Hurricane Katrina Conrol System Assistance

8/14/2019 Hurricane Katrina Conrol System Assistance

1/7

Hurricane Katrina Control SystemAssistance

DHS recognizes many critical infrastructure controlsystems were shutdown, damaged, or destroyed as aresult of Hurricane Katrina. This document providesassistance to owners and operators in rebuilding and

securely restarting those sensitive control systems.

US-CERT

Informational Paper

September 16, 2005

Produced by:United States Computer Emergency Readiness Team Control Systems Security Center


2/7


3/7

Hurricane Katrina Control System Assistance

CSSC Page 3 of 7 9/22/2005

United States Computer Emergency Readiness Team

cyber attacks as a result of Hurricane Katrina. Threats may come from a threat agentwho is targeting a specific system or may come from a virus, worm, Trojan or othermalicious software that has become commonplace in todays connected world.

III. Putting Control Systems Back Into Operation Safely and Securely

To assist owners and operators in bringing critical control systems back into operationsafely and securely, the US-CERT CSSC compiled a list of items for consideration. Thislist was produced through consolidation of input from a number of public and privatecontrol system security specialists.

These suggested items are not intended to replace a companys or facilitys DisasterRecovery Plans (DRP) or Continuity of Operations Plans (COOP), which should alreadybe in place and are likely already being executed in response to Hurricane Katrina.These items serve as reminders to ensure security is considered in a range of areas ascontrol systems are placed back into operation. It is expected that some form of

damage assessment has already been conducted to determine if control systems,associated components, and communications need to be restarted, repaired, orreplaced (rebuilt).

Owners, operators, vendors, or service providers can contact the US-CERT CSSC viathe contacts identified in the last section of this document for assistance with any of theitems listed below.

Establish Physical Security

Establish physical security at all sites, whether damaged or not, to preventanyone from altering or vandalizing equipment.

Determine which individuals require access to systems and components,including communications systems, and limit access to those individuals.

o Establish a method to authorize access.o Ensure control system, associated components, and communications

equipment accesses are logged and tracked. E.g.: Logs should be reviewed several times a day during this

recovery period as systems are being brought back into operation.

Establish Personnel Security

Ensure individuals who will have access to control systems come from trustedand reputable sources.

If the established personnel familiar with your local systems are not available,then seek the advice of operators in similarly configured facilities, retired staffmembers, contractors and other persons who may have knowledge of your site-specific conditions and procedures. The US-CERT CSSC can assist in locating

September 2005


4/7


CSSC Page 4 of 7 9/22/2005


individuals and entities that can help owners and operators return controlsystems to operation securely.

Establish Configuration Control

Maintain hardware and software configuration control and tracking to account for

replaced or modified components. There may be a tendency, in the rush to getsystems operational, to install parts that are not properly configured or patched(temporary fixes often become permanent solutions).

Monitor disposition of computer equipment and file storage systems that will beremoved. Ensure that hard-drives or data does not fall into hands where it maycompromise either sensitive operational information or access information (userIDs/passwords).

Ensure adequate policies and procedures are documented/implemented forsecure disposal and destruction of damaged equipment or software.

Verify Hardware

For replacement systems and components, utilize approved control devicesacquired from authorized dealers where possible (avoid possibility ofnefarious/covert capabilities being placed into system).

Perform system/equipment validation and calibration tests on all sensors (asappropriate), devices, IEDs, and controllers associated with the system undercontrol prior to placing the system into operation. Repair, calibrate, reconfigure,or replace as necessary.

Key components may have been looted, causing faulty operation of the overallsystem. Conduct a complete point-to-point checkout of the system to identify anymissing or damaged components. Conduct point-to-point conductivity test,power, I/O, interconnection, cable runs, etc.

Verify that power system is working adequately. If utilizing an uninterruptiblepower supply (UPS), attempt to get it working correctly before turning onanything else. If you have to by-pass the UPS, verify that circuits are adequate.Battery backup units could be exhausted; verify operability of backup power.

Power systems may lock in an on state and not be able to be turned off due tohidden shorts. Test or inspect for proper operation.

Ensure hardware has current firmware (with security updates) installed.

Ensure systems are set to fail in a safe mode.

Ensure hardware is configured in compliance with established security policiesand procedures.

If possible and where appropriate, manual operation of controlled equipment maybe appropriate to identify operational problems before automatic operation iscommenced.

September 2005


5/7


CSSC Page 5 of 7 9/22/2005


Verify Software

Loss of power (and battery backup power) can cause some control systems torevert to a manufacturer default state, including insecure default settings andpasswords. Check to ensure appropriate versions of programs are in place andthat all passwords are sufficiently secure.

Prior to restart, verify all firewall and router access lists are in effect.o Review settings to ensure unnecessary communications are not permitted

on networks (corporate networks or control system networks). Take advantage of this period of time while systems are off-line to ensure all

software (and hardware) upgrades, patches, and anti-virus programs arein place and operating correctly (particularly security upgrades andpatches).

o Patch and test existing systems.o Patch and test any new systems or components that will be installed.o Test that anti-virus software will not impact control system performance.

Ensure systems are set to fail in a safe mode.

Ensure software (applications and programs) are configured in compliance withestablished security policies and procedures.

Systems should be secured before being attached to a network. Softwaredownloads should be performed from systems trusted to be secure.

Secure Remote Support

Analyze need for remote support from vendors, integrators, and others whoassist with equipment installs, repairs, or maintenance.

o If remote access is required, ensure is it is implemented securely(including secure identification/authentication, authorization, andencryption) and logs are maintained and monitored.

o Allow authorized remote support connections to occur only for specifiedperiods of time from specified system/locations.

o Intrusion Prevention Systems (IPS) and/or Intrusion Detection Systems(IDS) are recommended to monitor these remote connections.

Secure Communication Paths

Secure external communications to/from control systems.o Protect/segregate control networks from Internet and corporate networks

to the extent possible.o The control system and any associated networks should initially have no,

or very limited, external communications before restart.o Identify each external connection requirement, analyze, and gain

appropriate approval.o Develop and implement mechanisms for secure external communication.

September 2005


6/7


CSSC Page 6 of 7 9/22/2005


o Ensure all external communications are securely filtered through a firewallor some equivalent device.

o Monitor external communications with an IPS and/or IDS and review logson regular basis.

o Assess business, vendor, and regulatory connections; they may have

been compromised or affected by events and could potentially containmalicious code that could spread to your system.

Secure all telephone/modem connections to control system networks andequipment.

o Allow authorized, securely configured, modem connections to occur onlyfor specified periods of time from specified systems/locations.

Secure wireless connections.o If wireless systems are going to be implemented to replace or augment

hard-wired connectivity for control systems and components, ensureappropriate wireless cyber security measures are implemented.

If backup communications paths are being utilized instead of normal operationscommunications paths (e.g. backup T1 connection which does not pass througha firewall and was never secured), ensure appropriate security controls areimplemented.

Secure control network internal communications.o Ensure communications equipment (routers, switches, firewalls, VPN

devices, etc.) and control systems and associated components aresecured in accordance with established security policies.

Safely and Securely Start Control Processes

Ensure for all systems and components repaired or replaced (control systems,actuators, sensors, routers, firewalls, etc.) that an individual was assignedresponsibility and implemented appropriate security measures.

Ensure safety systems are in place and operating properly before attempting torestart control process.

Equipment grounding and grounding protection equipment should be inspected,tested, and repaired as necessary. This is critical for equipment and hardwaretorn loose from high winds or flood water debris, or exposed to excessivemoisture, chemicals, or toxins which could corrode or degrade their ability tohandle short circuit faults.

If emergency power supplies or generators are utilized to supply temporarypower to components of the control system, ensure proper emergency shutdownprotection and interlocks are enabled.

Restart process.o Put extra eyes on watching safety and control system displays during

restart.o Watch for any indication of out-of-the-ordinary performance.

September 2005


7/7


CSSC Page 7 of 7 9/22/2005


If out-of the-ordinary conditions arise, stop safely, retest,reconfigure, and re-build as necessary.

After everything checks-out OK, establish necessary external communicationssecurely as described in section on Secure Communication Paths.

Taking notes during the recovery process can prove valuable for lessons learnedinitiatives and for updating relevant DRP, COOP, policy, guidance, and proceduredocuments. It is recommended that a risk assessment, which includes a vulnerabilityassessment, be conducted to identify any vulnerabilities which may have arisen as aresult of changes made to the control system and surrounding environment.

IV. Control System Assistance Points of Contacts

The DHS US-CERT CCSSC was established to bring together control system owners,operators, Information Sharing and Analysis Centers (ISACs), vendors, industryassociations, and subject matter experts to address control systems cyber

vulnerabilities and to develop and implement programs aimed at reducing the likelihoodof success and severity of impact of a cyber attack against a critical infrastructure. TheUS-CERT CSSC works to enhance the cyber security of the Nations criticalinfrastructure by coordinating government and industry activities and has relationshipswith relevant federal agencies, National Laboratories, private sector control systementities and subject matter experts to ensure the best available facilities and minds areaddressing the critical task of protecting our Nations control systems used in criticalinfrastructure.

The US-CERT CSSC would like owners and operators to work with their Sector SpecificAgencies (SSAs), Sector Coordinating Councils, and sector ISACs to provide status

and share information, lessons learned, and data that can be utilized to develop timelysituational awareness on the health of critical infrastructure sectors in the areasimpacted by Hurricane Katrina.

DHS would like to inform the control system community that the US-CERT CSSC canprovide assistance in ensuring control systems are brought back into operation in a safeand secure manner. The US-CERT CSSC can assist in locating individuals and entitiesthat can help owners and operators return systems to operation and can assist ownersand operators with cyber security issues. Requests for assistance from the US-CERTCSSC can be made by contacting the US-CERT via telephone at (888) 282-0870 or bysending an email to [email protected]. Information about the US-CERT can be found on

its web site (http://www.us-cert.gov).

September 2005
mailto:[email protected]://www.us-cert.gov/http://www.us-cert.gov/mailto:[email protected]

Hurricane Katrina Conrol System Assistance

Documents

Transcript of Hurricane Katrina Conrol System Assistance