EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM. Wurldtech Security Technologies

Transcription

1 EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM Wurldtech Security Technologies

2 Objectives Discuss how to: Evaluation of effectiveness Ø How do we define and measure effectiveness? Implementation of cyber-security policies Ø What policies do we need to implement? Management and administration of cyber security Ø How do we ensure we are complying with policies?

3 EVALUATING EFFECTIVENESS

4 Effectiveness Complicated topic for a number of reasons. Here are but a few: How do you define effectiveness? How do you measure effectiveness? Is saying that security measures are effective the same as having assurance/confidence that the system is secure? How do you measure unknown vulnerabilities that lead to zeroday attacks? Does it have to consider the environment in which the system is installed? Does it have to consider all threats or only applicable threats? Can the same system s security features be effective in one environment but not another?

5 Product effectiveness criteria Was the product developed using a commonly accepted Secure Development Life Cycle (SDLC) process? If so, what is the maturity of the process used? Is supply chain security practiced? Was a security risk assessment performed on the product design? By a third party? Does the product implement applicable IEC security capabilities? Was the product thoroughly tested? Requirements testing, vulnerability testing, penetration testing? Were tests performed by a third party? Were the product developers trained in secure development? Can the product be configured to meet a variety of customer security policies/ requirements? Are the product s security patches validated? *SDLC examples: Microso4 SDLC, BSIMM, Security by Design with CMMI for Development, IEC (currently being balloted among NaLonal CommiMees)

6 Integration/maintenance effectiveness criteria Was the system integrated (installed) and maintained using a qualified secure process? What is the maturity of this process? Was a security risk assessment performed on the system design? By a third party? Were the integrators and maintenance providers trained in ICS security? Was the system properly segmented? (e.g. Level 2/3, wireless, SIS) Were system security capabilities configured to meet customer policies and requirements? Can it be configured to meet a variety of customer security policies/ requirements? Are all devices and portable media free of known malware? *Qualified Secure IntegraLon and Maintenance Process example: IEC cerlficalon

7 Asset owner/operator effectiveness criteria Does the site have a Security Management System in place? Are all the appropriate security policies and processes in place and have they been communicated to vendors? What is the maturity of these policies and processes? Have the security policies associated with security mechanisms (e.g. password policies) defined a Security Level as specified in IEC ? Have personnel been trained on security policies and processes? Are change management, patch management, event management, and backup/restore processes in place? Is a security incident response team active? Was a security risk assessment performed on the site that covers policy and system design decisions? By a third party? * Security Management System examples: IEC and ISO/IEC 27002

8 IMPLEMENTING CYBER-SECURITY POLICIES

9 Understanding the environment Remote users Human users (e.g. operation & maintenance) Application processes (e.g. historian) Remote access Process control system/components in one location Client applications in another location What is in between? Plant/enterprise network Public network (Internet, public or private communications lines)

10 Understanding threats What are they trying to do? Malware insertion (run the attackers code) Change/steal system parameters using existing system code How do they get in? Network interfaces Software interfaces (e.g. TCP/UDP Ports, Named Pipes) by: - Authorized devices (usually infected) - Unauthorized devices (e.g. laptops) Local interfaces USB and portable media interfaces Configuration & Maintenance ports User interfaces

11 Unintentional and intentional attacks Unintentional attacks Accidental actions by users Improper operational values Improper configuration Failure to do a required action Bugs in the system (is this really a security issue?) Intentional attacks Misuse of the system (e.g. by disgruntled personnel or malicious attacker) Not specifically targeted to the system (e.g. viruses, worms, ) Targeted attacks Semi-sophisticated (e.g. canned Metasploit users, Shodan users) Sophisticated (e.g. expert hackers, nation states) - Often requires knowledge of the system (this is why protection of the system design information and code is important)

12 Understanding vulnerabilities Vulnerabilities are access points that enable attackers to get in. Examples include: Software bugs (e.g. code that leaves a connection open, that shows password as they are typed or that stores them in memory in the clear) System design errors (e.g. no authentication on Modbus/TCP) Inadequate input validation (e.g. that allows buffer overflows to occur, a user interface that allows an invalid value to be used)

13 Implementation process Develop policies and processes in compliance to IEC Applies ISO/IEC and to Industrial Automation Train personnel on policies and processes Communicate policies to suppliers/vendors Ensure suppliers/vendors have supply chain practices in place Ensure integrators and maintenance providers are IEC compliant Ensure product suppliers use an SDLC to develop their products - Ensures security requirements - Ensures secure by design and implementation - Ensures security testing has been performed

14 IEC Maturity Level Managed Security program developed and documented, but not yet prac:ced IniLal (Entry Level) Only adhoc procedures, not necessarily consistent or repeatable across implementa:ons Improving Applica:on of lessons learned, documented prac:ces updated Defined Prac:ced and repeatable, following documented prac:ces

15 Maturity Level contribution to effectiveness Site operation (IEC ) ü More confidence placed on sites with security policies and procedures ü Quality of security effectiveness related to maturity of development processes, and: System integration and maintenance (IEC ) ü More confidence placed on vendors who have integrated security into their deployment and maintenance processes ü Quality of delivery related to maturity of development processes Product development (IEC ) ü More confidence placed on products designed, implemented, and tested with security in mind ü Quality of product security related to maturity of development processes

16 MANAGING AND ADMINISTERING CYBER SECURITY

17 Putting it all together Evaluation involves identifying suspicious activities at interfaces and finding evidence of potential breaches. Activities include: Security testing and assessment During integration (e.g. FAT, SAT) After commissioning Periodically during operation Scanning (discovering) Unauthorized devices Unauthorized open ports Unauthorized software Misconfigurations

18 Putting it all together Monitoring (watching) Unauthorized traffic (e.g. attempts to reach an unauthorized node/port) Unusual network traffic (e.g. using an IDS) Login activity Remote access activity Logging (recording) Security violations (invalid login attempts, rejected packets) Access to privileged resources (files, registry, configuration data, administrative processes and data) Startup processes (to ensure configurations are correct) Reviewing (analyzing) Significant security violations (repeated login attempt failures) Correlations of events (suspicious activities)

19 Challenges v Culture Change ü Perhaps the biggest challenge ü Requires change in work practices and awareness ü Requires acceptance of necessity of security practices ü Requires change in behavior v Technology deficiencies ü Technical requirements not known to asset owner/operator until security program is established ü Required technical capabilities not always present, especially for monitoring and logging v Supply chain security ü Establish a program to qualify suppliers ü Gain support from suppliers (you may not be an important enough customer for some)

20 THANK YOU Wurldtech is a trademark of the General Electric Company. All other trademarks are the property of their respective owners. Wurldtech reserves the right to make changes in specifications and features shown herein, or discontinue the product described at any time without notice or obligation. All values are design or typical values when measured under laboratory conditions Wurldtech Security Technologies Inc. All rights reserved.