Building Insecurity · 1/6/2014 · NIST Special Publication 800-82 Guide to Industrial Control...
Building Insecurity
Lisa Kaiser
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Insecurity: How do I
• Specify it
• Buy it
• Test it
• Deploy it
• Regret it
• Apologize for it
Specifying Insecurity
• Ignore security entirely
• Specify inappropriate standards
• Use vagueness
• Demand particular technology solutions
Buying Insecurity
• Never mention security
• Don’t put it in writing
• Listen when they say “We’ll secure it later”
• Cheaper is always more secure
• New is more secure
Testing Insecurity
• Never test
• Check only “sunny day” scenarios
• Rely on vendor assurances
• Use only cheap security “experts”
• Use your firewalls
Deploying Insecurity
• Don’t plan
• Use default passwords
• Bypass all the security
• Never do SAT
• Ignore security alarms and alerts
Photo courtesy of Kristian Ovaska, 2003
Regretting Insecurity
• Begin with RFQ
• Ignore any breaches
• Shoot the messenger
• Apply quick-fixes
• Use the “blame-game”
Apologizing for Insecurity
• Leave the organization
• Distract customers
• Avoid responsibility
• Attack the messengers
• Use the press
• Blame us
However…
» If you’re NOT trying to Build Insecurity, but instead wish to Build In Security…
» Try this to achieve your goal:
Cyber Security Evaluation Tool (CSET®)
• Stand-alone software application
• Self-assessment using recognized standards
• Tool for integrating cybersecurity into existing corporate risk management strategy
CSET Download: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
CSET Standards
Requirements Derived from Widely Recognized Standards
• NIST Special Publication 800-53 Rev 3, Recommended Security Controls for Federal Information Systems, with Appendix I, ICS Controls
• Consensus Audit Guideline (CAG): Criteria Evaluation Recommendations based upon National Security Association (NSA) Cyber Attack Phases
• NERC Critical Infrastructure Protection (CIP) Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4
• DoD Instruction 8500.2 Information Assurance Implementation, February 6, 2003
• NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security, June 2011
• NRC Reg. Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010
• CFATS RBPS 8 – Cyber: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 – Cyber, 6 CFR Part 27
• Transportation Security Agency Pipeline Guidelines: DHS TSA guidance for the pipeline industry
CSET Capabilities
What CSET CAN do:
• Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
• Specify cybersecurity recommendations
• Report using standards-based information analysis
• Provide a baseline cybersecurity posture
What CSET CAN’T do:
• Validate accuracy of user inputs
• Ensure compliance with organizational or regulatory cybersecurity policy & procedures
• Ensure implementation of cybersecurity enhancements or mitigation techniques
• Identify all known cybersecurity vulnerabilities
Assessment Team
A TEAM of participants is required to perform a successful assessment

| Type of Participant | Knowledge |
|---|---|
| Control Systems Engineer | Control systems |
| Configuration Manager | Systems management |
| Operations Manager | Business operations |
| IT Network Specialist | IT infrastructure |
| IT Security Officer | Policy & procedures |
| Risk Analyst or Insurance Specialist | Risk |
Assessment Process
1. Organize the Team
2. Add Assessment Information
3. Select the Mode and Standards
4. Determine the Security Level
5. Build the Network Diagram
6. Answer Questions
7. Analyze Results
Screenshot slides walking through the tool (slide titles only; the images are not reproduced here):
• Context Specific Help
• Starting Screen
• Assessment Info – Main Window
• Standards Screen – Assessment Modes
• Questions and Standards (two slides)
• General SAL Determination
• NIST SAL Determination
• Diagramming Tool
• Diagram – Maximized Screen Space
• Questions Screen
• Question Information
• Comments, Marked and Alternates
• Component Questions
• Component Overrides
• Analysis Screen
• Analysis Detail Screens
• Analysis Detail - Example
• Question Filters
• Hardcopy Reports
• Resource Library
• Resource Library - Search
CSET 6.0 Enhancements
New/Updated Standards
• NEI 08-09 Rev 6
• NISTIR 7628 Ver 1 (August 2010)
• INGAA Ver 1 (January 31, 2011)
• NIST SP800-53 Appendix J Rev 4
• NIST SP800-82 Rev 1 (May 2013)
• CNSSI ICS Overlay Update
New Evaluation Capabilities
• Merging
• Comparison
• Aggregation
• Trending
CSET Assessment Aggregation – Trending Mode (Trending Sample Screen)
Only chart residue survived extraction; the recoverable panel information is:
• Overall Trends: Components, Standards and Overall scores for 2011, 2012 and 2013
• Per-category scores by year (0–100 scale): Training; System and Services…; System Protection; System Integrity; Risk Management and…; Procedures; Privacy; Policies & Procedures General; Plans; Physical Security; Personnel; Configuration Management; Communication Protection; Audit and Accountability; Account Management; Access Control
• Top 5 Areas of Decline: Environmental Security; Incident Response; Info Protection; Information and Document Management; Maintenance
• Top 5 Most Improved Areas: Access Control; Account Management; Audit and Accountability; Communication Protection; Configuration Management
CSET Assessment Aggregation – Comparison Mode (Aggregation Sample Screen)
Only chart residue survived extraction; the recoverable panel information is:
• Overall, Standards and Components scores compared across Site A, Site B and Site C
• Per-category comparison by site (0–100 scale): Training; System and…; System Protection; System Integrity; Software; SIS; Risk Management…; Remote Access…; Procedures; Privacy; Portable/Mobile/Wir…; Information and…; Info Protection; Incident Response; Environmental…; Continuity; Configuration…; Communication…; Audit and…; Account Management; Access Control
• SAL Level per site, with per-site panels (Procedures, Policies, Password…, Access…) and Sort By Best / Sort By Worst controls

Total questions answered per site:

| Site | Total Questions | Yes | No |
|---|---|---|---|
| Site A | 560 | 300 | 260 |
| Site B | 342 | 300 | 42 |
| Site C | 268 | 152 | 116 |
CSET 6.0 Enhancements (cont.)
New/Updated Functionality
• Inventory Lists
• Security Plans
• YouTube Tutorials
• Updated Diagramming Tool
Key Contact Information
Lisa Kaiser
Download CSET: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET