The Office of Infrastructure Protection

Transcription

1 8/27/205 The Office of Infrastructure Protection National Protection and Programs Directorate Department of Protective Advisor Cyber Threat Actors / Risks DHS Cyber Resources Marty J. Smith Protective Advisor Orlando, FL Marty.J.Smith@hq.dhs.gov Protective Advisors 96 PSAs and Regional Directors, including 89 field deployed personnel, serve as critical infrastructure security specialists Deployed to 73 Districts in 50 states and Puerto Rico State, local, tribal, territorial, and private sector link to Department of (DHS) infrastructure protection resources Coordinate vulnerability assessments, training, and other DHS products and services Provide a vital link for information sharing in steady-state and incident response Assist facility owners and operators with obtaining security clearances During contingency events, PSAs support the response, recovery, and reconstitution efforts of the States by serving as pre-designated Infrastructure Liaisons (IL) and Deputy ILs at the Joint Field Offices 2 Florida Protective Advisors Tallahassee PSA Billy Sasser Tampa Bay PSA Ollie Gagnon Orlando PSA Marty Smith Miami PSA Gary Warren 3

2 8/27/205 Cyber Threat Actors DHS is concerned with the recent rise in targeted and successful malware campaigns against industrial control systems (ICSs). These campaigns were associated with sophisticated threat actors with demonstrated capabilities to compromise control system networks. The depth of intrusion into the control system network provided the threat actors with the ability to potentially: Manipulate control system settings Control the process Destroy data and/or equipment. Cyber Threats Pose an Enormous Challenge President Barack Obama: Speech at the National Cybersecurity and Communications Integration Center Jan 3, 205: It's one of the most serious economic and national security challenges we face as a nation. Foreign governments, criminals, and hackers probe America s computer networks every single day. President Obama also noted that protecting the nation s critical infrastructure is essential to public health and safety stating that, Neither government, nor the private sector can defend the nation alone. It s going to have to be a shared mission government and industry working hand in hand, as partners. Growing Concerns for Control Systems NSA Director, Admiral Michael Rogers Testimony to House Select Intelligence Committee Nov. 20, 204: There shouldn t be any doubt in our minds that there are nation-states and groups out there that have the capability to enter industrial control systems and to shut down [and] forestall our ability to operate our basic infrastructure. All of that leads me to believe it is only a matter of the when, not the if that we are going to see something dramatic. 2

3 8/27/205 jkw6 Examples: Havex and BlackEnergy Malware Havex: Sophisticated cyber threat actors have been probing for and compromising control systems worldwide since at least This malware campaign is known publicly as DragonFly, Crouching Yeti, Koala Team, and Energetic Bear. - Over 2,800 victims identified globally. BlackEnergy: A second sophisticated cyber threat group has obtained direct access to control system networks worldwide since at least This campaign has compromised dozens of control systems in the United States and hundreds globally. Water Utility Loses Control Event: Residents of a rural town experienced loss of water pressure Impact: Approximately 0,000 residents without water Specifics: Utility operator updated its HMI OS (Windows) with a direct connection to the Internet and evidence points to a virus infecting the SCADA system; causing it to crash. The ICS was outdated, not supported by the vendor, and not patched to current updates. Lacked a firewall between the business and control networks Lessons learned: Utilize DMZ to ensure isolation from business side and Internet Keep systems patched Establish and enforce sound security policies SCADA Accessed via Default Password Event: January Cyber researcher used SHODAN to identify an online remote access link to a utility company s SCADA system. The system was then accessed using default user name and passwords Impact: None, the researcher only looked around, but touched nothing Specifics: Key word internet searching revealed the default info Lessons learned: Change system default user names and passwords Avoid posting system details to public facing sites 3

4 Slide 7 jkw6 Notes:Bullet : Sent 2: "when then..." Doesn't make sense. jkwright, 3//205

5 8/27/205 Water System Infected Event: October 2006, Foreign hacker penetrated security at a water filtering plant. Impact: The intruder planted malicious software that was capable of affecting the plant s water treatment operations. Specifics: The infection occurred through the Internet and did not seem to be an attack that directly targeted the control system. Lessons learned: Secure remote computers Defense-in-depth strategies, firewalls & intrusion detection systems Critical patches and antivirus needs to be applied and updated regularly 0 Cyber Offerings for Critical Infrastructure National Cybersecurity and Communications Integration Center (NCCIC) US CERT Operations Center Remote and On Site Assistance Malware Analysis Incident Response Teams ICS CERT Operations Center ICS CERT Malware Lab Cyber Evaluation Tool Incident Response Teams NCATS Cyber Hygiene service Risk and Vulnerability Assessment US CERT NationalCyberAwareness System Vulnerability Notes Database Publications Control Systems Program Cybersecurity Training Information Products and Recommended Practices Cyber Exercise Program Cyber Evaluations Program Cyber Resilience Review Cyber Infrastructure Survey Tool Critical Infrastructure Cyber Community (C 3 ) DHS launched the C 3 Program in February 204 to complement the launch of the National Institute of Standards and Technology Cyber Framework (CSF). The C³ Voluntary Program helps sectors and organizations that want to use the CSF by connecting them to existing cyber risk management capabilities provided by DHS, other U.S. Government organizations and the private sector. The C3 website ( cert.gov/ccubedvp) describes the various programs DHS offers to critical infrastructure partners, including Federal, State, local, and private sector organizations 2 4

