The NIST SP 800-82 document provides guidance on establishing secure industrial control systems (ICS). It discusses ICS characteristics and security challenges. It recommends developing a comprehensive ICS security program that includes senior management support, risk assessments, defined policies and procedures, inventory of assets, and training. It also provides recommendations on network architecture design and implementing NIST SP 800-53 security controls for ICS environments.
The intent of the paper is to propose a simple yet comprehensive technique to model enterprise security architecture and design aligned to SABSA that enables –
Standardisation of SABSA Enterprise Security Architecture framework by formalizing common language used in the form of ESA modelling notation
Reusability of model artefacts (not documents) to enable enterprise and department level collaboration and knowledge management
Generic or organisation specific Library of assets for various ESA artefacts such as – Business attribute profile(s), security services, mechanisms and components and associated views
Tool-assisted development using a separate toolbox for ESA that augments Enterprise Architecture (TOGAF) modelling using ArchiMate.
Improve Cybersecurity posture by using ISO/IEC 27032 - PECB
Cybersecurity is a universal concern across today’s enterprise, and a strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understand the nature of Cyberspace and Cybersecurity
• Explore Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
SOC presentation - Building a Security Operations Center - Michael Nickle
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC) is not a SOC; a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (Persian: مرکز عملیات امنیت)
Security Operations Center (SOC) Essentials for the SME - AlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
*Developments in the threat landscape driving a shift from preventative to detective controls
*Essential security controls needed to defend against modern threats
*Fundamentals for evaluating a security approach that will work for you, not against you
*How a unified approach to security visibility can help you get from install to insight more quickly
Building a Next-Generation Security Operations Center (SOC) - Sqrrl
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Presented at ISACA's EuroCACS 2015 (Copenhagen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand the knowledge on SCADA systems and how cyberattacks can have physical consequences, bridging the cyber and physical worlds.
Operational technology (OT) and information technology (IT) security protect devices, networks, systems, and users. Cybersecurity has long been critical in IT and helps organizations keep sensitive data safe, ensure users connect to the internet securely, and detect and prevent potential cyberattacks.
The Future of Security Architecture Certification - danb02
Would you drive over a Bay Bridge built from an amateur building architect's blueprints? What if the architect passed a multiple choice test first - is that good enough?
Society's answer to these questions is obviously NO. But unlike building architects, security architects are not always required to have Certificates or Degrees and standards for such are lacking.
As information gains value, and we move from "information security" to also securing the Internet of Things, security architecture becomes increasingly consequence-laden and the question of required training and accreditation more pressing.
The slides are from a webinar in which LinkedIn Security Architecture group participants collaboratively explored the Future of Security Architecture Certification.
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020 - Jiunn-Jer Sun
• Why An Industrial Cybersecurity Standard
• What Is IEC 62443 About
• How It Impacts On You - The Security Lifecycle
• IEC 62443 Certificates
• Reference: Some Ongoing Projects
• Summary
ControlCase Discussed:
• What is ISO 27001
• How can companies get ready for the ISO 27701 privacy standard
• What is the certification process for ISO 27701
• Common challenges
Mission (Not) Impossible: NIST 800-53 High Impact Controls on AWS | AWS Publi... - Amazon Web Services
You might think it’s impossible to achieve NIST 800-53 high impact controls in your environment but with AWS and Trend Micro you can achieve this seemingly impossible mission, even in hybrid environments. Learn how to leverage AWS and Trend Micro security controls to retain logs, control access to systems or monitor changes and more and how to automate everything using technologies like AWS CloudFormation. Join this session and get a peek at the inner workings of the AWS & Trend Micro Quick Start Reference Deployment Guide for NIST 800-53 that can help you quickly deliver high-impact controls in an automated, repeatable fashion.
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presen... - Cohesive Networks
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016
LocusView Solutions, a Chicago-based subsidiary of the Gas Technology Institute (GTI), applied the NIST Cybersecurity Framework to pass penetration tests and compliance auditing in 2015.
LocusView provides SaaS solutions to the natural gas industry, and wanted to go beyond standard regulatory compliance to save money and streamline the audit process.
As organizations spend more time and efforts to fight data breaches and fears of fallout from a data loss, IT teams like LocusView can begin comparing existing cybersecurity practices to the NIST Framework to quickly identify any gaps in pinpointing, assessing, and managing risks in their networks.
Although the NIST Framework was created for critical infrastructure (banking, aviation, defense), all organizations can apply its principles to their operations. While traditional audit-focused standards value policies and checklists, NIST’s risk-based approach focuses on business and customers.
As part of an in-depth audit, LocusView used the NIST Framework to ensure everything from customer data to cloud-based networks are truly secure.
Doug Landoll, CEO, Lantego
Four Deadly Traps in Using Information Security Frameworks
Frameworks can be used to effectively build or assess information security programs, but applied incorrectly they can mask major program gaps. During this talk, Mr. Landoll will explain the four framework traps, how to avoid them, and how to effectively utilize a framework to build or assess an information security program. Mr. Landoll will focus on the NIST 800-53 framework as an example.
Overview of smart grid projects in Brazil and how security requirements have been considered in R&D projects. Results from a smart metering security assessment project are presented.
Security is high on the list of concerns for many organizations as they evaluate their cloud computing options. This session will examine security in the context of the various forms of cloud computing. We'll consider technical and non-technical aspects of security, and discuss several strategies for cloud computing, from both the consumer and producer perspectives.
Presentation introduces Chief Security Officers (CSO's) and others with responsibility for protecting companies and their customers to what they need to know about the coming Smart Grid
COBIT 5 IT Governance Model: an Introduction - aqel aqel
This lecture provides quick and direct insight into information technology governance using the COBIT 5 framework. COBIT 5, the fifth edition, was released by the Information Systems Audit and Control Association (www.isaca.org) in 2012 to supersede version 4.1 (2007). It also incorporates ISACA’s Val IT model, which addresses the financial perspective of IT, and the Risk IT framework.
The lecture was part of ISACA- Riyadh chapter activities in April 2015 under the sponsorship of Al-Fisal University.
In today’s connected world, cyber security is a topic that nobody can afford to ignore. In recent years the number and frequency of attacks on industrial devices and other critical infrastructure has risen dramatically. Recent news stories about hackers shutting down critical infrastructure have left many companies wondering if they are vulnerable to similar attacks. In this webinar we will discuss the most common security threats and unique challenges in securing industrial networks. We will introduce the current standards and share some useful resources and best practices for addressing industrial cyber security.
Key Takeaways:
1. Gain perspective regarding common security threats facing industrial networks.
2. Learn about the relevant standards governing industrial cyber security.
3. Increase understanding of some best practices for securing industrial networks.
Presentation from the EPRI-Sandia Symposium on Secure and Resilient Microgrids: Cyber Security R&D for Microgrids, presented by Jason Stamp, Sandia National Laboratories, Baltimore, MD, August 29-31, 2016.
This presentation discusses why cybersecurity is an issue for safety instrumented systems and will examine example architectures when communicating with the SIS.
Security concepts in OT (Operational Technology) refer to the principles, practices, and measures implemented to protect critical infrastructure and industrial control systems from cyber threats and unauthorized access. OT systems are used in various industries such as energy, manufacturing, transportation, and healthcare, and they play a crucial role in the operation and control of physical processes.
1. Importance of Security in OT:
Security in OT is of paramount importance due to the potential impact of cyber attacks on critical infrastructure. Breaches in OT systems can lead to disruptions in essential services, financial losses, and even endanger human safety. Therefore, implementing robust security measures is essential to ensure the integrity, availability, and confidentiality of OT systems.
2. Key Security Concepts:
There are several key security concepts that are important in the context of OT:
Risk Assessment: Conducting regular risk assessments helps identify vulnerabilities and potential threats to OT systems. This allows organizations to prioritize security measures and allocate resources effectively.
Access Control: Implementing strong access control mechanisms ensures that only authorized personnel can access and modify OT systems. This includes measures such as user authentication, role-based access control, and physical security controls.
Network Segmentation: Segmenting OT networks into isolated zones helps contain the impact of a security breach and prevents lateral movement of attackers within the network. This can be achieved through the use of firewalls, VLANs (Virtual Local Area Networks), and other network segmentation techniques.
Intrusion Detection and Prevention: Deploying intrusion detection and prevention systems (IDPS) helps monitor network traffic and detect any suspicious or malicious activities. These systems can automatically block or alert administrators about potential threats.
Secure Communication: Ensuring the confidentiality and integrity of communication between OT devices and systems is crucial. This can be achieved through the use of encryption protocols, secure communication channels, and secure configuration of network devices.
Patch Management: Regularly applying security patches and updates to OT systems helps address known vulnerabilities and protect against exploits. Patch management should be done carefully to minimize disruptions to critical operations.
3. Challenges in OT Security:
Securing OT systems presents unique challenges compared to traditional IT systems. Some of the challenges include:
Legacy Systems: Many OT systems are based on legacy technologies that were not designed with security in mind. Upgrading or securing these systems can be complex and costly.
Operational Constraints: OT systems often have strict operational requirements, such as real-time response and high availability. Implementing security measures without impacting these requirements can be challenging.
ICSA 2019 Architectural Security Weaknesses in Industrial Control Systems - DanielleGonzalez25
Architectural Security Weaknesses in Industrial Control Systems; An Empirical Study Based on Disclosed Software Vulnerabilities
Presented March 2019 at the IEEE International Conference on Software Architecture (ICSA) in Hamburg, Germany
The session will highlight Intel’s vision for IoT Security and the fundamental building blocks and capabilities Intel and the ecosystem are providing to organizations to build security in from design through deployment and maintenance.
Learn what makes SCADAguardian (the Nozomi Networks flagship technology) so unique and powerful. From enterprise IT, to OT, we enable scalable security strategies for ICS.
Slides from panel talk at the annual IEEE Power and Energy Society meeting on Power System Cybersecurity.
After an 8-hour tutorial and a panel talk, there were a number of consistent themes and challenges that surfaced. The two that concern me the most are: a) blocking engineers from discussing security approaches at technical conferences and b) treating power system cybersecurity as only a compliance issue for the IT, legal, and compliance departments. With the hope that this sparks a bigger conversation, I’m sharing a copy of my slides from our panel talk. Thoughts and comments are welcome.
1. Industrial Control System Security
NIST SP 800-82
NIST Industrial Control System
Cyber Security Workshop
23 October 2009
2. NIST SP 800-82
• Initial public draft released September 2006 - public comment period through December 2006
• Second public draft released September 2007 - public comment period through December 2007
• Final public draft released September 2008 - public comment period through December 2008
• Final document should be released by end of 2009
• Downloaded over 750,000 times since initial release and is heavily referenced by the industrial control community
• Current document available at:
– http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
3. NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
Executive Summary
1. Introduction
2. Overview of Industrial Control Systems
3. ICS Characteristics, Threats and Vulnerabilities
4. ICS Security Program Development and Deployment
5. Network Architecture
6. ICS Security Controls
List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary of Terms
Appendix C— Current Activities in Industrial Control System Security
Appendix D— Emerging Security Capabilities
Appendix E— Industrial Control Systems in the FISMA Paradigm
Appendix F— References
4. 1. Introduction
1.1 Authority
1.2 Purpose and Scope
• Purpose: Provide guidance for establishing secure ICS, including implementation guidance for SP 800-53 controls
• Scope: SCADA, DCS, RTU, other control systems
1.3 Audience
• Control engineers, integrators and architects when designing and implementing secure SCADA and/or ICS
• System administrators, engineers and other IT professionals when administering, patching, securing SCADA and/or ICS
• Security consultants when performing security assessments of SCADA and/or ICS
• Managers responsible for SCADA and/or ICS
• Researchers and analysts who are trying to understand the unique security needs of SCADA and/or ICS
• Vendors developing products that will be deployed in SCADA and/or ICS
1.4 Document Structure
5. 2. Overview of Industrial Control Systems
2.1 Overview of SCADA, DCS, and PLCs
2.2 ICS Operation
2.3 Key ICS Components
2.3.1 Control Components
2.3.2 Network Components
2.4 SCADA Systems
2.5 Distributed Control Systems
2.6 Programmable Logic Controllers
2.7 Industrial Sectors and Their Interdependencies
6. Industrial Control Systems (ICS)
• Industrial Control System (ICS) is a general term that encompasses several types of control systems including:
– Supervisory Control and Data Acquisition (SCADA) systems
– Distributed Control Systems (DCS)
– Other control system configurations such as skid-mounted Programmable Logic Controllers (PLC)
• ICS are specialized Information Systems that physically interact with the environment
• Many ICS are components of the Critical Infrastructure
7. SCADA Examples
SCADA systems are used in the electricity sector, oil and gas pipelines, water utilities, transportation networks and other applications requiring remote monitoring and control.
8. Typical Control Room Layout
The control room provides network status, enables remote control, optimizes system performance, and facilitates emergency operations, dispatching of repair crews and coordination with other utilities.
9. Typical Operator Interface
Displays real-time network status on geographic and schematic maps
Provides control of circuit breakers, switches, etc.
Displays dynamic coloring to show real-time changes
Provides alarm status
Provides optimization functions and decision making support
10. Typical RTU Hardware
Gathers data from sensors (pressure, flow, voltage, etc.) and controls local actuators (pumps, valves, breakers, etc.)
11. DCS Examples
Manufacturing
Electric Power Generation
Refineries
12. 3. ICS Characteristics, Threats and Vulnerabilities
3.1 Comparing ICS and IT Systems
3.2 Threats
3.3 Potential ICS Vulnerabilities
3.3.1 Policy and Procedure Vulnerabilities
3.3.2 Platform Vulnerabilities
3.3.3 Network Vulnerabilities
3.4 Risk Factors
3.4.1 Standardized Protocols and Technologies
3.4.2 Increased Connectivity
3.4.3 Insecure and Rogue Connections
3.4.4 Public Information
3.5 Possible Incident Scenarios
3.6 Sources of Incidents
3.7 Documented Incidents
13. Industrial Control System Security Challenges
• Real-time constraints: IT security technology can affect timing and inhibit performance (required response times are on the order of milliseconds to seconds)
• Balancing performance, reliability, flexibility, safety and security requirements
• Difficulty of specifying requirements and testing the capabilities of complex systems in operational environments
• Both security expertise and domain expertise are required, but they are often held by separate groups
14. Major ICS Security Objectives
• Restricting logical access to the ICS network and network activity
– This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices
– Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
15. Major ICS Security Objectives (Cont.)
• Protecting individual ICS components from exploitation
– This includes deploying security patches as expeditiously as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect and mitigate malware.
• Maintaining functionality during adverse conditions
– This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks and does not cause another problem elsewhere, such as a cascading event.
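The DMZ objective on slide 14 can be checked mechanically against a firewall rule base. The Python below is an added example written for this page, not code from NIST SP 800-82 or the presentation: it models zone-to-zone rules with a default deny and audits them for the two mistakes that defeat the architecture, a rule that passes traffic directly between the corporate and control zones, and the same service allowed into the DMZ and onward to the far side, so the DMZ host relays the service instead of terminating it. The zone names, port numbers and sample rules (including the two "legacy" rules that trigger findings) are constructed.

```python
"""Audit a zone-based firewall rule set against the DMZ architecture on
slide 14: no traffic passes directly between the corporate and control
networks, and the DMZ terminates services rather than relaying them.

Added example for this page, not code from NIST SP 800-82 or the deck.
Zone names, ports and the sample rules are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

CORP, DMZ, CONTROL = "corporate", "dmz", "control"
Flow = Tuple[str, str, str, int]          # (src zone, dst zone, proto, dst port)


@dataclass(frozen=True)
class Rule:
    src: str        # source zone
    dst: str        # destination zone
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    action: str     # "allow" or "deny"
    comment: str = ""


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; an unmatched flow is denied (default deny).
    Real firewalls match address and port ranges; exact zone/port matching
    is enough to demonstrate the architectural checks below."""
    for r in rules:
        if (r.src, r.dst, r.proto, r.port) == (src, dst, proto, port):
            return r.action
    return "deny"


def allowed_flows(rules: List[Rule]) -> Set[Flow]:
    """Flows that some rule allows and no earlier rule has already denied."""
    decided: Set[Flow] = set()
    allowed: Set[Flow] = set()
    for r in rules:
        key: Flow = (r.src, r.dst, r.proto, r.port)
        if key in decided:
            continue
        decided.add(key)
        if r.action == "allow":
            allowed.add(key)
    return allowed


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per violation of the DMZ architecture."""
    findings: List[str] = []
    allowed = allowed_flows(rules)
    # 1. Direct corporate <-> control paths bypass the DMZ entirely.
    for src, dst, proto, port in sorted(allowed):
        if {src, dst} == {CORP, CONTROL}:
            findings.append(
                f"{src}->{dst} {proto}/{port} passes directly between "
                f"corporate and control, bypassing the DMZ")
    # 2. The same service allowed into the DMZ and onward to the far side
    #    lets the DMZ host relay it end to end instead of terminating it.
    for src, dst, proto, port in sorted(allowed):
        if dst != DMZ:
            continue
        far = CONTROL if src == CORP else CORP if src == CONTROL else None
        if far is not None and (DMZ, far, proto, port) in allowed:
            findings.append(
                f"{proto}/{port} is allowed {src}->dmz and dmz->{far}: "
                f"the DMZ relays this service instead of terminating it")
    return findings


# Constructed sample rule base. A historian in the DMZ is fed from the
# control network and queried from corporate (the intended pattern); two
# "legacy" rules violate the architecture and should be reported.
SAMPLE_RULES = [
    Rule(CONTROL, DMZ, "tcp", 5450, "allow", "historian data push (constructed port)"),
    Rule(CORP, DMZ, "tcp", 1433, "allow", "corporate SQL queries to the DMZ historian"),
    Rule(CORP, DMZ, "tcp", 443, "allow", "corporate browsers to DMZ web reports"),
    Rule(DMZ, CONTROL, "tcp", 443, "allow", "legacy: DMZ reverse proxy into a control HMI"),
    Rule(CORP, CONTROL, "tcp", 3389, "allow", "legacy: direct RDP to an engineering workstation"),
]

HARDENED_RULES = [r for r in SAMPLE_RULES if not r.comment.startswith("legacy")]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
    print("hardened rule set findings:", audit(HARDENED_RULES))
```

Run it against an export of the real rule base after mapping addresses to zones; an empty findings list is the expected result for the architecture on slide 14, and the historian pattern (control pushes into the DMZ, corporate queries the DMZ) passes because no single service is allowed through both sides.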
16. 3.1 Comparing ICS and IT Systems
• Performance Requirements
• Availability Requirements
• Risk Management Requirements
• Architecture Security Focus
• Physical Interaction
• Time-Critical Responses
• System Operation
• Resource Constraints
• Communications
• Change Management
• Managed Support
• Component Lifetime
• Access to Components
17. Information Technology vs. Industrial Control Systems
Different Performance Requirements
Information Technology             Industrial Control
Non-realtime                       Realtime
Response must be reliable          Response is time-critical
High throughput demanded           Modest throughput acceptable
High delay and jitter accepted     High delay and/or jitter is a serious concern
18. Information Technology vs. Industrial Control Systems
Different Reliability Requirements
Information Technology                 Industrial Control
Scheduled operation                    Continuous operation
Occasional failures tolerated          Outages intolerable
Beta testing in the field acceptable   Thorough testing expected
19. Information Technology vs. Industrial Control Systems
Different Risk Management Requirements: Delivery vs. Safety
Information Technology                                      Industrial Control
Data integrity paramount                                    Human safety paramount
Risk impact is loss of data, loss of business operations    Risk impact is loss of life, equipment or product, environmental damage
Recover by reboot                                           Fault tolerance essential
These differences lead to very different acceptable security practices.
20. 3.3.3 Network Vulnerabilities
Table 3-10. Network Perimeter Vulnerabilities

No security perimeter defined: If the control network does not have a clearly defined security perimeter, then it is not possible to ensure that the necessary security controls are deployed and configured properly. This can lead to unauthorized access to systems and data, as well as other problems.

Firewalls nonexistent or improperly configured: A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks. This could cause several problems, including allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping on the other network, and providing individuals with unauthorized access to systems.

Control networks used for non-control traffic: Control and non-control traffic have different requirements, such as determinism and reliability, so having both types of traffic on a single network makes it more difficult to configure the network so that it meets the requirements of the control traffic. For example, non-control traffic could inadvertently consume resources that control traffic needs, causing disruptions in ICS functions.

Control network services not within the control network: Where IT services such as Domain Name System (DNS) and/or Dynamic Host Configuration Protocol (DHCP) are used by control networks, they are often implemented in the IT network, causing the ICS network to become dependent on the IT network, which may not have the reliability and availability required by the ICS.
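The last two rows of Table 3-10 describe conditions that show up in traffic rather than in configuration. As an added example (not code from the guide or the deck), the Python below classifies flow records exported from a control-network switch: flows between control hosts on expected industrial-protocol ports count as control traffic, anything else on the segment is non-control traffic, and DNS or DHCP answered from outside the control network is flagged as an off-segment dependency. The address ranges, the protocol allow-list and the six flow records are constructed for the example; the three ports in the allow-list are the IANA-registered ports for Modbus/TCP, DNP3 and EtherNet/IP explicit messaging.

```python
"""Classify flow records from a control-network segment to surface the
conditions in the last two rows of Table 3-10: non-control traffic sharing
the control network, and DNS/DHCP served from outside it.

Added example for this page, not code from NIST SP 800-82 or the deck.
Address ranges, the protocol allow-list and the flow records are constructed.
"""
import ipaddress
from typing import Dict, List

CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")   # constructed control segment

# Industrial protocols expected between control hosts (IANA-registered ports):
# Modbus/TCP 502, DNP3 20000, EtherNet/IP explicit messaging 44818.
CONTROL_SERVICES = {("tcp", 502), ("tcp", 20000), ("tcp", 44818)}

# Infrastructure services the control network needs; Table 3-10 warns that
# these are often hosted on the IT network instead.
INFRA_SERVICES = {("udp", 53): "DNS", ("tcp", 53): "DNS", ("udp", 67): "DHCP"}

# Constructed flow records: src,sport,dst,dport,proto (one flow per line).
SAMPLE_FLOWS = """\
10.20.1.10,49152,10.20.1.50,502,tcp
10.20.1.11,50001,10.20.1.51,20000,tcp
10.20.1.10,53012,10.1.0.5,53,udp
10.20.1.12,68,10.1.0.6,67,udp
10.20.1.30,51000,10.1.0.9,445,tcp
10.20.1.31,51001,10.20.1.200,80,tcp
"""

CATEGORIES = ("control", "control-infrastructure", "off-segment-dependency", "non-control")


def parse_flows(text: str) -> List[Dict]:
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto = line.split(",")
        flows.append({"src": ipaddress.ip_address(src), "sport": int(sport),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "proto": proto})
    return flows


def classify(flow: Dict) -> str:
    key = (flow["proto"], flow["dport"])
    if key in INFRA_SERVICES:
        # DNS/DHCP is fine if the server lives on the control segment;
        # otherwise the ICS now depends on the IT network's availability.
        return "control-infrastructure" if flow["dst"] in CONTROL_NET else "off-segment-dependency"
    if key in CONTROL_SERVICES and flow["src"] in CONTROL_NET and flow["dst"] in CONTROL_NET:
        return "control"
    # Anything else on the segment (file sharing, web, traffic to IT hosts)
    # competes with deterministic control traffic for the same resources.
    return "non-control"


def report(text: str) -> Dict[str, List[str]]:
    """Group flow descriptions by category; off-segment dependencies name the service."""
    out: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for f in parse_flows(text):
        cat = classify(f)
        desc = f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}/{f['proto']}"
        if cat == "off-segment-dependency":
            desc += f" ({INFRA_SERVICES[(f['proto'], f['dport'])]} served from outside the control network)"
        out[cat].append(desc)
    return out


if __name__ == "__main__":
    for cat, items in report(SAMPLE_FLOWS).items():
        for item in items:
            print(f"{cat:24} {item}")
```

On the sample data the two industrial flows are classified as control traffic, the DNS and DHCP requests to 10.1.0.x are reported as off-segment dependencies, and the SMB session to an IT host and the HTTP session inside the segment are reported as non-control traffic. Feed it real flow exports after adjusting the CIDR and allow-list; anything landing in the last two categories is a Table 3-10 finding to follow up.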
22. Key Takeaways for Securing ICS
The most successful method for securing an ICS is to:
• Gather industry recommended practices
• Engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT department, the physical security department, and a trusted automation advisor
• Draw upon the wealth of information available from ongoing federal government, industry group, vendor and standards organization activities
23. 4. ICS Security Program Development and Deployment
4.1 Business Case for Security
4.1.1 Benefits
4.1.2 Potential Consequences
4.1.3 Key Components of the Business Case
4.1.4 Resources for Building Business Case
4.1.5 Presenting the Business Case to Leadership
4.2 Developing a Comprehensive Security Program
4.2.1 Senior Management Buy-in
4.2.2 Build and Train a Cross-Functional Team
4.2.3 Define Charter and Scope
4.2.4 Define ICS Specific Security Policies and Procedures
4.2.5 Define and Inventory ICS Systems and Networks Assets
4.2.6 Perform Risk and Vulnerability Assessment
4.2.7 Define the Mitigation Controls
4.2.8 Provide Training and Raise Security Awareness
24. 5. Network Architecture
5.1 Firewalls
5.2 Logically Separated Control Network
5.3 Network Segregation
5.3.1 Dual-Homed Computer/Dual Network Interface Cards (NIC)
5.3.2 Firewall between Corporate Network and Control Network
5.3.3 Firewall and Router between Corporate Network and Control Network
5.3.4 Firewall with DMZ between Corporate Network and Control Network
5.3.5 Paired Firewalls between Corporate Network and Control Network
5.3.6 Network Segregation Summary
5.4 Recommended Defense-in-Depth Architecture
5.5 General Firewall Policies for ICS
5.6 Recommended Firewall Rules for Specific Services
5.6.1 Domain Name System (DNS)
5.6.2 Hypertext Transfer Protocol (HTTP)
5.6.3 FTP and Trivial File Transfer Protocol (TFTP)
5.6.4 Telnet
5.6.5 Simple Mail Transfer Protocol (SMTP)
5.6.6 Simple Network Management Protocol (SNMP)
5.6.7 Distributed Component Object Model (DCOM)
5.6.8 SCADA and Industrial Protocols
5.7 Network Address Translation (NAT)
5.8 Specific ICS Firewall Issues
5.8.1 Data Historians
5.8.2 Remote Support Access
5.8.3 Multicast Traffic
5.9 Single Points of Failure
5.10 Redundancy and Fault Tolerance
5.11 Preventing Man-in-the-Middle Attacks
25. 6. ICS Security Controls
(From SP 800-53 Control Families)
6.1 Management Controls
6.1.1 Risk Assessment
6.1.2 Planning
6.1.3 System and Services Acquisition
6.1.4 Certification, Accreditation, and Security Assessments
6.1.5 Program Management (New in SP 800-53, Rev 3)
6.2 Operational Controls
6.2.1 Personnel Security
6.2.2 Physical and Environmental Protection
6.2.3 Contingency Planning
6.2.4 Configuration Management
6.2.5 Maintenance
6.2.6 System and Information Integrity
6.2.7 Media Protection
6.2.8 Incident Response
6.2.9 Awareness and Training
6.3 Technical Controls
6.3.1 Identification and Authentication
6.3.2 Access Control
6.3.3 Audit and Accountability
6.3.4 System and Communications Protection
26. Control Family Sections (Examples)
6.3 Technical Controls
• Identification and Authentication (IA): the process of verifying the identity of a user, process, or device, through the use of specific credentials (e.g., passwords, tokens, biometrics), as a prerequisite for granting access to resources in an IT system.
• Access Control (AC): the process of granting or denying specific requests to obtain and use information and related information processing services, and to gain physical access to areas within the information system environment.
• Audit and Accountability (AU): independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
• System and Communications Protection (SC): mechanisms for protecting both system and data transmission components.
27. Control Family Sections (Examples continued)
6.3.1 Identification and Authentication
• Description of the I&A family (in the general IT sense)
• Supplemental Guidance
– NIST SP 800-12 provides guidance on security policies and procedures [39].
– NIST SP 800-63 provides guidance on remote electronic authentication [54].
– NIST SP 800-73 provides guidance on interfaces for personal identity verification [50].
– NIST SP 800-76 provides guidance on biometrics for personal identity verification [51].
• ICS-Specific Recommendations and Guidance
Systems in ICS environments typically rely on traditional passwords for authentication. Control system suppliers often ship systems with default passwords. These passwords are factory set, often easy to guess, and changed infrequently, which creates additional security risk. Also, protocols currently used in ICS environments generally have inadequate or no network service authentication. Several forms of authentication are now available for ICS in addition to traditional password techniques. Some of these, including password authentication, are presented in the following sections with discussion of their use in ICS.
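Slide 27's observation that ICS protocols generally carry no network-service authentication is easiest to appreciate by looking at a request on the wire. The Python below is an added example, not code from NIST SP 800-82 or the presentation; the deck does not name Modbus, which is used here as a widely deployed industrial protocol. It builds and parses Modbus/TCP request frames (MBAP header plus PDU) so the reader can see that the frame has no field for a credential, and then applies the only compensating check available at the network layer: writes must originate from an allow-listed engineering workstation. The host addresses, the allow-list and the captured frames are constructed.

```python
"""Parse Modbus/TCP requests and flag write operations from hosts that are
not authorized engineering workstations.

Added example for slide 27's point that common ICS protocols carry no
network-service authentication; not code from NIST SP 800-82 or the deck,
which does not name Modbus (used here as a widely deployed example). Host
addresses, the allow-list and the captured frames are constructed.
"""
import struct
from typing import Dict, List, Tuple

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Constructed allow-list: the only host permitted to change process values.
ENGINEERING_WORKSTATIONS = {"10.20.1.10"}


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU.
    Length counts the unit id plus the PDU. Note what is absent: there is
    no field for a credential, session key or message authentication code,
    so any host that can reach TCP/502 on the device can issue a write."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame: bytes) -> Dict:
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function, data = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "function": function,
           "name": FUNCTION_NAMES.get(function, f"function 0x{function:02x}"),
           "is_write": function in WRITE_FUNCTIONS}
    if function in (0x05, 0x06) and len(data) == 4:     # single coil/register write
        req["address"], req["value"] = struct.unpack(">HH", data)
    elif function in (0x01, 0x03) and len(data) == 4:   # read: start address, quantity
        req["address"], req["quantity"] = struct.unpack(">HH", data)
    return req


def check_writes(captured: List[Tuple[str, bytes]]) -> List[str]:
    """captured: (source IP, request frame) pairs from a passive tap.
    Reads are tolerated from any host; writes must come from the allow-list,
    which is the only source-side check the protocol itself permits."""
    alerts = []
    for src, frame in captured:
        req = parse_request(frame)
        if req["is_write"] and src not in ENGINEERING_WORKSTATIONS:
            alerts.append(f"{src} sent {req['name']} to unit {req['unit']} "
                          f"address {req.get('address')} value {req.get('value')}")
    return alerts


# Constructed capture: an authorized setpoint write, a historian poll, and a
# coil write from an unexpected host on the control segment.
CAPTURED = [
    ("10.20.1.10", build_request(1, 1, 0x06, struct.pack(">HH", 0x0010, 1500))),
    ("10.20.1.20", build_request(2, 1, 0x03, struct.pack(">HH", 0x0000, 10))),
    ("10.20.1.99", build_request(3, 1, 0x05, struct.pack(">HH", 0x0003, 0xFF00))),
]

if __name__ == "__main__":
    for src, frame in CAPTURED:
        print(src, frame.hex(), parse_request(frame)["name"])
    for alert in check_writes(CAPTURED):
        print("ALERT:", alert)
```

The device accepts all three frames identically; the parser shows why, since nothing in the twelve bytes identifies who sent them. That is why the guide pairs this observation with the segmentation and access-restriction objectives on slides 14 and 15: until the protocol or a wrapper supplies authentication, source address, firewall rules and physical access are the controls that actually decide who can write.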
28. NIST Special Publication 800-82: Guide to Industrial
Control Systems (ICS) Security
Executive Summary
1. Introduction
2. Overview of Industrial Control Systems
3. ICS Characteristics, Threats and Vulnerabilities
4. ICS Security Program Development and Deployment
5. Network Architecture
6. ICS Security Controls
List of Appendices
Appendix A— Acronyms and Abbreviations
Appendix B— Glossary of Terms
Appendix C— Current Activities in Industrial Control System Security
Appendix D— Emerging Security Capabilities
Appendix E— Industrial Control Systems in the FISMA Paradigm
Appendix F— References
29. Appendix C— Current Activities in Industrial Control System Security
• American Gas Association (AGA) Standard 12, "Cryptographic Protection of SCADA Communications"
• American Petroleum Institute (API) Standard 1164, "Pipeline SCADA Security"
• Center for Control System Security at Sandia National Laboratories (SNL)
• Chemical Sector Cyber Security Program
• Chemical Industry Data Exchange (CIDX)
• DHS Control Systems Security Program (CSSP)
• DHS CSSP Recommended Practices
• DHS Process Control Systems Forum (PCSF)
• Electric Power Research Institute (EPRI)
• Institute of Electrical and Electronics Engineers, Inc. (IEEE)
• Institute for Information Infrastructure Protection (I3P)
• International Electrotechnical Commission (IEC) Technical Committees 65 and 57
• ISA99 Industrial Automation and Control Systems Security Standards
• ISA100 Wireless Systems for Automation
• ISO 17799 Security Techniques – Code of Practice for Information Security Management
• ISO 27001 Information technology – Security techniques – Information security management systems – Requirements
• International Council on Large Electric Systems (CIGRE)
• LOGI2C – Linking the Oil and Gas Industry to Improve Cyber Security
• National SCADA Test Bed (NSTB)
• NIST 800 Series Security Guidelines
• NIST Industrial Control System Security Project
• NIST Industrial Control Security Testbed
• North American Electric Reliability Council (NERC)
• SCADA and Control Systems Procurement Project
• US-CERT Control Systems Security Center (CSSC)