EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER-SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM

Wurldtech Security Technologies


Objectives

Discuss:

•  Evaluation of effectiveness
   -  How do we define and measure effectiveness?

•  Implementation of cyber-security policies
   -  What policies do we need to implement?

•  Management and administration of cyber security
   -  How do we ensure we are complying with policies?

EVALUATING EFFECTIVENESS

Effectiveness

Complicated topic for a number of reasons. Here are but a few:

•  How do you define effectiveness?

•  How do you measure effectiveness?

•  Is saying that security measures are “effective” the same as having “assurance/confidence” that the system is secure?

•  How do you measure unknown vulnerabilities that lead to zero-day attacks?

•  Does it have to consider the environment in which the system is installed? Does it have to consider all threats or only applicable threats? Can the same system’s security features be effective in one environment but not another?

Product effectiveness criteria

Was the product developed using a commonly accepted Secure Development Life Cycle (SDLC) process?

•  If so, what is the maturity of the process used?
•  Is supply chain security practiced?
•  Was a security risk assessment performed on the product design? By a third party?
•  Does the product implement applicable IEC 62443-3-3 security capabilities?
•  Was the product thoroughly tested? Requirements testing, vulnerability testing, penetration testing? Were tests performed by a third party?
•  Were the product developers trained in secure development?
•  Can the product be configured to meet a variety of customer security policies/requirements?
•  Are the product’s security patches validated?

*SDLC examples: Microsoft SDLC, BSIMM, Security by Design with CMMI for Development, IEC 62443-4-1 (currently being balloted among National Committees)

Integration/maintenance effectiveness criteria

Was the system integrated (installed) and maintained using a qualified secure process?

•  What is the maturity of this process?

•  Was a security risk assessment performed on the system design? By a third party?

•  Were the integrators and maintenance providers trained in ICS security?

•  Was the system properly segmented? (e.g. Level 2/3, wireless, SIS)

•  Were system security capabilities configured to meet customer policies and requirements?

•  Can it be configured to meet a variety of customer security policies/requirements?

•  Are all devices and portable media free of known malware?

*Qualified Secure Integration and Maintenance Process example: IEC 62443-2-4 certification

Asset owner/operator effectiveness criteria

Does the site have a Security Management System in place?

•  Are all the appropriate security policies and processes in place and have they been communicated to vendors?
•  What is the maturity of these policies and processes?
•  Have the security policies associated with security mechanisms (e.g. password policies) defined a Security Level as specified in IEC 62443-3-3?
•  Have personnel been trained on security policies and processes?
•  Are change management, patch management, event management, and backup/restore processes in place?
•  Is a security incident response team active?
•  Was a security risk assessment performed on the site that covers policy and system design decisions? By a third party?

*Security Management System examples: IEC 62443-2-1 and ISO/IEC 27002

IMPLEMENTING CYBER-SECURITY POLICIES

Understanding the environment

Remote users
•  Human users (e.g. operation & maintenance)
•  Application processes (e.g. historian)

Remote access
•  Process control system/components in one location
•  Client applications in another location

What is in between?
•  Plant/enterprise network
•  Public network (Internet, public or private communications lines)

Understanding threats

What are they trying to do?
•  Malware insertion (run the attacker’s code)
•  Change/steal system parameters using existing system code

How do they get in?
•  Network interfaces
•  Software interfaces (e.g. TCP/UDP ports, named pipes) by:
   -  Authorized devices (usually infected)
   -  Unauthorized devices (e.g. laptops)
•  Local interfaces
•  USB and portable media interfaces
•  Configuration & maintenance ports
•  User interfaces

Unintentional and intentional attacks

Unintentional attacks
•  Accidental actions by users
   -  Improper operational values
   -  Improper configuration
   -  Failure to do a required action
•  Bugs in the system (is this really a security issue?)

Intentional attacks
•  Misuse of the system (e.g. by disgruntled personnel or malicious attacker)
•  Not specifically targeted to the system (e.g. viruses, worms, …)
•  Targeted attacks
   -  Semi-sophisticated (e.g. canned Metasploit users, Shodan users)
   -  Sophisticated (e.g. expert hackers, nation states)
      -  Often requires knowledge of the system (this is why protection of the system design information and code is important)

Understanding vulnerabilities

Vulnerabilities are access points that enable attackers to get in. Examples include:

•  Software bugs (e.g. code that leaves a connection open, that shows passwords as they are typed, or that stores them in memory in the clear)

•  System design errors (e.g. no authentication on Modbus/TCP)

•  Inadequate input validation (e.g. that allows buffer overflows to occur, a user interface that allows an invalid value to be used)

Implementation process

Develop policies and processes in compliance with IEC 62443-2-1
•  Applies ISO/IEC 27001 and 27002 to industrial automation

Train personnel on policies and processes

Communicate policies to suppliers/vendors
•  Ensure suppliers/vendors have supply chain practices in place
•  Ensure integrators and maintenance providers are IEC 62443-2-4 compliant
•  Ensure product suppliers use an SDLC to develop their products
   -  Ensures security requirements
   -  Ensures secure design and implementation
   -  Ensures security testing has been performed

IEC 62443 Maturity Level

Initial (Entry Level): Only ad hoc procedures, not necessarily consistent or repeatable across implementations

Managed: Security program developed and documented, but not yet practiced

Defined: Practiced and repeatable, following documented practices

Improving: Application of lessons learned, documented practices updated

Maturity Level contribution to effectiveness

•  Site operation (IEC 62443-2-1)
   -  More confidence placed on sites with security policies and procedures
   -  Quality of security effectiveness related to maturity of development processes

•  System integration and maintenance (IEC 62443-2-4)
   -  More confidence placed on vendors who have integrated security into their deployment and maintenance processes
   -  Quality of delivery related to maturity of development processes

•  Product development (IEC 62443-4-1)
   -  More confidence placed on products designed, implemented, and tested with security in mind
   -  Quality of product security related to maturity of development processes

MANAGING AND ADMINISTERING CYBER SECURITY

Putting it all together

Evaluation involves identifying suspicious activities at interfaces and finding evidence of potential breaches. Activities include:

Security testing and assessment
•  During integration (e.g. FAT, SAT)
•  After commissioning
•  Periodically during operation

Scanning (discovering)
•  Unauthorized devices
•  Unauthorized open ports
•  Unauthorized software
•  Misconfigurations

Monitoring (watching)
•  Unauthorized traffic (e.g. attempts to reach an unauthorized node/port)
•  Unusual network traffic (e.g. using an IDS)
•  Login activity
•  Remote access activity

Logging (recording)
•  Security violations (invalid login attempts, rejected packets)
•  Access to privileged resources (files, registry, configuration data, administrative processes and data)
•  Startup processes (to ensure configurations are correct)

Reviewing (analyzing)
•  Significant security violations (repeated login attempt failures)
•  Correlations of events (suspicious activities)
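As an added illustration of the Logging and Reviewing steps above (example code, not from the original slides), this Python script parses a constructed key=value security log, flags repeated login failures within a time window, and correlates them with a subsequent access to a privileged resource by the same host/user/source. The log format, field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original slides): key=value records
# from control-system hosts, including a burst of failed logins followed by
# access to a privileged configuration file from the same source.
SAMPLE_LOG = """\
2021-12-11T08:00:01 host=eng-ws1 event=login_failed user=operator src=10.1.2.55
2021-12-11T08:00:03 host=eng-ws1 event=login_failed user=operator src=10.1.2.55
2021-12-11T08:00:05 host=eng-ws1 event=login_failed user=operator src=10.1.2.55
2021-12-11T08:00:07 host=eng-ws1 event=login_failed user=operator src=10.1.2.55
2021-12-11T08:00:09 host=eng-ws1 event=login_failed user=operator src=10.1.2.55
2021-12-11T08:00:40 host=eng-ws1 event=login_ok user=operator src=10.1.2.55
2021-12-11T08:01:10 host=eng-ws1 event=priv_access user=operator src=10.1.2.55 resource=/config/plc1.cfg
2021-12-11T09:15:00 host=hist1 event=login_failed user=svc_hist src=10.1.3.8
2021-12-11T09:16:00 host=hist1 event=login_ok user=svc_hist src=10.1.3.8
"""

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return findings as (kind, (host, user, src), detail) tuples.

    'repeated_login_failure': >= threshold failures inside the window.
    'priv_access_after_failures': privileged access by the same key within
    the window after such a burst (the event correlation the slides call for).
    """
    failures = defaultdict(list)   # key -> failure times still inside window
    bursts = {}                    # key -> time the burst was flagged
    findings = []
    for rec in (parse(l) for l in log_text.splitlines() if l.strip()):
        key = (rec["host"], rec["user"], rec["src"])
        if rec["event"] == "login_failed":
            recent = [t for t in failures[key] if rec["ts"] - t <= window]
            recent.append(rec["ts"])
            failures[key] = recent
            if len(recent) >= threshold and key not in bursts:
                bursts[key] = rec["ts"]
                findings.append(("repeated_login_failure", key, len(recent)))
        elif (rec["event"] == "priv_access" and key in bursts
              and rec["ts"] - bursts[key] <= window):
            findings.append(("priv_access_after_failures", key, rec["resource"]))
    return findings
```

The single failure on hist1 stays below the threshold and produces no finding, so only the eng-ws1 burst and its correlated configuration access are reported.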

Challenges

Culture change
•  Perhaps the biggest challenge
•  Requires change in work practices and awareness
•  Requires acceptance of the necessity of security practices
•  Requires change in behavior

Technology deficiencies
•  Technical requirements not known to asset owner/operator until a security program is established
•  Required technical capabilities not always present, especially for monitoring and logging

Supply chain security
•  Establish a program to qualify suppliers
•  Gain support from suppliers (you may not be an important enough customer for some)

THANK YOU

Wurldtech is a trademark of the General Electric Company. All other trademarks are the property of their respective owners. Wurldtech reserves the right to make changes in specifications and features shown herein, or discontinue the product described at any time without notice or obligation. All values are design or typical values when measured under laboratory conditions. © 2016 Wurldtech Security Technologies Inc. All rights reserved.