U.S. Department of Homeland Security s National Cybersecurity and Communications Integration Center

Transcription

1 U.S. Department of s National Cybersecurity and Communications Integration Center Rick Lichtenfels Director, Assist and Assess Branch National Cybersecurity and Communications Integration Center (NCCIC) U.S. Department of

2 18 Critical Infrastructure Sectors Presidential Directive 7 (HSPD-7) along with the National Infrastructure Protection Plan (NIPP) identified & categorized U.S. Critical Infrastructure into the following 18 Critical Infrastructure & Key Resources Sectors 1. Agriculture & Food 2. Banking & Finance 3. Chemical 4. Commercial Facilities 5. Dams 6. Defense Industrial Base 7. Emergency Services 8. Energy 9. Government Facilities 10. Information Technology 11. National Monuments & Icons 12. Nuclear Reactors, Materials, & Waste 13. Postal & Shipping 14. Public Health & Healthcare 15. Telecommunications 16. Transportation 17. Water 18. Critical Manufacturing* * Critical Manufacturing was Announced as the 18 th Sector in April

3 CNCI Goals To establish a front line of defense against today s immediate threats by creating or enhancing shared situational awareness of network vulnerabilities, threats, and events within the Federal Government and ultimately with state, local, and tribal governments and private sector partners and the ability to act quickly to reduce our current vulnerabilities and prevent intrusions. To defend against the full spectrum of threats by enhancing U.S. counterintelligence capabilities and increasing the security of the supply chain for key information technologies. To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace.

4 Comprehensive National Cybersecurity Initiative Trusted Internet Connections (reduce and consolidate external access points) Deploy Passive Sensors Across Federal Systems (Einstein 2) Pursue Deployment of Intrusion Prevention System (Einstein 3) Coordinate and Redirect R&D Efforts Establish a front line of defense Connect Current Cyber Centers to Enhance Cyber Situational Awareness (National Cyber Center) Develop Government Wide Cyber Counterintelligence Plan Increase the of the Classified Networks Expand Education Demonstrate resolve to secure U.S. cyberspace & set conditions for long-term success Define and Develop Enduring Leap Ahead Technology, Strategies & Programs Define and Develop Enduring Deterrence Strategies & Programs Develop Multi-Pronged Approach for Global Supply Chain Risk Management Define the Federal Role for Extending Cybersecurity into Critical Infrastructure Domains Shape the future environment to demonstrate resolve to secure U.S. technological advantage and address new attack and defend vectors

5 Cyberspace Policy Review The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs a reliable, consistent mechanism for bringing all appropriate information together to form a common operating picture. -Cyberspace Policy Review 5

6 Cybersecurity Coordination

7 The NCCIC National-level effort led by the Office of Cybersecurity and Communications (CS&C) in the National Protection and Programs Directorate (NPPD), Department of Responsible for enhancing the security, resiliency and reliability of the nation's cyber and communications infrastructure Actively engages public and private sectors as well as international partners to prepare for, prevent and respond to cyber and communication incidents that could degrade or overwhelm these strategic assets 7

8 Participants NCCIC comprised of organizational components and operational partners Each organization maintains their own operating mission; NCCIC s mission relies on coordinated operations 8

9 Systematic approach to coordination

10 Nation Cyber and Communications COP What are the initial indicators? What is the extent of the incident? Watch and Warning What are we seeing on the networks and sensors? Analysis What are our capabilities to identify and respond? Assist and Assess What is the extent of the incident? Public/ Private/Both? Operations Common operational picture What are we receiving from external sources/press? Planning What are our response and detection capabilities? Alerts and warnings for D/A and Private Sector Liaison

11 Incident Response: Unique DHS Capability 1. Providing situational awareness through alerts and advisories to warn of cyber-based threats and vulnerabilities affecting critical infrastructure assets 2. Conducting technical analysis of malware, digital media, system vulnerabilities, and emerging exploits 3. Performing incident response to support asset owners with discovery, analysis, and recovery efforts 4. Partnering with the control system and IT community to coordinate risk management efforts and serve as the focal point for information exchange 11

12 Incident Response Support Assist asset-owners Onsite fly-away teams Network architecture Data collection Mitigation Offsite technical analysis teams Analysis of collected data Customer reporting Bridge threat awareness gap 12

13 Incident Response Team Observations A lack of established security practices and adequate awareness among company employees has resulted in compromised networks Apparent attacker knowledge and targeting of control systems Spear Phishing attacks are a common method of gaining footholds into corporate networks Demonstrated ability by attackers to penetrate networks, evade detection, move within/between networks, and maintain presence Increase sophistication in reconnaissance efforts by attackers Inadequate security measures applied to remote log-in capabilities 13

14 Risk Drivers: Modernization Connections between Information Technology and Control System networks (inheriting vulnerabilities) Shift from isolated systems to open protocols Access to remote sites through the use of modems, wireless, private, and public networks Shared or joint use systems for e-commerce

