American Bar Assoc. ISC 2009


Legal and IT Aspects of Securing
Our Critical Infrastructures



  1. American Bar Association, Section of Science and Technology Law, Information Security Committee, 2009 Annual Meeting – Lunch Presentation, Wednesday, July 29, 2009. Bob Radvanovsky, CIFI, CISM, CIPS; Jacob Brodsky, PE. Legal and IT Aspects of Securing Our Critical Infrastructures. Creative Commons License v3.0.
  2. What is a “critical infrastructure”?
     • Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1)
     • These assets include (but are not limited to):
       – Telecommunication systems
       – Energy distribution
       – Banking & financial systems
       – Transportation
       – Water treatment facilities
       – etc. … there are a total of 14 infrastructure sectors.
     1. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
  3. Reasons for addressing infrastructure issues
     • Critical infrastructures were historically regarded as physically and logically independent systems … until 9/11.
     • With advances in IT and efforts to improve the efficiency of these systems, infrastructures have become increasingly automated and interlinked.
     • These improvements created new vulnerabilities:(2)
       – Equipment failure
       – Human error
       – Natural causes (weather, drought, corrosion, locusts …)
       – Physical and computer-related attacks
     2. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
  4. Issues with our critical infrastructures today
     • Each infrastructure entity is responsible for protecting its own infrastructure; there is little to no cross-sector cooperation.
     • Each infrastructure entity needs measures that assure its information is valid and accurate (apply the A-I-C principle: availability, integrity, confidentiality); most currently lack them.
     • Work should take a holistic approach, since the systems are interdependent (the Domino Principle).
  5. Assure the systems that support the systems
     • The infrastructure assurance process should:
       – Provide a consistent testing and evaluation framework for each infrastructure sector.
       – Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect.
       – Expedite the process of validating holistic systems.
     • Assurance processing applies to both the public and private sectors.
  6. Introducing SCADA and control systems …
     • Most control systems are computer based.
     • Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions.
     • Function to provide safety controls and security.
     • Primary role is to ensure operational continuity within a plant.
     • Control system capabilities vary from simple to complex.
  7. Introducing SCADA and control systems …
     • Two kinds of industrial control systems (ICS):
       – Distributed Control Systems (DCS) are typically used within a single process or plant, or over a smaller geographic area, possibly even a single site.
       – SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3)
     3. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
  8. What makes a control system different?
     • Conventional data systems (IT) are human oriented.
     • Control systems are machine / process oriented:
       – Cannot be easily stopped; once stopped, they take a very long time to restart, and stopping an ICS means loss of revenue.
       – However … there is more at stake than financial considerations; stopping an ICS can introduce safety issues.
       – Availability and reliability are paramount.
  9. Practical and legal considerations
     1. Safety ALWAYS
     2. Availability of the service
     3. Security and access control
     4. Regulation and compliance
  10. Admiralty Law similarity: ICS practical concerns
     • You CANNOT stop operation of an infrastructure.
     • You CAN refer to federal investigation reports from the NTSB, NRC, or CSB.
     • You CAN depose engineers, operators, and technicians once the emergency is no longer a threat.
     • You CANNOT confiscate original data without a scheduled outage and/or without a duplicate, backup system in place.
     • Prosecution of any offense should occur AFTER the event has been rendered safe, investigations have been conducted, and results have been reported by recognized experts.
  11. Provenance of data is extremely important
     • Accurate timestamps, and an accurate record of where the data came from, are crucial.
     • Logs from ICS must be validated.
     • Instrumentation needs to be validated AFTER an incident, but before …
       – an expert with a control systems background is involved; and
       – one who has information security knowledge, with certification and registration.
     • Control systems are NOT at all similar to “personal computers”:
       – Real Time Systems (RTS) are operated very differently (see orientation).
       – Process controllers are fundamentally similar to embedded systems.
  12. Provenance of data is extremely important
     • Cryptographic signatures (if applicable, if possible).
     • Management methods must be documented.
       – Explaining ‘what’ and ‘how’.
     • Access to each system must be documented:
       – Answers ‘who’, ‘when’ and ‘where’.
     • Protocols and code must be validated and documented.
       – Validates ‘why’.
  13. Factors to consider with ICS
     • Latency of data events.
       – Timing delay between events.
     • Sequence of events.
       – Order of events.
     • Timing of events.
       – Duration and speed of events.
     • Time at which alarms were reported to plant operators.
       – When an alarm is reported, confirm that the event took place at its stated time.
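The provenance checks the two preceding slides call for (signed, validated logs; sequence, timing and latency of events; the time an alarm reached the operator versus the time of the event) can be mechanised when the log format allows it. The following is an added example written for this page, not code from the presentation, from the authors, or from any ICS vendor. It assumes a hypothetical line-oriented JSON record format in which the logging host attaches an HMAC-SHA256 tag over the record's fields using a key shared with the historian; the field names, the key, and the sample records are all constructed for illustration.

```python
"""Provenance checks for ICS event/alarm log records (added example).

Assumed, hypothetical format: one JSON object per line with the fields
seq, source, event_ts, alarm_ts (epoch seconds) and message, plus a "tag"
computed by the logging host as HMAC-SHA256 over the canonical JSON of the
other fields. Nothing here is a real vendor format.
"""
import hashlib
import hmac
import json

SIGNED_FIELDS = ("seq", "source", "event_ts", "alarm_ts", "message")


def canonical(entry):
    """Deterministic bytes of the signed fields so signer and verifier agree."""
    subset = {k: entry[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry, key):
    """What the logging host does: attach an HMAC tag to a record."""
    tagged = dict(entry)
    tagged["tag"] = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return tagged


def verify_log(lines, key, max_latency_s=2.0):
    """Return a list of (seq, problem) findings; an empty list means the log passed.

    Checks, in the order the slides list them: source authenticity (signature),
    sequence of events, timing of events, and alarm-report latency.
    """
    findings = []
    prev_seq = None
    prev_event_ts = None
    for line in lines:
        entry = json.loads(line)
        seq = entry["seq"]

        # 1. Source: recompute the tag. A mismatch means the record was altered
        #    or was not produced by a holder of the key; its other fields are
        #    not trusted for the remaining checks.
        expected = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("tag", "")):
            findings.append((seq, "bad signature"))
            continue

        # 2. Sequence: a gap or reordering means records were dropped or inserted.
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((seq, f"sequence gap after {prev_seq}"))

        # 3. Timing: event timestamps must not run backwards within one source log.
        if prev_event_ts is not None and entry["event_ts"] < prev_event_ts:
            findings.append((seq, "event timestamp earlier than previous record"))

        # 4. Latency: an alarm cannot be reported before its event, and a long
        #    delay between event and operator alarm needs an explanation.
        latency = entry["alarm_ts"] - entry["event_ts"]
        if latency < 0:
            findings.append((seq, "alarm reported before event"))
        elif latency > max_latency_s:
            findings.append((seq, f"alarm latency {latency:.1f}s exceeds {max_latency_s}s"))

        prev_seq, prev_event_ts = seq, entry["event_ts"]
    return findings


# Constructed sample data (not real plant records); the key is a placeholder.
KEY = b"placeholder-historian-key"
_records = [
    {"seq": 1, "source": "PLC-07", "event_ts": 1000.0, "alarm_ts": 1000.4, "message": "HI level tank 3"},
    {"seq": 2, "source": "PLC-07", "event_ts": 1001.0, "alarm_ts": 1001.3, "message": "pump P3 start"},
    # seq 3 is missing; seq 5 carries an earlier event time and a slow alarm
    {"seq": 4, "source": "PLC-07", "event_ts": 1003.0, "alarm_ts": 1003.1, "message": "pump P3 stop"},
    {"seq": 5, "source": "PLC-07", "event_ts": 1002.5, "alarm_ts": 1006.0, "message": "HIHI level tank 3"},
]
SAMPLE_LOG = [json.dumps(sign_entry(r, KEY)) for r in _records]

# The same log after someone edits the message of record 2 post-signing.
_tampered = json.loads(SAMPLE_LOG[1])
_tampered["message"] = "pump P3 stop"
TAMPERED_LOG = SAMPLE_LOG[:1] + [json.dumps(_tampered)] + SAMPLE_LOG[2:]

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("tampered", TAMPERED_LOG)):
        print(name)
        for seq, problem in verify_log(log, KEY):
            print(f"  seq {seq}: {problem}")
```

Two caveats a practitioner would add. The signature check is only as strong as custody of the key: if the same key sits on the PLC gateway and on every engineering workstation, a tag proves little about who wrote the record, which is why the slide lists access documentation (‘who’, ‘when’, ‘where’) alongside the signatures. And the timing checks assume the event and alarm clocks are synchronised; in a real plant the skew between controller and alarm server must be measured and subtracted before a negative or excessive latency is treated as evidence.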
  14. Public standards for control system security
     • NERC CIP (not considered a complete specification by many).
     • NIST SP 800-53: “Recommended Security Controls for Federal Information Systems”.(4)
     • NIST SP 800-82: “Guide to Industrial Control Systems (ICS) Security”.(5)
     4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Controls for Federal Information Systems”, December 2007; URL:
     5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL:
  15. Public standards for control system security
     • ISA-99
       – Currently under complex development.
       – Coordinated with the ISA-84 safety specifications.
       – Considered the most complete and extensive, with contributed input from industry.
     • Beware of the compliance approach: being compliant is NOT the same as being secure.(6)
     • DHS’s CS2SAT tool is just that, a tool; CS2SAT is NOT a prosecutable document.(7)
     6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL:
     7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL:
  16. CS2SAT. NOTE: This particular version is distributed by Lofty Perch, Inc.
  17. Public regulations for control systems security
     • Chemical Facility Anti-Terrorism Standards (CFATS).(8)
     • FISMA recommends NIST SP 800-53.(9)
     • NERC CIP requires additional work before FERC utilizes it.
     8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL:
     9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL:
  18. A copy of this presentation may be found at our web site:
     Bob Radvanovsky, (630) 673-7740
     Jacob Brodsky, (443) 285-3514
     Creative Commons License v3.0.