American Bar Association
Section of Science and Technology Law Information Security Committee
2009 Annual Meeting – Lunch Presentation
Wednesday, July 29, 2009



Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE




Legal and IT Aspects of Securing Our Critical Infrastructures

Creative Commons License v3.0.
                                                                                1
What is a “critical infrastructure”?

• Represents “…assets of physical and computer-based
  systems that are essential to the minimum operations
  of the economy and government.”(1)

• These assets include (but are not limited to):
     –   Telecommunication systems
     –   Energy distribution
     –   Banking & financial systems
     –   Transportation
     –   Water treatment facilities
     –   etc … there are a total of 14 infrastructure sectors.
1. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
                                                                                                              2
Reasons for addressing infrastructure issues

• Critical infrastructures were historically regarded as physically and logically
  interdependent systems … until 9/11.
• With advances in IT systems and efforts to improve the efficiency of these
  systems, infrastructures have become increasingly automated and
  interlinked.

• Improvements created new vulnerabilities(2)
     –   Equipment failure
     –   Human error
     –   Natural causes (weather, drought, corrosion, locusts…)
     –   Physical and computer-related attacks


2. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
                                                                                                              3
Issues with our critical infrastructures today

• Each infrastructure entity is responsible for protecting its
  own infrastructure; there is little to no cross-cooperation.

• Each infrastructure entity needs to have measures that
  assure information is valid and accurate (apply the A-I-C
  principle: availability, integrity, confidentiality); most are
  currently lacking.

• Work should take a holistic approach, as systems are
  interdependent (the Domino Principle).

                                                                 4
Assure the systems that support the systems

• The infrastructure assurance process should:

   – Provide a consistent testing and evaluation framework for each
     infrastructure sector.
   – Perform vulnerability assessments regularly against physical
     and computer systems to deter, prevent, detect, and protect.
   – Expedite the process of validating systems holistically.

• The assurance process applies to both public and private sectors.


                                                                     5
Introducing SCADA and control systems …

• Most control systems are computer based.

• Used by several infrastructure sectors (and their industries) to
  monitor and control sensitive processes and physical functions.

• Function to provide safety controls and security.

• Primary role is to ensure operations continuity within a plant.

• Control system capabilities vary from simple to complex.

                                                                     6
Introducing SCADA and control systems …

• Two kinds of industrial control systems (ICS):

     – Distributed Control Systems (DCS) are typically used
       within a single process or plant, or used over a
       smaller geographic area, possibly even a single site
       location.

     – SCADA systems are typically used for larger-scale
       environments that may be geographically dispersed
       in an enterprise-wide distribution operation.(3)

3. “Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
                                                                                                              7
What makes a control system different?

• Conventional data systems (IT) are human oriented.

• Control systems are machine / process oriented:

   – Cannot be easily stopped; once stopped, they take a very long
     time to restart, and stopping an ICS means loss of revenue.

   – However … there is more at stake than financial
     considerations; stopping an ICS can introduce safety issues.

   – Availability and reliability are paramount.

                                                                  8
Practical and legal considerations

1. Safety ALWAYS

2. Availability of the service

3. Security and access control

4. Regulation and compliance


                                   9
Admiralty Law similarity: ICS practical concerns

•   You CANNOT stop operation of an infrastructure.

•   You CAN refer to federal investigation reports from NTSB, NRC, or CSB.

•   You CAN depose engineers, operators, and technicians once the emergency is no
    longer a threat.

•   You CANNOT confiscate original data without a scheduled outage and/or without
    having a duplicate, backup system.

•   Prosecution of any offense should occur AFTER the event has been rendered safe,
    investigations conducted, and results reported by recognized experts.


                                                                                  10
Provenance of data is extremely important

•   Accurate timestamps and source material are crucial.

•   Logs from ICS must be validated.

•   Instrumentation needs to be validated AFTER an incident, but before …
     – an expert with a control systems background is involved; and
     – one who has knowledge of information security, with certification and registration.

•   Control systems are NOT at all similar to “personal computers”:
     – Real Time Systems (RTS) are operated very differently (see orientation).
     – Process controllers are fundamentally similar to embedded systems.

                                                                                 11
Provenance of data is extremely important

• Use cryptographic signatures (where applicable and possible).

• Management methods must be documented:
  – Explaining ‘what’ and ‘how’.

• Access to each system must be documented:
   – Answers ‘who’, ‘when’ and ‘where’.

• Protocols and code must be validated and documented:
   – Validates ‘why’.
                                                           12
Factors to consider with ICS

•   Latency of data events.
     – Timing delay between events.

•   Sequence of events.
     – Order of events.

•   Timing of events.
     – Duration and speed of events.

•   Time at which alarms were reported to plant operators.
     – Whether, when an alarm is reported, the event actually took place at its stated time.
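An added illustration of the provenance and event-timing points on these two slides (example code, not part of the original deck): a small Python script that chains ICS historian records with HMAC-SHA256 so that an edited, deleted or reordered record is detectable, flags timestamps that run backwards, and computes the delay between an event and its report to the operator. The signing key, device names and event records are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed demo key. In practice the historian's signing key belongs in an
# HSM or key store, never in source code.
LOG_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample records from an ICS historian:
# (occurred_at, source, event, reported_to_operator_at), all UTC.
EVENTS = [
    ("2009-07-29T12:00:00Z", "PLC-07", "valve_v12_closed", "2009-07-29T12:00:02Z"),
    ("2009-07-29T12:00:05Z", "PLC-07", "pressure_high",    "2009-07-29T12:00:09Z"),
    ("2009-07-29T12:00:03Z", "RTU-02", "pump_p3_trip",     "2009-07-29T12:00:04Z"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def sign_record(prev_mac, record):
    # Each MAC also covers the previous MAC, so deleting, reordering or
    # editing any record invalidates every MAC that follows it.
    msg = prev_mac + b"|" + "|".join(record).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()

def build_chain(events):
    """Return [(record, mac), ...] with each MAC chained to its predecessor."""
    chain, prev = [], b""
    for rec in events:
        mac = sign_record(prev, rec)
        chain.append((rec, mac))
        prev = mac.encode()
    return chain

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = b""
    for i, (rec, mac) in enumerate(chain):
        if not hmac.compare_digest(sign_record(prev, rec), mac):
            return False, i
        prev = mac.encode()
    return True, None

def sequence_issues(events):
    """Indices whose occurred_at is earlier than the preceding record's."""
    return [i for i in range(1, len(events))
            if parse_ts(events[i][0]) < parse_ts(events[i - 1][0])]

def alarm_latency_seconds(events):
    """Delay, per record, between the event and its report to the operator."""
    return [(parse_ts(r[3]) - parse_ts(r[0])).total_seconds() for r in events]
```

Run against the constructed records, the chain verifies intact, the third record is flagged as out of sequence (it is stamped earlier than the one before it), and the reporting latencies are 2, 4 and 1 seconds.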

                                                                               13
Public standards for control system security

•    NERC CIP (not considered a complete specification by many).

•    NIST SP800-53:
     “Recommended Security Controls for Federal Information Systems”.(4)

•    NIST SP800-82:
     “Guide to Industrial Control Systems (ICS) Security”.(5)


4.   National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2,
     “Recommended Security Controls for Federal Information Systems”, December 2007;
     URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.

5.   National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft,
     “Guide to Industrial Control Systems (ICS) Security”, September 2008;
     URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.                     14
Public standards for control system security

•    ISA-99
      – Currently under complex development.
      – Coordinated with ISA-84 safety specifications.
      – Considered the most complete and extensive input contributed by the industry.
•    Beware of the compliance approach: being compliant is NOT the same as
     being secure.(6)
•    DHS’s CS2SAT is just that: only a tool; CS2SAT is NOT a
     prosecutable document.(7)

6.   “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine,
     April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html.

7.   U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT),
     DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html.

                                                                                                           15
CS2SAT

NOTE: This particular version is distributed by Lofty Perch, Inc.

                                  16
Public regulations for control systems security

• Chemical Facility Anti-Terrorism Standards (CFATS).(8)

• FISMA recommends NIST SP800-53.(9)

• NERC CIP requires additional work before FERC utilizes it.


8.   U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections;
     URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm.

9.   National Institute of Standards and Technology, Computer Security Division, Computer Security Resource
     Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html.

                                                                                                               17
A copy of this presentation may be found at our web site:
    http://www.infracritical.com/papers/aba-isc-2009.zip




                        Bob Radvanovsky, (630) 673-7740
                              rsradvan@infracritical.com

                           Jacob Brodsky, (443) 285-3514
                              jbrodsky@infracritical.com

                                                             18