15 Cybersecurity Challenges SECURITY TOPIC INFORMATION TECHNOLOGY CONTROL SYSTEMS Anti-virus & Mobile Code Countermeasures Support Technology Lifetime Common & widely used Uncommon and can be difficult to deploy 3-5 years Up to 20 years Outsourcing Common/widely used Rarely used (vendor only) Application of Patches Regular/scheduled Slow (vendor specific) Change Management Regular/scheduled Legacy based unsuitable for modern security Time Critical Content Delays are usually accepted Critical due to safety Availability Delays are usually accepted 24 x 7 x 365 x forever Awareness Good in both private and public sector Generally poor regarding cyber security Testing/Audit Scheduled and mandated Occasional testing for outages / audit for event recreation Physical Secure Very good but often remote and unmanned

16 Risk is Elevated in Converged & Interconnected Systems Technology has blurred the line between the physical machine and the electronic machine driving our infrastructure.

17 Polish Trains Event: January 2008, a Polish teenager modifies a TV remote and hacks Lodz Tram system. Impact: 12 people injured, 4 derailments. Specifics: The 14-year-old modified a TV remote control so that it could be used to change track points. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track setting for a prank. Lessons learned: Do not rely on protocol obscurity for security Apply appropriate access controls to all field devices

18 DaimlerChrysler Manufacturing Event: August 2005, Internet worms infect DaimlerChrysler s systems. Impact: Workers were idle as infected Microsoft Windows systems were patched. Specifics: A round of Internet worms knocked 13 of DaimlerChrysler s U.S. automobile manufacturing plants offline. Recovery time: Took manufacturing plants offline for one hour Lessons learned: Critical patches need to be applied Provide adequate network segmentation between control and business networks Place controls between segments to limit congestion and cascading effects

19 Davis-Besse Nuclear Power Plant Event: August 2003, Slammer worm infects plant. Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC). Specifics: Worm started at contractors site. Lessons learned: Secure remote (trusted) access channels Ensure defense-in-depth strategies with appropriate procurement requirements Critical patches need to be applied

20 Duke Energy A/C Event: July 28, 2009, Duke Energy sends incorrect signal to 18,000 air conditioning units. Impact: 18,000 households participating in Duke Energy's energy saving program are without power for three hours. Specifics: An erroneous message was broadcast by Duke Energy, shutting down 18,000 air conditioning units for three hours. Human error was the blame for the incident and all units were restored by 8:30 pm. Lessons learned: Consider all design parameters when implementing broad control. (load shedding versus peak load conservation) Identify controls to minimize the consequences from human error

21 Dallas Texas Hospital Cyber Attack Event: April June, 2009 Insider attack leveraging his position (contracted security guard) to transmit malicious code and manipulated the HVAC control system. Impact: Modify and impair medical exams, diagnoses and treatments. Damage HVAC to pharmaceutical storage and stressed the health of patients within the facility. Specifics: Posted video of hack on YouTube Planned Attack: DDoS Attack July 4 th, Devil s Day Arrested by the FBI Lessons learned: Do not underestimate the insider threat Ensure access controls Policies and Procedure, background checks

22 Northwest Hospital and Medical Facility Event: January 2005, a botnet attack victimized computers at Northwest Hospital and Medical Facility in Seattle, WA. Impact: The increase in computer traffic affected the hospital s systems in numerous ways: doors to the operating rooms did not open, doctor pagers did not work and computers in the intensive care unit shut down. Specifics: The hospital was the primary victim of an extensive botnet attack that infected over 100 of the hospitals computers, as well as some DoD systems. Lessons learned: Ensure use of anti-virus software and maintain patch management policies Defense-in-depth strategies, firewalls

23 NASA Space Station Event: Aug. 2008, Viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again). Impact: Created a nuisance to noncritical space station laptops. Specifics: The virus did make it onto more than one laptop suggesting that it spread via some sort of intranet on the space station or via a thumb drive. Lessons learned: Due to the human factor there is no true airgap (e.g., thumb drives, laptop connection, modems, VPN, CD/DVD, etc.)

24 Workforce Development and Training Web-based Training Cyber for Control Systems Engineers and Operators OPSEC for Control Systems Instructor-led Courses Introduction to Industrial Control Systems Cybersecurity Intermediate Course for ICS Cyber Advanced Training and Workshop (Red/ Blue Team) 24

25 Cyber Evaluation Tool (CSET) Assessment Covers Policy, Plans, and Procedures in 10 Categories Creates baseline security posture Provides recommended solutions to improve security posture Allows for standards specific reports (e.g., NERC CIP, DOD , NIST SP800-53)

26 Contact Information Report Control Systems cyber incidents and vulnerabilities Report general cyber incidents and vulnerabilities or , Sign up for cyber alerts Learn more about Control Systems Program 26

27 27