Shared Situational Awareness: The Achievable Path. ICSJWG Spring 2014

  1. Shared Situational Awareness: The Achievable Path
     Chris Blask, ICS-ISAC Chair, chris@ics-isac.org
  2. What Paths Are We Pursuing?
  3. Vulnerabilities
     • Research and Find… LOTS! [insert vendor] [insert product] [insert vuln count]
     • The Answer:
       – Get vendors to fix all vulnerabilities
       – Get asset owners to apply all patches
  4. Architectures
     • Flat Networks, Single Points of Failure
     • The Answer:
       – Get asset owners to re-architect all networks
  5. Training
     • Operators, Architects and Coders Lack Skills
     • The Answer:
       – Train all Users to Control Behavior
       – Educate all System Designers
       – Train all vendor engineers to build Secure-By-Design
  6. Isolation
     • Shodan / Project Shine: 1,000,000 connected networks
     • The Answer:
       – Air Gaps!
       – Forbid Remote Access
  7. Let’s Talk Scale…
     • ~6,000 Electric Utilities
     • 55,000 Substations
     • 100,000 EHV Transformers
     • 200,000 Miles of Transmission Lines
     • 2.2 Million Miles of Distribution Lines
     • 300,000 Electric Engineers
  8. Let’s Talk Scale…
     • ~50,000 Water Utilities
     • 1 Million Miles of Water Pipes
     • 400B Gallons Potable Water Per Day
     • 80B Gallons of Wastewater Per Day
  9. Let’s Talk Scale…
     • 150 Oil Refineries
     • 6.5B Barrels Annually
     • 120,000 Gas Stations
     • 2,000 Offshore Oil Rigs
     • 1,000,000 Oil Wells
     • 40,000 Petroleum Engineers
  10. Let’s Talk Scale…
     • 200 Natural Gas Utilities
     • 300,000 Miles of Gas Transmission Pipelines
     • 2.4 Million Miles of Distribution Pipes
     • 2T Cubic Feet Annually
     • 600,000 Gas Sector Employees
  11. Let’s Talk Scale…
     • 28,000 Food Processing Facilities
     • 2,200,000 Farms
     • 1B Tons of Food Products Annually
  12. Let’s Talk Scale…
     • 100 Urban Rail Systems
     • 25,000 Locomotives
     • 1.3M Cars
     • 200,000 Rail Crossings
     • 140,000 Miles of Freight Rail
     • 1.5T Ton-Miles of Freight
  13. Let’s Talk Scale…
     • 300,000 Manufacturing Plants
     • 17.4M Jobs
     • $2T in Manufactured Goods
  14. Let’s Talk Scale…
     • Metals and Mining
     • Aviation
     • Maritime
     • Ports
     • Highways
     • …
  15. How Long Will All That Take?
     • To Find All Vulnerabilities?
     • To Apply All Patches?
     • To Create All New Devices?
     • To Re-Architect All Networks?
     • To Train Everyone?
  16. What Would We Gain?
     • Infrastructure Vulnerable to Every Day Zero
     • Network Segments That Still Fail
     • Insider Threats that Succeed
  17. What is Achievable?
     • The Same Thing Operators Use Now: Visibility
     • At the Facility
     • Across Sectors
     • Nationally
     • Internationally
  18. Shared Knowledge Network
     (diagram: Private Centers, Public Centers and Service Providers exchanging Knowledge, Data & Information)
  19. Resilience of Shared Situational Awareness
     (diagram: Asset Owner, Sharing Node, Knowledge Source, Knowledge Centers, ICS-ISAC, Integrators, CERTs, Service Providers, Trade Organizations)
  20. We Need to Know:
     • Who We Are
     • What We Have
     • What it is Doing
     • How To Share
  21. Pieces Falling Into Places
     • Tools and Process For Visibility
     • Common Language for Sharing
     • Compatible Plumbing
     • Local, State, National and Global Structures
  22. A Common Language for Sharing
  23. Automated Knowledge Sharing
     TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries.
  24. Project Avalanche
     • Open Source Sharing Platform
     • STIX Repository
     • TAXII Server
     • Pilot Operational
     • Open Source Summer 2014
  25. Situational Awareness Ref Arch (SARA)
     • Identity – “Who are we?”
     • Inventory – “What do we have?”
     • Activity – “What is it doing?”
     • Sharing – “How do we communicate with others?”
  26. SARA Overview
     • Reference Architecture for Shared Visibility
     • Guide
     • Network
     • Open Source Toolset
     • ICS-ISAC.org/sara
  27. Identity
     • Foundation for Rational Decisions
       – What capabilities do we have?
       – How do we make decisions?
       – What is our structure?
     • Existing Methodologies
       – all.net/Arch/index.html
       – CSET
  28. Inventory
     • Create and Maintain Inventory
       – Control System Components
       – Process Equipment
       – System Topology
       – Device Configurations
     • Open Source Tools
       – Snort, nmap, ossim
  29. Activity
     • Behavior Baseline
       – Device Relationships
       – Approved Patterns
       – Change Control
     • Anomaly Detection
       – Did Something Change?
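The Activity slide (a behavior baseline of device relationships and approved patterns, then asking "did something change?") as an added Python illustration; this is not code from the deck or from the SARA toolset, and the device names, ports and flow records are constructed for the example.

```python
# Added illustration of the SARA "Activity" idea: baseline the approved device
# relationships and communication patterns, then flag anything that changed.

# Constructed flows from a known-good baselining window: (src, dst, dport, proto)
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", 502, "modbus"),
    ("hmi-01", "plc-02", 502, "modbus"),
    ("scada-srv", "plc-01", 20000, "dnp3"),
    ("scada-srv", "plc-02", 20000, "dnp3"),
    ("scada-srv", "historian", 1433, "tds"),
]

def build_baseline(flows):
    """Approved patterns = every distinct flow tuple seen while baselining;
    device relationships = which peers each device is known to talk to."""
    approved = set(flows)
    peers = {}
    for src, dst, _port, _proto in flows:
        peers.setdefault(src, set()).add(dst)
        peers.setdefault(dst, set()).add(src)
    return {"approved": approved, "peers": peers}

def detect_changes(baseline, observed):
    """Return (reason, flow) for each observed flow outside the baseline:
    new_device (unknown endpoint), new_relationship (known devices, new pair),
    new_service (known pair, port/protocol not in the approved patterns)."""
    findings = []
    for flow in observed:
        src, dst, _port, _proto = flow
        if flow in baseline["approved"]:
            continue  # matches an approved pattern
        if src not in baseline["peers"] or dst not in baseline["peers"]:
            findings.append(("new_device", flow))
        elif dst not in baseline["peers"][src]:
            findings.append(("new_relationship", flow))
        else:
            findings.append(("new_service", flow))
    return findings

# Constructed later capture: the baseline traffic plus three deviations.
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("eng-laptop", "plc-01", 502, "modbus"),  # unknown endpoint
    ("hmi-01", "historian", 1433, "tds"),     # known devices, new pair
    ("scada-srv", "plc-01", 502, "modbus"),   # known pair, new protocol
]

if __name__ == "__main__":
    for reason, flow in detect_changes(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(reason, flow)
```

In a real deployment the baseline would be built from the Inventory data (topology, device configurations) and the flow records from the visibility tools named on the deck, with the baseline itself placed under change control.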
  30. Sharing
     • Inbound
       – Receiving and Utilizing External Knowledge
     • Outbound
       – Deriving
       – Anonymizing
     • Communication
       – Schemas and Transports (STIX, TAXII, IODEF, CIF…)
       – Policies and Practices
  31. Types
     • Data – Atomic: syslog messages, device configurations…
     • Information – Aggregate: Lots of Data
     • Knowledge – Actionable, Sharable Information
  32. SARA Pilot, Enernex LAB
     (diagram: PLC, HMI, SCADA Server, SARA Server and Process Equipment on a switched network; a message bus with schemas and transports ActiveMQ, STIX, TAXII; Firewall/VPN to the Internet; ICS-ISAC, Vendors (GE, Palo Alto, Tripwire) and Service Providers as external parties)
  33. DNP3 Visibility
     (diagram: DNP3 command traffic between SCADA Server and SARA Server, shared with ICS-ISAC and Service Providers)
  34. Act!
     ● Know Yourself
     ● Know Your Stuff
     ● Know What You Do
     ● Learn How to Share
  35. Thanks to our Membership
  36. Thank you for your time
