Homeland Security and Cyber Infrastructure Resilience

Transcription

1 January 2014 Homeland Security and Cyber Infrastructure Resilience Resources for and Results of DHS Cyber Evaluations, Incident Response, Threat Coordination, and Security Management Bradford J. Willke, CISSP Program Manager, Cyber Security Advisor Program Office of Cybersecurity and Communications (CS&C) National Protection and Programs Directorate (NPPD)

2 CYBER THREAT TRENDS AND SPECIFIC ATTACKS Presenter s Name June 17,

3 Sophistication Growth of Cyber Threats High Sophistication Required of Actors Declining Back doors Disabling audits Sophistication of Available Tools Growing Packet spoofing Sniffers Sweepers Burglaries GUI Network mngt. diagnostics Hijacking sessions Denial of Service Stealth /advanced scanning techniques Staging www attacks Automated probes/scans Convergence Stuxnet Sophisticated C2 Cross site scripting / Phishing Distributed attack tools DNS exploits DDOS Low Exploiting known vulnerabilities Password cracking Self-replicating code Password guessing Estonia DoS Russia invades Georgia Presenter s Name June 17,

4 Cyber Threat: Human Threats Who is behind these intentional threats? Insider Threat Insiders have a unique advantage due to access/trust They can be motivated by revenge, organizational disputes, personal problems, boredom, curiosity, or to prove a point Malware Authors Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware Phishers Individuals, or small groups who attempt to steal identities or information for monetary gain Spammers Individuals or organizations who distribute unsolicited with hidden or false information to sell products, conduct phishing schemes, distribute spyware/malware, or attack organizations Terrorists Cyber attacks have the potential to cripple unsecured infrastructures Cyber-linkages between sectors raise the risk of cascading failure Putting Cybersecurity in Perspective Presenter s Name June 17,

5 Cyber Attack: Step by Step Presenter s Name June 17,

6 ShodanHQ ShodanHQ is the first search engine designed to search for computers and devices. Recommendation: Run a search using your network IP range to identify or validate: devices, misconfigurations, location, services, HW/SW versions, etc. ShodanHQ has identified: ~500,000 devices connected to the internet 98,415 were located in the U.S. 7,257 were associated with Industrial Control Systems Presenter s Name June 17,

7 Trending Now EXECUTIVE ORDER 13636: IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY Presenter s Name June 17,

8 Executive Order 13636: Improving Critical Infrastructure Cybersecurity Effective February 12, 2013 Directs the Executive Branch to: Develop a technology-neutral voluntary cybersecurity framework Promote and incentivize the adoption of cybersecurity practices Increase the volume, timeliness and quality of cyber threat information sharing Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure Explore the use of existing regulation to promote cyber security Presenter s Name June 17,

9 Voluntary Program (under Cyber EO) Voluntary Program (VP) is a coordination point within the Federal Govt for CI owners/operators interested in improving their cyber security risk management processes Goals are to: 1. Support industry/ci to increase cyber resilience; and 2. Increase awareness and adoption of the NIST Cyber Security Framework (CSF) in support of the goal #1 Formal launch: February 14, 2014 Presenter s Name June 17,

10 Voluntary Program - Continued Phased rollout for the program At launch, Website available with self service options, including information on the alignment of existing DHS resources to the CSF CRR will be made downloadable (as self-assessment) FAQs and VP messaging kits Phase 1 (2/2014 2/2015): First 12 months focused on building momentum: Support adopters; and provide ongoing coordination for feedback on resources (to/from NIST) Alignment of CSF principles and performance goals with NIPP guidance, metrics programs, etc Phase 2 (2/2015 2/2016): Focused on implementation of sector strategies Phase 3 (2/2016+): Continuing focus on evolution of VP capabilities, resources from partners to support CSF use, etc Presenter s Name June 17,

11 DHS Cyber Security Evaluations - CYBER HYGIENE (CH) EVALUATIONS - PEN TEST (AKA RVA) - CYBER RESILIENCE REVIEW (CRR) - CYBER SECURITY EVALUATION TOOL (CSET) - CYBER INFRASTRUCTURE SURVEY TOOL (C-IST) - ICS ARCHITECTURE REVIEW Presenter s Name June 17,

