ISA EXPO 2008
Control System Self Assessment Tools and Methods
Welcome
• Presenter: Carol Muehrcke, Cyber Defense Agency LLC
  – Co-chair SCADA Cyber Self Assessment Working Group (WG) under Process Control System Forum (PCSF)
  – Computer security R&D since 1992
• Topics:
  – WG background
  – Requirements for IACS cyber security self assessment
  – Survey of available tools and methods
  – Planning a self assessment
IACS: Industrial Automation and Control System (ISA term)
PCSF Self Assessment WG
• Rationale: 2005 - pressing need to understand IACS cyber security readiness
• Charter: Enable the development and use of the best possible next generation of self administered tools and methodologies for the assessment of the cyber security readiness of process control systems.
• Deliverables:
  – IACS self-assessment requirements list
  – Gaps: Requirements unmet by existing tools and methodologies
• Final report: on PCSF web site https://www.pcsforum.org/groups/13/
Self Assessment WG Core Team
• Garill Coles, Pacific Northwest National Laboratory
• Mark C. Morgen, 3M - Optical Systems Division
• Carol Muehrcke (Co-chair), Cyber Defense Agency, LLC, cmuehrcke@cyberdefenseagency.com
• Matt Earley, Decisive Analytics Corporation
• Ron Melton, Pacific Northwest National Laboratory
• Candace Sands, EMA
• Brian Isle (Chair), Adventium Labs, brian.isle@adventiumlabs.org
• Cliff Glantz, Pacific Northwest National Laboratory
• Mary S. Hester, Intelligent System Solutions
Self Assessment Requirements Categories
• Importance of Cyber Security in Business
• Scope of the Cyber Security Management System
• Security Policy
• Personnel Security
• Organizational Security
• Compliance
• Physical and Environmental Security
• Access Control**
• Information and Document Management
• Identifying Vulnerabilities**
• Risk Identification, Classification and Assessment**
• Risk Management and Implementation
• Incident Planning and Response
• Infrastructure-Related Operations and Change Management
• Staff Training and Security Awareness**
• System Development and Maintenance
• Monitoring and Reviewing the Cyber Security Management System
• Maintaining and Implementing Improvements
Key: Covered; Gaps in some Sectors; Gaps in all sectors ** Highest WG priority
Example – Access Control
General:
• Principle of least privilege, controlled management of accounts, coverage of personnel and third parties
IACS Specific:
• Administrative vs. control access
• Critical vs. non-critical operator functions and platforms
• Stronger authentication for remote access
• Team passwords
• Approval of privileges by personnel familiar with control tasks
• Complementary physical access controls (e.g. unattended logged in terminals)
• Control risks due to denial of service: forgotten passwords, expiring passwords, account lockout on login failures, screen savers blocking status information, authentication using remote servers or LAN/WAN elements
• Operation during modification of access controls
Type and Scope for Tools and Methodologies
• Scope: Risk / Vulnerability; Cyber / Physical; IACS / IT
• Type: Standard; Software Tool; Step by Step Method; Questionnaire
Tools and Methods Analyzed
Name | Type | Sector | Scope
API 1164 Standard Appendices A-B | Questionnaire & cyber security plan | Refining and Petrochemical | Risk & Vulnerability, Cyber, IACS
API SVA - Security Vulnerability Analysis | Methodology | Refining and Petrochemical | Risk, Physical & Cyber, Generic
Industry Participant Tool - Proprietary | Excel-based tool | Refining & Petrochemical | Vulnerability, Cyber, IACS
CIDX Guidance for Address. Cyber Security in Chem. Industry V 3.0 – App. 1 | Questionnaire | Chemical | Vulnerability; cyber, IT & some IACS
PHAWorks – Primatech, w/ cyber guidance doc | Software Tool | Refining, Petrochemical & Chemical | Risk, Physical and Cyber, Generic
Tools and Methods Analyzed (cont.)
Name | Type | Sector | Scope
RAM-W Risk Assessment Methodology-Water | Methodology | Water/Wastewater | Risk, Physical & Cyber, Generic
VSAT Vulnerability Self Assessment Tool | Software Tool | Water/Wastewater | Risk, Physical & Cyber, high level IT and IACS
CS2SAT Cyber Security Self Assessment Tool | Software Tool | Cross-sector, tailorable to a sector | Vulnerability & some Risk, Cyber, IACS
DHS NCSD Questionnaire | Questionnaire | Cross-sector | Vulnerability, Cyber, Generic
WG Results - Highlights
• The score:
  – 3 IACS specific (one proprietary)
  – 2 some unique IACS content
  – 4 no unique IACS content
• Much sector material applicable cross-sector
• Risk specific to IACS treated at high level or via consequence
  – VSAT: IACS as one element of enterprise, probability is user input
  – API 1164:
    – application consequence categories determine requirements
    – Some guidance on ranking interfaces by value and susceptibility
  – CS2SAT: consequence as proxy for risk
  – Need fundamental R&D and data gathering
• CS2SAT: most depth for IACS vulnerabilities, access control
• Staff Awareness and Training Category
  – Tools and methods not success driver
  – Unique to sectors and enterprises
  – Sector groups have role providing guidance
  – Nuclear initiative
Planning a Self Assessment
• Study and address all 18 categories
  – Standards typically touch most of them
• Choosing tools and methods:
  – Unlikely you will find a comprehensive self-assessment tool or method
  – Software tool functionality: standards compliance tracking vs. technical features
  – Consider organizational structure (IT and IACS, Cyber and Physical Security)
  – Other characteristics (cost, ease of use) covered in WG analyses
• Address both risk and vulnerability
• Little detailed guidance available on risk specific to IACS
• World class organizations treat all risks under same structure (physical, IT cyber, IACS cyber)
• As first steps:
  – Coordinate with physical security assessments
  – Reuse IT work on vulnerabilities (risk and mitigations less applicable)
Sample Resources
Requirement Category | Tool or Method | Comments
Security Policy | American Petroleum Institute 1164 Appendix B | Sample security plan
Information and Document Management | American Petroleum Institute 1164 and Appendix A | List of IACS documents requiring protection
Access Control, Vulnerabilities | CS2SAT | Create model of network, then examine, host by host
Risk Identification, Classification and Assessment | VSAT | Systematic approach to prioritizing risks
Review
• Start with understanding of self assessment requirements
• Tools and methods specific to IACS are few, new
• Tool or method may be helpful although not IACS-specific
• One way to find useful tools and methods - WG Final Report matrix of methods and tools vs. requirements
• Consider resources from other sectors
• Look for improvements in treatment of risk
Q & A
• Any questions?
Backup Slides
Example – Personnel Security
General:
• Employees and contractors are screened upon employment and job changes, based on criticality of job. Job responsibilities for security clearly defined.
IACS Specific:
• Guidance on defining job criticality for control system personnel
• Guidance on security responsibilities of control room and other control system personnel.
• Third party contracts related to control room have provisions for cyber security.
Example – Risk Identification, Classification and Assessment
General:
• Identify threats, vulnerabilities, consequences, probability of occurrence for realization of threats identified
IACS Specific:
• Consider when defining criticality: how long can you operate without control, without visibility? How fast do you need alerts, alarms, and to be able to start, stop or modify a process?
• Enumeration and characteristics/preferences of threat sources (e.g. terrorist, activists, employees, criminals)
• Guidance for assessing probability of control system security incidents
• Guidance on assessing consequences
• Consider: interdependencies and cascading effects
• List of control system specific vulnerabilities…
Example – Staff Training and Awareness
General:
• Need for timely awareness and specific technical cyber security training plus periodic updates
IACS Specific:
• Awareness and training for control system personnel tailored to specific needs
• Guidance on training needs for control system personnel