Security Implications Associated with Mass Notification Systems

Overview

Cyber infrastructure: includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems; networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure. [1]

Cover:
- Cyber risk challenges
- Components of security strategy
- MNS security concerns
- Mechanisms that may be deployed to mitigate the risks to an MNS system
- UL 2572 security measures
- Example: Electrical Grid recent cybersecurity history

[1] National Infrastructure Protection Plan

Cyber Risk Challenges

2013 Target hack: the attackers used an HVAC service company's authorized network access.

Cyber Risk Challenges

At Black Hat USA 2013, several presentations were made on hacking into an automated home, e.g. "Hacking Z-Wave Home Automation Systems" by Behrang Fouladi and Sahand Ghanoun.

Cyber Risk Challenges

In February 2013, the emergency alert system at KRTV-TV in Great Falls, Montana was hacked during "The Steve Wilkos Show" to send out a message, in several counties, that "zombies were getting up and residents should not try and apprehend them".

Why Security?

Why did we put brakes in a car?
- Primary impulse answer: TO STOP
- Another answer: TO GO FASTER

Cybersecurity measures are like brakes: they can advance the use of products in a safe and secure manner.

"The boundary of one thing is the beginning of another." (Leonardo da Vinci)

Threats, Vulnerabilities and Risks

Threat: any action, whether intended or not, to infiltrate the workings of a system. A general understanding of who might attack what assets:
- Nation-states
- Professional: usually performing theft, espionage or malicious activity
- Hobbyist: hacks into products and systems without the intent to perform criminal or malicious activity outside of the hacking act itself
- Malware: automated attack software
- Employees

Risk / Opportunity: the asset to be appropriated:
- Control center control
- Device control
- Access to private/personal data

Vulnerability: a defined flaw in security measures, whether by design or in how the product or service is implemented, that can be exploited:
- Unpatched published vulnerabilities
- Remote control protocols
- Web services
- Buffer overflows
- Weak or improper authentication mechanisms
- Improper authorization (access control)
- Credential control
- Messaging manipulation and injection
- SQL injection into data historians

Components of a Security Strategy

Identify the security objectives of an MNS system:
- Availability: disruption of access to information from an MNS
- Integrity: unauthorized modification of information from an MNS
- Confidentiality: unauthorized disclosure of information from an MNS

Defense in depth.

MNS Security Concerns

- Communications protocol
- Design vulnerabilities in products
- Implementation vulnerabilities in the use of products
- Availability and integrity
- Secure communications
- Internal infrastructure attacks
- External infrastructure attacks

Mass Notification Security Concerns: Communications Protocol

Common design vulnerabilities:
- Sensors/actuators have no inherent security.
- Control panels have limited, untested security.
- Remote accessibility to control panels and server software.
- Non-secure firmware updates.
- Open ports on devices and services.
- Tamper detection and/or resistance is minimal.
- Web services.
- Poor coding practices.

Common counter measures:
- Disable unused physical and logical ports.
- Fuzz testing on all ports.
- All ports should require authentication.
- Test factory defaults while in operation.
- No hard-coded passwords.
- Firmware upgrades must be secure (digital signatures).
- Include tamper detection technologies.
- Enforce secure coding practices.
- Perform an independent security source code audit.
- Obfuscation.

Mass Notification Security Concerns: Communications Protocol

Implementation vulnerabilities:
- Limited patching and testing of new patches
- Use of default passwords
- Incorrect configuration use
- Networks are now connected to the outside world

Common counter measures:
- Patch management
- Secure workstations and servers with known IT practices and policies
- Whitelisting and blacklisting
- Audit trails with alerts
- Network penetration testing
- Review of audit logs and security policies
- Independent vulnerability and cyber-security assessments
- Intrusion detection and prevention reviews

Mass Notification Security Concerns: Communications Protocol

Communication lines allow for:
- Line sniffing (eavesdropping)
- Man-in-the-middle injection
- Denial of service
- Spoofing/masquerading
- Record and replay
- Credentials that are not secured

Common counter measures:
- Cryptography and credential security
- Test and implement against known standards (FIPS 140)
- Secure authentication / non-repudiation
- Data filtering and discarding
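The communications counter measures above (message authentication so that injected or spoofed frames are discarded, plus rejection of record-and-replay) as an added Python example; this is not code from the presentation or from UL 2572. The pre-shared key, the frame format (JSON body followed by an HMAC-SHA256 tag) and the monotonic per-sender counter are assumptions of this example.

```python
import hmac
import hashlib
import json

# Constructed placeholder: a 256-bit key provisioned on the MNS control panel
# and on each notification appliance. Real deployments use random key material.
SHARED_KEY = bytes.fromhex("00" * 31 + "01")


def build_message(key: bytes, counter: int, text: str) -> bytes:
    """Control panel side: serialize an alert and append an HMAC-SHA256 tag
    over the counter and text, so neither can be altered without the key."""
    body = json.dumps({"ctr": counter, "msg": text}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Receiver:
    """Notification appliance side: accept a frame only if the tag verifies
    and the counter is strictly greater than the last accepted one. A frame
    captured off the line and sent again (record and replay) therefore fails,
    as does any frame whose body was modified in transit (MITM injection)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_ctr = -1

    def accept(self, frame: bytes) -> tuple:
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison: avoids leaking tag bytes through timing.
        if not hmac.compare_digest(expected.encode(), tag):
            return False, "bad tag"
        fields = json.loads(body)
        if fields["ctr"] <= self.last_ctr:
            return False, "replay"
        self.last_ctr = fields["ctr"]
        return True, fields["msg"]
```

The counter state must survive appliance restarts (e.g. be stored in non-volatile memory), otherwise an old captured frame becomes valid again after a power cycle.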

UL 2572 Data Security Measures

1. Security and Data Protection. Evidence of a certificate of compliance. Security functions shall be one or more of the following:
- Symmetric key encryption functions
- Asymmetric key signature functions
- Message authentication functions
- Hashing functions

2. Communication Security:
- Communication Security Level 1: Independent dedicated network
- Communication Security Level 2: Non-dedicated private network
- Communication Security Level 3: Non-dedicated public network

3. Stored Data Security. The following stored data shall be protected by minimum security functions:
- Passwords
- DRMNS contact data
- System configuration data
- Audit logs and reports
- ECS/MNS messages

4. Access Control Security:
- Password/PIN with a minimum of 1000 combinations.
- Password/PIN minimum length of 8 characters, each of at least 10 options.
- Password/PIN minimum length of 12 characters, each of at least 10 options, or equivalent means (such as 2-factor authentication).
- The security means shall have a time-out feature ("auto-log-out").
- The system shall disable a user account after a maximum of 5 unsuccessful consecutive login attempts.

Password Example

Passwords are stored (username KEN, password PASSWORD):
- Plaintext: PASSWORD
- Hash form: MD5(PASSWORD) = A3eeF%4zz5JJd
- Salted hash: MD5(PASSWORD + <unique>) = bbgtee$5%fglopp
- Encrypted: AES(PASSWORD) = sf$%^&aq

Passwords are attacked via:
- Brute force guessing: dependent on the system responding with a yes or no
- Password cracking: offline processing of a hash (approx. hundreds of millions of password guesses a second)
- Precomputed hash attack: rainbow and lookup tables of all possible hashes are searched
- Pass the hash: gain access to the hash or alter the hash

MD5, SHA-1, SHA-512: good hash algorithms for integrity in a short time, but all possible hashes can easily be enumerated.
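The UL 2572 access-control requirements (minimum length, lockout after 5 consecutive failures) together with the salted-hash storage from the password example, as an added Python example using only the standard library; it is not code from the presentation or from UL. The policy check, the PBKDF2-SHA256 iteration count and the account record layout are assumptions of this example; the auto-log-out timer is not shown.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5      # UL 2572: disable after at most 5 consecutive failures
MIN_PASSWORD_LENGTH = 8      # UL 2572: at least 8 characters
PBKDF2_ITERATIONS = 100_000  # assumed work factor; raise on faster hardware


def check_policy(password: str) -> bool:
    """Length >= 8 with letters and digits, so each position has well over
    the 10 options UL 2572 asks for (an assumed approximation of the rule)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash. Unlike the plain MD5 of the slide, the same
    password gives a different stored value per user, so a precomputed
    rainbow/lookup table built for one salt is useless for every other."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "failed", "disabled"}

    def create(self, username: str, password: str) -> bool:
        if not check_policy(password):
            return False
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest,
                                "failed": 0, "disabled": False}
        return True

    def login(self, username: str, password: str) -> str:
        rec = self.users.get(username)
        if rec is None:
            return "unknown user"
        if rec["disabled"]:
            return "disabled"   # stays locked until an administrator re-enables it
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failed"] = 0   # a success resets the consecutive-failure count
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["disabled"] = True
            return "disabled"
        return "denied"
```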

Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/

Example: Smart Grid Advanced Security Acceleration Project - SG

- Description: Develop system-level security requirements for smart grid technology
- Approach: Architectural team produces material; Usability Analysis team assesses effectiveness; NIST and UtiliSec review and approve
- Deliverables: Strategy & Guiding Principles white paper; Security Profile Blueprint; 6 Security Profiles; AMI Security Profile; Usability Analysis
- Schedule: June 2009 to June 2012
- Budget: $3M/year ($1.5M Utilities + $1.5M DOE)
- Performers: Utilities, EnerNex, Inguardians, SEI, ORNL
- Partners: DOE, EPRI
- Release Path: NIST, UCAIug

THANK YOU.

Ken Modeste
Security and Global Communications
Underwriters Laboratories Inc.
Ken.modeste@ul.com