1 / 50

CSEC Mission

Critical Infrastructure and Automated Control Systems Security: A Strategy for Securing Against Cyber Attacks Dr. Thomas L. Pigg Director of the Tennessee CSEC. CSEC Mission.

dulcea
Download Presentation

CSEC Mission

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Critical Infrastructure and Automated Control Systems Security: A Strategy for Securing Against Cyber Attacks Dr. Thomas L. Pigg Director of the Tennessee CSEC

  2. CSECMission • The Cyber Security Education Consortium is a National Science Foundation ATE Regional Center of Excellence dedicated to building an information security workforce who will play a critical role in implementing the national strategy to secure cyberspace.

  3. CSEC Sites

  4. Tennessee CSEC Mission • Phase 1 • Train the trainer • Phase 2 • Develop Student Curriculum/Courses/Concentrations • Phase 3 • Develop Partnerships with Business, Industry and Government

  5. Core Train the Trainer Workshops • Principles of Information Assurance • Network Security • Enterprise Security Management • Secure E-Commerce • Digital Forensics

  6. New CSEC Courses • Automation and Control Systems • Control Systems Architecture • Control Systems Software Applications • Control Systems Security I and II • Mobile Communications Devices • Mobile Device Architecture • Mobile Device Programming • Mobile Device Hardware • Secure Coding • Secure Programming I and II • Software Testing • Software Security

  7. What are Control Systems • SCADA(Supervisory Control and Data Acquisition) • DCS (Distributed Control Systems) • ICS (Industrial Control Systems) • BAS (Building Automation Systems) • PLC (Programmable Logic Controllers) • Smart Grid

  8. Critical Infrastructures • Agriculture & Food • Banking & Finance • Chemical • Commercial Facilities • Communications • Critical Manufacturing

  9. Critical Infrastructures • Dams • Defense Industrial Base • Emergency Services • Energy • Government Facilities • Healthcare & Public Health

  10. Critical Infrastructures • Information Technology • National Monuments & Icons • Nuclear Reactors, Materials & Waste • Postal & Shipping • Transportation Systems • Water

  11. Key Critical Infrastructures • Key Sectors for Control Systems Security • Energy (Electricity, Oil, and Natural Gas) • Water & Wastewater • Nuclear • Chemical • Dams • Transportation • Critical Manufacturing

  12. Current Trends in Control Systems • Continued move to open protocols • Continued move to more COTS operating systems & applications • More remote control & management • More network access to systems • More widespread use of wireless

  13. Current State of Security • Control Systems protocols with little or no security • Migration to TCP/IP networks with its inherent vulnerabilities • Interconnection with enterprise networks • Old operating systems & applications with poor patching practices • Little monitoring of Control Systems for attacks being done • Vendors not securing their product offerings adequately

  14. Current State of Security • Increased risk of insider attacks by outsourced IT services • Experts seeing increased interest in Control Systems by terrorists & foreign governments • Evidence that nation-states have been taking remote control of Control Systems • Denial by some companies that there is a problem • Some companies are now starting to see the need and address the issues

  15. Real Control System Security Breaches • Diamler-Chrysler Plant Shutdown • Zotob worm – August 2005 • First Energy’s Nuclear Plant Infestation • Slammer worm – January 2003 • Maroochy Shire Sewage • Release of millions of gallons of sewage - January 2000 – Perpetrator accessed system 46 times

  16. Real Control System Security Breaches • Hacking the Industrial Network • http://www.isa.org/FileStore/Intech/WhitePaper/Hacking-the-industrial-network-USversion.pdf • DHS Video – Idaho National Laboratory – AURORA Test • http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo

  17. AURORA Test

  18. Real Control System Security Breaches • Stuxnet • http://www.tofinosecurity.com/stuxnet-central • http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf

  19. Current Threats • Internet Based Threats • Worms • Viruses • Denial of Service Attacks • Targeted Attacks • Terrorist • Foreign Nation • Former Insider

  20. Current Threats • Physical Threats • Natural Disasters • Man-made Disasters (War, Riots, etc.) • Terrorist Attacks

  21. Current Threats • Internal Threats • Disgruntled employee • On-site contractor • Unintentional attack • IT worker • Curious Employee

  22. Current Threats • Targeted Attacks • Can use any threat & threat agent • Internet • Internal • Physical • Social Engineering • Etc.

