Control Systems Cyber Security Awareness

Similar documents
Statement for the Record

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Chapter X Security Performance Metrics

PIPELINE SECURITY An Overview of TSA Programs

Chapter X Security Performance Metrics

National Policy and Guiding Principles

DHS Cybersecurity: Services for State and Local Officials. February 2017

Summary of Cyber Security Issues in the Electric Power Sector

ISAO SO Product Outline

Cybersecurity Overview

Language for Control Systems

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Critical Infrastructure Sectors and DHS ICS CERT Overview

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Medical Device Cybersecurity: FDA Perspective

Office of Infrastructure Protection Overview

Vulnerability Disclosure

The Office of Infrastructure Protection

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

The Office of Infrastructure Protection

The Office of Infrastructure Protection

U.S. Chemical Sector Cyber Security Strategy Edition. Chemical Sector Cyber Security Program

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

June 5, 2018 Independence, Ohio

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Securing Industrial Control Systems

How AlienVault ICS SIEM Supports Compliance with CFATS

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Ensuring System Protection throughout the Operational Lifecycle

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Bradford J. Willke. 19 September 2007

Department of Management Services REQUEST FOR INFORMATION

CSD Project Overview DHS SCIENCE AND TECHNOLOGY. Dr. Ann Cox. March 13, 2018

Cyber Resilience. Think18. Felicity March IBM Corporation

Emergency Support Function #2 Communications Annex INTRODUCTION. Purpose. Scope. ESF Coordinator: Support Agencies: Primary Agencies:

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

RiskSense Attack Surface Validation for IoT Systems

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

Chapter X Security Performance Metrics

The Office of Infrastructure Protection

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

The Office of Infrastructure Protection

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Implementing Executive Order and Presidential Policy Directive 21

The Office of Infrastructure Protection

Illinois Cyber Navigator Program

Cyber Security & Homeland Security:

Outreach and Partnerships for Promoting and Facilitating Private Sector Emergency Preparedness

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Cyber Security. June 2015

California Cybersecurity Integration Center (Cal-CSIC)

The Australian Government s Approach to Critical Infrastructure Resilience

Innovation policy for Industry 4.0

ABB Process Automation, September 2014

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

Industry role moving forward

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

STATEMENT GEORGE FORESMAN UNDERSECRETARY FOR PREPAREDNESS U.S. DEPARTMENT OF HOMELAND SECURITY

Incident Response Services

Department of Homeland Security Science and Technology Directorate

Continuous protection to reduce risk and maintain production availability

Security Standards for Electric Market Participants

Critical Information Infrastructure Protection Law

The Connected Water Plant. Immediate Value. Long-Term Flexibility.

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Emergency Support Function #12 Energy Annex. ESF Coordinator: Support Agencies:

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Why you should adopt the NIST Cybersecurity Framework

Defining Computer Security Incident Response Teams

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

American Association of Port Authorities. Navigating the Cyber Domain. Homeland Security UNCLASSIFIED

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Overview of the Federal Interagency Operational Plans

National Cyber Incident Response - Architectural Concepts

Long-Term Power Outage Response and Recovery Tabletop Exercise

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Section One of the Order: The Cybersecurity of Federal Networks.

Cyber risk management into the ISM Code

TSA/FTA Security and Emergency Management Action Items for Transit Agencies

Cyber Attacks & Breaches It s not if, it s When

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Digital Wind Cyber Security from GE Renewable Energy

NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE

NERCPI Regional Cyber Disruption Planning.

HPH SCC CYBERSECURITY WORKING GROUP

End-to-End Trust, Segmentation and Segregation in the IIoT

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Transcription:

Control Systems Cyber Security Awareness US-CERT Informational Focus Paper July 7, 2005 Produced by:

I. Purpose Focus Paper Control Systems Cyber Security Awareness The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Center (CSSC) is taking this opportunity to remind the control systems community of the importance of cyber security for control systems. This focus paper on Control Systems Cyber Security Awareness is the first installment in a series of papers intended to provide relevant cyber security information to the control systems community. The control systems community encompasses those entities that have a vested interest in the security of control systems to include critical infrastructure owners and operators; standards and regulatory bodies; federal, state, and local governments; associations; academia; control systems manufacturers; vendors; and various service providers. This initial focus paper raises cyber security awareness through discussion of control system cyber security trends and provides information on DHS and federal partner programs designed to enhance the cyber security posture of control systems within critical infrastructures. It also provides contact information on where control systems owners and operators can report, and obtain assistance with, control systems cyber security incidents and vulnerabilities. Future control systems cyber security focus papers will present information on topics covering control system cyber threats, indications and warnings of control systems cyber attacks, recommendations for improving control systems security, ongoing control system cyber security initiatives by government agencies and private industry, and other relevant control systems cyber security topics. II. Background Our Nation depends on the continuous and effective performance of a vast infrastructure to sustain our modern way of life. Control systems, which are integral components of this critical infrastructure, monitor and control sensitive processes and functions including electricity generation, transmission, and distribution; natural gas production and distribution; petroleum products refining; transportation systems monitoring and control; water supply; wastewater treatment; chemical processing; discrete manufacturing; and numerous other critical operations upon which our Nation depends. A control system is defined as the combination of computers, process control equipment, process interface systems and associated applications which work in concert to monitor the variables of a technical process and manage the process of interest. Names often used to identify control systems are supervisory control and data 2

