Building Insecurity Lisa Kaiser

Transcription

1 Building Insecurity Lisa Kaiser Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

2 Insecurity How do I Specify it Buy it Test it Deploy it Regret it Apologize for it

3 Specifying Insecurity Ignore security entirely Specify inappropriate standards Use vagueness Demand particular technology solutions

4 Buying Insecurity Never mention security Don t put it in writing Listen when they say We ll secure it later Cheaper is always more secure New is more secure

5 Testing Insecurity Never test Check only sunny day scenarios Rely on vendor assurances Use only cheap security experts Use your firewalls

6 Deploying Insecurity Don t plan Use default passwords Bypass all the security Never do SAT Ignore security alarms and alerts Photo courtesy of Kristian Ovaska, 2003

7 Regretting Insecurity Begin with RFQ Ignore any breaches Shoot the Messenger Apply quick-fixes Use the Blame-game

8 Apologizing for Insecurity Leave the organization Distract customers Avoid responsibility Attack the messengers Use the press Blame us

9 However» If you re NOT trying to Building Insecurity, but instead which to Build In Security» Try this to achieve your goal:

10 Cyber Security Evaluation Tool (CSET ) R Stand-alone software application Self-assessment using recognized standards Tool for integrating cybersecurity into existing corporate risk management strategy CSET Download: 10

11 CSET Standards R Requirements Derived from Widely Recognized Standards NIST Special Publication Consensus Audit Guideline (CAG) NERC Critical Infrastructure Protection (CIP) Recommended Security Controls for Federal Information Systems Rev 3 and with Appendix I, ICS Controls Criteria Evaluation Recommendations based upon National Security Association (NSA) Cyber Attack Phases Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4 DoD Instruction Information Assurance Implementation, February 6, 2003 NIST Special Publication Guide to Industrial Control Systems (ICS) Security, June, 2011 NRC Reg. Guide 5.71 Cyber Security Programs for Nuclear Facilities, January 2010 CFATS RBPS 8- Cyber Transportation Security Agency Pipeline Guidelines Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 Cyber, 6 CFR Part 27 DHS TSA guidance for the pipeline industry 11

12 CSET R Capabilities What the CSET CAN do: Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment Specify cybersecurity recommendations Report using standards-based information analysis Provide a baseline cybersecurity posture What the CSET CAN T do: Validate accuracy of user inputs Ensure compliance with organizational or regulatory cybersecurity policy & procedures Ensure implementation of cybersecurity enhancements or mitigation techniques Identify all known cybersecurity vulnerabilities 12

13 Assessment Team A TEAM of participants is required to perform a successful assessment Type of Participant Control Systems Engineer Configuration Manager Operations Manager IT Network Specialist IT Security Officer Risk Analyst or Insurance Specialist Knowledge Control systems Systems management Business operations IT infrastructure Policy & procedures Risk 13

14 Assessment Process Organize the Team Add Assessment Information Select the Mode and Standards Determine the Security Level Build the Network Diagram Answer Questions Analyze Results 14

15 Context Specific Help 15

16 Starting Screen 16

17 Assessment Info Main Window 17

18 Standards Screen Assessment Modes 18

19 Questions and Standards 19

20 Questions and Standards 20

21 General SAL Determination 21

22 NIST SAL Determination 22

23 Diagramming Tool 23

24 Diagram Maximized Screen Space 24

25 Questions Screen 25

26 Question Information 26

27 Comments, Marked and Alternates 27

28 Component Questions 28

29 Component Overrides 29

30 Analysis Screen 30

31 Analysis Detail Screens 31

32 Analysis Detail - Example 32

33 Question Filters 33

34 Hardcopy Reports 34

35 Resource Library 35

36 Resource Library - Search 36

37 CSET 6.0 Enhancements New/Updated Standards NEI Rev 6 NISTIR 7628 Ver 1 (August 2010) INGAA Ver 1 (January 31, 2011) NIST SP Appendix J Rev 4 NIST SP Rev 1 (May 2013) CNSSI ICS Overlay Update New Evaluation Capabilities Merging Comparison Aggregation Trending 37

38 Trending Sample Screen CSET Assessment Aggregation -- Trending Mode Overall Trends Top 5 Most Improved Areas Top 5 Areas of Decline Environmental Security Components Standards Overall Access Control Account Management Audit and Accountability Communication Protection Configuration Management Incident Response Info Protection Information and Document Management Maintenance Access Control Account Management Audit and Accountability Communication Protection Configuration Management Personnel Physical Security Plans Policies & Procedures General Privacy Procedures Risk Management and System Integrity System Protection System and Services Training

39 Aggregation Sample Screen CSET Assessment Aggregation Comparison Mode Site Total Questions Yes No Answered Site A Site B Site C Components Standards Overall Site C Site B Site A SAL Level Site A Site B Site C Access Control Account Management Audit and Communication Configuration Continuity Environmental Incident Response Info Protection Information and Portable/Mobile/Wir Privacy Procedures Remote Access Risk Management SIS Software System Integrity System Protection System and Training Site C Site B Site A Sort By Best Access Password Policies Procedures Access Password Policies Procedures Access Password Policies Procedures Site A 20 Site C Sort By Worst Site B

40 CSET 6.0 Enhancements (cont.) New/Updated Functionality Inventory Lists Security Plans YouTube Tutorials Updated Diagramming Tool 40

41 Key Contact Information Lisa Kaiser Download CSET 41

42