12 CYBER HYGIENE (CH) Presenter s Name June 17,

13 Cyber Hygiene Assess Internet accessible systems for known vulnerabilities and configuration errors. Work with organization to proactively mitigate threats and risks to systems. Activities include: Network Mapping Identify public IP address space Identify hosts that are active on IP address space Determine the O/S and Services running Re-run scans to determine any changes Graphically represent address space on a map Network Vulnerability & Configuration Scanning Identify network vulnerabilities and weakness Homeland Security Office of Cybersecurity and Communications

14 Cyber Hygiene - FAQ How frequently will my Agency be scanned? The frequency of the scans is up to your Agency. In addition to on-demand scans, NCATS would like to conduct quarterly, monthly, or weekly scans. Will my Agency have a decision in scan scheduling? Once we receive the signed authorization letter, we assign a Technical POC to work with your agency POC to validate /determine your public IP space and identify the frequency and time frames the scanning may occur. Will my Agency be expected to "white list" DHS scanning IPs? Your Agency is not required or expected to "white list" the DHS scanning range, although the results will be more thorough if you do. The choice is entirely up to your agency. A couple of days prior to scanning activity we send notification letters ( ) to US-CERT and to any identified Agency SOCs explaining the activity and identifying the source IP range so they will be prepared. What level of access to the reports and data will my Agency have? In addition to the report we prepare your Agency will have full access to all data and findings produced by our tools Homeland Security Office of Cybersecurity and Communications 14

15 Cyber Hygiene - FAQ What information is included in the report? A listing of systems detected, open ports, services/applications (with version number) and operating system running on those systems A listing of known vulnerabilities (if any) specific to the applications running A listing of vulnerabilities identified on each system A summary / validation of your Agency s public 2nd level domain DNSSEC status (e.g. dhs.gov, tsa.gov) For comparison statistics, non-attributable Federal Totals & Averages for all previous data points will be provided Reports will also provide trending/history and highlight any delta s between the current and previous report What value will be provided In addition to providing a free, 3rd party, objective perspective of the vulnerabilities present and risks to your Agency's Internet connected assets, participation will benefit the Federal government as a whole. A major objective is to provide non-attributable but quantifiable data to leadership to ensure initiatives and policy directives are well informed, fact based, and focused on areas with the greatest need. Homeland Security Office of Cybersecurity and Communications

16 PEN TESTS (AKA NETWORK RISK AND VULNERABILITY ASSESSMENTS) Presenter s Name June 17,

17 Risk and Vulnerability Assessment (RVA) Conducts red-team assessments and provides remediation recommendations. Identify risks, and provide risk mitigation and remediation strategies Improves an agency s cybersecurity posture, limits exposure, reduces rates of exploitation, and increases the speed and effectiveness of future cyber attack responses. Services Include: Service Description Vulnerability Scanning and Testing Penetration Testing Social Engineering Wireless Discovery & Identification Web Application Scanning and Testing Database Scanning Operating System Scanning Homeland Security Conduct Vulnerability Assessments Exploit weakness or test responses in systems, applications, network and security controls Crafted at targeted audience to test Security Awareness / Used as an attack sector to internal network Identify wireless signals (to include identification of rogue wireless devices) and exploit access points Identify web application vulnerabilities Security Scan of database settings and controls Security Scan of Operating System to do Compliance Checks Office of Cybersecurity and Communications

18 RVA Process Pre ROE Agency contacted Briefed on NCATS services Service is Requested Schedule Confirmed ROE Distributed/Agency signs ROE Pre Assessment (Minimum) 2 weeks Pre-Assessment Package Distributed Receive Completed Pre-Assessment Package Conduct Pre-Assessment Teleconference Receive Pre-Assessment Artifacts (1 week) Assessment 2 weeks Off-Site Assessment Activities On-Site Assessment Activities Reporting 3 weeks Draft Report Started/Completed Submit Draft Report to Agency Receive Draft Report with Agency Comments Q&A Process Started/Completed Homeland Security Post Assessment 1 week Final Draft Completed Final Report Delivered to Customer Assessment Out brief Office of Cybersecurity and Communications

19 CYBER RESILIENCE REVIEW (CRR) Presenter s Name June 17,

20 Cyber Resilience Review (CRR) One-day, no-cost, facilitated cyber security evaluation Deployment across all 16 CIKR sectors as well as State, local, tribal, and territorial governments Based on the CERT Resilience Management Model (RMM), a process improvement model for managing operational resilience Primary goal: Evaluate how CIKR providers manage cyber security of significant information services and assets (information, technology, facilities, and personnel) Secondary goal: Identify opportunities for improvement in cyber security management and reduce operational risks related to cyber security Presenter s Name June 17,

