ICS-SCADA testing and patching: Recommendations for Europe

Transcription

1 ICS-SCADA testing and patching: Recommendations for Europe Adrian Pauna European Union Agency for Network and Information Security

2 Agenda ENISA previous works on ICS SCADA security 2013 s projects Recommendations for Harmonized ICS Testing Capability in the EU Window of Exposure a real problem for SCADA systems? Q&A European Union Agency for Network and Information Security 2

3 1. ICS Security Study 2011 Aim/Scope of the Study ICS Security panorama Threats, risks, challenges National and pan-european initiatives Identification of gaps Recommendations Draft Report: ENISA Recommendations on ICS Security Workshop 16 Sep, 2011 ENISA Recommendations National and Pan-European ICS Security Strategies Good Practices Guide for ICS Security ICS Security Plan Templates Awareness and Training Common Test Bed or ICS Security Certification Framework National ICS CERTs Research in ICS Security The needs of research in the area of Patching and updating equipment without disruption of service and tools European Union Agency for Network and Information Security 3

4 2013 s projects in the area of ICS SCADA security Can we learn from SCADA security Incidents? Ex-post incident analysis aims primarily at investigating a security incident. This report attempts to cover some basic ground by providing recommendations towards the implementation of a proactive environment that will facilitate agile and integrated response to incidents and their ex post analysis. Recommendations for Harmonized ICS Testing Capability in the EU (cont.) Window of Exposure a real problem for SCADA systems(cont.) ICS certification(small study) European Union Agency for Network and Information Security 4

5 Recommendations for Harmonized ICS Testing Capability in the EU The objectives of the work (from ENISAs Tender P/26/12/TCD): Assess the need among the Member States for a national ICS-SCADA testing framework. Identify the gaps between different (if any) MSs and the challenges involved in developing ICS-SCADA testing capabilities. Produce guidance for both the development of new and harmonization of current ICS-SCADA test beds frameworks (if any) among Member States. Research and develop good practices on developing a European ICS- SCADA test bed program/framework. Desktop Research Questionnaires answered by experts for easy to analyse data Interviews for deeper understanding Questions categorized by Topics Experts categorised by «Stakeholder Type» and «Sector» Analysis of the results: Final Workshop and Review European Union Agency for Network and Information Security 5

6 Short introduction on the Status, Gaps and Challenges of ICS SCADA testing identified in the Report Key Findings grouped by the following categories : Current status of ICS Testing Objectives for a European ICS Testing Capability Consideration about the model and methodologies Overview of Available Resources Major Constraints, Risks, Threats and Limitations Relationships with other Stakeholders European Union Agency for Network and Information Security 6

7 Current status of ICS Testing Not harmonized situation for ICS Testing No real "ICS Security educational environment" in the EU Low Maturity Level of ICS Security Testing methodologies and initiatives in Europe Interest in a Certification Framework European Union Agency for Network and Information Security 7

8 Objectives for a European ICS Testing Capability Several drivers show the need of a European Testing Capability, being independent is the main one Political Will has been necessary in similar experiences abroad Get aligned with already existent standards is preferred to develop new ones Offer value to all stakeholders considered key for success A systemic or holistic approach is recommended but is more difficult to standardize Debate regarding the adequacy of making testing mandatory Means to enforce vulnerability resolutions to be considered European Union Agency for Network and Information Security 8

9 Consideration about the model and methodologies Need for both Testing facilities and a Certification Framework Debate concerning if Certification and Compliance are adequate for improving security Unclear which should be the subject of certification Stakeholder roles for definition and operation will require common agreement and public leadership "Acceptance of the results" and "Comprehensiveness of tests" are the best measure of success EU complexity makes desirable a "Distributed Model" with an Accreditation Organism on top Segmentation by business is the most recommended European Union Agency for Network and Information Security 9

10 Overview of Available Resources Public Private Partnership as the most accepted Financing Model Strong Initial Public Investment has been needed in similar initiatives abroad Multiple Reasons for Success identified in existing initiatives abroad Not advisable to publish product comparative charts Work in multidisciplinar teams needed Engage expertise from the industry recommended European Union Agency for Network and Information Security 10

11 Major Constraints, Risks, Threats and Limitations Achieve trust is the most challenging Organization Issue Strategies identified to grant trust are related with Test bed Independency Diversity is the biggest technical challenge Difficult agreement for testing methodologies is foreseen Complexity of the Legal environment among biggest challenges Need for an accurate Economic Model for Public Private Partnership European Union Agency for Network and Information Security 11

12 Relationships with other Stakeholders Representative Composition of the Executive Board Fluent communications with CERTs recommended Debate regarding Vulnerability Disclosures Handling Vulnerability Resolution Enforcement recommended by Security Test Lab Experts Involve stakeholders in dissemination activities Testing Environment useful for Educational purposes European Union Agency for Network and Information Security 12

13 Overview: 7 Recommendations European Union Agency for Network and Information Security 13

14 Recommendation 1: The creation of a Testing Capability under Public European ownership and leadership An entity called Supervisor, should foster Public Support for the initiative and involve other public and private organizations to cooperate in the early stages of the initiative. Quick Win 1: The Supervisor for the Testing Capability would become contact relevant Stakeholders and become a clear Point of Contact for any interested entity. European Union Agency for Network and Information Security 14

15 Recommendation 2: The establishment of a trusted and functional Executive Board Then, this stakeholders, by their representatives and always under the lead of the Supervisor, would create a Working Group that would become the Executive Board, able to define the strategy and further steps in the definition of the Testing Capability. Quick Win 2: The Supervisor would state clear participation rules for the Testing Capability. Quick Win 3: Stakeholder representatives would be engaged for the Executive Board working group. Quick Win 4: The Executive Board will define a common strategy for the Testing Capability. European Union Agency for Network and Information Security 15

