Bird of a Feather Automated Responses

Transcription

1 Bird of a Feather Automated Responses Energy-Sec Summit Th Security and Compliance August 2017

2 INL s Position Nationally A network of 17 DOE national labs DOE s lead lab for nuclear energy A major center for National Security National Labs are Capability Machines that rely on unique capabilities They innovate to solve multi-disciplinary problems of national interest They do what Universities and Industry Can t, Won t or Shouldn t do Research in the National Interest that Maintains American Competitiveness & Security 2

3 INL National & Homeland Security RDD&D Capabilities Control Systems Cybersecurity Electric Grid Resilience Nuclear Safeguards & Security by Design Emergency Training & Response Nuclear Forensics/ Ultratrace Detection Materials & Energetics Wireless Communications & RF Modeling Over 120 professionals focused on cyber security of industrial control systems Armor Development National Laboratories are Capability Machines 3

4 The Nexus of Critical Infrastructure Protection Cyber Power Wireless Control Systems Unique Focus on the Interdependencies Enhances Critical Infrastructure Resilience 4

5 Agenda Cyber Security Core for Industrial Control Systems Programs DHS National Cybersecurity and Communications Integration Center (NCCIC) DOE-OE Cybersecurity for Energy Delivery Systems (CEDS) Industry Automated Response Why Needed? State of Art in Information Technology Energy Sector Focus Measuring and Evaluating Feasibility Performance Mitigation Actions Mitigation Trade-offs Security 5

6 Cyber Security Leadership INL Reputation for Top Cyber Security Researchers throughout International Critical Infrastructure Cyber Security Groups Participated in DHS Cyber Skills Task Force 10 Skills - 5 Objectives People want to work with us based on reputation Partnering Control Engineers with Cyber Researchers Employees Are Actively Recruited Top U.S. Cyber Defenders Work in Idaho Falls -Wall Street Journal November 14, 2012 As the department moves ahead, I will look to your leadership and expertise... Janet Napolitano Secretary, Homeland Security 6

7 Core Programs Research Since 2004, Department of Homeland Security NCICC Vulnerability Analysis, Disclosure and Guidance Incident Response, Advanced Analytics Malware Since 2003, Department of Energy Office of Electricity Delivery and Energy Reliability CEDS National SCADA Test Bed Other Government: Defense Advanced Research Project Agency (DARPA); Cyber Commands Industry Strategic Partnerships Resilient Control Systems Signature Area Laboratory Directed Research and Development 7

8 Leveraged Concepts DHS Malware Analysis, Automated Vulnerability Assessment; Consequence Based Analysis DOE-OE Validation and Measurement of Automated Response (VMAR) Exploit, Malware and Vulnerability (EMV) California Energy System for the 21 st Century Machine to Machine Automated Threat Response Structured Threat Information exchange (STIX) DARPA Rapid Attack Detection, Isolation and Characterizations Systems (RADICS) Test Effect Payloads LDRD Firmware Validation, Binary Analysis Official Use Only - Business Sensitive 8

9 What is Automated Response Needed? Patching cycles are problematic Patch availability, Proof of Implementation Impact, Application Always after detection or incident later on the cyber kill chain Automated Response for Information Technology Finance Sector: Orchestrators; Indicators of Compromise; Remediation Actions: Block IP, Match Hashes, Block URLs Volume and Velocity of Indicators Pre- Compromise Compromise Post- Compromise Reconnaissance Weaponized Delivery Exploitation Installation Command & Control Actions on Intent Official Use Only - Business Sensitive 9

10 What Could Automated Response Be? Focused on the most Critical Functions in Energy Systems Detect targeted indicator for targeted consequence Actions matching Threat and Vulnerabilities Moving Left of BOOM Agile and Responsive - Provide a response platform added capability Unique, temporary remediation actions Roll-back remediation actions after better mitigations designed and tested Proven Indicators and Remediation Actions Shared via common language Machine Speed implementation Official Use Only - Business Sensitive 10

11 Focus on Exploit Malware Vulnerability & Threat Solves the Volume and Velocity Problem EMV Scoring for Priority Issues Urgency Incident source, Availability, Repeatability Maturity Sophistication Persistence, Stealth, Simplicity Functional Impact Foothold to degraded resource to physical damage Exposure steps required, layers to cross Ability to Defend detection, removal of EM, isolation, patch Consequence slow down - reputation Threat Motivation Capability Opportunity Intent Official Use Only - Business Sensitive 11

12 Indicators and Remediation Actions Official Use Only - Business Sensitive 12

13 GIRL Graph Indicator Remediation Language Backdoor.Industroyer Official Use Only - Business Sensitive 13

14 Why Measurements are Needed Availability and Integrity are Critical in Control Largest Concern for Operations is Latency Monitoring for Indicators and Remediation Actions Pull version vs Matched hash Monitoring for Performance Measuring and Testing provides assurances that Indicators and Remediation Actions will not impact operations Trade-offs in Remediation Actions Temporary fix cost to remove and apply a more permanent mitigation Official Use Only - Business Sensitive 14

15 Tale of Two Configurations Technologies for Interface Historian IED Management System Threat Management C&C SCADA Legacy Substation HMI PLC 1 PLC 2 Software Defined Substation -Virtual Machine -Firewall -Remote Access Proxy Hardware Defined Substation -RTU -PLC -Protective Relay Protective Relay Network Switch Transformer Monitor Threat Monitor Appliance (TMA) Sensors Sensor 1 Open Source Tools: Exploit; IDS; SIEM Tools Data Collection Sensors Threat Monitor Appliance (TMA) Tools Data Collection Sensor 3 Sensor 2 NetFlow Switch NetFlow Switch Test Lab Laptops Testing Tools Official Use Only - Business Sensitive 15

16 Next Steps in Measuring Automated Response Collect Performance Data Run baselines static and under duress Run indicators and remediation actions Compare highly integrated orchestrator to standards-based response Data Analytics of Volume and Velocity for Applicability for integrations Coding EMV for machine readable automated prioritization Incorporate vulnerability scanners, discovery products Move to Firmware Race to Bottom Malware Segments for key malware functions Dynamic binary analysis Official Use Only - Business Sensitive 16

17 OASIS and STIX OASIS is the Organization for the Advancement of Structured Information Standards, a not-for-profit, international consortium that drives the development, convergence and adoption of open standards for the global information society DHS turned over custody of STIX to OASIS in early 2015 Changes to STIX Language are required for ICS applications such as CES-21 As part of Task 6, New Context (a voting member of OASIS) is the CES-21 advocate to getting these necessary STIX changes adopted Some of the significant players in OASIS include: 17

18 Next Generation Grid Systems: From Reliable to Resilient Threats are those elements that counter normalcy and destabilize grid system networks human error, damaging storms, malicious attacks, complex failures & interdependencies State Awareness provides essential knowledge of operating parameters to fully characterize the decision space Resilient Design provides an adaptive capacity and agility for response to threats, including those that are not well characterized by traditional means Resilience is the capacity of a grid system to maintain state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature. 18

19 Resilient Cyber Tools/Demonstrations at INL Sophia Fingerprints conversations across a network for better situational awareness NextDefense commercialization (2013) Intelligent Cyber Sensor Protection of field devices allowing for agile response, better situational awareness (2013) Data Fusion Provides common view and quality of data for better situational awareness (2013) Resilient Metrics Prototyped (2014) Predictive Battery Recharging (2012) Resilient Design Microgrid Controls(2013) Situational Awareness Demonstration (2013) Mitigation Actions (2016) 19

20 Power Systems Research & Testing Unique Facilities/Equipment/Experience Infrastructure INL utility scale power grid with real-time INL monitoring and control located at INL s 890 square mile federal reservation Experience Test design and grid configuration, data collection and analysis Personnel Electrical/power engineers PhD analysis, utility and research test design engineering, utility operations 20

21 Other Leveraged Research DOE-OE Funded Projects Over 40 Vulnerability Assessments Sophia fingerprinting tool for control systems transferred to NextDefense RENDER Risk Evaluation Nexus for the Digital-age Energy Reliability 2013/14 ATAC Advanced Threat Analysis Characterization 2013/14 ReACT - Root-Cause Attack Characterization of Threat 2013/14 CYOTE-A/B and CET - Cybersecurity for the Operational Technology Environment Pilot and Full Assessment and Cybersecurity Emerging Threat 2016/7 Support of ISER and Incident Response Department of Homeland Security Funded Projects NAVV Network Analysis Verification and Validation, CSET Cyber Security Evaluation Tool & RRAP - Regional Resiliency Assessment Program CLAPI Component Level Access Physical Impact 2015 AVA Automated Vulnerability Assessment 2016 Other (funding source) GrassMarlin, Bro, Security Onion (open source tools) CRITs Collaborative Research Into Threats (Open Source MITRE) CCE - Consequence-Driven Cyber-Informed Engineering (INL) 2016/7 RIM - Risk Informed Methods (INL) 2016 IACD - Integrated Adaptive Cyber Defense (JH/APL)