21 Cyber Resilience Definition: The ability of an organization to continue vital IT services and information management functions in a less-than-ideal situation while reacting and adapting to stresses Protect (Security) Sustain (Continuity) Perform (Capability) Repeat (Maturity) Presenter s Name June 17,

22 IM SA VM TRNG CNTL EXD CCM RISK AM SCM CRR Domains These represent key areas that typically contribute to an organization s cyber resilience each domain focuses on: Documentation in place, and periodically reviewed & updated Communication & notification to all those who need to know Execution/Implementation & analysis in a consistent, repeatable manner Alignment of goals and practices within & across CRR domains Asset Management identify, document, and manage assets during their life cycle Service Continuity Management ensure continuity of IT operations in the event of disruptions Configuration and Change Management ensure the integrity of IT systems and networks Risk Management identify, analyze, and mitigate risks to services and IT assets Controls Management identify, analyze, and manage IT and security controls Vulnerability Management identify, analyze, and manage vulnerabilities External Dependency Management manage IT, security, contractual, and organizational controls that are dependent on the actions of external entities Training and Awareness promote awareness and develop skills and knowledge Incident Management identify and analyze IT events, detect cyber security incidents, and determine an organizational response Situational Awareness actively discover and analyze information related to immediate operational stability and security Presenter s Name June 17, 2003

23 Maturity Not Just Capability A MIL (Maturity Indicator Level) measures process institutionalization, and describes attributes indicative of mature capabilities. MIL Level 5 Defined All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); measured (MIL-4); and consistent across all internal constituencies who have a vested interest processes/practices are defined by the organization and tailored by organizational units for their use, and supported by improvement information shared amongst organizational units. MIL Level 4 Measured All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); and periodically evaluated for effectiveness, monitored & controlled, evaluated against its practice description & plan, and reviewed with higher-level management. MIL Level 3 Managed All practices are performed (MIL-1); planned (MIL-2); and governed by the organization, appropriately staffed/funded, assigned to staff who are responsible/accountable & adequately trained, produces expected work products, placed under appropriate configuration control, and managed for risk. MIL Level 2 Planned All practices are performed (MIL-1); and established, planned, supported by stakeholders, standards and guidelines. MIL Level 1 Performed All practices are performed, and there is sufficient and substantial support for the existence of the practices. MIL Level 0 Incomplete Practices are not being performed, or incompletely performed. 23

24 CRR Report 24

25 Cyber Resilience Reviews (CRR) A no-cost, voluntary, interview-based review producing a formal report Takes one (1) day (i.e., 5-6 hours excluding lunch and breaks) to complete Helps CIKR and SLTT partners understand and measure cyber security capabilities as they relate to operational resilience and cyber risk during: normal operations (i.e., protection & sustainment) times of operational stress and crisis (i.e., survivability & resilience) Based on the CERT Resilience Management Model (CERT RMM), a process improvement model for managing operational resilience Cross-referenced and compatible with the NIST Security Management Framework (i.e., EO 13636) Information provided during the CRR is afforded protection under the DHS Protected Critical Infrastructure Information Program Scheduling or general inquiries to: CSE@hq.dhs.gov Sean McCloskey (sean.mcloskey@hq.dhs.gov), Program Manager, Cyber Security Evaluations 25

26 CYBER SECURITY EVALUATION TOOL (CSET) Presenter s Name June 17,

27 Cyber Security Evaluation Tool (CSET ) Stand-alone software application Self-assessment using recognized standards Tool for integrating cybersecurity into existing corporate risk management strategy R CSET Download: 27

28 CSET Standards R Requirements Derived from Widely Recognized Standards NIST Special Publication TSA Pipeline Security Guidelines NERC Critical Infrastructure Protection (CIP) Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls Transportation Security Administration (TSA) Pipeline Security Guidelines, April 2011 Reliability Standards CIP-002 through CIP-009, Revisions 2 and 3 DoD Instruction Information Assurance Implementation, February 6, 2003 NIST Special Publication Guide to Industrial Control Systems (ICS) Security, June, 2011 NRC Reg. Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010 CFATS RBPS 8- Cyber DHS Catalog of Recommendations Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 Cyber, 6 CFR Part 27 DHS Catalog of Control Systems Security, Recommendations for Standards Developers, Versions 6 and 7