  23. IT Security for Control Systems • CIA • Confidentiality • Integrity • Availability

  24. IT Security for Control Systems • Technical Controls • Firewalls • IDS • Smart Cards • Access Controls

  25. IT Security for Control Systems • Administrative Controls • Security Policies & Procedures • Security Awareness • People

  26. IT Security for Control Systems • TCP/IP • Patches & Updates • Intrusion Detection Systems • Control Systems Monitoring • Signatures for Control Systems • Anti-Virus Software

  27. IT Security for Control Systems • Access Control Methods • Passwords • Multi-Factor • Smart Cards • RFID • Proximity • Biometric

  28. IT Security for Control Systems • Authentication • Active Directory • Control Systems Integration • Certificates

  29. IT Security for Control Systems • Authorization • Role Based • Area of Responsibility • Station Access Control

  30. Using an IDS with a Control System • Network based • Inspects all network traffic on that segment (incoming & outgoing) • Uses pattern based signatures • Anomaly based uses baseline • Uses network tap or mirrored port • Monitors multiple hosts

  31. Using an IDS with a Control System • Host based • Inspects network traffic for a specific host • Better at protecting a machines specific function • Misses LAN based attacks

  32. Using an IDS with a Control System • Commercial • Pre-configured fee based IDS • CA eTrust • McAfee IntruShield & Entercept • SonicWall • StillSecure Strata Guard

  33. Using an IDS with a Control System • Open Source • Snort • Base • Sguil – Real-time GUI interface • OSSEC (Open Source Host-based Intrusion Detection System)

  34. Using an IDS with a Control System • IPS • Intrusion Prevention System • Automated Response • Dynamically change firewall ruleset • NIST IDS Guide (SP800-94)

  35. Security Solutions • Network Segmentation • DMZ Design • Can use ISA S99 standard as guide • Design to protect each segment • Allows for centralized services

  36. Security Solutions • Network Segmentation • Centralized Services • Anti-Virus • Updates & Patches • Active Directory Services • Data Historians • System Management

  37. Security Solutions • Secure Remote Access • Secured VPN connections • Escorted Access for vendors • Require secured tokens • Call in by vendor with request • Issue 1-time code for access

  38. Security Solutions • IDS/IPS for Control Systems • Which one to use? • Where to use? • HIDS or Application Whitelisting? • UTM – Unified Threat Management

  39. Security Solutions • Security Event Monitoring & Logging • Network Devices • Switches, Routers, Firewalls, IDS • Computing Devices • Historians, Servers, Operator consoles • Field Devices • RTU, PLC, Telemetry Devices, Embedded Devices

  40. Security Solutions • Security Framework • NIPP • NERC CIP • CSSP DHS • NIST

  41. Security Solutions • Policy & Guidance • Developing Good Policies • Track Data • Points of Contact • Areas of Concern • Data Risk Assessment • Evaluate the Impact of Data Loss • Available Controls • Technical, Administrative, & Compensating

  42. Security Solutions • Policy & Guidance • Implementation • Roles & Responsibilities • Security Requirements • Change Management Process • Backup & Redundancy • Self Assessments

  43. Control Systems Security Initiatives • NIPP (National Infrastructure Protection Plan) • CIPAC (Critical Infrastructure Partnership Advisory Council) • ICSJWG (Industrial Control Systems Joint Working Group) • ICS-Cert (Industrial Control Systems Cyber Emergency Response Team) • Strategy for Securing Control Systems

  44. Control Systems Security Initiatives • CSSP (Control Systems Security Program) • Idaho National Laboratory • National SCADA Test Bed Program • SCADA & Control Systems Procurement Project • Smart Grid Interoperability Standards Project • UK NISCC - Now CPNI (Centre for the Protection of National Infrastructure) • PCSF/SCySAG (SCADA Cyber Self Assessment Working Group) - Historical

  45. Control Systems Regulations • NERC (North American Electric Reliability Council) • Develop & enforce reliability standards • CIDX/ACC – Now ChemITC (American Chemistry Council) • CFATS guidance & assessment tools

  46. Control Systems Regulations • ISA SP99 (Industrial Automation & Control System Security) – International Society of Automation • Part 1 Standard: Concepts, Terminology & Models • Part 2 Standard: Establishing an Industrial Automation & Control Systems Security Program • Part 3 Standard: Technical Requirements for Industrial Control Systems (Currently in development

  47. Control Systems Regulations • AGA 12 – Discontinued and used in IEEE 1711 Trial Standard • Encryption of Serial Communications • Serial Encrypting Transceivers now available • API Standard 1164 (American Petroleum Institute) • Standard on SCADA security for pipelines • NIST – National Institute of Standards and Technology

  48. Control Systems Regulations • SP800-82 – Guide to Industrial Control Systems (ICS) Security • NIST initiative on Critical Infrastructure Protection (CIP) • Uses ISO 15408 Common Criteria methodology

  49. Control System Security Takeaway • The 7 Things Every Plant Manager Should Know About Control System Security – John Cusimano – Director of Security Solutions for exida • http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf

  50. Contact Information Dr. Thomas L. Pigg Professor of Computer Information Systems Jackson State Community College 2046 N. Parkway Jackson, TN 38305 (731) 424-3520 Ext. 201 tpigg@jscc.edu

More Related