acquisition (SCADA), distributed control system (DCS), process control system (PCS), energy management system (EMS), safety instrumented system (SIS), and manufacturing and control system (M&CS). III. Trends Historically, control systems that monitored and controlled critical infrastructure processes were operated in an isolated or stand-alone environment where computer systems and devices communicated with each other exclusively, and typically did not communicate or share information with systems not directly connected to the control system network. These control systems were typically comprised of proprietary hardware, software, and protocols designed specifically for control system operations. Knowledge of these proprietary applications and protocols was limited to a small population. Proprietary control system protocols and data were not readily available to the general population and significant effort and resources would have been required to acquire the proprietary information, understand the control system, discover vulnerabilities in the control system, develop the tools to exploit the identified vulnerabilities, and gain sufficient access to the control system so that vulnerabilities could be exploited to carry out unauthorized or malicious activities. For the reasons presented, in particular because access to control systems was greatly limited, critical infrastructure control system security efforts were primarily focused on protecting control systems from physical attacks. More recently, with the vast information technology expansion and the drive towards having information readily available from any location, many previously stand-alone control systems are being transitioned to the always connected world, where real-time control system information can be readily and easily accessed remotely by vendors, engineers, maintenance personnel, business managers, and others via corporate networks, the Internet, telephone lines, and various wireless devices. To reduce operational costs and improve performance, control system vendors and critical infrastructure owners and operators have been transitioning from proprietary systems to less expensive standardized technologies, operating systems, and protocols currently prevalent on the Internet. These widely accepted technologies, protocols, and operating systems, such as Ethernet, IP, Microsoft Windows, and web technologies, have a large number of known cyber vulnerabilities, and new vulnerabilities are reported on a daily basis. Exploitation tools, worms, and how-to papers are often readily available shortly after the announcement of a new vulnerability. Significant information on control systems is now publicly available, including design and maintenance documents, technical standards for the component interconnections, and standards for communicating between devices. In addition, control system security concerns are 3

elevated because control systems are typically not up-to-date with the latest security patches, fixes and best practices due to concerns with taking real-time systems off-line and concerns over making system modifications, which might affect the time sensitive operations of the control system or potentially affect existing agreements with control system vendors or others. In addition, the control systems commonly utilized in the United States are often sold and used in adversarial countries, providing adversaries an insider view of system components and software. Adversaries could dedicate time and resources to discovering vulnerabilities and developing exploits and then attempt to remotely gain access to critical U.S. control systems through an increasing number of potential control system access points. IV. Supporting Data The Group for Advanced Information Technology (GAIT) at the British Columbia Institute of Technology (BCIT) maintains a security incident tracking system, known as the Industrial Security Incident Database (ISID), designed to record incidents of a cyber security nature that directly affect control systems. This database contains events such as accidental cyber-related incidents, as well as deliberate events such as external hacks, denial-of-service (DOS) attacks, and virus/worm infiltrations. ISID data is collected through research into publicly known incidents and from private reporting. BCIT researchers ascertained the reliability of each reported control system incident by verifying its details using standard investigative techniques. Records for incidents with a reliability of unknown or unlikely were not used in the analysis. ISID data was collected for the period of 1982 through 2004. One significant ISID finding identified from analysis of incident reports for the period between 1994 and 2004 was a five-fold increase in the annual control system incident rate (average 12 incidents per year) for 2002 to 2004, as compared to the period between 1994 and 2001 (average 2.4 incidents per year). It appears that sometime between 2001 and 2002 there was a significant increase in identified control system incidents. This finding could, to some extent, be due to an increase in reporting, an increase in the ability to identify and gather incident information, or an increase in the number of widespread worms and viruses. The BCIT ISID data also indicated that a majority of identified incidents have occurred in North America (United States and Canada) and that the petroleum, transportation, power, and utilities industries represented the majority of incidents for the period 1982 through 2004. Industries that had lower numbers of incidents identified included chemical, pulp and paper, water/waste water, electronic manufacturing, food and 4