29

30

31 Hard-copy Reports 31

32

33 CYBER INFRASTRUCTURE SURVEY TOOL (C-IST) 33

34 Primary Capabilities Identify and document critical cyber security information including systemlevel configurations and functions, cyber security threats, cyber security measures, IT business continuity/disaster recovery and cyber security organizational management; Provide information to DHS, SSAs, and facility owner/operators to support cyber security planning and resource allocation Enhance overall capabilities, methodologies, and resources for identifying and mitigating gaps Facilitate cyber security information sharing Benchmark overall cyber security for all sectors and demonstrate how assets and sectors are reducing risk 34

35 Scope and Stakeholders No-cost, lightweight, protective measure-based survey Short in length minutes Administered by DHS Cyber Security Advisors with valid training Aggregated data will be presented to Sector-Specific Agencies (SSAs) and DHS, federal, state, regional, and local stakeholders. 35

36 C-IST Input Tool Web Based tool made available to the assessors User-Friendly, logical tool similar to the IST (i.e., SIAconsistent) Validation mechanisms to ensure competition Centralized Secure Database to allow for analysis and metrics/reporting Offline version 36

37 Question Areas and Topics 1. Background Information 1.1 Cyber Service Point of Contact and Visit Participants 1.2 Service Contact that Should Receive Primary Access to the Cyber Survey Dashboard 1.3 Other Service Contacts, Assessment Participants 2. General Information 2.1 Critical Cyber Service 2.2 Comments and Briefing Notes 2.3 General Cyber Service Description (Information Only) 3. Cyber Security Management 3.1 Cyber Security Leadership 3.2 Cyber Service Documentation 3.3 Change Management 3.4 Lifecycle Management 3.5 Accreditation and Assessment 3.6 Cyber Security Plan 3.7 Cyber Security Exercises 3.8 Information Sharing 4. Cyber Security Forces 4.1 Personnel 4.2 Cyber Security Training 5. Cyber Security Controls 5.1 Identification, Authentication, and Authorization Controls 5.2 Access Controls 5.3 Monitoring and Scanning 5.4 Information Protection 5.5 User Training 5.6 Defense Sophistication and Compensating Controls 6. Incident Response 6.1 Incident Response 6.2 Alternate Site and Disaster Recovery 7. Dependencies 7.1 Dependencies Data at Rest 7.2 Dependencies Data in Motion 7.3 Dependencies Data in Process 7.4 Dependencies End Point Systems

38 C-IST Dashboard Interactive Online Dashboard For the Owner/Operator Relational Data comparing to similar sites Create Scenarios Depict General PMI/CPRI and Threat Preparedness Index 38

39 Example of Top-Level IST Dashboard 39

40 Example of Second-Level IST Dashboard 40

41 ICS ARCHITECTURE REVIEWS 41

42 Architecture Review Intensive and exhaustive review of the security architecture for industrial control, process automation, and other cyber-physical systems Expert-led review Industrial Control System SMEs from Idaho National Lab and the Industrial Control System Computer Team Readiness Team Hands-on verification and document review 4-6 week data collection and analysis phase Formal, written report of options for consideration / improvement 42

43 Document Review Network Topology Diagrams (logical and physical) Requirements/guidance documentation for system design System description Architecture design/documentation Equipment list System interconnections to other systems Control Network Network topology diagrams (logical and physical) that depict connectivity Software suite Industrial protocols used End device list (vendors and models of PLCs, RTUs, etc.) Business/Control Interconnections Documented zones/network layers Document direct connections through firewalls/filtering routers/etc Analysis and Response Activities Review network architecture Review interconnectivity Discuss technical options for potential security gaps and vulnerabilities 43

