National Cyber Security Strategies for Critical Infrastructure Protection

Scott Jasper, CAPT, USN (ret)

21 August 2014

The author's views expressed within do not necessarily represent those of the US Government.

Consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

• All sectors of modern society rely on cyber networks, systems, and services

• They are essential to national defense, including the conduct of military operations

A Global Domain

Information and Communication Technology (ICT) is the business aspect (free flow of information, commerce, crime, espionage, etc.), and Industrial Control Systems (ICS) are the part whose failure may cause damage to property and loss of life.

Hostile actors seek to exploit, disrupt, deny, and degrade the networks and systems our societies and militaries depend upon.

Four scenarios are most concerning:

• Theft of data (Criminal)

• Exploitation of data (Espionage)

• Disruption or denial of access or service (Protest)

• Destructive action, including corruption, manipulation, or direct activity (Damage)

Advanced Persistent Threat (APT) class malware attacks (targeted, zero-day, stealthy) complicate cyber defense strategies.

...Aggression is Relentless

Theft of Data (Target Corporation)

The retail giant Target confirmed some 70 million customer credit and debit accounts were compromised in December 2013.

Account numbers, expiration dates, cardholder names and card verification values (CVV) were compromised, and encrypted debit card PINs were stolen.

• Attackers installed a hybrid of Kaptoxa and Reedum malware on Point of Service (card reader) machines.

• The malware (a memory scraper) gathers magnetic stripe data that is temporarily stored unencrypted in memory.

• Reedum is nearly identical to BlackPOS, which is sold on crime forums.

• The PINs are encrypted with Triple-DES (Data Encryption Standard), which is somewhat vulnerable to brute-force cracking.

Information was exfiltrated over two weeks. The data breach cost $61M in expenses and resulted in a loss of $700M in revenue from lost consumer confidence in shopping at Target.

Exploitation of Data (Operation Night Dragon)

Starting in November 2009, cyber attacks were conducted against global oil, energy and petrochemical companies. In addition to spear-phishing of mobile employees, techniques included:

• Compromising perimeter security controls through SQL injection exploits of extranet web servers to gain system-level access.

• Uploading hacker tools, including Remote Administration Tools (zwShell), onto compromised servers, allowing control over sensitive desktops.

• Dumping account hashes with gsecdump and using the Cain & Abel tool to crack the hashes and obtain usernames and passwords.

• Authenticating access and copying files on operational oil and gas field production systems, and documents related to field exploration and bidding.

ICS-CERT reported that 256 attacks had been mounted in 2013 against companies in critical infrastructure sectors (151 in energy alone).

Denial of Service (US Banks)

The websites of Bank of America, JPMorgan Chase, Wells Fargo, US Bank and PNC Bank suffered day-long slowdowns or inaccessible periods in September 2012.

Denial of Service attacks – huge amounts of traffic directed at a website to make it crash – were the largest ever recorded.

• The aim of the attacks was to temporarily knock down the banks' public-facing websites

• No data was stolen from the banks, and transactional systems, like ATM networks, remained unaffected.

A hacktivist group, the Izz ad-Din al-Qassam Cyber Fighters, vowed to attack financial institutions in retaliation for the release of the "Innocence of Muslims" mockery film.

Destructive Action (SK Banks and Media)

South Korean banks (Shinhan and NongHyup) and television media outlets (YTN, MBC, and KBS) were targeted in March 2013.

Destructive malware wiped the hard drives and attached drives of infected machines at 2 PM local time; data was lost and the machines were unable to reboot.

• The machines were defaced with a message by the "Whois Team"

• The infection originated from a legitimate Korean website that housed the malware.

• A security firm found several Chinese words and other clues in the malware.

• The malware resembles Shamoon in overwriting the Master Boot Record.

It turns out the high-profile data annihilation attacks that wiped the hard drives of tens of thousands of computers were actually the conclusion of a covert espionage campaign.

Exploitation/Destructive Capability (Dragonfly)

A cyber espionage campaign compromised energy sector organizations and achieved sabotage capabilities in 2013/14.

Targets were energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industrial control system (ICS) equipment providers:

• Malware was sent in phishing emails to personnel in target firms

• Websites likely to be visited by targets were compromised for watering hole attacks

• Legitimate software bundles belonging to three different ICS equipment manufacturers were trojanized for customer download

The majority of victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

Recent US Initiatives for Securing Critical Infrastructure

Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience (12 Feb 13)

• Identifies 16 Critical Infrastructure Sectors:

Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; Water and Wastewater Systems


• Establishes national policy and strategic imperatives to drive an integrated, holistic approach

• Clarifies roles and responsibilities for Secretary of Homeland Security and Sector Specific Agencies

• Directs an update to the National Infrastructure Protection Plan (NIPP)

• Sector-Specific Plans that detail how the NIPP risk management framework is applied to each sector's characteristics and risk landscape can be found at:

Executive Order 13636: Improving Critical Infrastructure Cybersecurity (12 Feb 13)

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties"

– President Barack Obama

• Directs the development of a Cybersecurity Framework that reduces cyber risk to critical infrastructure.

• Directs the expansion of programs and products that increase the volume, timeliness and quality of cyber threat information shared with U.S. private sector entities.


Based on the Executive Order, the Cybersecurity Framework Must...

• Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks

• Incorporate international voluntary consensus standards and industry best practices to the fullest extent possible

• Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk

• Identify areas for improvement to be addressed by collaboration with particular sectors and standards-developing organizations


Framework Components

Framework Core

• Cybersecurity activities common across critical infrastructure sectors and organized around particular outcomes, with informative references

• Enables communication of cyber risk across an organization

Framework Implementation Tiers

• Describes how cybersecurity risk is managed by an organization

• Describes the degree to which an organization's cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)

Framework Profile

• Aligns industry standards and best practices to a particular implementation scenario

• Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs, including cost-effectiveness and innovation

Framework Core Functions and Categories

Identify – Develop understanding to manage cyber security risk. Categories: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy

Protect – Implement safeguards to ensure critical infrastructure services. Categories: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology

Detect – Identify the occurrence of a cyber security event. Categories: Anomalies and Events, Security Continuous Monitoring, and Detection Processes

Respond – Activities to take action regarding a detected cyber security event. Categories: Response Planning, Communications, Analysis, Mitigation, and Improvements

Recover – Restore capabilities/services impaired due to a cyber security event. Categories: Recovery Planning, Improvements, and Communications


Framework Core Informative References

COBIT – Control Objectives for Information and Related Technology

ISACA’s framework for managing and governing information technology. Bridges control requirements, technical issues and business risks.

CCS CSC – Council on CyberSecurity Top 20 Critical Security Controls

Subset of controls in NIST SP 800-53, prioritizing those that are effective against Advanced Targeted Threats by emphasizing “what works.”

ANSI/ISA-62443-2-1 (99.02.01)-2009 – Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program

ANSI/ISA’s standard on cybersecurity focused on industrial automation and control systems.

ANSI/ISA-62443-3-3 (99.03.03)-2013 – Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels

ANSI/ISA’s standard on cybersecurity focused on industrial automation and control systems.

ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements

ISO/IEC's international standard specifying the requirements for an information security management system.

NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information Systems and Organizations

NIST’s catalog of security controls for all U.S. federal information systems except those used in national security.


Framework Core Sample (Function / Category / Subcategory / Informative References)

Function: Identify (ID)

Category: Asset Management (ID.AM) – The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.

Subcategory ID.AM-1: Physical devices and systems within the organization are inventoried

• COBIT 5 BAI09.01, BAI09.02

• ISA 62443-2-1:2009

• ISA 62443-3-3:2013 SR 7.8

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2

• NIST SP 800-53 Rev. 4 CM-8

Subcategory ID.AM-2: Software platforms and applications within the organization are inventoried

• COBIT 5 BAI09.01, BAI09.02, BAI09.05

• ISA 62443-2-1:2009

• ISA 62443-3-3:2013 SR 7.8

• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2

• NIST SP 800-53 Rev. 4 CM-8

Subcategory ID.AM-3: Organizational communication and data flows are mapped

• COBIT 5 DSS05.02

• ISA 62443-2-1:2009

• ISO/IEC 27001:2013 A.13.2.1

• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

Subcategory ID.AM-4: External information systems are catalogued

• COBIT 5 APO02.02

• ISO/IEC 27001:2013 A.11.2.6

• NIST SP 800-53 Rev. 4 AC-20, SA-9

Subcategory ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

• COBIT 5 APO03.03, APO03.04, BAI09.02

• ISA 62443-2-1:2009

• ISO/IEC 27001:2013 A.8.2.1

• NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

Subcategory ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

• COBIT 5 APO01.02, DSS06.03

• ISA 62443-2-1:2009

• ISO/IEC 27001:2013 A.6.1.1

Framework Profiles

• The Profile aligns Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources.

[Diagram: Framework Profile. Source: Cyphort]
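A Profile only becomes useful when the Current Profile is compared against the Target Profile and the shortfalls are ranked. The following added example (not code from the presentation or from NIST) shows that comparison over the Asset Management subcategories listed in the Framework Core sample above. It assumes a constructed 0-4 achievement score per subcategory (this is not the Framework's Implementation Tiers) and an organization-chosen priority weight of 1-3; the sample profiles are invented for a fictional operator, while the informative references come from the slide.

```python
"""Current-vs-Target Profile gap analysis over NIST Cybersecurity Framework
Core subcategories.

Added example for this presentation, not NIST code. Assumes a constructed
0-4 achievement score per subcategory (not the Framework's Implementation
Tiers) and a business-chosen priority weight of 1-3.
"""
from dataclasses import dataclass

# Subcategories and informative references from the Framework Core sample
# (Identify function, Asset Management category) on the slide.
ID_AM_REFERENCES = {
    "ID.AM-1": "NIST SP 800-53 Rev. 4 CM-8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
    "ID.AM-2": "NIST SP 800-53 Rev. 4 CM-8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
    "ID.AM-3": "NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8; ISO/IEC 27001:2013 A.13.2.1",
    "ID.AM-4": "NIST SP 800-53 Rev. 4 AC-20, SA-9; ISO/IEC 27001:2013 A.11.2.6",
    "ID.AM-5": "NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14; ISO/IEC 27001:2013 A.8.2.1",
    "ID.AM-6": "ISO/IEC 27001:2013 A.6.1.1; COBIT 5 APO01.02, DSS06.03",
}

MAX_SCORE = 4  # constructed scale: 0 = outcome not achieved ... 4 = fully achieved


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    priority: int  # 1 (low) to 3 (high), chosen by the business

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def score(self) -> int:
        # Priority-weighted gap: the quantity used to rank remediation work.
        return self.size * self.priority

    @property
    def references(self) -> str:
        # Where to look for controls that close this gap.
        return ID_AM_REFERENCES.get(self.subcategory, "")


def _check(profile: dict, name: str) -> None:
    for sub, value in profile.items():
        if sub not in ID_AM_REFERENCES:
            raise KeyError(f"{name}: unknown subcategory {sub}")
        if not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{name}: {sub} score {value} outside 0..{MAX_SCORE}")


def gap_analysis(current: dict, target: dict, priority: dict) -> list:
    """Return subcategories where Current falls short of Target, largest
    priority-weighted gap first. Subcategories already at or above target
    are not gaps, so over-investment is never reported as work to do."""
    _check(current, "current")
    _check(target, "target")
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)  # an unscored subcategory counts as 0
        if have < want:
            gaps.append(Gap(sub, have, want, priority.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def progress(current: dict, target: dict) -> float:
    """Fraction of the Target Profile achieved. Credit is capped at the
    target so exceeding one outcome cannot mask a shortfall in another."""
    total = sum(target.values())
    if total == 0:
        return 1.0
    achieved = sum(min(current.get(sub, 0), want) for sub, want in target.items())
    return achieved / total


# Constructed sample profiles for a fictional operator.
CURRENT_PROFILE = {"ID.AM-1": 3, "ID.AM-2": 2, "ID.AM-3": 1, "ID.AM-4": 0, "ID.AM-5": 1, "ID.AM-6": 2}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.AM-2": 4, "ID.AM-3": 3, "ID.AM-4": 3, "ID.AM-5": 3, "ID.AM-6": 3}
PRIORITY = {"ID.AM-1": 3, "ID.AM-2": 3, "ID.AM-3": 2, "ID.AM-4": 2, "ID.AM-5": 3, "ID.AM-6": 1}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        print(f"{g.subcategory}: {g.current}->{g.target} (weighted gap {g.score}); see {g.references}")
    print(f"progress toward Target Profile: {progress(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

The ordering deliberately weights by business priority rather than raw gap size: in the sample, the unscored external-systems catalogue (ID.AM-4) has the largest shortfall but ranks alongside the higher-priority software inventory (ID.AM-2), which is the kind of trade-off the Profile is meant to make explicit.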

Version 1.0 released on Feb. 12, 2014

The Framework is designed to complement existing business and cybersecurity operations, and can be used to:

• Understand security status

• Establish / improve a cybersecurity program

• Communicate cybersecurity requirements with stakeholders, including partners and suppliers

• Identify opportunities for new or revised standards

• Identify tools and technologies to help organizations use the Framework

• Integrate privacy and civil liberties considerations into a cybersecurity program

Available at:

Executive Order 13636: Support Sharing of Cyber Threat Information

Expands the DHS Enhanced Cybersecurity Services program, operated by the NCCIC, to share information with qualified Commercial Service Providers to protect Critical Infrastructure entities.

DHS collaborates with Interagency Partners as well as Industry Partners, like Information Sharing and Analysis Centers (ISACs):

• In 2012, DHS identified a campaign of intrusions targeting natural gas pipeline companies; it alerted the community, deployed teams, and conducted briefings for hundreds of private sector individuals, providing warnings and mitigation strategies.

• During the 2013 bank DDoS attacks, working with the Financial Services ISAC, DHS provided hundreds of thousands of related IP addresses to financial institutions, deployed on-site technical assistance, and conducted briefings for hundreds of IT specialists.

The Retail Cyber Intelligence Sharing Center (R-CISC) was launched in May 2014 – participating companies include Target, J.C. Penney, Nike and Lowe's.