Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement

FEMP Cybersecurity Program Review
Build Your Cybersecurity Program in Minutes: Click, Copy, Modify, Implement
Daryl Haegley GISCP, OCP
OASD EI&E / ODASD IE
August 15, 2017
Tampa Convention Center, Tampa, Florida

https://www.serdp-estcp.org/investigator-resources/estcp-Resources/Demonstration-Plans/Cybersecurity-Guidelines


Which Best Practice is Right for You?

a security patch caused monitoring equipment in a large engineering oven to stop running, resulting in a fire that destroyed spacecraft hardware inside the oven. The computer reboot caused by the software upgrade also impeded alarm activation, leaving the fire undetected for 3.5 hours before it was discovered.

DHS ICS-CERT Cyber Security Evaluation Tool 8.0

Training
UNCLASSIFIED

Web-Based Training available on the ICS-CERT Virtual Learning Portal
  Operational Security (OPSEC) for Control Systems (100W) - 1 hour
  Cybersecurity for Industrial Control Systems (210W) - 15 hours
Instructor Led Format - Introductory Level
  Introduction to Control Systems Cybersecurity (101) - 1 day or 8 hrs
Instructor Led Format - Intermediate Level
  Intermediate Cybersecurity for Industrial Control Systems (201), lecture only - 1 day or 8 hrs
Hands-On Format - Intermediate Level
  Intermediate Cybersecurity for Industrial Control Systems (202), with lab/exercises - 1 day or 8 hrs
Hands-On Format - Technical Level
  ICS Cybersecurity (301) - 5 days

https://ics-cert.us-cert.gov/training-available-through-ics-cert

Other Training and Much More!!

SANS ICS http://ics.sans.org
  ICS410: ICS/SCADA Security Essentials
  ICS515: ICS Active Defense and Incident Response
CYBATI https://cybati.org
ISA (International Society of Automation) https://www.isa.org
ISA Red Tiger Security http://redtigersecurity.com
YouTube
  (ISA) Wireless Security for Water/Waste Water Networks https://youtu.be/yftaortecho
  Joe Weiss' lecture at Stanford http://www.youtube.com/watch?v=s3yyv53dz5a

NDAA 18 Selected DRAFT Proposed Bills

  DHS: Cyber Vulnerability Disclosure Reporting Act
  Cyber Training and Talent Management (increased training for cyber protection of critical infrastructure)
  Pilot Projects to Streamline DoD Authorization of ICS and Nontraditional IT Devices
  New Collar Jobs Act (re-educate workforce in cyber)
  Measuring DoD Compliance Cybersecurity Requirements for Securing ICS (SECDEF Scorecard)
  Kaspersky Lab Product Ban

Simplified System Model & Mission Heat Map
[Figure: heat map of facility systems (Fuel System, Fire and Alarm System, Water System, HVAC, Automatic Metering, Lighting Control System, LMR, Physical Security); axes: Threat LOE (High, Low) and Mission Impact (Low, High)]

Sample LoE & Mission Impact Chart
[Figure: chart; axes: Threat LOE (High, Low) and Mission Impact (Low, High)]

Illustrative Scenario: Disruption Fuel System

  1. Phishing attack via the Internet
  2. Reconnaissance on NIPRNet to identify PLC controller of pump
  3. Persistent normal PLC shutdown commands stop fuel delivery

Specific Attack: Internet phishing attack targets unpatched system
Level of Effort: Script Kiddies to access CS systems
Impact: Lack of ability to execute MISSION

Illustrative Scenario: Fuel System Dependency Model

Illustrative Scenario Mitigation: Fuel System

Cyber Trust Rating: What's Yours?

  Rating # Correlates to Breach Potential
  Detailed Event and Configuration Information via External Parties

Which Companies Will You Trust?

Analysis of 27,458 companies reveals companies with ratings >400 are 5X more likely to have experienced a publicly disclosed breach

Discussion

"Reinventing the wheel is sometimes the right thing, when the result is the radial tire." Jonathan Gilbert

Resources

Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info & funding solicitations]
  https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines
Risk Management Framework (RMF) Knowledge Service (KS) - DoD's official site for enterprise RMF policy and implementation guidelines
  https://rmfks.osd.mil/
Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs) Revision 1, 2017:
  https://www.cybercom.mil/pages/publications.aspx
UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Sept 2016
  https://wbdg.org/ffc/dod/unified-facilities-criteria-ufc/ufc-4-010-06
UFGS-25 50 00.00 20 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Feb 2017
  http://www.wbdg.org/ffc/dod/unified-facilities-guide-specificationsufgs/ufgs-25-50-00-00-20
DoD OASD(EI&E) and Federal Facilities Council (FFC), under the National Research Council (NRC) sponsored a 3-day Building Control System Cyber Resilience Forum in Nov '15.
  http://sites.nationalacademies.org/deps/ffc/deps_166792
DoDI 5000.02 Cybersecurity in the Defense Acquisition System Jan 2017
  http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
Office of the Assistant Secretary of Defense for Energy, Installations, and Environment Installation Energy (IE)
  http://www.acq.osd.mil/eie/ie/fep_index.html
IEC 62443 STANDARDS AND ISASECURE® CERTIFICATION: APPLICABILITY TO BUILDING CONTROL SYSTEMS
  www.isasecure.org
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/index.cfm: each subpage offers a PDF document:
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/a-framework-for-assessing-and-improving-the-security-posture.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securely-managing-ics-networks.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securing-assets-within-closed-ics-network-perimeter.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/seven-steps-to-effectively-defend-ics.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/guidelines-for-application-whitelisting-industrial-control-systems.cfm
Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure (IG-17-011)
  https://oig.nasa.gov/audits/reports/fy17/ig-17-011.pdf
Whole Building Design Guide website cyber references
  http://www.wbdg.org/resources/cybersecurity
National Initiative for Cybersecurity Careers and Studies - free cyber training
  https://niccs.us-cert.gov/
Industrial Control Systems Joint Working Group (ICSJWG)
  https://ics-cert.us-cert.gov/industrial-control-systems-joint-working-group-icsjwg
DHS Cyber Security Evaluation Tool:
  https://ics-cert.us-cert.gov/downloading-and-installing-cset
DoDI 8500.01 Cybersecurity 14 March 2014
  http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
DoDI 8510.01 Risk Management Framework 12 March 2014
  http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
DoDI 8530.01 Cybersecurity Activities Support to DoD Information Network Operations 7 March 2016
  http://www.dtic.mil/whs/directives/corres/pdf/853001p.pdf
NIST SP 800-82r2 Guide to Industrial Control Systems (ICS) Security May 2015
  http://csrc.nist.gov/publications/pubsdrafts.html#800-82r2
GAO 15-749 Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning
  http://www.gao.gov/products/gao-15-749
GAO 15-6 DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
  http://www.gao.gov/products/gao-15-6
GAO-14-404SU Defense Cybersecurity: DOD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Increased Oversight (For Official Use Only)
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
  https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal