TRANSCRIPT
Department of Homeland Security
Incident Response and Vulnerability Analysis
Seán Paul McGurk
National Cybersecurity and Communications Integration Center
U.S. Department of Homeland Security
Homeland Security
Cyber Incident Response and Analysis
ICS-CERT: Provide operational support for critical infrastructure stakeholders to respond and defend against emerging cyber threats
Incident Response: Provide on-site assistance and off-site analysis to bridge the information gap
Technical Analysis: Perform digital media analysis for malware and consequences
Partnering: Provide disclosure through advisories, alerts, bulletins and information sharing
Situational Awareness: Observe, identify, acquire, or receive relevant ICS information
Benefits to the ICS and Critical Infrastructure Community
• Awareness of emerging issues and threats
• State of the art analysis capabilities specific to ICS
• Incident response support for recovery and future defense
• Established partnership for immediate support and guidance
• ICS-CERT collaboration with other agencies and partners
ICS-CERT: Products
Alerts
Advisories
Website & Portal
ICS-CERT and the NCCIC
• The National Cybersecurity and Communications Integration Center is comprised of organizational components and operational liaisons
• Components refers to DHS organizations that have a major presence on the NCCIC floor
• Operational Liaisons refers to outside agencies such as ISACs, Law Enforcement and Industry
• The execution of NCCIC’s mission relies on coordinated operations that contribute to all products and services
[Diagram: National Cybersecurity and Communications Integration Center. Components and liaisons shown include Law Enforcement, Intelligence Community, Industry, DHS NOC, NCSC, US-CERT, NCC, I&A and ICS-CERT]
Incident Response Support
• Assist asset-owners
– Onsite “flyaway” teams
– Network architecture
– Data collection
– Mitigation
• Offsite technical analysis teams
– Analysis of collected data
– Customer reporting
• Bridge threat awareness gap
Incident Response Example: Pre-deployment
[Diagram: Company-X request for assistance; information package; ICS-CERT Operations]
Incident Response Example: Onsite
[Diagram: Company-X; ICS-CERT Operations; drive images; technical analysis]
Incident Response Example: Post-deployment
[Diagram: Company-X; technical analysis; ICS-CERT Operations]
Fly-Away Team Observations
• Increase in control systems owner/operator’s desire to understand the threats to their systems and how to mitigate risks
• Increased security measures are needed not only to prevent cyber attacks, but to detect and respond to incidents and mitigate the overall risk
• Trends in the usage of USBs and other removable media have introduced and spread malware
– USB thumb or flash drives have found their way into many networks
– USB drives offer malware authors an unprecedented ability to circumvent customary network access controls and protections
– Control systems are susceptible to attacks via USB drives since they tend to be isolated from the internet and business network and are, therefore, used to push out updates to the system
Control System Vendor’s Response
• Developing internal incident response teams or CERTs for triaging major issues
• Notifying their consumer base through increased advisories and communications
• Collaborating with ICS-CERT on vulnerability related issues, including testing of mitigations and workarounds
• Participating in working groups such as the Industrial Control Systems Joint Working Group (ICSJWG) to collaborate with other vendors and solicit feedback from owner/operators.
• Overwhelming response to participate in the Program’s week-long ICS advanced cybersecurity training.
Cyber Security Evaluation Tool (CSET)
CSET Features
• Assessment covers policy, plans, and procedures in 10 categories
• Provides recommended solutions to improve security posture
• Allows for standards-specific reports (e.g., NERC CIP, DOD 8500.2, NIST SP800-53)
Recent Accomplishments
• Issued Version 2.0 of the Tool
– The embedded Global Assessment cross-references multiple standards
• Version 3.0 in development – planned completion in Sept 2010
• Distributed over 1,000 copies since October 2009 to asset owners in 15 different sectors
Assessments: On-Site Support
• CSSP used the CSET to assist critical infrastructure asset owners in conducting self-assessments
– Completed 50 assessments in multiple sectors
• Assessment teams assisted infrastructure asset owners in 17 states and territories, including several remote locations where the control systems represent ‘single-point failures’ for the community
• CSSP encourages asset owners to identify their security gaps and implement the recommended mitigation strategies
On-Site Assessment Observations
• Weak or nonexistent cybersecurity policies and practices
– Lack of a formal documented program and procedures
– Need for an established cybersecurity team
– Need for incident response and disaster recovery policies and/or directives
• Insufficient control of remote logging and access
– Weak enforcement of remote login policies
– Weak port security
– Network architecture not well understood and internal networks not segmented
– Flat networks: devices not properly configured
On-Site Assessment Observations (continued)
• Media protection and control
– Weak control of incoming and outgoing media (use of USB drives)
– Lack of encryption implementation
• Audit/logging events
– Insufficient methods for monitoring and controlling network events
– Lack of understanding of disaster recovery techniques
• Weak testing environments
– Limited patch management abilities
– Weak backup and restore abilities
– Weak firewall rule sets
Industrial Control Systems Joint Working Group (ICSJWG)
• Provides a vehicle for collaboration between government and private sector control systems stakeholders
– Government Coordinating Council
– Sector Coordinating Council
– Subject Matter Experts
– International Community
• Fosters information sharing and coordination of activities and programs across government and private industry stakeholders involved in protecting CIKR
• Includes 6 subgroups – volunteers welcome
– Vendors
– Research and Development
– International
– ICS Roadmap Development
– Workforce Development
– Information Sharing
Contact Information
Report Control Systems cyber incidents and vulnerabilities
– [email protected]
– 877-776-7585
Report general cyber incidents and vulnerabilities
– www.us-cert.gov or [email protected]
– 703-235-5111, 888-282-0870
Sign up for cyber alerts
– www.us-cert.gov
Learn more about the Control Systems Security Program
– www.us-cert.gov/control_systems
– [email protected]