APPROVED FOR PUBLIC RELEASE – DISTRIBUTION UNLIMITED
Implementing and Maintaining Cybersecurity for Industrial
Control Systems/Chemical Demilitarization Systems
24-26 May 2017
Presented to:
The 20th Annual International Chemical Weapons Demilitarisation Conference
Presented by:
Bobby D. Phillips
Chemist
A Partnership for Safe Chemical Weapons Destruction
Agenda
Definition of a Control System
Evolution of Industrial Control Systems (ICS)
Vulnerability of Modern ICS
Protecting Chemical Demilitarization Control Systems
Implementation of the Risk Management Framework
Key Strategies
– Categorization and Control Selection
– Network Monitoring
– Data Analysis
– Continuous Monitoring
– Other Key Strategies
Definition of a Control System
Control systems manage, command, direct, or regulate the behavior of other devices or systems
Consists of four elements
– Detector or sensor
– Assessor
– Effector
– Communication
ICS
– Programmable logic controllers (PLC)
– Distributed control systems (DCS)
– Supervisory control and data acquisition (SCADA) systems
Evolution of ICS
Relay controls used in manufacturing (early 1900)
– Relays, switches and timers
PLC began to replace relay logic control systems (1970s)
– Linked to personal computers (PCs) (1986)
Modern control systems have integrated Information Technology (IT) capabilities
– Ethernet and TCP/IP for PLCs (1992)
– Interconnectivity
– Embedded web servers (2003)
– Increased vulnerabilities
Vulnerability of Modern ICS
2009 - 7,500 public-facing ICS were discovered
2014 - Estimated 27% of connected devices are ICS connected to the internet
2016 - 91% of all ICS components used insecure design protocols
– HTTP
– Telnet
– FTP
Vulnerability of Modern ICS (Cont.)
[Chart: Discovered Vulnerabilities in Industrial Control Systems]
Source: Positive Technologies, SCADA Safety In Numbers, 2012
Vulnerability of Modern ICS (Cont.)
Attacks have increased
– Increase of 110% from 2015 - 2017
Notable ICS attacks
– German steel mill (2014)
– Kemuri Water Company (March 2015)
– Ukrainian Power Outage (December 2015)
– New York Dam Attack (March 2016)
Potential consequences are much greater
– Injury and death
– Environmental issues
– Equipment damage/production loss
– Dangerous product
Protecting Chemical Demilitarization Control Systems
Department of Defense Instruction (DoDI) 8500.01
– Requires the establishment of a cybersecurity program
DoDI 8510.01
– Requires the use of the Risk Management Framework (RMF)
National Institute of Standards and Technology (NIST) provides specific instruction for implementation
– NIST Special Publication (SP) 800-53 (Recommended Security Controls)
– NIST SP 800-53A (Security Control Assessment)
– NIST SP 800-82 (Guidelines for ICS security)
Beginning in 2014, the PEO ACWA moved quickly to determine how to implement the DoDIs for the plant control systems
– Contract modifications to require Systems Contractors to implement RMF
Implementation of the Risk Management Framework
Categorization and Control Selection
Categorization and control selection is the critical first step
Categorization is based upon risk tolerance
– Availability
– Integrity
– Confidentiality
System risk category based upon individual risk values
– System risk equal to highest risk of any category
Control selections are made based on system risk category
– NIST 800-53
– NIST 800-82
– CNSSI 1253
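The categorization rule on this slide (rate each objective, take the highest rating as the system category) can be written down as a short script. The following is an added example, not part of the presentation or of any PEO ACWA tooling; the level names, objective names and the three sample systems are constructed for illustration.

```python
# Added example (not from the presentation): high-water-mark categorization as
# the slide describes it. Impact levels, objective names and the sample system
# inventory are constructed for illustration.

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(impacts):
    """Return (system category, objectives that set it).

    `impacts` maps each security objective to LOW, MODERATE or HIGH. The
    system category is the highest rating of any objective, as the slide says;
    the second element records which objectives drove that rating, which is
    what the control-selection step needs to know.
    """
    missing = [o for o in OBJECTIVES if o not in impacts]
    if missing:
        raise ValueError(f"missing impact rating for {missing}")
    ratings = {}
    for o in OBJECTIVES:
        level = str(impacts[o]).upper()
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {impacts[o]!r} for {o}")
        ratings[o] = level
    top = max(ratings.values(), key=LEVELS.__getitem__)
    drivers = sorted(o for o, lvl in ratings.items() if lvl == top)
    return top, drivers


SAMPLE_SYSTEMS = {  # constructed, not a real plant inventory
    "agent-processing-dcs": {"confidentiality": "moderate", "integrity": "high", "availability": "high"},
    "plant-historian": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "badge-access-server": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
}


def categorize_inventory(systems=SAMPLE_SYSTEMS):
    """Category and driving objectives for every system in the inventory."""
    return {name: categorize(imp) for name, imp in systems.items()}


def availability_or_integrity_driven(systems=SAMPLE_SYSTEMS):
    """Systems whose category is set by availability or integrity rather than by
    confidentiality alone: the usual shape for a control system, and the reason
    the ICS-specific guidance (NIST SP 800-82) is consulted alongside SP 800-53
    when the controls are selected."""
    out = []
    for name, (_, drivers) in categorize_inventory(systems).items():
        if set(drivers) & {"availability", "integrity"}:
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for name, (cat, drivers) in categorize_inventory().items():
        print(f"{name:24s} {cat:9s} driven by {', '.join(drivers)}")
```

The value of recording the driving objectives, rather than only the category, is that two HIGH systems can need very different control emphasis: a badge server is HIGH because of confidentiality, a DCS because loss of availability or integrity endangers the process.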
Network Monitoring
ICS are often built on proven standards
– However, it is older technology
– Resistance to changes within the network
– Susceptible to delay and jitter
Light touch monitoring is key
– Passive network taps
– Agentless software
– Out-of-band data collection
Minimize impact on the network
Grassmarlin developed by NSA
– Software to passively map ICS/SCADA network topology
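Two slides meet here: the count of ICS components exposing HTTP, Telnet and FTP, and the light-touch monitoring rule that nothing may be sent into the control network to find out. The following is an added example, not part of the presentation and not GRASSMARLIN code: it builds a device and topology inventory purely from flow records a passive tap would already have produced, inferring roles from well-known ports and flagging hosts that accept cleartext management protocols. The flow records, addresses and port table are constructed for illustration.

```python
# Added example (not from the presentation, not GRASSMARLIN code): passive
# inventory and topology from observed flow records. Nothing is transmitted;
# the analysis only reads what a tap or SPAN port already captured.
from collections import defaultdict

# Well-known ICS and management ports used for role inference (assumed table).
ICS_PORTS = {502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip", 102: "s7comm"}
CLEARTEXT_PORTS = {80: "http", 23: "telnet", 21: "ftp"}  # the protocols the slide counts

SAMPLE_FLOWS = [  # constructed: (src_ip, dst_ip, dst_port, proto, bytes)
    ("10.10.1.5", "10.10.2.11", 502, "tcp", 4200),     # control server polling PLC A
    ("10.10.1.5", "10.10.2.12", 502, "tcp", 3900),     # control server polling PLC B
    ("10.10.1.5", "10.10.2.13", 44818, "tcp", 1800),   # EtherNet/IP drive
    ("10.10.1.20", "10.10.2.11", 80, "tcp", 950),      # embedded web server on PLC A
    ("10.10.1.20", "10.10.2.12", 23, "tcp", 310),      # telnet to PLC B
    ("10.10.2.11", "10.10.1.30", 514, "udp", 120),     # PLC A syslog to collector
    ("10.10.1.5", "10.10.2.11", 502, "tcp", 4100),     # repeat poll (deduplicated below)
]


def build_inventory(flows=SAMPLE_FLOWS):
    """Per-host view: protocol roles seen, peers talked to, cleartext services offered."""
    inv = defaultdict(lambda: {"roles": set(), "peers": set(), "cleartext": set()})
    for src, dst, dport, _proto, _nbytes in flows:
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        if dport in ICS_PORTS:
            name = ICS_PORTS[dport]
            inv[src]["roles"].add(f"{name}-client")   # the polling master
            inv[dst]["roles"].add(f"{name}-server")   # the outstation / PLC
        elif dport in CLEARTEXT_PORTS:
            svc = CLEARTEXT_PORTS[dport]
            inv[dst]["cleartext"].add(svc)            # host accepting cleartext mgmt
            inv[src]["roles"].add(f"{svc}-client")
    # sorted lists make the result stable for reporting and comparison over time
    return {h: {k: sorted(v) for k, v in d.items()} for h, d in inv.items()}


def cleartext_report(flows=SAMPLE_FLOWS):
    """Hosts observed serving HTTP, Telnet or FTP: the remediation worklist."""
    inv = build_inventory(flows)
    return {h: d["cleartext"] for h, d in inv.items() if d["cleartext"]}


def edges(flows=SAMPLE_FLOWS):
    """Deduplicated (src, dst, service) triples for drawing the topology graph.
    Ports outside the known tables are labelled by protocol/number so that
    unexpected conversations still appear on the map."""
    seen = set()
    for src, dst, dport, proto, _nbytes in flows:
        label = ICS_PORTS.get(dport) or CLEARTEXT_PORTS.get(dport) or f"{proto}/{dport}"
        seen.add((src, dst, label))
    return sorted(seen)


if __name__ == "__main__":
    for src, dst, label in edges():
        print(f"{src:12s} -> {dst:12s} {label}")
    print("cleartext services:", cleartext_report())
```

Comparing successive inventories is the useful part: a new edge, a new Modbus client, or a host that starts answering on port 23 shows up as a diff against the last map without any device ever having been probed.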
Data Analysis
Large amounts of data generated
– Network taps
– System logs
– Host and server logs
Centralize management and reporting
– Security Information and Event Management (SIEM)
Data Aggregators
– Software selection based on requirements
Still need human interaction and interpretation
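Once tap, system and host logs land in one place, the aggregator's job is correlation across sources rather than reading lines one at a time. The following is an added example, not part of the presentation and not any product's rule set: three rules over a constructed syslog-style feed from an engineering workstation, a PLC and the ICS firewall. The hostnames, message formats, the set of hosts allowed to write to the PLC and the thresholds are all assumptions; the last line of the slide still applies, since every alert below needs a person to decide whether the write from the workstation was a sanctioned change.

```python
# Added example (not from the presentation): correlation rules of the kind a SIEM
# or log aggregator runs over centralised ICS-zone logs. Log lines are constructed
# in a syslog-like layout; sources, formats and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOGS = """\
2017-05-24T08:01:10Z ews01 sshd: Failed password for admin from 10.10.1.77
2017-05-24T08:01:12Z ews01 sshd: Failed password for admin from 10.10.1.77
2017-05-24T08:01:15Z ews01 sshd: Failed password for admin from 10.10.1.77
2017-05-24T08:01:17Z ews01 sshd: Failed password for admin from 10.10.1.77
2017-05-24T08:01:20Z ews01 sshd: Failed password for admin from 10.10.1.77
2017-05-24T08:01:25Z ews01 sshd: Accepted password for admin from 10.10.1.77
2017-05-24T08:03:02Z plc-a1 modbus: write coil 17 value 1 from 10.10.1.5
2017-05-24T08:03:40Z plc-a1 modbus: write register 40021 value 350 from 10.10.1.77
2017-05-24T08:05:00Z fw-ics kernel: DENY TCP 10.10.2.11:49211 -> 203.0.113.9:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[\w-]+): (?P<msg>.*)$")
AUTHORISED_WRITERS = {"10.10.1.5"}   # assumed: only the control server may write to PLCs
FAILED_LOGIN_THRESHOLD = 4           # assumed tuning values
FAILED_LOGIN_WINDOW_S = 60


def parse(text):
    """Parse the feed into dicts with a real datetime; unparsable lines are skipped
    here, but a production pipeline should count them so a silent format change
    does not blind the rules."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(text=SAMPLE_LOGS):
    """Return (rule, subject, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)  # (host, source ip) -> recent failure timestamps
    for e in parse(text):
        host, msg = e["host"], e["msg"]
        m = re.match(r"Failed password for (\S+) from (\S+)", msg)
        if m:
            key = (host, m.group(2))
            recent = [t for t in failures[key] + [e["ts"]]
                      if (e["ts"] - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            failures[key] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, not on every later failure
                alerts.append(("brute-force", host, m.group(2)))
            continue
        m = re.match(r"Accepted password for (\S+) from (\S+)", msg)
        if m and failures.get((host, m.group(2))):
            alerts.append(("login-after-failures", host, m.group(2)))
            continue
        m = re.match(r"write \w+ \d+ value \S+ from (\S+)", msg)
        if m and m.group(1) not in AUTHORISED_WRITERS:
            alerts.append(("unauthorised-write", host, m.group(1)))
            continue
        m = re.match(r"DENY \w+ (\S+):\d+ -> (\S+):\d+", msg)
        if m:
            alerts.append(("egress-denied", m.group(1), m.group(2)))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect():
        print(f"{rule:22s} {subject:12s} {detail}")
```

The three rules read together tell a story the individual sources cannot: repeated failures then a success on the workstation, a PLC write from that same address that is not on the control server's list, and a PLC trying to reach the internet. Each line alone is low-severity noise; the correlation is what the centralised platform buys.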
Continuous Monitoring
Continuous monitoring is critical to continued success
– Includes data, people, and processes
Modify controls as necessary
– Implement and re-assess
Modify analytics as needed
Incident response plan
– Test regularly
Other Key Strategies
System Security Plans
– Establish security roles and responsibilities
– Document risk assessment and applied controls
– Establish expected behavior of users
– Provide procedures for incident response and recovery
“Defense in Depth” strategy
– Application of multiple countermeasures
– Layered from host to perimeter
Maintain configuration management
– Involve all levels of the organization
– Ensure all IT assets are included
– IT equipment parameters
Other Key Strategies (Cont.)
Awareness and training
– Always an insider threat
• May be intentional or unintentional
Access control
– Control and monitor access to control systems
– Logical and Physical
System Hardening
– System isolation
– Disable unused ports
– Disable unnecessary applications and services
– Whitelisting
Patch management
– Keep updates current
– Test bed all patches
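Configuration management, system hardening and patch management on these two slides share one mechanism: an approved record per asset and a periodic comparison of what is actually running against it. The following is an added example, not part of the presentation or of any PEO ACWA process: a baseline-versus-observed check that reports unmanaged assets, unapproved open ports, services and applications, required services that have stopped, and patch levels that differ from the tested level. The asset names, baseline records and scan results are constructed sample data.

```python
# Added example (not from the presentation): compare each asset's observed state
# with its approved baseline. One check covers configuration management (every
# asset has a record), system hardening (only approved ports, services and
# applications) and patch management (observed level matches the tested level).
# Baseline and scan results are constructed sample data.

BASELINE = {
    "hmi01": {"ports": {443, 502}, "services": {"hmi-runtime", "sshd", "log-forwarder"},
              "apps": {"hmi-runtime", "pdf-reader"}, "patch_level": "2017-04"},
    "plc-a1": {"ports": {502}, "services": set(), "apps": set(), "patch_level": "fw-2.3.1"},
}

OBSERVED = {  # what the latest host/firmware scan reported (constructed)
    "hmi01": {"ports": {443, 502, 23}, "services": {"hmi-runtime", "sshd", "telnetd"},
              "apps": {"hmi-runtime", "pdf-reader", "media-player"}, "patch_level": "2017-02"},
    "plc-a1": {"ports": {502, 80}, "services": set(), "apps": set(), "patch_level": "fw-2.3.1"},
    "lab-laptop": {"ports": {22}, "services": {"sshd"}, "apps": set(), "patch_level": "2017-05"},
}

SINGULAR = {"ports": "port", "services": "service", "apps": "app"}


def check_host(name, observed, baseline=BASELINE):
    """Return (finding, asset, detail) tuples for one asset; empty list if compliant."""
    if name not in baseline:
        # An asset with no record cannot be hardened or patched on purpose.
        return [("unmanaged-asset", name, None)]
    approved = baseline[name]
    findings = []
    # Hardening: anything listening, running or installed beyond the approved set.
    for kind, singular in SINGULAR.items():
        for item in sorted(observed[kind] - approved[kind], key=str):
            findings.append((f"unapproved-{singular}", name, item))
    # Required services (e.g. the log forwarder) that are no longer running.
    for svc in sorted(approved["services"] - observed["services"]):
        findings.append(("missing-service", name, svc))
    # Patch management: levels are opaque strings (firmware versions included),
    # so any difference from the test-bed-approved level is reported.
    if observed["patch_level"] != approved["patch_level"]:
        findings.append(("patch-level-mismatch", name,
                         f"observed {observed['patch_level']}, approved {approved['patch_level']}"))
    return findings


def audit(observed=OBSERVED, baseline=BASELINE):
    """Findings for every observed asset, in scan order."""
    findings = []
    for name, state in observed.items():
        findings.extend(check_host(name, state, baseline))
    return findings


if __name__ == "__main__":
    for finding, asset, detail in audit():
        print(f"{finding:22s} {asset:12s} {detail}")
```

The "missing-service" case matters as much as the unapproved ones: a hardening baseline that only forbids things will not notice when the log forwarder that feeds the SIEM quietly stops.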
CONNECT WITH PEO ACWA
www.peoacwa.army.mil
www.pmacwa.army.mil
ACWA YouTube Channel
www.youtube.com/usaeacwa
ACWA Flickr Photostream
www.flickr.com/photos/acwa
ACWA Twitter Page
www.twitter.com/acwanews
ACWA Facebook Page
www.facebook.com/peoacwa
ACWA Instagram
www.instagram.com/peoacwa
Questions?