Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement

Transcription

1 FEMP Cybersecurity Program Review Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement Daryl Haegley GISCP, OCP OASD EI&E / ODASD IE August 15, 2017 Tampa Convention Center Tampa, Florida

2 Resources/Demonstration-Plans/Cybersecurity-Guidelines 2

3 3

4 4

5 Which Best Practice is Right for You? a security patch caused monitoring equipment in a large engineering oven to stop running, resulting in a fire that destroyed spacecraft hardware inside the oven. The computer reboot caused by the software upgrade also impeded alarm activation, leaving the fire undetected for 3.5 hours before it was discovered. 5

6 DHS ICS-CERT Cyber Security Evaluation Tool 8.0

7 Training UNCLASSIFIED Web - Based Training available on the ICS-CERT Virtual Learning Portal Operational Security (OPSEC) for Control Systems (100W) - 1 hour Cybersecurity for Industrial Control Systems (210W) - 15 hours Instructor Led Format - Introductory Level Introduction to Control Systems Cybersecurity (101) - 1 day or 8 hrs Instructor Led Format - Intermediate Level Intermediate Cybersecurity for Industrial Control Systems (201), lecture only - 1 day or 8 hrs Hands-On Format - Intermediate Level Intermediate Cybersecurity for Industrial Control Systems (202), with lab/exercises - 1 day or 8 hrs Hands-On Format - Technical Level ICS Cybersecurity (301) 5 days 7

8 Other Training and Much More!! SANS ICS ICS410: ICS/SCADA Security Essentials ICS515: ICS Active Defense and Incident Response CYBATI ISA (International Society of Automation) ISA Red Tiger Security YouTube (ISA) Wireless Security for Water/Waste Water Networks Joe Weiss' lecture at Stanford 8

9 NDAA 18 Selected DRAFT Proposed Bills DHS: Cyber Vulnerability Disclosure Reporting Act Cyber Training and Talent Management (increased training for cyber protection of critical infrastructure) Pilot Projects to Streamline DoD Authorization of ICS and Nontraditional IT Devices New Collar Jobs Act (re-educate workforce in cyber) Measuring DoD Compliance Cybersecurity Requirements for Securing ICS (SECDEF Scorecard) Kaspersky Lab Product Ban 9

10 Simplified System Model & Mission Heat Map Fuel System Fire and Alarm System Water System HVAC Automatic Metering Lighting Control System LMR Physical Security Threat LOE High Low 1 Low High Mission Impact

11 Sample LoE & Mission Impact Chart 1 Threat LOE High Low Low High Mission Impact

12 Illustrative Scenario: Disruption Fuel System 1. Phishing attack via the Internet 2. Reconnaissance on NIPRNet to identify PLC controller of pump 3. Persistent normal PLC shutdown commands stop fuel delivery Specific Attack: Internet phishing attack targets unpatched system Level of Effort: Script Kiddies to access CS systems Impact: Lack of ability to execute MISSION

13 Illustrative Scenario: Fuel System Dependency Model 13

14 Illustrative Scenario Mitigation: Fuel System 14

15 Cyber Trust Rating What s Yours? Rating # Correlates to Breach Potential Detailed Event and Configuration Information via External Parties 15

16 Which Companies Will You Trust? Analysis of 27,458 companies reveals companies with ratings >400 are 5X more likely to have experienced a publicly disclosed breach 16

17 Discussion UNCLASSIFIED Reinventing the wheel is sometimes the right thing, when the result is the radial tire. Jonathan Gilbert 17

18 Resources UNCLASSIFIED Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info & funding solicitations] Risk Management Framework (RMF) Knowledge Service (KS) -DoD's official site for enterprise RMF policy and implementation guidelines Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs) Revision 1, 2017: UFC CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Sept UFGS CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Feb DoD OASD(EI&E) and Federal Facilities Council (FFC), under the National Research Council (NRC) sponsored a 3-day Building Control System Cyber Resilience Forum in Nov '15. DoDI Cybersecurity in the Defense Acquisition System Jan Office of the Assistant Secretary of Defense for Energy, Installations, and Environment Installation Energy (IE) IEC STANDARDS AND ISASECURER CERTIFICATION: APPLICABILITY TO BUILDING CONTROL SYSTEMS each subpage offers a PDF document: Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure (IG ) Whole Building Design Guide website cyber references National Initiative for Cybersecurity Careers and Studies - free cyber training Industrial Control Systems Joint Working Group (ICSJWG) DHS Cyber Security Evaluation Tool: DoDI Cybersecurity 14 March DoDI Risk Management Framework 12 March DoDI Cybersecurity Activities Support to DoD Information Network Operations 7 March NIST SP r2 Guide to Industrial Control Systems (ICS) Security May GAO Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning GAO 15-6 DHS and GSA Should Address Cyber Risk to Building and Access Control Systems GAO SU Defense Cybersecurity: DOD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Increased Oversight (For Official Use Only) Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure 18