44 DHS EVALUATION FINDINGS Presenter s Name June 17,

45 Data Points: 2011 Nationwide Cyber Security Review Strengths: Weaknesses: Documented Policy - Documented Risk Measured -Risk Rank 52% have implemented Process and/or Area validated Ad-Hoc 42% of respondents stated they do not have Standards and Validated protective measures for the detection and independent Procedures testing and/or audit program removal of malicious code established 1 Malicious Code 12% 36% 52% 81% 2 of all Physical respondents Access have Control adopted cyber 16% 45% of respondents 39% stated they have 46% not security 3 Logical control Access frameworks Control and/or 18% implemented 40% a formal risk management 42% security methodologies program (e.g., risk assessments, security 4 Security Testing 42% 22% 36% categorization) 42% 5 have Incident implemented Management and/or validated 32% 38% 31% logical 6 access Business controls Continuity (e.g., 33% 46% of respondents 36% stated they have 31% not termination/transfer 7 Personnel and procedures, Contracts ACLs, 29% implemented 41% Monitoring and Audit 30% Trails remote access) which is important to determine if an 8 Security Program 30% 40% 30% incident is occurring or has occurred. 9 Information Disposition 27% 44% 29% Security within Technology 31% of all respondents have never 10 36% 35% 29% Lifecycle performed a contingency exercise 11 Risk Management 45% 67% of all respondents 26% stated it has 29% been at 12 Monitoring and Audit Trails 46% least two years 27% since they updated 28% their Information Security Plan These results are based on the 162 responses 66% of all respondents stated it has been at least two years since they updated their Disaster Recovery Plans Presenter s Name June 17,

46 DHS CRR Analytical Findings From an analysis of a total of 115 organizations in 43 states across 12 sectors participating in evaluations of cyber security management and operational practices in Critical Infrastructures / Key Resources (CIKR), DHS found: Only 14% of organizations have a documented plan for performing situational awareness activities. 55% to 65% of organizations have not developed a strategy to guide their vulnerability management effort. Nearly half of the organizations assessed do not document which assets support critical services. A majority (70%) of organizations do not have a documented risk management plan. A majority (65%) of organizations lack a process to escalate and resolve incidents. A large majority (>80%) of organizations identify external dependencies, but nearly half fail to identify risks associated with these dependencies. Less than half of organizations identify control objectives, and worse yet less than half of those that do actually implement security control to meet those objectives 50% of organizations do not have a formal strategy to ensure continuity of the critical service, and even fewer (<40%) execute a formal test of these continuity plans. Source: U.S. Department of Homeland Security. Cyber Resilience Review Data Analysis. Office of Cybersecurity and Communications. Washington: September

47 DHS CRR Analytical Findings 1 47

48 DHS CRR Analytical Findings 2 48

49 DHS CRR Analytical Findings 3 49

50 DHS CYBER COORDINATION AND INCIDENT RESPONSE Presenter s Name June 17,

51 NCCIC in Brief Responsibilities include: The mission of the National Cybersecurity and Communications Center (NCCIC) is to serve as a national center for reporting of and mitigating communications and cybersecurity incidents. Provide alerts, warnings, common operating picture on cyber and communications incidents in real time to virtual and on-site partners Work 24X7 with partners to mitigate incidents: On-site partners include the Department of Defense, Federal Bureau of Investigation, Secret Service, Information Sharing and Analysis Centers (ISACs) and DHS components such as Office of Industry and Analysis Public and private sector partners share and receive information subject to information sharing protocols Presenter s Name June 17,

52 ICS-CERT Provide operational support for critical infrastructure stakeholders to respond and defend against emerging cyber threats Situational Awareness Observe, identify, acquire, or receive relevant ICS information Incident Response Provide on-site assistance and off-site analysis to bridge information gap Technical Analysis Perform digital media analysis for malware and consequences Vulnerability Coordination Coordinate and monitor for vulnerabilities in ICS systems Benefits to the ICS and Critical Infrastructure Community Awareness of emerging issues and threats State of the art analysis capabilities specific to ICS Incident response support for recovery and future defense Established partnership for immediate support and guidance ICS-CERT collaboration with other agencies and partners Presenter s Name June 17,

53 Incident Reporting NCCIC provides real-time threat analysis and incident reporting capabilities 24x7 contact number: Malware When to Submission Report: Process: If there Please is a send suspected all submissions or confirmed cyber attack or incident that: to AMAC at: -Affects submit@malware.us-cert.gov core government or critical infrastructure functions; -Results Must be in provided the loss of in data, system availability; or control of systems; password-protected zip files -Indicates using password malicious infected software is present on critical systems Web-submission: 53

54 Contact Information Evaluation Inquiries General Inquiries DHS Contact Information Bradford Willke Program Manager, Cyber Security Advisor Program Chad Adams Cyber Security Advisor, Region VI Department of Homeland Security National Protection and Programs Directorate Office of Cybersecurity and Communications