Shared Situational Awareness: The Achievable Path. ICSJWG Spring 2014
What Paths Are We Pursuing?

Vulnerabilities
• Research and Find…
  – LOTS!
  – [insert vendor] [insert product] [insert vuln count]
• The Answer:
  – Get vendors to fix all vulnerabilities
  – Get asset owners to apply all patches

Architectures
• Flat Networks, Single Points of Failure
• The Answer:
  – Get asset owners to re-architect all networks

Training
• Operators, Architects and Coders Lack Skills
• The Answer:
  – Train all Users to Control Behavior
  – Educate all System Designers
  – Train all vendor engineers to build Secure-By-Design

Isolation
• Shodan / Project Shine
  – 1,000,000 connected networks
• The Answer:
  – Air Gaps!
  – Forbid Remote Access

Let’s Talk Scale…
• ~6,000 Electric Utilities
• 55,000 Substations
• 100,000 EHV Transformers
• 200,000 Miles of Transmission Lines
• 2.2 Million Miles of Distribution Lines
• 300,000 Electric Engineers

Let’s Talk Scale…
• ~50,000 Water Utilities
• 1 Million Miles of Water Pipes
• 400B Gallons Potable Water Per Day
• 80B Gallons of Wastewater Per Day

Let’s Talk Scale…
• 150 Oil Refineries
• 6.5B Barrels Annually
• 120,000 Gas Stations
• 2,000 Offshore Oil Rigs
• 1,000,000 Oil Wells
• 40,000 Petroleum Engineers

Let’s Talk Scale…
• 200 Natural Gas Utilities
• 300,000 Miles of Gas Transmission Pipelines
• 2.4 Million Miles of Distribution Pipes
• 2T Cubic Feet Annually
• 600,000 Gas Sector Employees

Let’s Talk Scale…
• 28,000 Food Processing Facilities
• 2,200,000 Farms
• 1B Tons of Food Products Annually

Let’s Talk Scale…
• 100 Urban Rail Systems
• 25,000 Locomotives
• 1.3M Cars
• 200,000 Rail Crossings
• 140,000 Miles of Freight Rail
• 1.5T Ton-Miles of Freight

Let’s Talk Scale…
• 300,000 Manufacturing Plants
• 17.4M Jobs
• $2T in Manufactured Goods

Let’s Talk Scale…
• Metals and Mining
• Aviation
• Maritime
• Ports
• Highways
• … … … … …

How Long Will All That Take?
• To Find All Vulnerabilities?
• To Apply All Patches?
• To Create All New Devices?
• To Re-Architect All Networks?
• To Train Everyone?

What Would We Gain?
• Infrastructure Vulnerable to Every Day Zero
• Network Segments That Still Fail
• Insider Threats that Succeed

What is Achievable?
• The Same Thing Operators Use Now:
  Visibility
• At the Facility
• Across Sectors
• Nationally
• Internationally

Shared Knowledge Network
[Diagram labels: Private Centers; Public Centers; Service Providers Knowledge; Data & Information]

Resilience of Shared Situational Awareness
[Diagram labels: ICS-ISAC; Integrators; CERTs; Sharing Node; Knowledge Source; Service Providers; Trade Organizations; Knowledge Centers; Asset Owner]

We Need to Know:
• Who We Are
• What We Have
• What it is Doing
• How To Share

Pieces Falling Into Places
• Tools and Process For Visibility
• Common Language for Sharing
• Compatible Plumbing
• Local, State, National and Global Structures
A Common Language for Sharing

Automated Knowledge Sharing
TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries.
Project Avalanche
• Open Source Sharing Platform
• STIX Repository
• TAXII Server
• Pilot Operational
• Open Source Summer 2014

Situational Awareness Ref Arch (SARA)
• Identity
  – “Who are we?”
• Inventory
  – “What do we have?”
• Activity
  – “What is it doing?”
• Sharing
  – “How do we communicate with others?”

SARA Overview
• Reference Architecture for Shared Visibility
• Guide
• Network
• Open Source Toolset
• ICS-ISAC.org/sara

Identity
• Foundation for Rational Decisions
  – What capabilities do we have?
  – How do we make decisions?
  – What is our structure?
• Existing Methodologies
  – all.net/Arch/index.html
  – CSET

Inventory
• Create and Maintain Inventory
  – Control System Components
  – Process Equipment
  – System Topology
  – Device Configurations
• Open Source Tools
  – Snort, nmap, ossim

Activity
• Behavior Baseline
  – Device Relationships
  – Approved Patterns
  – Change Control
• Anomaly Detection
  – Did Something Change?

Sharing
• Inbound
  – Receiving and Utilizing External Knowledge
• Outbound
  – Deriving
  – Anonymizing
• Communication
  – Schemas and Transports (STIX, TAXII, IODEF, CIF…)
  – Policies and Practices

Information Types
• Data
  – Atomic: syslog messages, device configurations…
• Information
  – Aggregate: Lots of Data
• Knowledge
  – Actionable, Sharable
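
An added example, not part of the original presentation or the SARA toolset: it walks the Activity, Sharing and Information Types slides end to end, turning flow records (data) into a baseline of device relationships (information), flagging a relationship that changed, and deriving an anonymized outbound record (knowledge). The addresses, the site key, the function names and the output fields are all constructed assumptions, and the output is a generic dictionary, not a STIX document.

```python
import hashlib
import hmac
import json

# Constructed flow records ("Data"): (source, destination, service).
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "dnp3/20000"),   # SCADA server -> PLC
    ("10.0.1.30", "10.0.1.10", "https/443"),    # HMI -> SCADA server
    ("10.0.1.10", "10.0.1.20", "dnp3/20000"),
]
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.1.20", "dnp3/20000"),   # approved pattern
    ("10.0.1.30", "10.0.1.20", "dnp3/20000"),   # HMI talking DNP3 straight to the PLC
    ("10.0.1.30", "10.0.1.20", "dnp3/20000"),
]

def build_baseline(flows):
    """Aggregate raw flows into the set of approved device relationships ("Information")."""
    return set(flows)

def detect_changes(baseline, observed):
    """Return relationships absent from the baseline, with how often each was seen."""
    counts = {}
    for flow in observed:
        if flow not in baseline:
            counts[flow] = counts.get(flow, 0) + 1
    return counts

def pseudonym(address, site_key):
    """Keyed hash: the same device always maps to the same token, without exposing its address."""
    return hmac.new(site_key, address.encode(), hashlib.sha256).hexdigest()[:12]

def to_shareable(changes, site_key):
    """Derive anonymized outbound records ("Knowledge") from the detected changes."""
    return [
        {"src": pseudonym(src, site_key), "dst": pseudonym(dst, site_key),
         "service": service, "count": count, "finding": "new device relationship"}
        for (src, dst, service), count in sorted(changes.items())
    ]

if __name__ == "__main__":
    key = b"constructed-site-secret"  # placeholder key, constructed for this example
    changes = detect_changes(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)
    print(json.dumps(to_shareable(changes, key), indent=2))
```

The keyed hash keeps pseudonyms stable across reports from one site, so a receiving center can correlate repeated findings without learning internal addressing.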

SARA Pilot
[Diagram labels: Switch; Schemas and Transports (ActiveMQ, STIX, TAXII); Message Bus; ICS-ISAC; PLC; HMI; SCADA Server; SARA Server; Internet; Process Equipment; Enernex LAB; Firewall/VPN; Palo Alto; Tripwire; Vendors; GE; Service Providers]

[Diagram labels: SCADA Server; SARA Server; DNP3 Visibility; Service Providers; ICS-ISAC; DNP3 Command Traffic]
Act!
● Know Yourself
● Know Your Stuff
● Know What You Do
● Learn How to Share
Thank you for your time