
Page 1: Implementing and Maintaining Cybersecurity for Industrial

APPROVED FOR PUBLIC RELEASE – DISTRIBUTION UNLIMITED

Implementing and Maintaining Cybersecurity for Industrial

Control Systems/Chemical Demilitarization Systems

24-26 May 2017

Presented to:

The 20th Annual International Chemical Weapons Demilitarisation Conference

Presented by:

Bobby D. Phillips

Chemist


Page 2: Implementing and Maintaining Cybersecurity for Industrial

A Partnership for Safe Chemical Weapons Destruction


Agenda


Definition of a Control System

Evolution of Industrial Control Systems (ICS)

Vulnerability of Modern ICS

Protecting Chemical Demilitarization Control Systems

Implementation of the Risk Management Framework

Key Strategies

– Categorization and Control Selection

– Network Monitoring

– Data Analysis

– Continuous Monitoring

– Other Key Strategies

Page 3: Implementing and Maintaining Cybersecurity for Industrial


Definition of a Control System

Control systems manage, command, direct, or regulate the behavior of other devices or systems

Consists of four elements

– Detector or sensor

– Assessor

– Effector

– Communication

ICS

– Programmable logic controllers (PLC)

– Distributed control systems (DCS)

– Supervisory control and data acquisition (SCADA) systems

Page 4: Implementing and Maintaining Cybersecurity for Industrial


Evolution of ICS

Relay controls used in manufacturing (early 1900)

– Relays, switches and timers

PLC began to replace relay logic control systems (1970s)

– Linked to personal computers (PCs) (1986)

Modern control systems have integrated Information Technology (IT) capabilities

– Ethernet and TCP/IP for PLCs (1992)

– Interconnectivity

– Embedded web servers (2003)

– Increased vulnerabilities

Page 5: Implementing and Maintaining Cybersecurity for Industrial


Vulnerability of Modern ICS

2009 - 7,500 public-facing ICS were discovered

2014 - Estimated 27% of connected devices are ICS connected to the internet

2016 - 91% of all ICS components used insecure design protocols

– HTTP

– Telnet

– FTP

Page 6: Implementing and Maintaining Cybersecurity for Industrial


Vulnerability of Modern ICS (Cont.)

[Chart: Discovered Vulnerabilities in Industrial Control Systems]

Source: Positive Technologies, SCADA Safety In Numbers, 2012

Page 7: Implementing and Maintaining Cybersecurity for Industrial


Vulnerability of Modern ICS (Cont.)

Attacks have increased

– Increase of 110% from 2015 - 2017

Notable ICS attacks

– German steel-mill (2014)

– Kemuri Water Company (March 2015)

– Ukrainian Power Outage (December 2015)

– New York Dam Attack (March 2016)

Potential consequences are much greater

– Injury and death

– Environmental issues

– Equipment damage/production loss

– Dangerous product

Page 8: Implementing and Maintaining Cybersecurity for Industrial


Protecting Chemical Demilitarization Control Systems

Department of Defense Instruction (DoDI) 8500.01

– Requires the establishment of a cybersecurity program

DoDI 8510.01

– Requires the use of the Risk Management Framework (RMF)

National Institute of Standards and Technology (NIST) provides specific instruction for implementation

– NIST Special Publication (SP) 800-53 (Recommended Security Controls)

– NIST SP 800-53A (Security Control Assessment)

– NIST SP 800-82 (Guidelines for ICS security)

Beginning in 2014, the PEO ACWA moved quickly to determine how to implement the DoDIs for the plant control systems

– Contract modifications to require Systems Contractors to implement RMF

Page 9: Implementing and Maintaining Cybersecurity for Industrial


Implementation of the Risk Management Framework

Page 10: Implementing and Maintaining Cybersecurity for Industrial


Categorization and Control Selection

Categorization and control selection

– Critical first step

Categorization is based upon risk tolerance

‒ Availability

‒ Integrity

‒ Confidentiality

System risk category based upon individual risk values

‒ System risk equal to highest risk of any category

Control selections are made based on system risk category

‒ NIST 800-53

‒ NIST 800-82

‒ CNSSI 1253

Page 11: Implementing and Maintaining Cybersecurity for Industrial


Network Monitoring

ICS are often built on proven standards

– However, it is older technology

– Resistance to changes within the network

– Susceptible to delay and jitter

Light touch monitoring is key

– Passive network taps

– Agentless software

– Out-of-band data collection

Minimize impact to the network

Grassmarlin developed by NSA

– Software to passively map ICS/SCADA network topology

Page 12: Implementing and Maintaining Cybersecurity for Industrial


Data Analysis

Large amounts of data generated

– Network taps

– System logs

– Host and server logs

Centralize management and reporting

– Security Information and Event Management (SIEM)

Data Aggregators

– Software selection based on requirements

Still need human interaction and interpretation

Page 13: Implementing and Maintaining Cybersecurity for Industrial


Continuous Monitoring

Continuous monitoring is critical to continued success

– Includes data, people, and processes

Modify controls as necessary

– Implement and re-assess

Modify analytics as needed

Incident response plan

– Test regularly
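The Network Monitoring, Data Analysis and Continuous Monitoring slides describe the same loop: collect passively, centralize, compare against what is expected, and hand the result to an analyst. The following is an added example, not material from the presentation or from PEO ACWA. It assumes flow summaries (timestamp, source, destination, destination port) such as a passive tap or an agentless collector would export; the flows, the approved-asset list and the baseline are constructed for the example. It maps which hosts talk to which, flags the cleartext protocols named on the "Vulnerability of Modern ICS" slide (HTTP, Telnet, FTP), lists hosts absent from the configuration-management inventory, and reports conversations not seen in the baseline period.

```python
"""Passive ICS traffic review: inventory, cleartext-protocol findings and
change detection against a baseline.

Added example, not part of the presentation. Flow records, asset list and
baseline below are constructed; the tuple layout (timestamp, src, dst, port)
is an assumption about what a passive collector would export.
"""
from collections import defaultdict

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("2017-05-24T08:00:01", "10.10.1.5", "10.10.1.20", 502),   # HMI polling PLC-1 (Modbus/TCP)
    ("2017-05-24T08:00:02", "10.10.1.5", "10.10.1.21", 502),   # HMI polling PLC-2
    ("2017-05-24T08:00:05", "10.10.1.7", "10.10.1.20", 80),    # engineering workstation to PLC web server
    ("2017-05-24T08:00:09", "10.10.1.7", "10.10.1.21", 23),    # Telnet session to PLC-2
    ("2017-05-24T08:01:00", "10.10.1.99", "10.10.1.20", 502),  # host not in the inventory polling PLC-1
    ("2017-05-24T08:01:30", "10.10.1.5", "10.10.1.30", 21),    # FTP transfer to the historian
]

# Constructed approved-asset inventory (the configuration-management record).
APPROVED_ASSETS = {
    "10.10.1.5": "HMI",
    "10.10.1.7": "ENG-WS",
    "10.10.1.20": "PLC-1",
    "10.10.1.21": "PLC-2",
    "10.10.1.30": "HISTORIAN",
}

# Cleartext protocols called out on the "Vulnerability of Modern ICS" slide.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed baseline of expected conversations (src, dst, port) from an
# earlier monitoring period; continuous monitoring re-checks against it.
BASELINE = {
    ("10.10.1.5", "10.10.1.20", 502),
    ("10.10.1.5", "10.10.1.21", 502),
    ("10.10.1.7", "10.10.1.20", 80),
}


def build_topology(flows):
    """Map each source host to the set of (destination, port) pairs it talked to."""
    topology = defaultdict(set)
    for _ts, src, dst, port in flows:
        topology[src].add((dst, port))
    return dict(topology)


def find_insecure_protocols(flows, insecure_ports=INSECURE_PORTS):
    """Return (timestamp, src, dst, protocol) for every flow on a cleartext port."""
    return [(ts, src, dst, insecure_ports[port])
            for ts, src, dst, port in flows if port in insecure_ports]


def find_unapproved_hosts(flows, approved=APPROVED_ASSETS):
    """Return hosts seen on the wire that are absent from the approved inventory."""
    seen = {ip for _ts, src, dst, _port in flows for ip in (src, dst)}
    return sorted(seen - set(approved))


def find_new_conversations(flows, baseline=BASELINE):
    """Return (src, dst, port) triples not in the baseline, in the order first seen."""
    new = []
    for _ts, src, dst, port in flows:
        key = (src, dst, port)
        if key not in baseline and key not in new:
            new.append(key)
    return new


def review(flows):
    """Assemble the findings an analyst reviews; each one still needs human interpretation."""
    return {
        "topology": build_topology(flows),
        "insecure_protocols": find_insecure_protocols(flows),
        "unapproved_hosts": find_unapproved_hosts(flows),
        "new_conversations": find_new_conversations(flows),
    }


if __name__ == "__main__":
    for section, items in review(SAMPLE_FLOWS).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

Everything here is computed from a copy of the traffic, so it adds no load or latency to the control network, which is the point of the "light touch" bullets. The unapproved-host and new-conversation checks are only as good as the inventory and baseline they compare against, which is why the slides tie monitoring to configuration management and to re-assessing analytics over time.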

Page 14: Implementing and Maintaining Cybersecurity for Industrial


Other Key Strategies

System Security Plans

– Establish security roles and responsibilities

– Document risk assessment and applied controls

– Establish expected behavior of users

– Provide procedures for incident response and recovery

“Defense in Depth” strategy

– Application of multiple countermeasures

– Layered from host to perimeter

Maintain configuration management

– Involve all levels of the organization

– Ensure all IT assets are included

– IT equipment parameters

Page 15: Implementing and Maintaining Cybersecurity for Industrial


Other Key Strategies (Cont.)

Awareness and training

– Always an insider threat

• May be intentional or unintentional

Access control

– Control and monitor access to control systems

– Logical and Physical

System Hardening

– System isolation

– Disable unused ports

– Disable unnecessary applications and services

– Whitelisting

Patch management

– Keep updates current

– Test all patches on a test bed before deployment

Page 16: Implementing and Maintaining Cybersecurity for Industrial


www.pmacwa.army.mil

ACWA YouTube Channel

www.youtube.com/usaeacwa

ACWA Flickr Photostream

www.flickr.com/photos/acwa

ACWA Twitter Page

www.twitter.com/acwanews

ACWA Facebook Page

www.facebook.com/peoacwa

CONNECT WITH PEO ACWA

www.peoacwa.army.mil

ACWA Instagram

www.instagram.com/peoacwa

Questions ?