16 Recommendation 3: On the creation or involvement of working groups for specific activities The Executive Board then would create or engage already existing experts in order to create thematic Working Groups for technical, financial, legal, research, educational or communications issues. Quick Win 5: Current initiatives in ICS Security Testing will be officialy contacted in order to stablish more specific cooperation tasks. Quick Win 6: Working Groups would define the testing methodologies and criteria that are more alligned with the strategy. European Union Agency for Network and Information Security 16

17 Recommendation 4: The definition of a Financial Model realistic with the European situation The working group in charge of the Financial Model, by now called Advisory Financial Board would have to create a realistic business definition able to guarantee both sustainability and independence. Quick Win 7: Involved working groups will identify potential sources of funding and develop a business plan. European Union Agency for Network and Information Security 17

18 Recommendation 5: Making a study of feasibility for a Distributed Model Within the responsibilities of the Technical Board, supported by the Executive Board, it would be the study of feasibility of a distributed model of operation. Test methodologies and standards, and a clear accreditation model designed to engage current test beds and certification institutions would have to be developed. Quick Win 8: ICS Security Testing accreditation criteria will be defined. European Union Agency for Network and Information Security 18

19 Recommendation 6: Establish collaboration agreements with other organisations dealing with ICS security Other entities such as CERTs, other international ICS Security Testing initiatives and, in general, any stakeholder has to have clear communication processed with the Testing Capability. The communications group would have design these protocols and operate them Quick Win 9: Non Disclosure Agreements and other legal requirements will be elaborated. Quick Win 10: Current CERTs would be contacted for specific cooperation, including Vulnerability Disclosures and incident response. European Union Agency for Network and Information Security 19

20 Recommendation 7: Establish a knowledge management programme Knowledge and expertise in ICS security testing is still scarce and has to be fostered by involving professionals from the industry, research and education. This can be addressed altogether under an umbrella of Knowledge Management programmes. Quick Win 11: Experts from the industry would be engaged. Quick Win 12: A base of knowledge with testing cases will be created. European Union Agency for Network and Information Security 20

21 Window of exposure a real problem for SCADA systems? The Window of exposure is considered to be the time between the moment a vulnerability is disclosed and the moment a patch is available. From the perspective of an organization the moment a window of exposure is closed, is considered to be the moment all the affected systems have been patched. DISCOVERY DISCLOSURE Patch Available Patch Installed EXPLOIT Window of exposure Window of exposure (organization level) European Union Agency for Network and Information Security 21

22 Status The need of research in the area of Patching and updating equipment without disruption of service and tools (ENISA s 2011 report on Protecting Industrial Control Systems) In 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products. (Kevin Hemsley ICS-CERT) <50% of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time. (SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride) A draft of ISA-TR : Patch Management in the IACS Environment was released for review. (ISA 99) European Union Agency for Network and Information Security 22

23 Paradigm EU level Different approaches for the patching analysis. Different patching management strategies/methodologies in place. Existing ICS-SCADA patch management programs used. Different issues which affect the ICS-SCADA patching process and at least one way to mitigate them. Legal issues of patching/non-patching an ICS-SCADA system. European Union Agency for Network and Information Security 23

24 ENISA - Expectations Provide the reader with examples and good practices for key technical aspects; Different patching techniques and standards, relationships between them and gaps; The role of virtualization in the patching process, Key elements of an ICS-SCADA patching management methodology; Good practice on developing a patching management methodology for ICS and SCADA systems; The validation of the results will be based on the feedback taken by the experts who participated in the consultation European Union Agency for Network and Information Security

25 Challenges related to SCADA patching: A. Procedural challenges: Appropriate boundaries for the service agreement Vulnerabilities are rated with the use of the classic IT scoring method CVSS Patch confidentiality Vulnerability discovery B.Technical challanges Transferring and obtaining patches Patch deployment intervals Legacy systems C.Legal challenges : International business - Most SCADA vendors serve a worldwide market Use of open source software (OSS) Vendor warranty Asset management - Asset management is an important part of patch management Procurement and design for patch ability European Union Agency for Network and Information Security

26 Good practices and recommendations A. Compensating controls : Create awareness and understanding in the organizations as to what failure of the SCADA systems could mean Hardening the SCADA systems, hardening the system means removing unnecessary features Firewalls should be configured in a way that only allows connections between trusted machines to trusted ports. Increase defense in depth through network segmentation. Conducting regular risk and security assessments to reduce potential security risks. Application White Listing (AWL) to compensate for malware code injection and execution B. Establishing a patch management program and service contract: Asset owners should establish a patch management program Asset owners should have a well-designed policy in place so to reduce the effort of patch management and the risk of making mistakes Asset owners should also establish a patch management service contract European Union Agency for Network and Information Security

27 Good practices and recommendations (cont.) C. Testing patches : Asset owners should always conduct their own tests. The test environment should closely simulate the operational environment Redundant systems could be used to deploy the patch on D. Distributing patches : Locate the patch management within an enclave that already has open Internet access The patch management system is responsible for downloading and testing patches If required, implement two instances of the patch management system Evaluate patches and updates in a test environment in order to asses the risk of deployment Utilize digital signatures on patches or do hash verification where possible/feasible E. Patch scheduling: Patch scheduling and deployment can be done after a patch has been tested thoroughly Depending on the chosen distribution method the approval of production managers is necessary Preferably the deployment is incorporated into regular maintenance schedules, European Union Agency for Network and Information Security

28 Thank you! Q&A European Union Agency for Network and Information Security 28

29 Thank you for your attention Follow ENISA: European Union Agency for Network and Information Security