American Bar Association
Section of Science and Technology Law, Information Security Committee
2009 Annual Meeting – Lunch Presentation
Wednesday, July 29, 2009

Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE

Legal and IT Aspects of Securing Our Critical Infrastructures

Creative Commons License v3.0.
What is a “critical infrastructure”?

• Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1)
• These assets include (but are not limited to):
– Telecommunication systems
– Energy distribution
– Banking & financial systems
– Transportation
– Water treatment facilities
– etc. … there are a total of 14 infrastructure sectors.

1. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
Reasons for addressing infrastructure issues

• Critical infrastructures were historically regarded as physically and logically interdependent systems … until 9/11.
• With advances in IT systems and efforts to improve the efficiency of these systems, infrastructures have become increasingly automated and interlinked.
• These improvements have created new vulnerabilities:(2)
– Equipment failure
– Human error
– Natural causes (weather, drought, corrosion, locusts…)
– Physical and computer-related attacks

2. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
Issues with our critical infrastructures today

• Each infrastructure entity is responsible for protecting its own infrastructure; there is little to no cross-cooperation.
• Each infrastructure entity needs to have measures that assure its information is valid and accurate (apply the A-I-C principle); most are currently lacking.
• Work should take a holistic approach, as the systems are interdependent (the Domino Principle).
Assure the systems that support the systems

• The infrastructure assurance process should:
– Provide a consistent testing and evaluation framework for each infrastructure sector.
– Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect.
– Expedite the process of validating holistic systems.
• Assurance processing applies to both the public and private sectors.
Introducing SCADA and control systems …

• Most control systems are computer based.
• Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions.
• Function to provide safety controls and security.
• Primary role is to ensure operations continuity within a plant.
• Control system capabilities vary from simple to complex.
Introducing SCADA and control systems …

• Two kinds of industrial control systems (ICS):
– Distributed Control Systems (DCS) are typically used within a single process or plant, or used over a smaller geographic area, possibly even a single site location.
– SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3)

3. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
What makes a control system different?

• Conventional data systems (IT) are human oriented.
• Control systems are machine / process oriented:
– Cannot be easily stopped; once stopped, an ICS takes a very long time to restart, and stopping it means loss of revenue.
– However … there is more at stake than financial considerations; stopping an ICS can introduce safety issues.
– Availability and reliability are paramount.
Practical and legal considerations

1. Safety ALWAYS
2. Availability of the service
3. Security and access control
4. Regulation and compliance
Admiralty Law similarity: ICS practical concerns

• You CANNOT stop operation of an infrastructure.
• You CAN refer to federal investigation reports from the NTSB, NRC, or CSB.
• You CAN depose engineers, operators, and technicians once the emergency is no longer a threat.
• You CANNOT confiscate original data without a scheduled outage and/or without having a duplicate, backup system.
• Prosecution of any offense should occur AFTER the event has been rendered safe, investigations have been conducted, and results have been reported by recognized experts.
Provenance of data is extremely important

• Accurate timestamps and source material are crucial.
• Logs from an ICS must be validated.
• Instrumentation needs to be validated AFTER an incident, but before …
– An expert with a control systems background is involved; and,
– who has knowledge of information security, with certification and registration.
• Control systems are NOT at all similar to “personal computers”:
– Real Time Systems (RTS) are operated very differently (see orientation).
– Process controllers are fundamentally similar to embedded systems.
Provenance of data is extremely important

• Cryptographic signatures (if applicable, if possible).
• Management methods must be documented.
– Explains ‘what’ and ‘how’.
• Access to each system must be documented.
– Answers ‘who’, ‘when’ and ‘where’.
• Protocols and code must be validated and documented.
– Validates ‘why’.
Factors to consider with ICS

• Latency of data events.
– Timing delay between events.
• Sequence of events.
– Order of events.
• Timing of events.
– Duration and speed of events.
• Time when alarms were reported to plant operators.
– When an alarm is reported, confirm that the event actually took place at its stated time.
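The provenance slide (signatures, validated logs, ‘who/when/where/what’) and the factors slide (latency, sequence, alarm reporting time) together describe what an investigator needs from an ICS event record. The following is an added example, not code from the presentation or its authors: it keeps a hash-chained, HMAC-signed event log so that backdating or editing an entry is detectable, and then runs the sequence, latency and alarm-timing checks over the validated log. The signing key, the event fields, the 5-second alarm latency threshold and the sample events are all constructed for the example.

```python
"""Tamper-evident ICS event log with timing analysis (added example, constructed data)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed key for the example only. In a real historian the key would be held
# by the logging host (ideally in hardware), never embedded in source.
LOG_KEY = b"example-historian-key"
GENESIS = "0" * 64  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(prev_mac: str, entry: dict) -> dict:
    """Link an event (who/when/where/what) to its predecessor and sign it."""
    body = dict(entry, prev=prev_mac)
    body["mac"] = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return body


def build_chain(entries):
    """Sign entries in order; each MAC covers the previous MAC, forming a chain."""
    chain, prev = [], GENESIS
    for entry in entries:
        signed = sign_entry(prev, entry)
        chain.append(signed)
        prev = signed["mac"]
    return chain


def verify_chain(chain) -> list:
    """Return indices of entries whose signature or chain link fails to validate."""
    bad, prev = [], GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if body.get("prev") != prev or not hmac.compare_digest(expected, entry["mac"]):
            bad.append(i)
        prev = entry["mac"]
    return bad


def timing_findings(chain, max_alarm_latency=timedelta(seconds=5)) -> list:
    """Check sequence (order), latency and alarm reporting time over a verified log."""
    ts = lambda e: datetime.fromisoformat(e["when"])
    findings = []
    # Sequence: a later log entry must not carry an earlier timestamp.
    for a, b in zip(chain, chain[1:]):
        if ts(b) < ts(a):
            findings.append(f"out-of-order: seq {b['seq']} before seq {a['seq']}")
    # Alarm timing: each alarm must follow its source event within the threshold.
    by_seq = {e["seq"]: e for e in chain}
    for e in chain:
        if e["what"] != "alarm":
            continue
        src = by_seq.get(e["source_seq"])
        if src is None:
            findings.append(f"alarm {e['seq']} references an unknown source event")
            continue
        latency = ts(e) - ts(src)
        if latency < timedelta(0):
            findings.append(f"alarm {e['seq']} reported before its source event")
        elif latency > max_alarm_latency:
            findings.append(
                f"alarm {e['seq']} latency {latency.total_seconds():.0f}s exceeds threshold")
    return findings


# Constructed sample events: a pressure excursion, its operator alarm, a valve
# closure logged with an earlier timestamp, and a late alarm for that closure.
SAMPLE_EVENTS = [
    {"seq": 1, "when": "2009-07-29T12:00:00+00:00", "who": "PLC-7", "where": "pump-house",
     "what": "setpoint", "detail": "pressure high-high"},
    {"seq": 2, "when": "2009-07-29T12:00:02+00:00", "who": "HMI-1", "where": "control-room",
     "what": "alarm", "source_seq": 1},
    {"seq": 3, "when": "2009-07-29T12:00:01+00:00", "who": "PLC-7", "where": "pump-house",
     "what": "valve-close", "detail": "V-12"},
    {"seq": 4, "when": "2009-07-29T12:01:30+00:00", "who": "HMI-1", "where": "control-room",
     "what": "alarm", "source_seq": 3},
]


def demo():
    """Sign the sample log, show that backdating an entry is detected, and run timing checks."""
    chain = build_chain(SAMPLE_EVENTS)
    tampered = [dict(e) for e in chain]
    tampered[0]["when"] = "2009-07-29T11:59:00+00:00"  # backdate the first event
    return verify_chain(tampered), timing_findings(chain)


if __name__ == "__main__":
    bad, findings = demo()
    print("tampered entries:", bad)
    for f in findings:
        print("finding:", f)
```

The chain only proves integrity from the point of signing onward, which is why the slides pair signatures with validated instrumentation and documented access: an entry signed by a compromised logging host is still a valid signature. The sequence check flags seq 3, whose timestamp precedes the entry logged before it, and the alarm check flags seq 4, reported 89 seconds after its source event; both are the kind of discrepancy an expert would need to explain before the log is relied on.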
Public standards for control system security

• NERC CIP (not considered a complete specification by many).
• NIST SP800-53: “Recommended Security Controls for Federal Information Systems”.(4)
• NIST SP800-82: “Guide to Industrial Control Systems (ICS) Security”.(5)

4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Controls for Federal Information Systems”, December 2007; URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.
5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.
Public standards for control system security

• ISA-99
– Currently under complex development.
– Coordinated with the ISA-84 safety specifications.
– Considered the most complete and extensive, with contributed input from the industry.
• Beware of the compliance approach: being compliant is NOT the same as being secure.(6)
• DHS’s CS2SAT tool is just that, only a tool; CS2SAT is NOT a prosecutable document.(7)

6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html.
7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html.
CS2SAT
NOTE: This particular version is distributed from Lofty Perch, Inc.
Public regulations for control systems security

• Chemical Facility Anti-Terrorism Standards (CFATS).(8)
• FISMA recommends NIST SP800-53.(9)
• NERC CIP requires additional work before FERC utilizes it.

8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm.
9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html.
A copy of this presentation may be found at our web site:
http://www.infracritical.com/papers/aba-isc-2009.zip
Bob Radvanovsky, (630) [email protected]
Jacob Brodsky, (443) [email protected]