American Bar Assoc. ISC 2009

Transcript of American Bar Assoc. ISC 2009

Page 1: American Bar Assoc. ISC 2009

American Bar Association
Section of Science and Technology Law
Information Security Committee
2009 Annual Meeting – Lunch Presentation
Wednesday, July 29, 2009

Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE

Legal and IT Aspects of Securing Our Critical Infrastructures

Creative Commons License v3.0.

Page 2: American Bar Assoc. ISC 2009

What is a “critical infrastructure”?

• Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1)

1. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.

• These assets include (but are not limited to):
– Telecommunication systems
– Energy distribution
– Banking & financial systems
– Transportation
– Water treatment facilities
– etc … there are a total of 14 infrastructure sectors.


Page 3: American Bar Assoc. ISC 2009

Reasons for addressing infrastructure issues

• Critical infrastructures were historically regarded as physically and logically interdependent systems … until 9/11.

• With advances in IT systems and efforts to improve the efficiency of these systems, infrastructures have become increasingly automated and interlinked.

• Improvements created new vulnerabilities:(2)
– Equipment failure
– Human error
– Natural causes (weather, drought, corrosion, locusts…)
– Physical and computer-related attacks

2. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.

Page 4: American Bar Assoc. ISC 2009

Issues with our critical infrastructures today

• Each infrastructure entity is responsible for protecting its own infrastructure; there is little to no cross-cooperation.

• Each infrastructure entity needs to have measures that assure information is valid and accurate (apply the A-I-C principle); most are currently lacking.

• Work should take a holistic approach, as systems are interdependent (the Domino Principle).


Page 5: American Bar Assoc. ISC 2009

Assure the systems that support the systems

• The infrastructure assurance process should:

– Provide a consistent testing and evaluation framework for each infrastructure sector.

– Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect.

– Expedite the process to validate holistic systems.

• Assurance processing applies to both public and private sectors.


Page 6: American Bar Assoc. ISC 2009

Introducing SCADA and control systems …

• Most control systems are computer based.

• Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions.

• Functions to provide safety controls and security.

• Primary role to ensure operations continuity within a plant.

• Control system abilities vary from simple to complex.


Page 7: American Bar Assoc. ISC 2009

Introducing SCADA and control systems …

• Two kinds of industrial control systems (ICS):

– Distributed Control Systems (DCS) are typically used within a single process or plant, or used over a smaller geographic area, possibly even a single site location.

– SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3)

3. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.

Page 8: American Bar Assoc. ISC 2009

What makes a control system different?

• Conventional data systems (IT) are human oriented.

• Control systems are machine / process oriented:

– Cannot be easily stopped - once stopped, takes a very long time to re-start; stopping an ICS means loss of revenue.

– However … there is more at stake than financial considerations; stopping an ICS can introduce safety issues.

– Availability and reliability are paramount.


Page 9: American Bar Assoc. ISC 2009

Practical and legal considerations

1. Safety ALWAYS

2. Availability of the service

3. Security and access control

4. Regulation and compliance


Page 10: American Bar Assoc. ISC 2009

Admiralty Law similarity: ICS practical concerns

• You CANNOT stop operation of an infrastructure.

• You CAN refer to federal investigation reports from NTSB, NRC, or CSB.

• You CAN depose engineers, operators, and technicians once the emergency is no longer a threat.

• You CANNOT confiscate original data without a scheduled outage and/or without having a duplicate, backup system.

• Prosecution of any offense should occur AFTER the event has been rendered safe, investigations conducted, and results reported by recognized experts.


Page 11: American Bar Assoc. ISC 2009

Provenance of data is extremely important

• Accurate timestamps and source matter are crucial.

• Logs from ICS must be validated.

• Instrumentation needs to be validated AFTER an incident, but before …
– An expert is involved with a control systems background; and,
– Has knowledge in information security w/ certification and registration.

• Control systems are NOT at all similar to “personal computers”:
– Real Time Systems (RTS) are operated very differently (see orientation).
– Process controllers are fundamentally similar to embedded systems.


Page 12: American Bar Assoc. ISC 2009

Provenance of data is extremely important

• Cryptographic signatures (if applicable, if possible).

• Management methods must be documented.
– Explaining ‘what’ and ‘how’.

• Access to each system must be documented.
– Answers ‘who’, ‘when’ and ‘where’.

• Protocols and code must be validated and documented.
– Validates ‘why’.


Page 13: American Bar Assoc. ISC 2009

Factors to consider with ICS

• Latency of data events.
– Timing delay between events.

• Sequence of events.
– Order of events.

• Timing of events.
– Duration and speed of events.

• Time when alarms were reported to plant operators.
– When an alarm is reported, whether the event actually took place at its stated time.
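The provenance points on the last three slides (validated logs, accurate timestamps and sources, cryptographic signatures where possible, and the latency, sequence and timing of events) can be checked mechanically rather than by reading printouts. The following is an added example, not from the presentation or from any ICS vendor. It assumes a hypothetical line-oriented record format (`seq|timestamp|source|event|tag`), an HMAC key held by the plant historian standing in for the slide's cryptographic signatures, and a constructed four-record sample log. The validator reports an altered event field, a missing or reordered record, and a clock that runs backwards, and it computes how long after a process event the corresponding alarm reached the operator.

```python
"""Added example: validating the provenance of a (constructed) ICS event log.

Hypothetical record format, one record per line:
    seq|timestamp|source|event|tag
where tag is an HMAC-SHA256 over the previous record's tag and this record's
fields (a hash chain), keyed with a key assumed to be held by the plant
historian. The key, the format and the sample data are assumptions for this
example; they are not the presentation's or any vendor's format.
"""
import hashlib
import hmac
from datetime import datetime

KEY = b"constructed-demo-key"  # assumption: key held by the historian, not by operators
GENESIS = "0" * 64             # chain anchor for the first record


def record_tag(prev_tag: str, seq: int, ts: str, source: str, event: str) -> str:
    """HMAC over the previous tag plus this record's fields."""
    msg = f"{prev_tag}|{seq}|{ts}|{source}|{event}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def make_log(events):
    """Build a chained log from (timestamp, source, event) tuples.
    Used here only to construct the sample data a historian would normally write."""
    lines, prev = [], GENESIS
    for seq, (ts, source, event) in enumerate(events, start=1):
        tag = record_tag(prev, seq, ts, source, event)
        lines.append(f"{seq}|{ts}|{source}|{event}|{tag}")
        prev = tag
    return lines


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_log(lines):
    """Return (ok, findings). Each finding names a record whose provenance
    cannot be trusted: altered fields or a broken chain (tag mismatch),
    a missing or reordered record (sequence), or a clock going backwards."""
    findings = []
    prev_tag, expected_seq, last_ts = GENESIS, 1, None
    for n, line in enumerate(lines, start=1):
        parts = line.split("|")
        if len(parts) != 5:
            findings.append(f"line {n}: malformed record")
            continue
        seq_s, ts, source, event, tag = parts
        seq = int(seq_s)
        if not hmac.compare_digest(tag, record_tag(prev_tag, seq, ts, source, event)):
            findings.append(f"line {n}: tag mismatch (record altered or chain broken)")
        if seq != expected_seq:
            findings.append(f"line {n}: sequence {seq}, expected {expected_seq}")
        t = parse_ts(ts)
        if last_ts is not None and t < last_ts:
            findings.append(f"line {n}: timestamp {ts} is earlier than the previous record")
        # Continue from the tag as recorded, so one bad record yields one finding.
        prev_tag, expected_seq, last_ts = tag, seq + 1, t
    return (not findings), findings


def alarm_latency(lines):
    """Seconds between the first process event for a tag and the first alarm
    reported to operators for the same tag (event field: kind:tag:description)."""
    first_event, first_alarm = {}, {}
    for line in lines:
        _, ts, _, event, _ = line.split("|")
        kind, tag, _ = event.split(":", 2)
        (first_event if kind == "event" else first_alarm).setdefault(tag, parse_ts(ts))
    return {tag: (first_alarm[tag] - first_event[tag]).total_seconds()
            for tag in first_alarm if tag in first_event}


# Constructed sample data, not real plant records.
SAMPLE_EVENTS = [
    ("2009-07-29T12:00:00Z", "PLC-3", "event:PT-101:high pressure"),
    ("2009-07-29T12:00:02Z", "HMI-1", "alarm:PT-101:high pressure"),
    ("2009-07-29T12:00:05Z", "PLC-3", "event:V-12:valve closed"),
    ("2009-07-29T12:00:30Z", "HMI-1", "event:V-12:operator acknowledged"),
]
SAMPLE_LOG = make_log(SAMPLE_EVENTS)

if __name__ == "__main__":
    print("intact log:", validate_log(SAMPLE_LOG))
    altered = list(SAMPLE_LOG)
    altered[0] = altered[0].replace("high pressure", "normal", 1)
    print("altered record:", validate_log(altered))
    print("missing record:", validate_log(SAMPLE_LOG[:2] + SAMPLE_LOG[3:]))
    print("alarm latency (s):", alarm_latency(SAMPLE_LOG))
```

Running the file checks the intact log, a copy with one altered event field, and a copy with a record removed, then prints the event-to-alarm latency per tag. The historian key is the trust anchor: it belongs with the logging system, not on the operator consoles whose records it authenticates, and the chain only attests to what was written, so the instrument clocks and sources feeding it still need the validation the slides call for.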


Page 14: American Bar Assoc. ISC 2009

Public standards for control system security

• NERC CIP (not considered a complete specification by many).

• NIST SP800-53: “Recommended Security Controls for Federal Information Systems”.(4)

• NIST SP800-82: “Guide to Industrial Control Systems (ICS) Security”.(5)

4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Controls for Federal Information Systems”, December 2007; URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.

5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.

Page 15: American Bar Assoc. ISC 2009

Public standards for control system security

• ISA-99
– Currently under complex development.
– Coordinated with ISA-84 safety specifications.
– Considered the most complete and extensive contributed input from the industry.

• Beware of the compliance approach: being compliant is NOT the same as being secure.(6)

• DHS’s CS2SAT tool is simply just that - only a tool; CS2SAT is NOT a prosecutable document.(7)

6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html.

7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html.


Page 16: American Bar Assoc. ISC 2009

CS2SAT

NOTE: This particular version is distributed from Lofty Perch, Inc.


Page 17: American Bar Assoc. ISC 2009

Public regulations for control systems security

• Chemical Facility Anti-Terrorism Standards (CFATS).(8)

• FISMA recommends NIST SP800-53.(9)

• NERC CIP requires additional work before FERC utilizes it.

8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm.

9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html.


Page 18: American Bar Assoc. ISC 2009

A copy of this presentation may be found at our web site: http://www.infracritical.com/papers/aba-isc-2009.zip

Bob Radvanovsky, (630) [email protected]

Jacob Brodsky, (443) [email protected]

Creative Commons License v3.0.