Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Similar documents
MINIMUM SECURITY CONTROLS SUMMARY

Mapping of FedRAMP Tailored LI SaaS Baseline to ISO Security Controls

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

DoD Guidance for Reviewing System Security Plans and the NIST SP Security Requirements Not Yet Implemented This guidance was developed to

ACHIEVING COMPLIANCE WITH NIST SP REV. 4:

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

SAC PA Security Frameworks - FISMA and NIST

Critical Infrastructure Sectors and DHS ICS CERT Overview

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Security Control Mapping of CJIS Security Policy Version 5.3 Requirements to NIST Special Publication Revision 4 4/1/2015

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

Building Secure Systems

The "Notes to Reviewers" in the February 2012 initial public draft of Revision 4 of SP states:

Why you should adopt the NIST Cybersecurity Framework

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

RIPE RIPE-17. Table of Contents. The Langner Group. Washington Hamburg Munich

Altius IT Policy Collection

Securing Industrial Control Systems

Because Security Gives Us Freedom

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

Attachment 1 to Appendix 2 Risk Assessment Security Report for the Networx Security Plan

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

AUTHORITY FOR ELECTRICITY REGULATION

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

IC32E - Pre-Instructional Survey

The Common Controls Framework BY ADOBE

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Juniper Vendor Security Requirements

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

NW NATURAL CYBER SECURITY 2016.JUNE.16

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Evolving Cybersecurity Strategies

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Recommended Security Controls for Federal Information Systems and Organizations

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Critical Infrastructure Resilience

Ransomware. How to protect yourself?

Using Metrics to Gain Management Support for Cyber Security Initiatives

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 2 OF 3

NIST SP , Revision 1 CNSS Instruction 1253

NIST Cybersecurity Framework Based Written Information Security Program (WISP)

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

Cyber Security for Process Control Systems ABB's view

What s new in PI System Security?

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

HIPAA Security and Privacy Policies & Procedures

Annex 1 to NIST Special Publication Recommended Security Controls for Federal Information Systems

April Appendix 3. IA System Security. Sida 1 (8)

An Overview of ISA-99 & Cyber Security for the Water or Wastewater Specialist

Energy Assurance Plans

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

AWS alignment with Motion Picture of America Association (MPAA) Content Security Best Practices Application in the Cloud

Internet of Things Toolkit for Small and Medium Businesses

Cyber Security Requirements for Electronic Safety and Security

The Office of Infrastructure Protection

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Four Deadly Traps of Using Frameworks NIST Examples

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

NIST Special Publication

Firewalls (IDS and IPS) MIS 5214 Week 6

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

CRITICAL INFRASTRUCTURE AND CYBER THREAT CRITICAL INFRASTRUCTURE AND CYBER THREAT

Centralized Control System Architecture

Control Systems Cyber Security Awareness

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

How AlienVault ICS SIEM Supports Compliance with CFATS

Cyber Criminal Methods & Prevention Techniques. By

SYSTEMS ASSET MANAGEMENT POLICY

Standard CIP Cyber Security Electronic Security Perimeter(s)

Security+ SY0-501 Study Guide Table of Contents

The New Security Heroes. Alan Paller

Standard CIP Cyber Security Electronic Security Perimeter(s)

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

Trust Services Principles and Criteria

CSAM Support for C&A Transformation

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

NIST Special Publication

Protecting productivity with Industrial Security Services

Rev.1 Solution Brief

NEN The Education Network

Office of Infrastructure Protection Overview

Cyber Security Standards Developments

Keys to a more secure data environment

READ ME for the Agency ATO Review Template

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Continuous Monitoring Strategy & Guide

Security Standards Compliance NIST SP Release 4 Trend Micro Products (Deep Security and SecureCloud) - Version 1.1

QuickBooks Online Security White Paper July 2017

Milestone Systems. XProtect VMS. Hardening Guide. XProtect Corporate XProtect Expert XProtect Professional+ XProtect Express+ XProtect Essential+

FISMA Compliance. with O365 Manager Plus.

Cyber Security What Do I Need to Do Now?

K12 Cybersecurity Roadmap

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Transcription:

SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor

16 Critical Infrastructure Sectors Presidential Policy Directive 21 (PPD-21) categorized U.S. critical infrastructure into the following 16 CI sectors. Chemical Commercial Facilities Communications Critical Manufacturing Dams Defense Industrial Base Emergency Services Energy Financial Services Food & Agriculture Government Facilities Healthcare & Public Health Information Technology Nuclear Reactors, Materials, and Waste Transportation Systems Water and Wastewater Systems Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system

Data Set - 20 Sources Critical Manufacturing 1 Dams 1 Energy 6 Government Facilities 2 Water Plants 10

CSET

Design Architecture Reviews

Network Architecture Verification & Validation NAVV Benefits: TCP Header Data Network Capture Point-to-Point Communication Verifications Data Flow Validation Network Perimeter Protection

10. AC-6 Least Privilege Mitigations Establish user accounts for Administrators Appropriate use of the escalate privilege function Review work requirements for necessary access requirements

9. CM-3 Configuration Change Control Mitigations Establish a solid configuration change control process Keep records / Use an automated software Have staff that know your ICS Keep patches for devices and applications current 8

8. PE-3 Physical Access Control Mitigations Access Alarms Video Surveillance Electronic Keys / RFID

7. AU-12 Audit Generation Mitigations Establish a process to collect logs Develop of system of processing logs to find events of interest Collect logs in a centralized location outside of data source 10

6. AT-2 Security Awareness Training Mitigations Establish annual training program to bring workers up to speed.

5. IA-5 Authenticator Management Mitigations Good Password Policies and Processes Use Account Management Software to enforce policy

