FEMP Cybersecurity Program Review
Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement
Daryl Haegley GISCP, OCP
OASD EI&E / ODASD IE
August 15, 2017
Tampa Convention Center, Tampa, Florida
https://www.serdp-estcp.org/investigator-resources/estcp-Resources/Demonstration-Plans/Cybersecurity-Guidelines
Which Best Practice is Right for You?
A security patch caused monitoring equipment in a large engineering oven to stop running, resulting in a fire that destroyed spacecraft hardware inside the oven. The computer reboot caused by the software upgrade also impeded alarm activation, leaving the fire undetected for 3.5 hours before it was discovered.
DHS ICS-CERT Cyber Security Evaluation Tool 8.0
Training
UNCLASSIFIED
Web-Based Training available on the ICS-CERT Virtual Learning Portal
  Operational Security (OPSEC) for Control Systems (100W) - 1 hour
  Cybersecurity for Industrial Control Systems (210W) - 15 hours
Instructor Led Format - Introductory Level
  Introduction to Control Systems Cybersecurity (101) - 1 day or 8 hrs
Instructor Led Format - Intermediate Level
  Intermediate Cybersecurity for Industrial Control Systems (201), lecture only - 1 day or 8 hrs
Hands-On Format - Intermediate Level
  Intermediate Cybersecurity for Industrial Control Systems (202), with lab/exercises - 1 day or 8 hrs
Hands-On Format - Technical Level
  ICS Cybersecurity (301) - 5 days
https://ics-cert.us-cert.gov/training-available-through-ics-cert
Other Training and Much More!!
SANS ICS http://ics.sans.org
  ICS410: ICS/SCADA Security Essentials
  ICS515: ICS Active Defense and Incident Response
CYBATI https://cybati.org
ISA (International Society of Automation) https://www.isa.org
ISA Red Tiger Security http://redtigersecurity.com
YouTube
  (ISA) Wireless Security for Water/Waste Water Networks https://youtu.be/yftaortecho
  Joe Weiss' lecture at Stanford http://www.youtube.com/watch?v=s3yyv53dz5a
NDAA 18 Selected DRAFT Proposed Bills
  DHS: Cyber Vulnerability Disclosure Reporting Act
  Cyber Training and Talent Management (increased training for cyber protection of critical infrastructure)
  Pilot Projects to Streamline DoD Authorization of ICS and Nontraditional IT Devices
  New Collar Jobs Act (re-educate workforce in cyber)
  Measuring DoD Compliance Cybersecurity Requirements for Securing ICS (SECDEF Scorecard)
  Kaspersky Lab Product Ban
Simplified System Model & Mission Heat Map
Systems shown: Fuel System, Fire and Alarm System, Water System, HVAC, Automatic Metering, Lighting Control System, LMR, Physical Security
[Figure: heat map with axes Threat LOE (High to Low) and Mission Impact (Low to High)]
Sample LoE & Mission Impact Chart
[Figure: chart with axes Threat LOE (High to Low) and Mission Impact (Low to High)]
Illustrative Scenario: Disruption Fuel System
  1. Phishing attack via the Internet
  2. Reconnaissance on NIPRNet to identify PLC controller of pump
  3. Persistent normal PLC shutdown commands stop fuel delivery
Specific Attack: Internet phishing attack targets unpatched system
Level of Effort: Script Kiddies to access CS systems
Impact: Lack of ability to execute MISSION
Illustrative Scenario: Fuel System Dependency Model
Illustrative Scenario Mitigation: Fuel System
Cyber Trust Rating: What's Yours?
  Rating # Correlates to Breach Potential
  Detailed Event and Configuration Information via External Parties
Which Companies Will You Trust?
Analysis of 27,458 companies reveals companies with ratings >400 are 5X more likely to have experienced a publicly disclosed breach.
Discussion
"Reinventing the wheel is sometimes the right thing, when the result is the radial tire." Jonathan Gilbert
Resources

Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info & funding solicitations]
https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines

Risk Management Framework (RMF) Knowledge Service (KS) - DoD's official site for enterprise RMF policy and implementation guidelines
https://rmfks.osd.mil/

Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs) Revision 1, 2017
https://www.cybercom.mil/pages/publications.aspx

UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS, Sept 2016
https://wbdg.org/ffc/dod/unified-facilities-criteria-ufc/ufc-4-010-06

UFGS-25 50 00.00 20 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS, Feb 2017
http://www.wbdg.org/ffc/dod/unified-facilities-guide-specificationsufgs/ufgs-25-50-00-00-20

DoD OASD(EI&E) and Federal Facilities Council (FFC), under the National Research Council (NRC), sponsored a 3-day Building Control System Cyber Resilience Forum in Nov '15.
http://sites.nationalacademies.org/deps/ffc/deps_166792

DoDI 5000.02 Cybersecurity in the Defense Acquisition System, Jan 2017
http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf

Office of the Assistant Secretary of Defense for Energy, Installations, and Environment, Installation Energy (IE)
http://www.acq.osd.mil/eie/ie/fep_index.html

IEC 62443 STANDARDS AND ISASECURE® CERTIFICATION: APPLICABILITY TO BUILDING CONTROL SYSTEMS
www.isasecure.org

https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/index.cfm (each subpage offers a PDF document):
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/a-framework-for-assessing-and-improving-the-security-posture.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securely-managing-ics-networks.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securing-assets-within-closed-ics-network-perimeter.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/seven-steps-to-effectively-defend-ics.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/guidelines-for-application-whitelisting-industrial-control-systems.cfm

Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure (IG-17-011)
https://oig.nasa.gov/audits/reports/fy17/ig-17-011.pdf

Whole Building Design Guide website cyber references
http://www.wbdg.org/resources/cybersecurity

National Initiative for Cybersecurity Careers and Studies - free cyber training
https://niccs.us-cert.gov/

Industrial Control Systems Joint Working Group (ICSJWG)
https://ics-cert.us-cert.gov/industrial-control-systems-joint-working-group-icsjwg

DHS Cyber Security Evaluation Tool
https://ics-cert.us-cert.gov/downloading-and-installing-cset

DoDI 8500.01 Cybersecurity, 14 March 2014
http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf

DoDI 8510.01 Risk Management Framework, 12 March 2014
http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf

DoDI 8530.01 Cybersecurity Activities Support to DoD Information Network Operations, 7 March 2016
http://www.dtic.mil/whs/directives/corres/pdf/853001p.pdf

NIST SP 800-82r2 Guide to Industrial Control Systems (ICS) Security, May 2015
http://csrc.nist.gov/publications/pubsdrafts.html#800-82r2

GAO 15-749 Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning
http://www.gao.gov/products/gao-15-749

GAO 15-6 DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
http://www.gao.gov/products/gao-15-6

GAO-14-404SU Defense Cybersecurity: DOD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Increased Oversight (For Official Use Only)

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal