slide1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
What is a Control System (CS)? Why are they of concern: Generally? To me as a Educator? How can we help our agencies in PowerPoint Presentation
Download Presentation
What is a Control System (CS)? Why are they of concern: Generally? To me as a Educator? How can we help our agencies in

Loading in 2 Seconds...

play fullscreen
1 / 25

What is a Control System (CS)? Why are they of concern: Generally? To me as a Educator? How can we help our agencies in - PowerPoint PPT Presentation


  • 327 Views
  • Uploaded on

Control Systems Security Education for the Federal Information Systems Security Professional What is a Control System (CS)? Why are they of concern: Generally? To me as a Educator? How can we help our agencies in this arena? Dr. John Saunders National Defense University

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'What is a Control System (CS)? Why are they of concern: Generally? To me as a Educator? How can we help our agencies in' - johana


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Control Systems Security Educationfor the Federal Information Systems Security Professional

  • What is a Control System (CS)?
  • Why are they of concern:
    • Generally?
    • To me as a Educator?
  • How can we help our agencies in this arena?

Dr. John Saunders

National Defense University

The views expressed herein are personal ones and do not reflect the official policy or position of the National Defense University, The Department of Defense, or the U.S. Government.

simplified control system cs
Simplified Control System (CS)

1

- Control System

- Sensors, Switches

  • Valves, Pumps, Transformers
  • Resource

2

3

4

4

1

Courtesy NIST Manufacturing Engineering Lab, Intelligent Systems

2

3

Control System – brains of a electronic and/or electro-mechanical system with sensors used to monitor & change levels or direct: air, water/fluid, electricity, traffic, fuel, etc.

u s government facility

What is a CS?

U.S. Government Facility

SOURCE: Vendor Site

Other frequently used terms for this arena include Distributed Control Systems or Supervisory Control and Data Acquisition (SCADA)

local infrastructure possibly using css
Electrical distribution, & UPS

Natural gas distribution

Fuel Oil storage & flow

Water storage & flow

Lighting

Heating, cooling, ventilation

Fire alarms & suppression

Elevators & escalators

Gates & doors, alarms

Video security cameras

Traffic signals

Process Line Control

What is a CS?

Local Infrastructure possibly using CSs
who controls the controls

What is a CS?

Who Controls the Controls?

& Contractors?

Who educates the controllers? especially about security?

the cultures
Focus

Safety

100% Availability

Electro-mechanical

No updating, Aged equipment

The Language

RTUs, PLCs, IEDs

DNP, Modbus

Low Bandwidth

Analog & Digital

The Vendors

Allen Bradley(AB)/Rockwell, Honeywell, Siemens, Johnson Controls

Focus

Security

99.5% Availability

Electronic

Continuous Updating, New

The Language

Routers, Switches, Servers

IP, Ethernet

High Bandwidth

All Digital

The Vendors

IBM, Microsoft, CISCO, Dell

What are the concerns?

The Cultures

Physical Plant

Network Operations

the changing landscape

What are the concerns?

The Changing Landscape

1.

  • Remote connectivity/control of CS devices
  • Standardization of CS Protocols
  • Connection of CS & Business LANs
  • “Windowing” of CS & SCADA Control

2.

IP

4.

3.

slide10

What are the concerns?

REMOTE

ACCESS

SOURCE: GAO Report 04-140T Critical Infrastructure Protection: Challenges in Securing Control Systems. October 2003.

slide11

What are the concerns?

Access Airport Lighting ControlsFrom your PDA

SOURCE: Vendor’s web site

slide12

What are the concerns?

Facility Electrical Grid Accessvia your cell phone

SOURCE: Vendor’s web site

cost justification

What are the concerns?

Cost Justification

WAYNE, Pa., Oct. 24, 2002 -- Energy information systems and wind-powered generation will emerge as the two most critical energy technologies in the next five years, according to a majority of energy entrepreneurs and investors surveyed at the EnerTech Forum in Phoenix last week. Scott Ungerer, Managing Director of EnerTech Capital, said respondents believed energy information systems, which allow companies to better manage their energy use, would continue to grow, particularly given the current economic climate. "With corporate America's increased focus on the bottom line, monitoring and managing energy use is receiving more attention than ever by corporate users." On the telecommunications front, respondents predicted the following communications technologies would be in widespread use in the next five years: broadband wireless (named by 68 percent) and optical networks (named by 51 percent). When asked why utilities have been so slow to adopt energy management solutions like sophisticated monitoring, data collection, and equipment control and dispatch, 49 percent said the economics of the technology is not yet compelling enough for utilities. The same percentage predicted that the energy management market sector would remain fragmented for many years, with no clear and pronounced trend.

slide15

What are the concerns?

Operational Security

operational security partial list online federal government installation dcs network descriptions

What are the concerns?

Operational SecurityPartial List – Online Federal Government Installation DCS Network descriptions

SOURCE: Vendor’s web site

as educators what can we do

What can we do?

As Educators what can we do?
  • Raise Awareness
    • Of your building engineers in Computer Networks
    • Of your IT security engineers in Building Engineering
  • Encourage Inventory, Audit, Assessment of CS
  • Encourage application of easy, yet high payoff, countermeasures
  • Publicize the DOE 21 steps
  • Follow along with Process Control Security Requirements Forum & ISA’s SP99 progress
  • Learn the terminology
raise awareness improve understanding connections between computer it building engineers
IT Security Worker

Electronic

Equipment settings

Switch settings

Access Control

Computer Programming & Data

Creation

Execution

Storage

Building/Campus Engineer

Supply & Discharge

Electricity

Water

Fuel

Circuit Settings

Valve Settings

Electro-Mechanical Equipment

Physical Plant Safety

What can we do?

Raise AwarenessImprove Understanding & Connections between Computer/IT & Building Engineers

Educate

education opportunities
Education Opportunities
  • SANDIA National Labs
    • Assessment of SCADA systems; 2.5 days
    • Best Practices for SCADA Security & Design; 2 days http://www.sandia.gov/scada/training_courses.htm
  • NIST IEL Lab, Gaithersburg
  • Instrumentation Systems & Automation Society (ISA)
    • IC32C - Cyber Security for Automation, Control, and SCADA Systems
    • http://www.isa.org
  • AIChE
    • Cybersecurity for Process Control Systems in Chemical Plants and Refineries
    • http://www.aiche.org/education/cecrsdtl.asp?Number=553
  • KEMA
    • Annual SCADA Cyber Security Conference
    • http://www.kemaseminars.com/
  • Infosec Institute
    • SCADA Security: Protecting our Homeland Security
    • http://www.infosecinstitute.com/courses/scada_security_training.html
assessment methodologies
Assessment Methodologies
  • Sandia National Labs
    • RAM-T;RAM-D;RAM-W
    • http://www.sandia.gov/media/NewsRel/NR2001/ramdramt.htm
  • ISS X-Force
    • http://documents.iss.net/whitepapers/SCADA.pdf
  • Asset Based Vulnerability Checklist for Waste Water Utilities, AMSA, 2002.
    • http://www.vsatusers.net/pubs.html
  • FERC Cyber Security Guidelines
    • http://www.nerc.com/~filez/cipfiles.html
  • Energy Infrastructure Vulnerability Survey Checklists. Office of Energy Assurance, U.S. Department of Energy
    • http://www.esisac.com/publicdocs/assessment_methods/VS_Checklist_Attachment.pdf
    • http://www.esisac.com/publicdocs/assessment_methods/Risk_Management_Checklist_Small_Facilities.pdf
promote high profile cs protection measures

What can we do?

Promote High Profile CS Protection Measures
  • Authentication - 2 factor preferred
    • Tokens
    • Dial Back
  • Telephony Firewalls (see securelogix.com)
  • Operations Security
  • Physical Security
  • Failure Mode
    • Redundancy – dual, triple
    • Disconnect with
      • Ability to Bypass / Backup / Manually Operate
  • Penetration Testing
21 steps to improve cyber security of scada networks

What can we do?

21 Steps to Improve Cyber Security of SCADA Networks
  • Identify all connections to SCADA networks.
  • Disconnect unnecessary connections to the SCADA network.
  • Evaluate and strengthen the security of any remaining connections to the SCADA network.
  • Harden SCADA networks by removing or disabling unnecessary services.
  • Do not rely on proprietary protocols to protect your system.
  • Implement the security features provided by device and system vendors.
  • Establish strong controls over any medium that is used as a backdoor into the SCADA network.
  • Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
  • Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
  • Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
  • Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
  • Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users.
  • Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
  • Establish a rigorous, ongoing risk management process.
  • Establish a network protection strategy based on the principle of defense-in-depth.
  • Clearly identify cyber security requirements.
  • Establish effective configuration management processes.
  • Conduct routine self-assessments.
  • Establish system backups and disaster recovery plans.
  • Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
  • Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.

SOURCE: Office of Energy Assurance, U.S. Department of Energy.

cs scada security guidance
CS/SCADA Security Guidance
  • Security Standards Efforts
    • ISA’s SP99 Committee
      • http://www.isa.org/MSTemplate.cfm?Site=SP99,_Manufacturing_and_Control_Systems_Security1
    • NIST’s Process Control Security Requirements Forum (PCSRF) & IEL Lab
      • http://www.isd.mel.nist.gov/projects/processcontrol/
  • SCADA Security Test Beds
    • Sandia http://www.sandia.gov/
    • INEEL http://www.inel.gov
  • Industry Specific Guidance NERC, EPRI, AGA, CIDX
  • Matthew Franz’s links: http://scadasec.net/
  • Critical Infrastructure Protection: Challenges in Securing Control Systems. GAO Report 04-140T. October 2003.
  • IT Security for Industrial Control SystemsJoe Falco, Keith Stouffer, Albert Wavering, Frederick Proctor, NIST. 2003.
  • Other Documents/Guidance from Sandia http://www.sandia.gov/scada/documents.htm
quiz answers
Quiz Answers
  • Programmable Logic Controller
  • Terminal or Telemetry
  • d. Treasury Building, 15th & Penn Ave
  • a. Army
  • c. Three
  • d. All the Above
  • c. Protocol Analyzer
  • d. All the above
  • b. PCSRF
  • T, True