4. SA-2 Allocation of Resources Mitigations Asset owners need more dedicated staff Staff on location

3. CM-7 Least Functionality Mitigations Determine needed services and deny all others Apply hardening as applicable Use whitelisting

2. IA-2 Identification and Authentication Mitigations Use good encryption for storage and transmission of credentials Uniquely identify personnel were possible Use multi-factor authentication for remote access and critical administrative access

1. SC-7 Boundary Protection Mitigations Logically segment networks Establish strong firewall rules to route traffic Isolate security and support functions Deny traffic by default Remote Access Use access points/jump servers for remote access Prevent split tunneling

Remote Access / Monitoring External Routers VPN Web Servers Business Servers E-mail Server DNS Server Workstations Remote monitoring Two-factor authentication required Jump Host VPN Business Network HMI Remote access The Internet Remote Connectivity Best Practices 1. Understand your data flows. Who should be talking to whom? Two-factor authentication required Control DMZ 1 (remote access) Restricted Comm Flows Data Acquisition Server Database Server Control DMZ 2 (remote monitoring) One-way traffic only Configuration Engineering Server Workstations HMI (Read Only!) 2. Never allow any machine on the control network to talk directly to a machine on the business network or Internet Control System Network Field Controllers 3. Configure firewalls to allow only specific IP/ports to talk to one another through the firewall. Everything else is blocked by default. Primary HMI HMI Field Devices Safety System

Observed Vulnerabilities Top 11 1 SC-7 Boundary Protection 16.22% 2 IA-2 Identification and Authentication (Organizational Users) 7.34% 3 CM-7 Least Functionality 6.56% 4 SA-2 Allocation of Resources 4.63% 5 IA-5 Authenticator Management 4.25% 6 AT-2 Security Awareness Training 4.25% 7 AU-12 Audit Generation 4.25% 8 PE-3 Physical Access Control 4.25% 9 CM-3 Configuration Change Control 4.25% 10 AC-6 Least Privilege 4.25% 11 CP-9 Information System Backup 4.25% 64.48%

Top 11 by Sector Energy Gov Fac Water Total SC-7 Boundary Protection 32.50% 25.00% 20.88% 25.15% IA-2 Identification and Authentication (Organizational Users) 12.50% 10.00% 10.99% 11.38% CM-7 Least Functionality 15.00% 10.00% 8.79% 10.18% SA-2 Allocation of Resources 10.00% 5.00% 5.49% 7.19% IA-5 Authenticator Management 2.50% 15.00% 6.59% 6.59% CM-3 Configuration Change Control 10.00% 10.00% 4.40% 6.59% AT-2 Security Awareness Training 2.50% 5.00% 8.79% 6.59% PE-3 Physical Access Control 0.00% 15.00% 7.69% 6.59% AC-6 Least Privilege 7.50% 0.00% 6.59% 6.59% AU-12 Audit Generation 5.00% 5.00% 8.79% 6.59% CP-9 Information System Backup 2.50% 0.00% 10.99% 6.59% Grand Total 100.00% 100.00% 100.00% 100.00%

Operation Controls CM-7 Least Functionality 14.29% CP-9 Information System Backup 9.24% PE-3 Physical Access Control 9.24% AT-2 Security Awareness Training 9.24% CM-3 Configuration Change Control 9.24% CM-2 Baseline Configuration 7.56% AT-3 Role-Based Security Training 7.56% SI-4 Information System Monitoring 7.56% CM-6 Configuration Settings 7.56% MA-2 Controlled Maintenance 6.72% MP-7 Media Use 5.88% CM-4 Security Impact Analysis 5.88% Grand Total (12) 100.00%

Management Controls SA-2 Allocation of Resources 25.00% SA-3 System Development Life Cycle 18.75% SA-4 Acquisition Process 8.33% PL-2 System Security Plan 8.33% RA-5 Vulnerability Scanning 6.25% CA-5 Plan of Action and Milestones 6.25% PL-1 Security Planning Policy and Procedures 6.25% CA-2 Security Assessments 6.25% CA-3 System Interconnections 4.17% SA-11 Developer Security Testing and Evaluation 2.08% SA-8 Security Engineering Principles 2.08% SA-12 Supply Chain Protection 2.08% CA-7 Continuous Monitoring 2.08% RA-3 Risk Assessment 2.08% Grand Total (14) 100.00%

Technical Controls SC-7 Boundary Protection 28.97% IA-2 Identification and Authentication (Organizational Users) 13.10% IA-5 Authenticator Management 7.59% AU-12 Audit Generation 7.59% AC-6 Least Privilege 7.59% AC-2 Account Management 6.90% SC-8 Transmission Confidentiality and Integrity 5.52% AC-17 Remote Access 4.83% SC-28 Protection of Information at Rest 4.14% AC-20 Use of External Information Systems 3.45% AC-18 Wireless Access 3.45% AC-4 Information Flow Enforcement 3.45% AC-19 Access Control for Mobile Devices 3.45% Grand Total (14) 100%

Questions?

11. CP-9 Information System Backup Examples No backup servers No testing of backups or backup media No offsite storage Mitigations Determine what should be backed up Implement a backup solution Test backups Keep an offsite copy for disaster recovery 24

Observed Vulnerabilities Top 12-22 12 AC-2 Account Management 3.86% 13 CM-2 Baseline Configuration 3.47% 14 SA-3 System Development Life Cycle 3.47% 15 SI-4 Information System Monitoring 3.47% 16 AT-3 Role-Based Security Training 3.47% 17 CM-6 Configuration Settings 3.47% 18 SC-8 Transmission Confidentiality and Integrity 3.09% 19 MA-2 Controlled Maintenance 3.09% 20 CM-4 Security Impact Analysis 2.70% 21 AC-17 Remote Access 2.70% 22 MP-7 Media Use 2.70% 35.52% 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback