Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
American Bar Association
             Section of Science and Technology Law Information Security Committee
             20...
What is a
                           “critical infrastructure”?

• Represents “…assets of physical and computer-based
  sy...
Reasons for addressing
                           infrastructure issues

• Critical infrastructures historically regarded ...
Issues with our critical
                 infrastructures today

• Each infrastructure entity is responsible for protectin...
Assure the systems that
                  support the systems

• The infrastructure assurance process should:

   – Provid...
Introducing SCADA and
                  control systems …

• Most control systems are computer based.

• Used by several i...
Introducing SCADA and
                           control systems …

• Two kinds of industrial control systems (ICS):

    ...
What makes a control
                 system different?

• Conventional data systems (IT) are human oriented.

• Control s...
Practical and legal
             considerations

1. Safety ALWAYS

2. Availability of the service

3. Security and access ...
Admiralty Law similarity:
                      ICS practical concerns

•   You CANNOT stop operation of an infrastructure...
Provenance of data is
                     extremely important

•   Accurate timestamps and source matter are crucial.

• ...
Provenance of data is
                   extremely important

• Cryptographic signatures (if applicable, if possible).

• ...
Factors to consider
                     with ICS

•   Latency of data events.
     – Timing delay between events.

•   Se...
Public standards for
                             control system security

•    NERC CIP (not considered a complete specif...
Public standards for
                            control system security

•    ISA-99
      – Currently under complex deve...
CS2SAT




         NOTE: This particular
         version is distributed
         from Lofty Perch, Inc.


              ...
Public regulations for
                            control systems security

• Chemical Facility Anti-Terrorism Standards ...
A copy of this presentation may be found at our web site:
    http://www.infracritical.com/papers/aba-isc-2009.zip




   ...
Upcoming SlideShare
Loading in …5
×

American Bar Assoc. ISC 2009

389 views

Published on

Legal and IT Aspects of Securing
Our Critical Infrastructures

  • Be the first to comment

  • Be the first to like this

American Bar Assoc. ISC 2009

  1. 1. American Bar Association Section of Science and Technology Law Information Security Committee 2009 Annual Meeting – Lunch Presentation Wednesday, July 29, 2009 Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE Legal and IT Aspects of Securing Our Critical Infrastructures Creative Commons License v3.0. 1
  2. 2. What is a “critical infrastructure”? • Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1) • These assets include (but are not limited to): – Telecommunication systems – Energy distribution – Banking & financial systems – Transportation – Water treatment facilities – etc … there are a total of 14 infrastructure sectors. 1. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 2
  3. 3. Reasons for addressing infrastructure issues • Critical infrastructures historically regarded physically and logically interdependent systems … until 9/11. • Advances in IT systems and efforts to improve efficiencies of these systems, infrastructures have become increasingly automated and interlinked. • Improvements created new vulnerabilities(2) • Equipment failure • Human error • Natural causes (weather, drought, corrosion, locusts…) • Physical and computer-related attacks 2. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 3
  4. 4. Issues with our critical infrastructures today • Each infrastructure entity is responsible for protecting its own infrastructure; little to no cross cooperation. • Each infrastructure entity needs to have measures that assure information is valid and accurate (apply A-I-C principle); most are currently lacking. • Work should take holistic approach as systems are interdependent. (the Domino Principle). 4
  5. 5. Assure the systems that support the systems • The infrastructure assurance process should: – Provide a consistent testing and evaluation framework of each infrastructure sector. – Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect. – Expedite process to validate holistic systems. • Assurance processing applies to both public and private sectors. 5
  6. 6. Introducing SCADA and control systems … • Most control systems are computer based. • Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions. • Functions to provide safety controls and security. • Primary role to ensure operations continuity within a plant. • Control system abilities vary from simple to complex. 6
  7. 7. Introducing SCADA and control systems … • Two kinds of industrial control systems (ICS): – Distributed Control Systems (DCS) are typically used within a single process or plant, or used over a smaller geographic area, possibly even a single site location. – SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3) 3. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 7
  8. 8. What makes a control system different? • Conventional data systems (IT) are human oriented. • Control systems are machine / process oriented: – Cannot be easily stopped - once stopped, takes a very long time to re-start; stopping an ICS means loss of revenue. – However … there is more at stake than financial considerations; stopping ICS can introduce safety issues. – Availability and reliability are paramount. 8
  9. 9. Practical and legal considerations 1. Safety ALWAYS 2. Availability of the service 3. Security and access control 4. Regulation and compliance 9
  10. 10. Admiralty Law similarity: ICS practical concerns • You CANNOT stop operation of an infrastructure. • You CAN refer to federal investigation reports from NTSB, NRC, or CSB. • You CAN depose engineers, operators, and technicians once the emergency is no longer a threat. • You CANNOT confiscate original data without scheduled outage and/or without having a duplicate, backup system. • Prosecution of any offense should occur AFTER the event has been rendered safe, investigations conducted, and results reported by recognized experts. 10
  11. 11. Provenance of data is extremely important • Accurate timestamps and source matter are crucial. • Logs from ICS must be validated. • Instrumentation needs to be validated AFTER an incident, but before … – An expert is involved with a control systems background; and, – Has knowledge in information security w/certification and registration. • Control systems are NOT at all similar to “personal computers”: – Real Time Systems (RTS) are operated very differently (see orientation). – Process controllers are fundamentally similar to embedded systems. 11
  12. 12. Provenance of data is extremely important • Cryptographic signatures (if applicable, if possible). • Management methods must be documented. – Explaining ‘what’ and ‘how’. • Access to each system must be documented: – Answers ‘who’, ‘when’ and ‘where. • Protocols and code must be validated and documented. – Validates ‘why’. 12
  13. 13. Factors to consider with ICS • Latency of data events. – Timing delay between events. • Sequence of events. – Order of events. • Timing of events. – Duration and speed of events. • Time of when alarms were reported to plant operators. – When alarm is reported, that the event took place at its stated time. 13
  14. 14. Public standards for control system security • NERC CIP (not considered a complete specification by many). • NIST SP800-53: “Recommended Security Controls for Federal Information Systems“.(4) • NIST SP800-82: “Guide to Industrial Control Systems (ICS) Security”.(5) 4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Control for Federal Information Systems”, December 2007; URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf. 5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf. 14
  15. 15. Public standards for control system security • ISA-99 – Currently under complex development. – Coordinated with ISA-84 safety specifications. – Considered the most complete and extensive contributed input from the industry. • Beware of the compliance approach: being compliant is NOT the same as being secure.(6) • DHS’s CS2SAT tool is simply just that - only a tool; CS2SAT is NOT a prosecutable document.(7) 6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html. 7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html. 15
  16. 16. CS2SAT NOTE: This particular version is distributed from Lofty Perch, Inc. 16
  17. 17. Public regulations for control systems security • Chemical Facility Anti-Terrorism Standards (CFATS).(8) • FISMA recommends NIST SP800-53.(9) • NERC CIP requires additional work before FERC utilizes it. 8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm. 9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html. 17
  18. 18. A copy of this presentation may be found at our web site: http://www.infracritical.com/papers/aba-isc-2009.zip Bob Radvanovsky, (630) 673-7740 rsradvan@infracritical.com Jacob Brodsky, (443) 285-3514 jbrodsky@infracritical.com Creative Commons License v3.0. 18

×