beverage, aerospace, metals, and others. BCIT reported that during 2005, chemical companies have contributed a number of control system incidents, balancing the list and adding them to the petroleum, transportation, power, and utilities industries as industries representing the majority of incidents. Another significant area to highlight from analysis of the BCIT ISID data for the period 1982 through 2004 is incident type. The six incident-type categories identified for ISID data were external, accidental, internal, audit, other, and unknown. For the period between 1982 and 2001, 29% of incidents were labeled as external, 50% accidental, and 21% internal. For the period from 2002 to 2004, a dramatically different 66% were labeled as external, 22% accidental, 3% internal, and 9% fell into the audit, other, and unknown incident type categories. This finding represents a significant shift from a majority internal and accidental control system incident types to a majority of external incident types. Again, this may be partially due to exposure of control systems to worms and viruses as control systems migrate to an accessible from anywhere world. The change in the Nation s critical infrastructure control systems environment has resulted in an increase in the number of vulnerabilities available to exploit, the available avenues for cyber attack, and the number of people capable of successfully executing a cyber attack. In other words, the attack tools (cyber weapons) are mature enough to cause significant harm, and are readily available to and usable by individuals with limited knowledge of control systems and associated architectures. Those with intent to cause harm have a ready-made selection of easy-to-use tools and exploits for execution. The Department of Homeland Security and other federal partners understand the importance of control systems to our Nation and have acknowledged the increased risks presented to our Nation through control system changes that are taking place at plants and facilities throughout our Nation and around the world. A number of programs have been established by DHS, and its federal partners, to address and enhance the cyber security posture of control systems within our Nation s critical infrastructures. Some of these initiatives are presented below. IV. Ongoing Programs to Secure Control Systems (US-CERT) Control System Security Center CSSC) The DHS National Cyber Security Division (NCSD) established the US-CERT as a public-private partnership among DHS, government agencies, and academia to improve the Nation s cyber security posture. The US-CERT is charged with protecting our 5

Nation s Internet and critical infrastructures by coordinating defense against and response to cyber attacks. To respond to the growing concerns over the cyber security of control systems within the national critical infrastructure and to address the National Strategy to Secure Cyberspace, the US-CERT Control Systems Security Center (CSSC) was established in June 2004. The US-CERT CSSC is a specialized US-CERT resource established to bring together control system owners, operators, Information Sharing and Analysis Centers (ISACs), vendors, industry associations, and subject matter experts to address control systems cyber vulnerabilities and to develop and implement programs aimed at reducing the likelihood of success and severity of impact of a cyber attack against a critical infrastructure. The US-CERT CSSC enhances the cyber security of the Nation s critical infrastructure by coordinating government and industry activities to identify and mitigate control systems vulnerabilities and perform vulnerability assessments; to build a security culture within the control system community through training, outreach, and awareness; and to provide a national response capability for control system threats, vulnerabilities, and incidents. The US-CERT CSSC utilizes DHS resources; Idaho National Laboratory; other relevant federal agencies and National Laboratories; and private sector control system entities and subject matter experts to ensure the best available facilities and minds are addressing the critical task of protecting our Nation s control systems used in critical infrastructure. National SCADA Testbed (NSTB) The Department of Energy (DOE) has launched a multi-laboratory partnership to implement the National SCADA Testbed (NSTB) to test control system vulnerabilities and security hardware and software. Working in conjunction with DHS, other federal agencies, and the private sector, the NSTB strives to identify and remediate SCADA vulnerabilities and recommend security standards to protect the critical energy infrastructure SCADA systems. Together with the US-CERT CSSC, the NSTB offers the government and industry a fullscale infrastructure suite of facilities for assessing and validating control systems technologies, standards, and vulnerability reduction efforts across all critical infrastructure sectors. Process Control Systems Forum DHS has established the Process Control Systems Forum (PCSF). The PCSF is a unified DHS Science & Technology (S&T) Directorate and NCSD effort to form a natural bridge between government and industry. The stated purpose of the Process Control 6

Systems Forum is to accelerate the development of technology that will enhance the security, safety, and reliability of process control and SCADA systems by providing a single venue for technologists from all sectors, from all vendors, and from academia to work together in evaluating, developing, refining, specifying, and testing new technologies and improving the security of legacy control systems. The PCSF is not a standards body and is not intended to replace any existing activities in the PCS and SCADA community. The PCSF builds upon the existing body of work in this subject area, and establishes links with others in industry and government to arrive at a common underlying architecture for process control systems that offers security, reliability, resiliency, and continuity in the face of disruptions and major incidents. The PCSF serves as a channel for industry to engage with DHS and its various programs that promote control systems security. The success of the forum will help ensure that DHS and its federal partners are meeting the needs of the control systems community. To this end, DHS and DOE both encourage active industry participation in the PCSF. Please see www.pcsforum.org for more details. V. Contacting US-CERT CSSC for Control System Incidents and Vulnerabilities The US-CERT, through utilization of its CSSC resources, has the capability and subject matter expertise to assist control system owners and operators with control system cyber incidents and with managing control system vulnerabilities. The US-CERT web site (http://www.us-cert.gov) provides useful cyber security information for control system owners and operators. In the near future, the US-CERT will have web pages specifically dedicated to control systems security. These control system web pages will provide information about the CSSC program and will serve as the one-stop resource for information concerning control system cyber security. Control system incidents and vulnerabilities can be reported to the US-CERT via its web site (http://www.us-cert.gov) by clicking on the Report an Incident or Report a Vulnerability buttons and then entering the requested information. Control system incidents and vulnerabilities can also be reported via telephone at (703) 235-5110. The US-CERT can also accept electronic submissions of protected critical infrastructure information (PCII). For more information on PCII or to gather additional information concerning the CSSC program, send an email to soc@us-cert.gov. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback