities.

What Makes ICS Different than IT
• Deterministic systems with VERY high reliability constraints
  – Follow AIC rather than CIA
• Generally utilize a combination of COTS (Windows, etc) and proprietary RTOS
• Often are resource and bandwidth constrained
  – Block encryption generally does not work

Why Are There So Few Cyber Security

ICS Security Myths
• Firewalls make you secure
• VPNs make you secure
• Encryption makes you secure
• IDSs can identify possible control system attacks
• Messaging can be one-way
• Field devices can’t be hacked
• You can keep hackers out
• You are secure if hackers can’t get in
• More and better widgets can solve security problems

Common ICS Vulnerabilities
• Ports and services open to outside
• Operating systems not “patched” with current releases
• Dial-up modems
• Improperly configured equipment (firewall does not guarantee protection)
• Improperly installed/configured software (e.g., default passwords)
• Inadequate physical protection
• Vulnerabilities related to “systems of systems” (component integration)

Need for Private Sector ICS Standards
• IT security standards are not fully adequate
  – Need unique standards for field devices with proprietary RTOS
  – Need to be coordinated with IT
• Private industry ICS security requirements are different than for IT and DOD
  – Performance more important than security
• Lack of metrics and design requirements for industrial ICS

Example Differences Between IT and ICS
IT
• Passwords
  – Unique, complex, changed frequently
• Patching
  – Timely with automated tools
• Administrator
  – Central administrator
ICS
• Passwords
  – Role-based, alpha, unchanged
• Patching
  – May not be timely, no automation
• Administrator
  – Control system engineer

ICS Impacts
• More than 80 known cases (intentional and unintentional)
• All industries
  – Electric (T&D, fossil, hydro, and s
• Damage ranging from trivial to equipment damage and death

Bench-Scale Vulnerability Demonstrations
[Diagram labels: SCADA Protocol (DNP 3.0); Operator Interface; Protocol Analyzer (Intruder); Field Device]
Field Device
• Remote Terminal Unit (RTU)
• Intelligent Electronic Device (IED)
• Programmable Logic Controller (PLC)
Scenarios
• Denial of service
• Operator spoofing
• Direct manipulation of field devices
• Combinations of above
Vulnerability implications vary significantly depending on the scenario and application

Very Few Publicly Identified Cases of Control System Cyber Events (Two attached are not public)
• Event: Unintentional substation communication failure caused by intentional Welchia worm traffic from unpatched system
• Impact: Shutdown of 30-40% of all communication traffic from the distribution SCADA to the Control Center
• Lessons learned: Use up-to-date patches and software & implement effective cyber security program/protocols
• Event: Unsecured GIS mapping system (no firewall) enabled Internet-based targeted attack, resulting in loss of SCADA system
• Impact: SCADA servers and mapping system unavailable for two weeks
• Lessons learned: Isolate SCADA system from corporate LAN, install firewall between the DSL router and corporate LAN, install firewalls between frame relay and neighbors to isolate all non business-related ports
• More than 80 cases across multiple industries
• Impacts range from trivial to equipment damage to death
• Anecdotal evidence suggests other cases go unreported, for fear of vulnerability exposure, business liability

Private Sector ICS Standards Activities
• Standards efforts ongoing internationally and by industry
• More than 40 standards and industry organizations world-wide
  – Need effective coordination
  – NIST 800-53 can help provide a common basis

Typical ICS Standards
• By Industry
  – NERC (electric), NRC (nuclear), IEC TC57 (electric), AGA (gas), AWWA (water), etc.
• Generic
  – ISA SP99, IEC TC65, ISO-17799

ISA SP99
• Developing a Standard for Industrial Control System Security
  – Part 1 – Terminology, Concepts and Models
  – Part 2 – Establishing an Industrial Automation and Control Systems Program
  – Part 3 – Operating an Industrial Automation and Control Systems Program
  – Part 4 – Security Requirements for Industrial Automation and Control ID 988&CommitteeID 6821

Why the Need to Extend NIST SP 800-53
• NIST SP 800-53 was developed for the traditional IT environment
• It assumes ICSs are information systems
• When organizations attempted to utilize SP 800-53 to protect ICSs, it led to difficulties in implementing SP 800-53 countermeasures because of ICS-unique needs

Applying NIST Special Publication (SP) 800-53 to Industrial Control Systems
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards and Technology
(301) 975-4768
skatzke@nist.gov

FISMA Legislation Overview
“Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source”
-- Federal Information Security Management Act of 2002

NIST Publications
• Federal Information Processing Standards (FIPS)
• Special Publication (SP) 800 Series documents

Federal Information Processing Standards (FIPS)
• Approved by the Secretary of Commerce
• Compulsory and binding standards for federal agencies non-national security information systems
• Voluntary adoption by federal national security community and private sector
• Since FISMA requires that federal agencies comply with these standards, agencies may not waive their use for non-national security information systems

Special Publication (SP) 800 Series documents
• Special Publications in the 800 series are documents of general interest to the computer security community
• Established in 1990 to provide a separate identity for information technology security publications.
• Reports on guidance, research, and outreach efforts in computer security, and collaborative activities with industry, government, and academic organizations
• Agencies must follow NIST 800 series guidance documents; but 800 series documents generally allow agencies some latitude in their application

The Risk Framework
• Security Categorization (Starting Point; FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential impact of loss
• Security Control Selection (FIPS 200 / SP 800-53): Select minimum (baseline) security controls to protect the information system; apply tailoring guidance as appropriate
• Security Control Refinement (FIPS 200 / SP 800-53 / SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
• Security Control Documentation (SP 800-18): Document in the security plan, the security requirements for the information system and the security controls planned or in place
• Security Control Implementation (SP 800-70): Implement security controls; apply security configuration settings
• Security Control Assessment (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
• System Authorization (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
• Security Control Monitoring (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness

Federal Agency Challenges
• Federal agencies required to apply NIST SP 800-53 Recommended Security Controls for Federal Information Systems (general IT security requirements) to their control systems
• Federal agencies that own/operate control systems could potentially have to meet 2 standards (NIST SP 800-53 and NERC CIP standards)

Federal Strategy
• Hold workshop to discuss the development of security requirements and baseline security controls for federally owned/operated industrial/process control systems (ICS) based on NIST SP 800-53
• Develop bi-directional mapping and gap analysis between NIST SP 800-53 and the NERC CIP standard to discover and propose modifications to remove any conflicts
• Develop an “ICS” interpretation of SP 800-53 that would also comply with the management, operational and technical controls in the NERC CIP.

Federal Strategy (continued)
• Develop a guidance document (NIST SP 800-82) on how to secure industrial control systems
• Work with government and industry ICS community to foster convergence of ICS security requirements
  – DHS, DoE, FERC, DoI, ICS agencies (BPA, SWPA, WAPA)
  – Industry standards groups
    • NERC
    • ISA SP99 Industrial Automation and Control System Security standard
    • IEC 6

[Table: NERC CIP requirements compared with SP800-53 controls; cell values not recoverable. Surviving row labels: intenance and Testing; R1. Test Procedures; R2. Ports and Services; R3. Security Patch Management; R4. Malicious Software Prevention; R5. Account Management; R6. Security Status Monitoring; R7. Disposal or Redeployment; R8. Cyber Vulnerability Assessment; R9. Documentation Review and; R1. Cyber Security Incident Response; R2. Cyber Security Incident; R1. Recovery Plans; R2. Exercises; R3. Change Control; R4. Backup and Restore; R5. Testing Backup Media; CIP-002. Surviving legend entries (Codes): NERC req SP800-53 controls; NERC more specific than SP800-53 control; NERC SP800-53 control; NERC less specific than SP800-53 control.]

SP 800-53/NERC CIP Mapping Findings (1 of 2)
• Generally, conforming to moderate baseline in SP 800-53 generally complies with the management, operational and technical security requirements of the NERC CIPs; the converse is not true.
• NERC contains requirements that fall into the category of business risk reduction
  – High level business-oriented requirements
  – Demonstrate that enterprise is practicing due diligence
  – SP 800-53 does not contain analogues to these types of requirements as SP 800-53 focuses on information security controls (i.e., management, operational, and technical) at the information system level.

SP 800-53/NERC CIP Mapping Findings (2 of 2)
• NERC approach is to define critical assets first and their cyber components second
  – Definition of critical asset vague
  – Non-critical assets not really addressed
• FIPS 199 specifies procedure for identifying security impact levels based on a worst case scenario (called security categorization)
  – Applies to all information and the information system
  – Considers impact to the organization, potential impacts to other organizations and, in accordance with the Patriot Act and Homeland Security Presidential Directives, potential national-level impacts
  – Confidentiality, availability, and integrity evaluated separately
  – Possible outcomes are low, moderate, and high
  – Highest outcome applies to system (High Water Mark)
• Documentation requirements differ; more study required
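
The FIPS 199 procedure summarized above, as an added example that is not from the presentation: each security objective is rated separately as the worst case across the system's information types, and the highest of the three becomes the system impact level. The information types and their ratings are constructed for illustration.

```python
# Added example: FIPS 199-style security categorization with a high water mark.
# The information types and impact ratings below are constructed for illustration.
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # possible outcomes, in ascending order
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        # Reject ratings outside the three outcomes the procedure allows.
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: invalid {objective} impact {level!r}")


def highest(levels):
    """Return the highest impact level among the given level names."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Rate each objective separately (worst case across all information
    types), then apply the high water mark to get the system impact level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        objective: highest(getattr(t, objective) for t in info_types)
        for objective in OBJECTIVES
    }
    return per_objective, highest(per_objective.values())


# Constructed sample: a hypothetical distribution SCADA system.
SCADA_INFO_TYPES = [
    InfoType("telemetry and metering", "low", "moderate", "moderate"),
    InfoType("breaker control commands", "low", "high", "high"),
    InfoType("alarm and event history", "low", "moderate", "low"),
]

if __name__ == "__main__":
    per_objective, system_level = categorize(SCADA_INFO_TYPES)
    for objective, level in per_objective.items():
        print(f"{objective:15} {level}")
    print(f"system impact level (high water mark): {system_level}")
```

In the sample, confidentiality is low for every information type, yet the system is still categorized high because integrity and availability of the control commands are high.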

NIST SP 800-82
• Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
  – Provide guidance for establishing secure SCADA and ICS, including the security of legacy systems
• Content
  – Overview of ICS
  – ICS Characteristics, Threats and Vulnerabilities
  – ICS Security Program Development and Deployment
  – Network Architecture
  – ICS Security Controls
  – Appendixes
    • Current Activities in Industrial Control System Security
    • Emerging Security Capabilities
    • ICS in the Federal Information Security Management Act (FISMA) Paradigm
• Initial public draft released September 2006

SP 800-82 Audience
• Control engineers, integrators and architects when designing and implementing secure SCADA and/or ICS
• System administrators, engineers and other IT professionals when administering, patching, securing SCADA and/or ICS
• Security consultants when performing security assessments of SCADA and/or ICS
• Managers responsible for SCADA and/or ICS
• Researchers and analysts who are trying to understand the unique security needs of SCADA and/or ICS
• Vendors developing products that will be deployed in SCADA and/or ICS

Future NIST Plans
• Anticipated FY07 Products
  – White paper on ICS cyber security in the FISMA paradigm
  – Annotated SP 800-53 addressing conformance to NERC CIP
  – Annotated NERC CIP showing correspondence to FISMA paradigm
  – Input to revision 2 of SP 800-53
• Continue working with the federal ICS stakeholders
  – Including FERC, Department of Homeland Security (DHS), Department of Energy (DOE), the national laboratories, and federal agencies that own, operate, and maintain ICSs
  – To develop an interpretation of SP 800-53 for ICSs that permits real/practical improvements to the security of ICSs and, to the extent possible, ensures compliance with the management, operational, and technical requirements in the NERC CIP standards
• Continue working with private sector ICS stakeholders

NIST ICS Security Project Summary
• Issue ICS security guidance
  – Evolve SP 800-53 Recommended Security Controls for Federal Information Systems security controls to better address ICSs
  – Publish SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security
    • initial public draft released September 2006
• Improve the security of public and private sector ICSs
  – Raise the level of control system security R&D and testing
  – Work with on-going industry standards activities
    • Assist in standards and guideline development
    • Foster convergence
http://csrc.nist.gov/sec-cert/ics

NIST ICS Security Project Contact Information
Project Leaders
Keith Stouffer
(301) 975-3877
keith.stouffer@nist.gov
Dr. Stu Katzke
(301) 975-4768
skatzke@nist.gov
sec-ics@nist.gov
Web Pages
Federal Information Security Management Act (FISMA) Implementation Project
http://csrc.nist.gov/sec-cert
NIST ICS Security Project
http://csrc.nist.gov/sec-cert/ics

Questions
