Cybersecurity Basics For Energy Managers
Protecting Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Michael Mylrea
Manager, Cybersecurity & Energy Technology
Pacific Northwest National Lab

August 15, 2017
Tampa Convention Center, Tampa, Florida

Case Studies & Lessons Learned
Ukraine Grid Cyber Attack
Source: Michael J. Assante and Robert M. Lee, The Industrial Control System Cyber Kill Chain, October 2015

Lessons Learned
- Know and Monitor Your Critical Cyber Assets
- Do Not Run A Flat Network - Segregate & Secure IT/OT Networks
- Cyber Policies Can Reduce Human Error
- Hackers Often Use Very Basic Tactics to Hack Very Vulnerable Systems
- Implement Password Management Controls, Firewalls, Encryption & Configuration Policies

Case Studies & Lessons Learned
- Devil's Ivy
- MIRAI
- SHODAN RESEARCH

Lessons Learned
- Cybersecurity starts with smart procurement and provisioning of devices
- Though it is easy to find vulnerabilities, you can make it tough to exploit them
- Patch early, Patch often, Patch Smart
- Security is a continuous process that requires active management of cyber risk

Case Study: DOE Integrated Joint Cybersecurity Coordination Center
Cyber Physical ECC
www.cf.labworks.org
http://www.bc2m2.pnnl.gov/
Buildings Cybersecurity Framework
3 Open Source Tools to Help Protect Buildings Operational Technology (OT) from Evolving Cyber Threats & Vulnerabilities

Lessons Learned & Recommendations
- Government lacks clear cybersecurity requirements for buildings and OT cybersecurity
- Insider attacks, social engineering & physical access can defeat cybersecurity defenses
- Establish clear roles and responsibilities for buildings cybersecurity

IJC3 Lessons Learned
Applying Facility OT Cyber Assessment Tools & Methodologies

Security is a Continuous Process. Fostering a Culture of Security is Imperative. The following are a couple of easy-to-use tools to facilitate this process.

Procedures
Organizational Level tools
DOE Buildings Cybersecurity Framework
- Provides an actionable framework for establishing OT building and facility specific OT cybersecurity PROCEDURES
- Implements new executive order for cybersecurity for critical infrastructure

Policies
DOE Cybersecurity Maturity Model
- Provides high level baseline and guidance for developing cybersecurity POLICIES for buildings OT
- Adapted from over 50 cyber best practices to assess buildings/facilities IT and OT

Measuring policies and procedures in place
INL/DHS CSET
- Helps assess the policies and procedures that are in place against industry and government best practices

Systems level Assessment
Facility Level tools
COTS Cyber Tools/Vendor Solutions
- There are many COTS, each with their own strengths and weaknesses, but no panacea.
- Limitations: Cost, know-how and risk of causing damage - scanning legacy buildings controls

Buildings Cybersecurity Framework
https://cf.labworks.org

BCF Realizes Goals of the Recent Executive Order Requiring Implementation of the NIST Cyber Framework

The executive order encourages implementation of the NIST Framework, which is the core of BCF, and holds cabinet secretaries and agency directors responsible for the security of their organizations' information assets, as is the current law.

"Agency heads will be held accountable by the president for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification or destruction of information or systems," the revised draft order states.

Domains are logical groupings of cybersecurity practices, based on the foundation of National Institute of Standards and Technology (NIST) Framework.

Organization of the BCF Framework
- Framework: Based on NIST Cybersecurity Framework and existing best practices
- Domains: Framework contains 5 domains
- Building Blocks: Three or more per domain. Unique to each domain
- Each Domain Includes a Checklist & Security Indicator Level (SIL): Security Level 1, Security Level 2, Security Level 3

BCF Webtool Features
https://cf.labworks.org

References
- SANS Institute 20 Critical Security Controls
- ISA 62443-3-3:2013
- ISO/IEC 27001:2013
- Michael Chipley, Daryl Haegley, and Eric J. Nickel, Your Building Control Systems Have Been Hacked. Now What?
- DOE Cybersecurity Capability Maturity Model (C2M2)
- DOE Buildings Cybersecurity Maturity Model (B-C2M2)
- DOE EERE BTO Buildings Cybersecurity Whitepaper (forthcoming)
- DOE EERE Building Cybersecurity Framework Overview (forthcoming)
- DOE s U.S. Department of Defense, United Facilities Criteria: Cybersecurity of Facility-Related Control Systems (UFC)
- DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT)
- DoD Facility-Related Control Systems Cybersecurity Guidelines
- Executive Order 13636 and 13800 (May 2017)
- Michael J. Assante and Robert M. Lee, The Industrial Control System Cyber Kill Chain, October 2015
- National Institute of Standards and Technology Special Publication 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, 2013
- National Institute of Standards and Technology Special Publication 800-82 R2, Guide to Industrial Control Systems (ICS) Security, 2015
- National Institute of Standards and Technology Special Publication SP 800-115
- United Facilities Criteria 3-410-02, Direct Digital Control for HVAC and Other Building Control Systems
- Government Accountability Office Report 15-6, Federal Facility Cybersecurity, 2014

Contact Info
Michael Mylrea
Pacific Northwest National Lab
michael.mylrea@pnnl.gov