Vulnerability Disclosure

Similar documents
Statement for the Record

Control Systems Cyber Security Awareness

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Summary of Cyber Security Issues in the Electric Power Sector

2011 North American SCADA & Process Control Summit March 1, 2011 Orlando, Fl

DHS Cybersecurity: Services for State and Local Officials. February 2017

Improving SCADA System Security

Critical Infrastructure Partnership

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Department of Management Services REQUEST FOR INFORMATION

Cyber Security & Homeland Security:

Language for Control Systems

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

The Office of Infrastructure Protection

Cyber Attacks & Breaches It s not if, it s When

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

CALIFORNIA CYBERSECURITY TASK FORCE

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

DHS Supply Chain Activity: Cross-Sector Supply Chain Working Group and Strategy on Global Supply Chain Security

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

CERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University

Bird of a Feather Automated Responses

POSTMARKET MANAGEMENT OF CYBERSECURITY IN MEDICAL DEVICES FINAL GUIDANCE MARCH 29, TH ANNUAL MEDICAL DEVICE QUALITY CONGRESS

RBS of 6

You knew the job was dangerous when you took it! Defending against CS malware

Navigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

Defining Computer Security Incident Response Teams

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

The Office of Infrastructure Protection

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Medical Device Vulnerability Management

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

The Office of Infrastructure Protection

Monthly Cyber Threat Briefing

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cybersecurity, safety and resilience - Airline perspective

Synology Security Whitepaper

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Vulnerability Assessments and Penetration Testing

ISAO SO Product Outline

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Industry role moving forward

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato

Power Grid Resilience, Reliability and Security Research at Idaho National Laboratory

Connect Securely in an Unsecure World. Jon Clay Director: Global Threat

Firewalls (IDS and IPS) MIS 5214 Week 6

CHIME and AEHIS Cybersecurity Survey. October 2016

Dmitry Ishchenko/Reynaldo Nuqui/Steve Kunsman, September 21, 2016 Collaborative Defense of Transmission and Distribution Protection & Control Devices

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Chapter X Security Performance Metrics

National Policy and Guiding Principles

Forecast to Industry Program Executive Office Mission Assurance/NetOps

White Paper. View cyber and mission-critical data in one dashboard

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

Implementing Executive Order and Presidential Policy Directive 21

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Competency Definition

Transportation Security Risk Assessment

Cybersecurity Overview

CIP-014. JEA Compliance Approach. FRCC Fall Compliance Workshop Presenter Daniel Mishra

RiskSense Attack Surface Validation for IoT Systems

Critical Infrastructure Protection Version 5

Securing Industrial Control Systems

IPC2018 Industrial PC (IPC) Secure Deployment Guide

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

Threat and Vulnerability Assessment Tool

American Association of Port Authorities. Navigating the Cyber Domain. Homeland Security UNCLASSIFIED

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Cybersecurity & Privacy Enhancements

Why you should adopt the NIST Cybersecurity Framework

TERRORISM LIAISON OFFICER OUTREACH PROGRAM - (TLOOP)

Cybersecurity and Hospitals: A Board Perspective

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

PIPELINE SECURITY An Overview of TSA Programs

Critical Infrastructure Sectors and DHS ICS CERT Overview

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Regional Resilience: Prerequisite for Defense Industry Base Resilience

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

RFC 2350 YOROI-CSDC. Expectations for Computer Security Incident Response. Date 2018/03/26. Version 1.0

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

TEL2813/IS2621 Security Management

Homeland Security Institute. Annual Report. pursuant to. Homeland Security Act of 2002

ENCS The European Network for Cyber Security

Awareness as a Cyber Security Vulnerability. Jack Whitsitt Team Lead, Cyber Security Awareness and Outreach TSA Office of Information Technology

Detection and Analysis of Threats to the Energy Sector (DATES)

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Updates to the NIST Cybersecurity Framework

An Update on Security and Emergency Preparedness Standards for Utilities

CYBERSMART BUILDINGS. Securing Your Investments in Connectivity and Automation

Transcription:

Vulnerability Disclosure Rita Wells National SCADA Test Bed DoE-OE September 09, 2008

Department of Energy-Office of Electricity Delivery and Energy Reliability: National SCADA Test Bed Program Mission Support industry and government efforts to enhance control systems cyber security in the energy infrastructure Key INL activities are cyber Vulnerability Assessments (testing) and Industry Outreach (including training) Over 22 assessments in lab and on site ranging from 275 to 800 hours of cyber security researchers in addition to control systems and network engineer hours per each assessment Common vulnerabilities analyzed

National SCADA Test Bed DOE multi-laboratory program designed to: Support industry and government efforts to enhance control systems cyber security across the energy infrastructure PNL INL SNL ANL NIST Key Program Areas Assess and mitigate energy control systems vulnerabilities Develop advanced secure control systems technologies Support development of standards and best practices Conduct outreach and awareness

Vulnerability Disclosure Government Sponsored Time to public disclosure for CERT/Coordinating Center (CERT/CC) is normally 45 days More serious vulnerabilities are coordinated with US-CERT for disclosure[1] Trending of Vulnerabilities [1] CERT/CC Vulnerability Disclosure Policy, http://www.cert.org/kb/vul_disclosure.html From the FAQ: Our work is funded primarily by the U.S. Department of Defense and the Department of Homeland Security, along with a number of other federal civil agencies.

Vulnerability Disclosure Government Sponsored - continuted The US-CERT time to disclose varies for control systems based vulnerabilities US-CERT provides a more timely alert to control system vulnerabilities to users that register for through the secure portal While other more IT centric vulnerabilities are publish the same day as public disclosure The CitectSCADA buffer overflow (VU#476345) vulnerability it was one month from public disclosure to US- CERT published notes http://www.kb.cert.org/cert_web/services/vulnotes.nsf/id/476345

Vulnerability Discovery - Who Security Firms Core Security discovered two Citect vulnerabilities and one Wonderware vulnerability this year http://www.coresecurity.com/index.php5?module=contentmod&action=item&id=2312 Hackers OPC vulnerability at BlackHat 2007 http://www.eweek.com/c/a/security/hole-found-in-protocol-handling-vital-national- Infrastructure/ Protected Entities DHS-NCSD-CSSP Control System Security Program and DOE-OE National SCADA Test Bed and others Vendor Rarely disclosed prior to release notes End User Disclosed to Vendor

Stakeholders Perspectives Discoverer wants disclosure or not Vendor varies on culture normally all share with customers after fix Government Want to promote better secure systems while protecting infrastructure owned by private entities End User want to know prior to mitigations developed to apply defense in depth or other temporary protections

Responsible Disclosure Context and vulnerability issue are coupled

Responsible Disclosure Vulnerability Issue gets more attention and strays from context

Vulnerability Characterization Attack Surface Example Impact (Medium) will cause a denial of service (crash) if successfully exploited Exposure (High) can be exploited by an unauthenticated attacker having network access only Deployment (Medium) exists in a configuration that is present in some U.S. critical infrastructure control system applications Simplicity (Moderately High) has its exploit code publicly available for use with automated exploit tools Impact EXAMPLE (CVE-2006-3942) Simplicity Exposure Deployment

Concluding Recommendations Use discloser process that includes context and characterization of the vulnerability Asset owners need to do their own characterization of vulnerabilities specific to architectures Mine the large knowledge base of vulnerabilities for control systems Create more independent and open testing facilities Require government co-sponsored testing to open up information after aged Analyzed aged information for trending back to asset owners

Resources Available

Contact Information Dave Kuipers National SCADA Test Bed INL Program Manager 208-526-4038 david.kuipers@inl.gov Rita Wells 208-526-3179 rita.wells@inl.gov

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback