Cyber Infrastructure Security Presentation


Moderator: Col. Ron Torgerson, PE, PMP, CHS-V, F.SAME, USAF (Ret.), Chair, Cyber Security Infrastructure Task Force (CSITF)
Speakers:
- Gary Seifert, P.E.
- Mark Duszynski, Vice President, Johnson Controls Federal Systems
- Col. Steve Moes, USAF (Ret.), COO, LRS Federal
- Emmett McGrath, Secure IT Program Manager, Wesco

Building Systems Threats and Mitigation Measures
Mark Duszynski, VP, Johnson Controls Federal Systems
Cyber Infrastructure Security Presentation, SAME JETC, San Diego, May 21, 2013

Current Federal standards and Industrial Control Systems (ICS) security requirements
- Federal ICS need to be approved based on a risk assessment process
- The risks are identified and mitigated until the risk is acceptable
- The risk assessment is now an on-going process through the lifecycle of the systems (continuous maintenance) because the threats are ever changing

In general, the following processes must be followed in order to gain Authority to Operate (ATO):
- DIACAP (DoD Information Assurance Certification and Accreditation Process) C&A process: Air Force uses ETL; Navy DIACAP and Army DIACAP
- Risk Management Framework for civilian agencies: Federal Information Security Management Act (FISMA) Risk Management Framework (RMF)

Industrial Control Systems (ICS) refers to a wide variety of control systems typically found on DOD installations and civilian agency sites
- Building Automation Systems (BAS): sometimes referred to as Energy Management Control Systems (EMCS), Utility Monitoring and Control Systems (UMCS), HVAC controls or DDC
- Other ICS elements: SCADA, security systems, metering, fire alarm systems, fuel distribution, water controls, wastewater controls, power generation, airfield controls, lighting controls, intrusion detection systems, etc.


Control systems uniquely present two types of vulnerabilities:
1) Data and intellectual property theft from business networks
2) Sabotage through disruption of normal control processes

At one point, the penetration into the Chamber of Commerce was so complete that a Chamber thermostat was communicating with a computer in China.
Source: http://abcnews.go.com/international/chinese-hack-us-chamber-commerceauthorities/story?id=15207642


The inherent user-friendly design features of a BAS make them vulnerable
- Device and point naming standards are highly descriptive, e.g. "5th Floor Supply Air Fan Start/Stop Control"
- All possible port/protocol configurations allowed
- Use of DoD logon banners virtually unheard of
- Easy, open access to online Help files
- Widely available USB and RS232 ports
- Verbose and highly descriptive error messages
- Weak password controls
- Every control enclosure on an installation has the same key


The evolution of Building Automation Systems networks has also increased their vulnerabilities
- Originally built on their own proprietary networks
- By the late 90s, a push to utilize business Ethernet LANs
- Today over 95% of all BAS reside on shared networks
- Use commercial operating systems & COTS components
- Follow IEEE and IT networking standards and client/server models
- Incorporate Web user interfaces


ICS and Building Automation Systems cyber security risks and vulnerabilities are generally found in three vectors:
1. Physical Security
2. Network Security
3. ICS Operations
Risk identification and corresponding mitigation steps should align with and derive from these three general areas of vulnerability

The next few slides are an example of ICS network vulnerabilities and mitigation actions as identified by the Naval District Washington


The most basic network vulnerability mitigation measure is the construction of firewalls


Companies are developing secure BAS controllers that embed firewalls & provide encryption
Metasys Secured NAE-5510-2S (NAE-S) Program Phase 1 Exit, 04/12/2013

Mitigation is generally implemented through coincident EMCS modernization and cyber hardening projects
- A high percentage of DOD installations have diverse, aging buildings with disparate, outdated automation systems, which makes it difficult to effectively operate and conserve energy and increases vulnerability to cyber attack
- Modernization brings many benefits: a more cyber secure EMCS or BAS, increased energy efficiency and reduced operational costs, enhanced energy security, improved functionality (e.g. GHG reporting), better mission support

Many excellent resources are available for analyzing and designing building systems and ICS protections
Standards and references are included in the areas of: cyber security policy planning and preparation, establishing network segmentation, firewalls and DMZs, control system security procurement requirements specifications, etc.


For additional information contact: Mark Duszynski, VP, Johnson Controls Federal Systems, mark.m.duszynski@jci.com, 414-524-4234
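Two of the slides above, the one listing "all possible port/protocol configurations allowed" as a BAS weakness and the one naming firewalls as the most basic network mitigation, describe a control without showing what it looks like. The ruleset below is an added example written for this page, not Johnson Controls material and not a Navy-provided configuration: a default-deny nftables boundary between a business LAN and a BAS controller segment that permits only the supervisory server to reach the controllers, and only on one protocol. The addresses (10.20.0.0/24 for controllers, 10.10.5.10 for the server) and the protocol (BACnet/IP on UDP 47808, a common BAS protocol the slides do not name) are assumptions for the example; a real site substitutes its own.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original presentation.
# Assumed addressing and protocol: controllers on 10.20.0.0/24, the single
# supervisory server at 10.10.5.10, BACnet/IP on UDP 47808. Replace with the
# site's actual point-to-point requirements before loading.
flush ruleset

table inet bas_boundary {
    set bas_controllers {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }
    }
    set bas_servers {
        type ipv4_addr
        elements = { 10.10.5.10 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below never crosses
        type filter hook forward priority 0; policy drop;

        # Replies to permitted conversations, and nothing malformed
        ct state established,related accept
        ct state invalid drop

        # Supervisory server to controllers, BACnet/IP only. No RDP, HTTP,
        # SMB or vendor tools cross this boundary; those go to the server
        # itself, not to the controller segment.
        ip saddr @bas_servers ip daddr @bas_controllers udp dport 47808 accept

        # Controllers may send unsolicited BACnet traffic (change-of-value
        # notifications, Who-Is/I-Am) back to the server on the same port
        ip saddr @bas_controllers ip daddr @bas_servers udp dport 47808 accept

        # Everything else is evidence: count it, log it, drop it
        log prefix "bas-boundary-drop " counter drop
    }
}
```

Load with `nft -f` on the boundary host and then watch the `bas-boundary-drop` log lines for a few days before declaring the segment clean: each logged source is either a business host that should never have been talking to a controller, or a legitimate flow the ruleset has not yet been told about. The point is that the allow list is written down and enumerable, which is the opposite of the "all ports and protocols" posture the slide describes.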

Utility Subcommittee
Steve Moes, Col (Ret), USAF, LRS Federal, LLC

Utility Subcommittee Members
- Pat Coullahan, COE AK
- Dave Maharrey, LSU
- Irv Lee, City of Tampa
- Dan Clairmont, UT Austin
- Joe Okes, AOC
- Steve Scott, SEPI Engineering and Construction

Definition
Utility cybersecurity is the protection of the utility systems (Water and Waste Water) operation and the information the system collects. Information includes equipment info, usage data, etc. The protection of the system is both external (blocking ports) and internal, such as programs that search for anomalies or other traces of cyber attackers.

Typical Installation Utility Systems
- Vulnerabilities identification is inherent at any Military Installation for systems they own
- Prioritized facilities/systems
- Mitigation
- Contingency Plans
- Local Operational Inspections and Exercises
- Continue the Mission

W/WWT Systems: Water Sector Specific Plan
EPA is the Federal lead for coordinating and assisting in protecting the Nation's critical Water Sector infrastructure
- > 153,000 public drinking water systems
- > 16,500 publicly owned treatment works

Drinking Water Systems
- Physical Elements: Water Source, Conveyance, Raw Water Storage, Treatment, Finished Water Storage, Distribution System, Monitoring System
- Cyber Elements: Supervisory Control and Data Acquisition (SCADA) System
- Human Elements: Employees and Contractors
Waste Water Utilities
- Physical Elements: Collection, Raw Influent Storage, Treatment, Treated Water Storage, Effluent Discharge, Monitoring System
- Cyber Elements: SCADA
- Human Elements: Employees and Contractors

Goals
- Sustain protection of public health and the environment
- Recognize and reduce risks
- Maintain a resilient infrastructure
- Increase communication, outreach, and public confidence
Assess Risk
- Consequence, Threat and Vulnerability Assessments
- Screening Infrastructure
- Assessing Consequences

Prioritize
- Population served
- Amount of chlorine gas stored on site
- Economic impact
- Critical customers served
Implement
- Focus is on high-density population systems (> 100,000 people)
- Develop templates for detection, response and recovery plans
- Update emergency response and recovery plans
- Increase public and political understanding of denial-of-service impacts

Potential Opportunities with Sequestration?

Protecting Networks in the Age of Light and Air: Cyber-attacks From the Physical Infrastructure Standpoint
Emmett McGrath, Wesco

Light and Air
- Communication Infrastructure from Inside Plant to Outside Plant
- Vulnerabilities of Wired/Wireless Communications Networks
- Available Technologies to Protect Physical Infrastructure
- Department of Defense is Driving Information Assurance
- Protecting Everything

Drivers
- Internet Users in North America: growth of 153.3% from 2000-2012
- 273 million Internet Users in North America
- 327 million US Mobile Phone Users
- 58.4% of all American Homes Subscribe to Cable TV
- 80% of all US Phone Calls Traverse Passive Optical Equipment
- 30% of all US Mobile Calls Traverse Passive Optical Equipment
- 22.6 million Homes in the US are Fiber to the Home (13% growth)

Vulnerabilities
- Fiber and Copper: Tapping; Denial of Service (DoS)
- Wireless: Blind Trust of Senders (MAC Addresses); Denial of Service (DoS); Encryption Based Attacks

Available Technologies / Methods
- Harden: Pipe, Concrete, Boxes, Locks, Welding, etc.
- Inspection: Constant or Periodic Visual Inspection
- Alarm: External Monitors; Internal Monitors

Designed for data infrastructure security
- Makes the entire cable a sensor
  - Uses a pair of fibers inside the cable being protected
  - When any component of the cable is abnormally handled, the monitored fibers sense the disturbance
- Event discrimination technology
  - Learns the ambient state of the network and differentiates between benign events and real threats
  - False alarms eliminated
  - If an INTERCEPTOR alarms, there is a problem (perhaps not a threat)
- Standard fibers intrinsic to (inside) the cables being protected are used to monitor intrusions into the cables themselves

Diagram components: Passive Start Junction, rack-mounted Sensing Controller, inactive lead-in cable, fiber optic sensing cable, Passive Terminator
- A SM fiber optic cable is used as a distributed sensor
- Steady CW laser light is sent down the fiber
- When any motion or vibration acts on the fiber, or anything the fiber is attached to or buried in, the lightwave is affected; this change is detected and the event is classified using patented FFT technology

Securing Wireless Networks
There are three primary areas for concern: Confidentiality, Accessibility, Integrity
- Implement strong encryption algorithms with stringent password requirements.
- Wireless Intrusion Detection Systems (WIDS) monitor network traffic and analyze it for various known attack patterns. WIDS can be signature based (also called misuse detection) or anomaly based. In signature based detection, a database of known abnormal patterns must be compiled and maintained; thus, this approach is weak against attacks that have not been seen before. In anomaly based detection, the system is trained on normal network activity so that when it experiences activity that is different from what is expected, it alerts system administrators of possible network intrusions. This approach will yield a high false-positive rate if the training set is not exhaustive.

Department of Defense
- Defense Information Systems Agency (DISA): A Combat Support Agency, provides, operates, and assures command and control, information sharing capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters, National level leaders, and other mission and coalition partners across the full spectrum of operations.
- Information Assurance (IA), National Security Agency (NSA): NSA's Information Assurance Mission focuses on protecting National Security Information and Information Systems.
- Certified TEMPEST Technical Authority (CTTA): "TEMPEST Countermeasures for Facilities" establishes guidelines and procedures that shall be used by departments and agencies to determine the applicable TEMPEST countermeasures for national security systems.

- Datacenter & SAN Infrastructure Solutions (pre-terminated cables, cabinets, etc.)
- Physical Network Security & Information Assurance Solutions (PDS, Fiber Security, Intelligent Patching)
- OSP/LAN Networks (Cable, Connectivity, Pathway, Racks/Cabinets)
- Secure/C4ISR Network & SCIF Infrastructure (SIPRNET/JWICS, DODIIS)
- Physical Security & Life Safety (Access Control, CCTV, Paging, Notification)
- Tactical & Deployable Solutions (Mobile Command Centers, Integrated Cross Talk over multiple platforms)

Protecting Everything
- National: Border Security
- Perimeters: Airports
- Perimeters: Restricted Areas
- Military: Counter IED
- Military: Choke Points
- Perimeters: High Value Assets
- Perimeters: Power Stations
- Railways: Track Damage
- Railways: Cable Tampering
- Perimeters: Vandalism

Conclusion: Secure(it) Program
- Most Comprehensive Collection of Products and Solutions Developed Specifically for Reducing the Cost and Complexity of SIPRNet Networks
- Proven Approved Bundled Solutions from Industry Leading Manufacturers
- Exclusive to CSC
- Products and Solutions
- Design and Consulting Services Available
- Complete Security for Confidential, Secret, Top Secret, Sensitive Compartmented Information (SCI), Special Access Programs (SAP)
- The Most Experienced Team in the Industry
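The "Securing Wireless Networks" slide in Mr. McGrath's section contrasts signature-based and anomaly-based WIDS, and states their characteristic failure modes: signatures miss attacks nobody has written a rule for, and an anomaly baseline built from an incomplete training capture produces false positives. The following is an added example, written for this page and not part of the Wesco presentation or any vendor product, that runs both detectors over constructed 802.11 management-frame summaries so that each failure mode is visible on a concrete capture. The SSID, BSSIDs, the two signature rules, the 3-sigma threshold and every frame record are constructed for the example; no real traffic is involved.

```python
"""Signature-based vs anomaly-based WIDS logic over constructed 802.11 frame summaries.

Added example; frame records are constructed and the SSID/BSSID values are
assumptions, not data from the original presentation.
"""
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

NET_SSID = "BAS-OPS"                    # assumed: the SSID we operate
TRUSTED_BSSID = "aa:bb:cc:00:00:01"     # assumed: our only legitimate AP
ATTACKER = "de:ad:be:ef:00:01"          # constructed: deauth-flood source
ROGUE_AP = "de:ad:be:ef:00:02"          # constructed: evil-twin BSSID
SUBTYPES = ("beacon", "probe_req", "auth", "assoc_req", "deauth")


@dataclass(frozen=True)
class Frame:
    t: float        # capture time, seconds
    src: str        # transmitter address
    subtype: str    # one of SUBTYPES
    ssid: str = ""  # only meaningful for beacons


def per_second_counts(frames):
    """Map each one-second bucket to a Counter of frame subtypes seen in it."""
    counts = defaultdict(Counter)
    for f in frames:
        counts[int(f.t)][f.subtype] += 1
    return counts


def signature_detect(frames):
    """Misuse detection: two hand-written rules for attacks we already know.
    Anything that matches neither rule is, by construction, invisible here."""
    alerts = set()
    deauths = Counter()
    for f in frames:
        if f.subtype == "deauth":
            deauths[(f.src, int(f.t))] += 1
        elif f.subtype == "beacon" and f.ssid == NET_SSID and f.src != TRUSTED_BSSID:
            alerts.add(("evil_twin", f.src))        # our SSID from a foreign BSSID
    for (src, _sec), n in deauths.items():
        if n > 10:                                    # >10 deauth/s from one source
            alerts.add(("deauth_flood", src))
    return sorted(alerts)


def train_baseline(normal_frames):
    """Anomaly detection, training phase: per-subtype mean and population
    standard deviation of one-second counts in a capture believed clean."""
    counts = per_second_counts(normal_frames)
    seconds = range(min(counts), max(counts) + 1)
    return {st: (statistics.mean([counts[s][st] for s in seconds]),
                 statistics.pstdev([counts[s][st] for s in seconds]))
            for st in SUBTYPES}


def anomaly_detect(frames, baseline, k=3.0, floor=2.0):
    """Alert on any one-second count above mean + k*stdev. `floor` keeps a
    zero-variance baseline (a subtype never seen in training) from alerting
    on a single stray frame."""
    alerts = set()
    for sec, c in per_second_counts(frames).items():
        for st, n in c.items():
            mean, sd = baseline.get(st, (0.0, 0.0))
            if n > mean + max(k * sd, floor):
                alerts.add((st, sec))
    return sorted(alerts)


def constructed_normal_capture(seconds=60):
    """Constructed clean traffic: 10 beacons/s, 1-2 probe requests/s, one
    client joining every 10 s, no deauth frames. Note: it never contains a
    burst of joins, which is the gap the test capture exploits."""
    frames = []
    for s in range(seconds):
        frames += [Frame(s + i / 10, TRUSTED_BSSID, "beacon", NET_SSID) for i in range(10)]
        frames += [Frame(s + 0.5, f"02:00:00:00:00:{i:02x}", "probe_req") for i in range(1 + s % 2)]
        if s % 10 == 0:
            client = f"02:00:00:00:01:{s:02x}"
            frames += [Frame(s + 0.7, client, "auth"), Frame(s + 0.8, client, "assoc_req")]
    return frames


def constructed_test_capture():
    """Constructed four-second capture: background traffic plus four events."""
    frames = []
    for s in range(100, 104):
        frames += [Frame(s + i / 10, TRUSTED_BSSID, "beacon", NET_SSID) for i in range(10)]
        frames.append(Frame(s + 0.5, "02:00:00:00:00:00", "probe_req"))
    # t=100: known attack, noisy: 20 deauth frames in one second
    frames += [Frame(100 + i / 20, ATTACKER, "deauth") for i in range(20)]
    # t=101: known attack, quiet: a single rogue beacon carrying our SSID
    frames.append(Frame(101.05, ROGUE_AP, "beacon", NET_SSID))
    # t=102: never-seen attack: probe-request flood from 50 spoofed sources
    frames += [Frame(102 + i / 50, f"06:00:00:00:00:{i:02x}", "probe_req") for i in range(50)]
    # t=103: benign burst absent from training: 8 clients join at shift change
    for i in range(8):
        client = f"02:00:00:00:02:{i:02x}"
        frames += [Frame(103 + i / 10, client, "auth"), Frame(103.05 + i / 10, client, "assoc_req")]
    return frames


if __name__ == "__main__":
    baseline = train_baseline(constructed_normal_capture())
    capture = constructed_test_capture()
    print("signature:", signature_detect(capture))  # deauth flood and evil twin only
    print("anomaly:  ", anomaly_detect(capture, baseline))
    # anomaly flags deauth (100) and the novel probe flood (102), misses the
    # quiet evil twin (101), and false-positives on the shift change (103)
```

Reading the two alert lists side by side is the whole lesson: the signature detector is silent on the probe-request flood because no rule describes it, while the anomaly detector misses the single rogue beacon (11 beacons in a second is within three standard deviations of 10) and raises two alerts on eight legitimate clients joining at once, purely because the training window never saw a shift change. In practice the two are run together, and the anomaly baseline is re-trained on captures that span the site's real operating rhythm before it is trusted to page anyone.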