Implementing and Maintaining Cybersecurity for Industrial


APPROVED FOR PUBLIC RELEASE – DISTRIBUTION UNLIMITED

Implementing and Maintaining Cybersecurity for Industrial

Control Systems/Chemical Demilitarization Systems

24-26 May 2017

Presented to:

The 20th Annual International Chemical Weapons Demilitarisation Conference

Presented by:

Bobby D. Phillips

Chemist


A Partnership for Safe Chemical Weapons Destruction


Agenda


Definition of a Control System

Evolution of Industrial Control Systems (ICS)

Vulnerability of Modern ICS

Protecting Chemical Demilitarization Control Systems

Implementation of the Risk Management Framework

Key Strategies

– Categorization and Control Selection

– Network Monitoring

– Data Analysis

– Continuous Monitoring

– Other Key Strategies


Definition of a Control System

Control systems manage, command, direct, or regulate the behavior of other devices or systems

Consists of four elements

– Detector or sensor

– Assessor

– Effector

– Communication

ICS include

– Programmable logic controllers (PLC)

– Distributed control systems (DCS)

– Supervisory control and data acquisition (SCADA) systems


Evolution of ICS

Relay controls used in manufacturing (early 1900)

– Relays, switches and timers

PLC began to replace relay logic control systems (1970s)

– Linked to personal computers (PCs) (1986)

Modern control systems have integrated Information Technology (IT) capabilities

– Ethernet and TCP/IP for PLCs (1992)

– Interconnectivity

– Embedded web servers (2003)

– Increased vulnerabilities


Vulnerability of Modern ICS

2009 - 7,500 public-facing ICS were discovered

2014 - An estimated 27% of internet-connected devices were ICS

2016 - 91% of all ICS components used protocols that are insecure by design

– HTTP

– Telnet

– FTP


Vulnerability of Modern ICS (Cont.)

[Chart: Discovered Vulnerabilities in Industrial Control Systems. Source: Positive Technologies, SCADA Safety in Numbers, 2012]


Vulnerability of Modern ICS (Cont.)

Attacks have increased

– Increase of 110% from 2015 to 2017

Notable ICS attacks

– German steel mill (2014)

– Kemuri Water Company (March 2015)

– Ukrainian Power Outage (December 2015)

– New York Dam Attack (March 2016)

Potential consequences are much greater

– Injury and death

– Environmental issues

– Equipment damage/production loss

– Dangerous product


Protecting Chemical Demilitarization Control Systems

Department of Defense Instruction (DoDI) 8500.01

– Requires the establishment of a cybersecurity program

DoDI 8510.01

– Requires the use of the Risk Management Framework (RMF)

National Institute of Standards and Technology (NIST) provides specific instruction for implementation

– NIST Special Publication (SP) 800-53 (Recommended Security Controls)

– NIST SP 800-53A (Security Control Assessment)

– NIST SP 800-82 (Guidelines for ICS Security)

Beginning in 2014, the PEO ACWA moved quickly to determine how to implement the DoDIs for the plant control systems

– Contract modifications to require Systems Contractors to implement RMF


Implementation of the Risk Management Framework


Categorization and Control Selection

Categorization and control selection

– Critical first step

Categorization is based upon risk tolerance

– Availability

– Integrity

– Confidentiality

System risk category based upon individual risk values

– System risk equal to highest risk of any category

Control selections are made based on system risk category

– NIST 800-53

– NIST 800-82

– CNSSI 1253
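The "highest risk of any category" rule above is the FIPS 199 high-water mark that RMF Step 1 applies. The following is an added example, not the presentation's own material: it carries the rule through several constructed information types of a hypothetical plant control system, first per security objective and then for the system as a whole.

```python
# Added example (not from the presentation): FIPS 199-style "high water mark"
# categorization, the method RMF uses to derive the system category the slide
# describes. Information types and impact levels below are constructed.

LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def objective_impact(info_types, objective):
    """Highest impact level for one security objective across all information types."""
    worst = "low"
    for name, impacts in info_types.items():
        level = impacts[objective].lower()
        if level not in LEVELS:
            raise ValueError(f"{name}: unknown impact level {level!r} for {objective}")
        if LEVELS[level] > LEVELS[worst]:
            worst = level
    return worst


def categorize(info_types):
    """Per-objective impacts plus the overall category (the highest of the three)."""
    per_objective = {obj: objective_impact(info_types, obj) for obj in OBJECTIVES}
    system = max(per_objective.values(), key=LEVELS.__getitem__)
    return {"per_objective": per_objective, "system": system}


# Constructed information types for a hypothetical plant control system.
# Availability and integrity dominate because loss of view or control of the
# process is the safety issue; confidentiality is usually the lesser concern.
PLANT_ICS = {
    "process control commands": {"confidentiality": "low", "integrity": "high", "availability": "high"},
    "agent monitoring data": {"confidentiality": "moderate", "integrity": "high", "availability": "high"},
    "historian records": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
}

if __name__ == "__main__":
    result = categorize(PLANT_ICS)
    for obj, level in result["per_objective"].items():
        print(f"{obj:16s} {level}")
    print("system category:", result["system"])  # drives the SP 800-53 baseline selection
```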


Network Monitoring

ICS are often built on proven standards

– However, the technology is older

– Resistant to changes within the network

– Susceptible to delay and jitter

Light touch monitoring is key

– Passive network taps

– Agentless software

– Out-of-band data collection

Minimize impact on the network

Grassmarlin, developed by NSA

– Software to passively map ICS/SCADA network topology
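To show what "passive" mapping means in practice, here is an added example (not Grassmarlin and not the presentation's own code): it derives hosts, their likely ICS roles and who talks to whom from captured flow records only, and never emits a packet. The capture text, the addresses and the record format are constructed; the ICS protocol ports are the standard well-known ones.

```python
# Added example (not Grassmarlin and not the presentation's own code): a
# minimal passive mapper that builds an ICS asset inventory and peer list from
# captured flow metadata alone, so nothing is ever sent onto the control
# network. SAMPLE_CAPTURE is constructed data in the form
# "HH:MM:SS src:port > dst:port proto".
import re
from collections import defaultdict

# Well-known TCP ports of common ICS protocols: a server on one of these is
# typically a PLC/RTU, the client typically an HMI or engineering station.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3", 44818: "EtherNet/IP"}
FLOW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+>\s+(\S+):(\d+)\s+(\S+)$")

SAMPLE_CAPTURE = """\
10:00:01 10.20.1.10:50211 > 10.20.2.5:502 TCP
10:00:01 10.20.1.10:50212 > 10.20.2.6:502 TCP
10:00:02 10.20.1.11:49153 > 10.20.2.5:44818 TCP
10:00:03 10.20.3.40:59811 > 10.20.2.5:502 TCP
10:00:04 10.20.1.10:50213 > 10.20.1.200:1433 TCP
tap status line that is not a flow record
"""

def parse_flows(text):
    """Parse capture lines into (ts, src, sport, dst, dport, proto); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, sport, dst, dport, proto = m.groups()
            flows.append((ts, src, int(sport), dst, int(dport), proto))
    return flows

def passive_map(flows):
    """Return {host: {"roles": set, "peers": set}} inferred purely from observed traffic."""
    hosts = defaultdict(lambda: {"roles": set(), "peers": set()})
    for _, src, _, dst, dport, _ in flows:
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        if dport in ICS_PORTS:                       # classify by the protocol seen, never by probing
            hosts[dst]["roles"].add(f"{ICS_PORTS[dport]} server")
            hosts[src]["roles"].add(f"{ICS_PORTS[dport]} client")
    return dict(hosts)

if __name__ == "__main__":
    topo = passive_map(parse_flows(SAMPLE_CAPTURE))
    for host in sorted(topo):
        print(host, sorted(topo[host]["roles"]) or ["unclassified"], "peers:", sorted(topo[host]["peers"]))
```

Feeding the mapper from a tap or SPAN port keeps the "light touch" the slide calls for; the same inventory is the baseline against which later traffic can be compared.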


Data Analysis

Large amounts of data generated

– Network taps

– System logs

– Host and server logs

Centralize management and reporting

– Security Information and Event Management (SIEM)

Data Aggregators

– Software selection based on requirements

Still need human interaction and interpretation
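Centralizing the three data sources named above means normalizing them into one schema before any analysis. The following is an added example, not the presentation's own code: it merges a constructed tap export, a syslog line and a host event export into a per-host timeline and applies one constructed correlation rule that only nominates hosts for an analyst, which is the "human interpretation" step the slide insists on. Host names, addresses, the asset map and the log formats are all assumptions.

```python
# Added example (not from the presentation): three constructed log sources
# (network tap CSV, PLC/switch syslog, Windows-style host event export) are
# normalized into one schema and merged into the per-host timeline a SIEM
# would present; "needs_review" is a constructed rule that only nominates
# hosts for an analyst to look at.
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2017                                  # syslog lines carry no year; assumed
ICS_PORTS = {502, 102, 20000, 44818}         # Modbus, S7comm, DNP3, EtherNet/IP
ASSETS = {"ws-eng-03": "10.20.3.40", "plc-a5": "10.20.2.5"}   # constructed name -> IP
TAP_CSV = "2017-05-24T10:00:01,10.20.3.40,10.20.2.5,502\n2017-05-24T10:00:03,10.20.1.10,10.20.2.5,502"
SYSLOG = "May 24 10:00:02 plc-a5 link: port 3 up"
HOST_LOG = ("2017-05-24T09:58:40|ws-eng-03|4624|Logon type 2 user jdoe\n"
            "2017-05-24T09:59:10|ws-eng-03|20001|New removable device attached")

def normalize(tap_csv, syslog, host_log):
    """Map every source into {ts, host (IP), source, detail, ics} and sort by time."""
    events = []
    for line in tap_csv.splitlines():
        ts, src, dst, dport = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "host": src, "source": "tap",
                       "detail": f"flow to {dst}:{dport}", "ics": int(dport) in ICS_PORTS})
    for line in syslog.splitlines():
        stamp, (host, msg) = line[:15], line[16:].split(" ", 1)   # "Mon DD HH:MM:SS host msg"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=YEAR)
        events.append({"ts": ts, "host": ASSETS.get(host, host), "source": "syslog",
                       "detail": msg, "ics": False})
    for line in host_log.splitlines():
        ts, host, event_id, msg = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": ASSETS.get(host, host),
                       "source": "host", "detail": f"{event_id}: {msg}", "ics": False})
    return sorted(events, key=lambda e: e["ts"])

def timeline(events):
    """Group normalized events per host, preserving time order."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    return dict(by_host)

def needs_review(events, window=timedelta(minutes=5)):
    """Hosts where a removable-device event is followed within `window` by ICS-port traffic."""
    flagged = set()
    for host, evs in timeline(events).items():
        for i, e in enumerate(evs):
            if e["source"] == "host" and "removable" in e["detail"].lower():
                if any(f["ics"] and timedelta(0) <= f["ts"] - e["ts"] <= window for f in evs[i + 1:]):
                    flagged.add(host)
    return flagged
```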


Continuous Monitoring

Continuous monitoring is critical to continued success

– Includes data, people, and processes

Modify controls as necessary

– Implement and re-assess

Modify analytics as needed

Incident response plan

– Test regularly


Other Key Strategies

System Security Plans

– Establish security roles and responsibilities

– Document risk assessment and applied controls

– Establish expected behavior of users

– Provide procedures for incident response and recovery

“Defense in Depth” strategy

– Application of multiple countermeasures

– Layered from host to perimeter

Maintain configuration management

– Involve all levels of the organization

– Ensure all IT assets are included

– Record IT equipment configuration parameters


Other Key Strategies (Cont.)

Awareness and training

– Always an insider threat

• May be intentional or unintentional

Access control

– Control and monitor access to control systems

– Logical and physical

System Hardening

– System isolation

– Disable unused ports

– Disable unnecessary applications and services

– Whitelisting

Patch management

– Keep updates current

– Test all patches on a test bed before deployment


CONNECT WITH PEO ACWA: www.peoacwa.army.mil

www.pmacwa.army.mil

ACWA YouTube Channel: www.youtube.com/usaeacwa

ACWA Flickr Photostream: www.flickr.com/photos/acwa

ACWA Twitter Page: www.twitter.com/acwanews

ACWA Facebook Page: www.facebook.com/peoacwa

ACWA Instagram: www.instagram.com/peoacwa

Questions?