6 8/27/205 CYBER SECURITY EVALUATIONS SUMMARY Name Cyber Resilience Review Cyber Infrastructure Survey Supply Chain / External (CRR) Tool (C IST) Dependency Management (EDM) Review Onsite Cyber Evaluation Tool (CSET) Assessment Purpose Identify cyber security management capabilities and maturity To calculate a comparative analysis and valuation of protective measures in place Identify external dependencies and the risks associated Provides a detailed, effective, and repeatable methodology for assessing control systems security while encompassing an organization s infrastructure, policies, and procedures. Scope Critical Service view Critical Cyber Service view Organization / Business Unit Industrial Control Systems Time to Execute 8 Hours ( business day) 2 ½ to 4 Hours 2 to 2 ½ Hours 8 Hours ( Business Day) Information Sought Capabilities and maturity indicators in 0 security domains Protective measures in place Third party security requirements and contract management info Industrial control system s core functions, infrastructure, policies, and procedures Preparation Short, hour questionnaire plus planning call(s) Planning call to scope evaluation Planning call to scope evaluation Coordinated via . Planning call(s) if requested. Participants IT/ Manager, Continuity Planner, and Incident Responders IT/ Manager IT / Manager with Contract Management control system operators/engineers, IT, policy/management personnel, and subject matter experts. 3 CYBER SECURITY EVALUATIONS SUMMARY 2 Name ICS CERT Design Architecture Review (DAR) ICS Network Architecture Verification and Validation (NAVV) Network Risk and Vulnerability Assessment (RVA) Cyber Hygiene (CH) Evaluation Purpose Supports the cybersecurity design via investigative analysis, production, and maintenance of control systems and ICS components. Provides analysis and baselining of ICS communication flows, based upon a passive (non intrusive) collection of TCP Header Data. Perform penetration and deep technical analysis of enterprise IT systems and an organization s external resistance to specific IT risks Identify public facing Internet security risks, at a high level, through service enumeration and vulnerability scanning Scope Industrial Control Systems/Network Architecture Industrial Control Systems/Network Architecture/Network Traffic Organization / Business Unit / Network Based IT Service Public Facing, Network Based IT Service Time to Execute 2 Days (8 Hours Each Day) Variable (Hours to Days) Variable (Days to Weeks) Variable (Hours to Continuous) Information Sought Network design, configurations, interdependencies, and its applications. Network traffic header data to be analyzed with Sophia Tool. Low level options and recommendations for improving IT network and system security High level network service and vulnerability information Preparation Coordinated via . Planning call(s). Coordinated via . Planning call(s). Formal rules of engagement and extensive pre planning Formal rules of engagement and extensive pre planning Participants control system operators/ engineers, IT personnel, and ICS network, architecture, and topologies SMEs control system operators/ engineers, IT personnel, and ICS network, architecture, and topologies SMEs IT/ Manager and Network Administrators IT/ Manager and Network Administrators 4 CRRSelf Assessment Package Released in February 204 to complement the launch of the NIST CSF. The CRR Self Assessment Kit allows organizations to conduct a review without outside facilitation. Contains the same questions, scoring, and reporting as the facilitatedassessment. The kit containsthe followingresources: Method Description and User Guide CompleteCRR QuestionSet withguidance Self AssessmentPackage (automated toolset) CRR tonist CSF Crosswalk CRR Self AssessmentKitwebsite: cert.gov/ccubedvp/selfservice crr 5 5

7 8/27/205 Cyber Evaluation Tool (CSET R) Stand-alone software application Self-assessment using recognized standards Tool for integrating cybersecurity into existing corporate risk management strategy CSET Download: 6 Protected Critical Infrastructure Information Established under the Critical Infrastructure Information Act of 2002 Protects voluntarily submitted critical infrastructure information from: Freedom of Information Act State and local sunshine laws Civil litigation proceedings Regulatory usage 7 For more information visit: Marty J. Smith Protective Advisor - Orlando Marty.J.Smith@hq.dhs.gov 6