Cybersecurity: Hope is Not a Strategy. Daryl Haegley, GISCP, OCP, OASD EI&E / ODASD IE. August 15, 2017

Cybersecurity Basics for Energy Managers
Cybersecurity: Hope is Not a Strategy
Daryl Haegley, GISCP, OCP, OASD EI&E / ODASD IE
August 15, 2017, Tampa Convention Center, Tampa, Florida

Smart Phones (UNCLASSIFIED)

Smart Medical Devices

Smart Home Devices

Smart Transportation Capability

Smart Energy Devices

Facility-Related Control Systems (FRCS)
Definition: A subset of control systems that are used to monitor and control equipment and systems related to DoD real property facilities (e.g. building control systems, utility control systems, electronic security systems, and fire and life safety systems).
DoD inventory: 500 installations, 4,000 sites, 250,000 buildings, 200,000 structures; potentially thousands of FRCS in each building or structure.

Cybersecurity Skills Crisis

SHODAN: What's On Your Network?
Smart meters with default passwords; default passwords are commonly used in control systems.

How Critical to Mission is Your System? You start here.

Know Mission Dependencies to Assure Mission

Policy and Guidance (UNCLASSIFIED)
- ASD EI&E memos 12, 14, 16 direct implementation plans
- DoDI 4170 Energy Management (update in progress)
- DoDI 8500 Cybersecurity; DoDI 8510 Risk Management Framework; DoDI 8530 Cybersecurity Activities Support (CIO)
- Cybersecuring Facility-Related Control Systems: Unified Facilities Criteria 4-010-06
- Risk Management Framework KS Portal; ESTCP/SERDP website
- Secretary of Defense Scorecard; National Defense Authorization Act 1650
- https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines

Best Practices for Securing Control Systems (Mission Assurance Senior Steering Group, Control Systems Working Group)
- Develop password policies
- Security awareness and training
- Patch management
- Maintenance activities
- Modem connection
- Network design
- Securing host systems

Advanced Cyber ICS Tactics, Techniques, and Procedures (NSA)
- Detection: routine monitoring, inspection, identification of adversarial presence, documentation, notifications
- Mitigation: protect the information network, acquire and protect data for analysis, maintain operations during an active attack
- Recovery: identify mission priorities, acquire and protect data for analysis, systematically recover each affected device, systematically reintegrate devices, processes, and network segments, test and verify the system to ensure devices are not re-infected


What Does it Take to Cybersecure FRCS? More than hope! If it's not your job, whose is it?
- Inventory
- Network segregation and segmentation
- User and password management
- Vulnerability management
- Host-based security
- Non-essential hardware and software removed
- Access control
- Encryption
- Situational awareness
- Routine patching
- Backups
- Connectivity
- Remote maintenance
- On-site maintenance
- Disposal
- Response and recovery
- Physical access
- Training/awareness
- Continuous monitoring
- Cloud services
- Tactics, techniques, and procedures
- Preventing exploitation?

Need a Patch? Wait 150 Days.
Research revealed that SCADA vendors take about 150 days to release security patches. Most ICS-CERT advisories were easily preventable with better coding and fit in four main categories: memory corruption (20%), credential management (19%), authentication issues (23%), and code injection (9%). Vendors are urged to adopt the more secure development practices now widely used by mainstream OS and application developers; basic fuzzing techniques, or auditing for banned APIs, could help improve security.
This highlights the importance of operational testing prior to patching. Many FRCS do not have maintenance contracts or warranties with vendors, and where those do exist, they don't include patching or testing patches. Many legacy FRCS were not designed for cybersecurity and are intended (and budgeted) to be in place for many years.
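As an added example of the "auditing for banned APIs" practice mentioned above (not code from the presentation), the script below scans C source for calls to functions that commonly appear on banned-API lists and reports the line and a safer replacement. The banned list, the replacements and the sample source are constructed for the example; comments and string literals are blanked first so that mentions inside them are not reported.

```python
"""Audit C/C++ source text for calls to banned (unsafe) APIs."""
import re
from typing import Dict, List, Tuple

# Constructed list: functions with no bounds checking or that are easy
# to misuse, each paired with the usual safer alternative.
BANNED_APIS: Dict[str, str] = {
    "strcpy": "strncpy / strlcpy with an explicit size",
    "strcat": "strncat / strlcat with an explicit size",
    "sprintf": "snprintf with the destination size",
    "vsprintf": "vsnprintf with the destination size",
    "gets": "fgets with a buffer size",
    "scanf": "fgets plus sscanf with width limits",
}

# A call is the bare identifier followed by "(": the lookbehind stops
# fgets/sscanf/my_strcpy from matching as gets/scanf/strcpy.
_CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(BANNED_APIS) + r")\s*\(")
# String literals, // comments and /* */ comments, tried left to right.
_SKIP_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.DOTALL)

def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string literals but keep every newline so
    that the line numbers reported later stay correct."""
    def blank(m):
        return "".join("\n" if ch == "\n" else " " for ch in m.group(0))
    return _SKIP_RE.sub(blank, src)

def find_banned_calls(src: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, function, suggested_replacement) for every
    banned call in the source text, in file order."""
    findings = []
    lines = strip_comments_and_strings(src).splitlines()
    for lineno, line in enumerate(lines, start=1):
        for m in _CALL_RE.finditer(line):
            fn = m.group(1)
            findings.append((lineno, fn, BANNED_APIS[fn]))
    return findings

# Constructed sample source; line 1 is the empty line after the quotes.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* strcpy(dst, src) in a comment must not be reported */
void set_name(char *dst, const char *src) {
    strcpy(dst, src);             /* line 6: banned */
    my_strcpy(dst, src);          /* different identifier: not banned */
    printf("use sprintf()\n");    /* inside a string literal: not a call */
    snprintf(dst, 16, "%s", src); /* safe replacement */
}
int read_line(char *buf) {
    return gets(buf) != NULL;     /* line 12: banned */
}
'''

if __name__ == "__main__":
    for lineno, fn, fix in find_banned_calls(SAMPLE_C):
        print(f"line {lineno}: {fn}() is banned; use {fix}")
```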

Target Data Breach 2013 (UNCLASSIFIED)
- Breach cost Target over $200M
- Hackers stole 40M credit card numbers
- Exploited via HVAC contractor access to Target's network
How similar to the Office of Personnel Management (OPM) breach?
- SSNs of 21.5M individuals stolen: 19.7M individuals that applied for background investigation, 1.8M non-applicants, primarily spouses or co-habitants of applicants; 5.6M fingerprints
- Usernames and passwords for their forms also stolen
Who ensures DoD energy, facility, and utility privatization contracts don't inadvertently allow similar access via smart meters and control systems?

Ransomware (UNCLASSIFIED)
'WannaCry' affecting multiple global entities. Increase our collective defenses across the Department and Federal networks:
- Do not click on links or download files in emails unless you know for sure they are intended for you
- Ensure your personal devices are updated and patched
- Back up your data so you can recover your systems if they become infected
Microsoft released a patch in March; not implemented by many.

Vaping and e-cigarettes: A Cyber Threat?
Smoking-cessation aids can be used to hack. An e-cigarette could be used to intercept network traffic or control the computer by making it think the e-cig is a keyboard. Many e-cigarettes can be charged over USB, and it takes just a few simple tweaks to the vaporizer to enable it to download malicious payloads from the web. Limitation: e-cigs don't have much memory, so complex code is a no-go. Many enterprises today block the use of USB ports, which would prevent an attack like this, but some do not, so users should beware.
FRCS: if logically blocking USB ports isn't feasible, physical means should be used to secure access (e.g., locked, tamper-evident cabinets/enclosures in secured facilities, glue-on port blockers for unused ports). Do not use a USB port to charge a battery.

Fish Tank Hacks Casino (UNCLASSIFIED)
Hackers attempted to acquire data from a North American casino via an Internet-connected fish tank. The tank had sensors connected to a PC that regulated temperature, food and cleanliness.
- Educate yourselves about IoT products
- Use the security protection the product offers
- Use the latest operating systems and software and constantly update them


Key Takeaways (UNCLASSIFIED)
- Identify mission dependency on your system
- Connect with IT, operations, and INTEL experts
- Verify hardware and software configurations, update schedule, sustainment requirements
- Ensure all new/updated energy projects use Unified Facilities Criteria (UFC) as a guide (and the ESTCP website)
- Include cyber language in contracts
- Identify and verify how you handle energy data
- Ensure basic cyber hygiene: passwords, access, patches, etc.

Who has the first question?

Backups: Examples and Resources

A mysterious botnet has hijacked 300,000 devices, but nobody knows why (April 26, 2017)
The Hajime botnet has so far infected 300,000 internet-connected devices since its inception, bringing digital video recorders, webcams, and routers under its control, though it's careful not to target several specific networks, including the US Dept. of Defense.
Energy managers can REACTIVELY look up (or ensure security staff are on it) what systems are affected and what the detection/mitigations are. For Hajime, it's blocking certain TCP ports, and UDP packet and Telnet session content. To be PROACTIVE, they need to apply the basic security practice of removing all unused code/applications/software, such as telnet, and employ a deny-all policy on hosts (in this case, IP cameras, DVRs, CCTV) and networking equipment (routers, firewalls and switches). Host-based firewalls are a good, additional layer of defense here to augment network protections. Energy managers can make sure suppliers/admins are applying host-based protections.

New Russian Cyber Weapon Industroyer / CrashOverRide Targeting ICS
Capable of causing power failures. Biggest threat to ICS since Stuxnet. "It's the culmination of over a decade of theory and attack scenarios," Caltagirone warned. "It's a game changer." This attack targets electric grids.
It's really important to account for all system components and have complete network diagrams/scans to be aware of interconnections and evaluate security. Physical and logical isolation of FRCS is best, plus whitelisting, especially application whitelisting, so that unauthorized programs cannot be executed. FRCS must be monitored! This attack tool collapses the timeline from access to impact. Quick detection is a must.

Hackers Are Targeting Nuclear Facilities
The hackers appeared determined to map out computer networks for the future. The origins of the hackers are not known, but the report indicated that an advanced persistent threat actor was responsible, which is the language security specialists often use to describe hackers backed by governments.
This attack is early in the cyber kill chain, where nuclear facilities are being targeted to gather intelligence on the systems and networks. Phishing emails are sent with attachments carrying malicious code, so cybersecurity awareness training for all FRCS operators (anyone with credentials) is critical to prevent unauthorized access. Again, it's crucial to monitor to detect unauthorized traffic/access, to isolate FRCS/networks, and to ensure there are no pivot points from corporate/operations networks to FRCS.

Remotely Hacking Ships (UNCLASSIFIED)
The configuration of certain ships' satellite antenna systems leaves them wide open to attack. Anyone who gained access to the system in question could manually change a ship's GPS coordinates or possibly even brick the boat's navigation system entirely by uploading new firmware. The default login credentials, which are easily found online, remain unchanged on at least some devices.

Devil's Ivy (UNCLASSIFIED)
"Devil's Ivy" is a vulnerability in a piece of code called gSOAP, widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices, from security cameras to sensors to access-card readers. A patch has been released; however, patching can be so spotty in the internet of things that it could persist unfixed in a large swath of devices.

Experts are calling the WannaCry ransomware incident the largest cyber-attack in history
WannaCry takes over computer systems, shutting them down and demanding a ransom payment of $300 in bitcoin to have the computer unlocked. The ransomware attack hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.
XP is still in use in energy control systems. Patches should be identified, tested and applied on these systems. Testing is particularly important, as patches may impact system operations. An assessment with passive scanning should be done to ensure there are no connections to other networks or the internet. XP systems should only be used as standalone or in physically air-gapped networks.
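The two checks asked for above, that there are no pivot points from the corporate network into FRCS and that supposedly isolated control hosts have no connections to other networks or the internet, can be run over passively collected connection records. The script below is an added example, not part of the presentation: the FRCS and corporate subnets, the control-protocol port list and the flow-log lines are all constructed assumptions.

```python
"""Flag passively observed flows that cross the FRCS network boundary."""
import ipaddress
from typing import List, Optional, Tuple

# Assumed address plan (constructed for the example).
FRCS_NET = ipaddress.ip_network("10.50.0.0/16")   # building/utility control network
CORP_NET = ipaddress.ip_network("10.10.0.0/16")   # corporate / operations IT network
# Control protocols that should never be reachable from outside FRCS
# (assumed list): BACnet/IP, Modbus/TCP, DNP3.
CONTROL_PORTS = {47808, 502, 20000}

# Constructed sample of flow records: "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.50.3.21 50321 10.50.3.1 47808 udp
10.50.3.21 51000 10.50.3.40 502 tcp
10.50.4.8 44011 93.184.216.34 443 tcp
10.10.7.55 60123 10.50.3.40 502 tcp
10.10.7.55 60124 10.10.9.9 445 tcp
10.50.3.40 33012 10.10.20.5 23 tcp
10.50.2.2 40000 8.8.8.8 53 udp
"""

def classify_flow(line: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, flow) for a flow that crosses the FRCS boundary,
    or None when both ends are inside FRCS or both are outside it.
    Verdicts: INTERNET  - one end is a public address (isolation broken)
              PIVOT     - corporate host talking a control protocol into FRCS
              CROSS     - any other traffic across the boundary (review it)"""
    src, sport, dst, dport, proto = line.split()
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_in, dst_in = s in FRCS_NET, d in FRCS_NET
    if src_in == dst_in:
        return None
    flow = f"{src}:{sport} -> {dst}:{dport}/{proto}"
    if not s.is_private or not d.is_private:
        return ("INTERNET", flow)
    if s in CORP_NET and dst_in and int(dport) in CONTROL_PORTS:
        return ("PIVOT", flow)
    return ("CROSS", flow)

def audit_flows(text: str) -> List[Tuple[str, str]]:
    """Run classify_flow over every non-empty record and keep the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            verdict = classify_flow(line)
            if verdict is not None:
                findings.append(verdict)
    return findings

if __name__ == "__main__":
    for verdict, flow in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:8} {flow}")
```

Flows that stay inside FRCS (the BACnet and Modbus traffic between controllers) produce no finding; the output lists only the boundary crossings that need explanation or blocking.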

Resources (UNCLASSIFIED)
- Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info and funding solicitations]: https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines
- Risk Management Framework (RMF) Knowledge Service (KS), DoD's official site for enterprise RMF policy and implementation guidelines: https://rmfks.osd.mil/
- Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs), Revision 1, 2017: https://www.cybercom.mil/pages/publications.aspx
- UFC 4-010-06, Cybersecurity of Facility-Related Control Systems, Sept 2016: https://wbdg.org/ffc/dod/unified-facilities-criteria-ufc/ufc-4-010-06
- UFGS-25 50 00.00 20, Cybersecurity of Facility-Related Control Systems, Feb 2017: http://www.wbdg.org/ffc/dod/unified-facilities-guide-specificationsufgs/ufgs-25-50-00-00-20
- DoD OASD(EI&E) and the Federal Facilities Council (FFC), under the National Research Council (NRC), sponsored a 3-day Building Control System Cyber Resilience Forum in Nov '15: http://sites.nationalacademies.org/deps/ffc/deps_166792
- DoDI 5000.02, Cybersecurity in the Defense Acquisition System, Jan 2017: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
- Office of the Assistant Secretary of Defense for Energy, Installations, and Environment, Installation Energy (IE): http://www.acq.osd.mil/eie/ie/fep_index.html
- IEC 62443 Standards and ISASecure Certification: Applicability to Building Control Systems: www.isasecure.org
- https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/index.cfm (each subpage offers a PDF document):
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/a-framework-for-assessing-and-improving-the-security-posture.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securely-managing-ics-networks.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securing-assets-within-closed-ics-network-perimeter.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/seven-steps-to-effectively-defend-ics.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm
  https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/guidelines-for-application-whitelisting-industrial-control-systems.cfm
- Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure (IG-17-011): https://oig.nasa.gov/audits/reports/fy17/ig-17-011.pdf
- Whole Building Design Guide website cyber references: http://www.wbdg.org/resources/cybersecurity
- National Initiative for Cybersecurity Careers and Studies, free cyber training: https://niccs.us-cert.gov/
- Industrial Control Systems Joint Working Group (ICSJWG): https://ics-cert.us-cert.gov/industrial-control-systems-joint-working-group-icsjwg
- DHS Cyber Security Evaluation Tool: https://ics-cert.us-cert.gov/downloading-and-installing-cset
- DoDI 8500.01, Cybersecurity, 14 March 2014: http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
- DoDI 8510.01, Risk Management Framework, 12 March 2014: http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
- DoDI 8530.01, Cybersecurity Activities Support to DoD Information Network Operations, 7 March 2016: http://www.dtic.mil/whs/directives/corres/pdf/853001p.pdf
- NIST SP 800-82r2, Guide to Industrial Control Systems (ICS) Security, May 2015: http://csrc.nist.gov/publications/pubsdrafts.html#800-82r2
- GAO 15-749, Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning: http://www.gao.gov/products/gao-15-749
- GAO 15-6, DHS and GSA Should Address Cyber Risk to Building and Access Control Systems: http://www.gao.gov/products/gao-15-6
- GAO-14-404SU, Defense Cybersecurity: DOD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Increased Oversight (For Official Use Only)
- Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal