Cyber Security Procurement Language for Control Systems

Similar documents
Critical Controls for Cyber Security.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

CONTROL SYSTEM VENDOR CYBER SECURITY TRENDS INTERIM REPORT

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

NSTB. LESSONS LEARNED FROM CYBER SECURITY ASSESSMENTS OF SCADA AND ENERGY MANAGEMENT SYSTEMS Raymond K. Fink David F. Spencer Rita A.

INCIDENT RESPONSE CHECKLIST

locuz.com Professional Services Security Audit Services

Standard: Web Application Development

CYBER SECURITY. Is your Industrial Control System prepared?

Global Partner Management Notice

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Locking down a Hitachi ID Suite server

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

imagepress CR Server A7000 Powered by Creo Color Server Technology For the Canon imagepress C7000VP/C6000VP/ C6000

Architecture Overview

Implementing Security Update Management

Medical Device Security Health Group Digital Output

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Cyber Security nei prodotti di automazione

External Supplier Control Requirements

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

IT Security and OT Security. Understanding the Challenges

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Cyber Security Implications of SIS Integration with Control Networks

Vulnerability Testing of Industrial Network Devices

Network Security: A Practical Approach. Jan L. Harrington

How To Manage Security On A Networked Computer System

Enterprise Computing Solutions

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Detecting rogue systems

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

05.0 Application Development

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

New Era in Cyber Security. Technology Development

FIREWALL POLICY DOCUMENT

California Department of Technology, Office of Technology Services WINDOWS SERVER GUIDELINE

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

Reducing Application Vulnerabilities by Security Engineering

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Columbia University Web Security Standards and Practices. Objective and Scope

IBM Security Strategy

GFI Product Manual. Administration and Configuration Manual

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

SANS Top 20 Critical Controls for Effective Cyber Defense

The Electronic Arms Race of Cyber Security 4.2 Lecture 7

Running head: USING NESSUS AND NMAP TOOLS 1

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Security Testing in Critical Systems

Streamlining Web and Security

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Designing a security policy to protect your automation solution

NERC CIP Version 5 and the PI System

Database Security Guide

A Decision Maker s Guide to Securing an IT Infrastructure

NSTB LESSONS LEARNED FROM CYBER SECURITY ASSESSMENTS OF SCADA AND ENERGY MANAGEMENT SYSTEMS. Raymond K. Fink David F. Spencer Rita A.

The Protection Mission a constant endeavor

Concierge SIEM Reporting Overview

The Bomgar Appliance in the Network

LEARNING SOLUTIONS website milner.com/learning phone

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Critical Security Controls

How to Integrate NERC s Requirements in an Ongoing Automation and Integration Project Framework

Recommended IP Telephony Architecture

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

SAST, DAST and Vulnerability Assessments, = 4

HoneyBOT User Guide A Windows based honeypot solution

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Medical Image Manager (MIM) Version 6.1.

13 Ways Through A Firewall

Hosts HARDENING WINDOWS NETWORKS TRAINING

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS

AN OVERVIEW OF VULNERABILITY SCANNERS

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Enterprise Security Tactical Plan

Intrusion Detection Systems (IDS)

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

For more information or call

CMPT 471 Networking II

Windows 7, Enterprise Desktop Support Technician

Managing internet security

Transcription:

Cyber Security Procurement Language for Control Systems Rita Wells Idaho National Laboratory Program Sponsor: National Cyber Security Division Control Systems Security Program

Cyber Security Procurement Language for Control Systems Background Foundation How to Use Department of Homeland Security: Cyber Security Procurement Language for Control Systems August 2008 Content

Procurement Language for Control Systems Main Contributors: Department of Homeland Security NCSD/CSSP Department of Energy NSTB Idaho National Laboratory Asset Owners, Vendors New York State SANS U.S. Department of Energy Office of Electricity Delivery and Energy Reliability Latest Release August 2008 Version 2.0 http://www.us-cert.gov/control_systems

Risk Reduction Work with public and private sectors to reduce vulnerabilities and minimize the severity of cyber attacks Software Assurance A Strategic Initiative to Promote Integrity, Security, and Reliability in Software Procurement Specification for Control Systems Initiative to develop procurement language for control systems (hardware and software)

Project Goal & Scope Goal Develop common procurement requirements and contractual language that the owners can use to ensure control systems they are buying or maintaining have the best available security Scope New control systems Maintenance of systems Legacy systems Information and personnel security

Foundation Analyzed 54 Assessments: Assessments funded by DHS, DOE, Industry, and Assetowners Each assessment ranges from 275-800 hours of cyber security researcher and additional efforts for control system and network engineers 20 in-lab and 18 on-site assessments Identified common vulnerabilities Also identified unique defensive architectures

When to Use: New Systems Request for Proposal Proposal Submittal Bid Review Contract Award Statement of Work Design Review Document Review Factory Acceptance Testing Site Acceptance Testing Maintenance Procurement Language FAT Measurements SAT Measurements Maintain

When to Use: Legacy Systems Negotiating a new maintenance contract Applying Upgrades Accepting Updates Applying security add-ons Procurement Language FAT Measurements SAT Measurements Maintain

How to Use: Security Culture Not a cut and paste Still need to engineer system and understand the architecture, functional requirements and operational constraints Does your company have past experience: Need for an ongoing security program (not a one time project) Strong security culture or outsource? Accustom to providing adequate funding for security Have adequate security staff for support

How to use: Functional Architecture Procurement Language Aggressive project designed to provide a buyers tool kit Provide security requirements for inclusion into RFPs Use common, grounded and valuable language Support Bid Reviews (gauge responsiveness) Provide the detail required to support SOW development and Design Creation & Review Starting with greatest risk that can be addressed Procurement Language FAT Measurements SAT Measurements Maintain

Factory Acceptance Test Measurements Linked to the procurement requirement Provides language to include in Factory Acceptance Testing requirements and specifications Designed to validate the requirement has been met Allows for rigorous security testing in an isolated environment Gives the vendor the opportunity to verify the product meets the security requirements prior to installation in the field. Procurement Language FAT Measurements SAT Measurements Maintain

Site Acceptance Test Measurements Linked to the procurement requirement Provides language to include in Site Acceptance Testing requirements and specifications Designed to validate the risk reducing requirement is not lost during implementation in the Asset Owners environment Important step that requires an understanding of why it was delivered that way First hand-off from the procurement / provider team to the actual operator and maintainer Procurement Language FAT Measurements SAT Measurements Maintain

Maintenance Language & Operating Guidance Linked to the procurement requirement Provides language to include in maintenance contracts Designed to further reduce the risk to control systems during their life-time Critical step to ensure the benefits of the security requirements are not lost during the technologies operational lifespan Requires an understanding of why it was delivered that way Procurement Language FAT Measurements SAT Measurements Maintain

Procurement Language Topics System Hardening Removal of Unnecessary Services and Programs Host Intrusion Detection systems Changes for File Systems and OS Permissions Hardware Configurations Heartbeat Signals Installing OS applications and 3 rd party software Perimeter Protection Firewalls Network Intrusion Detection Systems Canaries Account Management Disabling, Removing or Modifying Well-Known or Guest Accounts Session Management Password/Authentication Policy and Management Account audit and Logging Role-based Access Control Single Sign-on Separation Agreement Coding Practices Coding for Security Department of Homeland Security: Cyber Security Procurement Language for Control Systems August 2008 Flaw remediation Notification and Documentation from Vendor Problem Reporting Malware Detection and Protection Host Name Resolution Network Addressing and Name Resolution

Procurement Language Topics - continued End Devices Intelligent electronic Devices Remote Terminal Units Programmable Logic Controllers Sensors, Actuators and Meters Remote Access Dial up Modems Dedicated Line Modems TCP/IP Web-based Interfaces Virtual Private Networks Serial Communications Physical Security Access of Cyber Components Perimeter Access Manual Override Control Intra-perimeter Communications Network Partitioning Network Devices Network Architecture Department of Homeland Security: Cyber Security Procurement Language for Control Systems August 2008

A Page From the Tool Kit: Format Procurement Topic Security Risk or Basis Description Language Guidance Procurement Language Factory Acceptance Test Measurements Site Acceptance Test Measurements Maintenance and Operations Guidance References or Standards Dependencies

Subjects Version 2.0 System Hardening Removal of Unnecessary Services and Programs Host Intrusion Detection systems Changes for File Systems and OS Permissions Hardware Configurations Heartbeat Signals Installing OS applications and 3 rd party software Type Port Issue and Fix Security Issues and Fixes: 1.2.3.4 Informational netbios-ssn (139/tcp) An SMB server is running on this port Nessus ID : 15071 Informational netbios-ns (137/udp) Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain... The remote host has the following MAC address on its adapter : 00:0e:0e:b1:08:d9 CVE : CVE-1999-0671 Other references : OSVDB:13577 Nessus ID : 10490 Address of Host 1.2.3.4 1.2.3.4 Port/Service netbios-ssn (139/tcp) netbios-ns (137/udp) Analysis of Host Issue regarding Port Security notes found Security notes found From a Nessus Scan 1.2.3.4 ldap (389/tcp) Security notes found

Subjects Version 2.0 Perimeter Protection Firewalls Network Intrusion Detection Systems Canaries

Subjects Version 2.0 Account Management Disabling, Removing or Modifying Well-Known or Guest Accounts Session Management Password/Authentication Policy and Management Account audit and Logging Role-based Access Control Single Sign-on Separation Agreement User: dopey Password: badpassword

Subjects Version 2.0 Coding Practices Coding for Security Rating System Description of weaknesses Simplicity Impact A Database Software; SQL non-parametric query allows for SQL attacks B C Perl scripts taintness option not enabled - allowed for the uploading and execution of arbitrary code SQL Injection vulnerabilities used to exploit server on DMZ D Miscellaneous Client software, database connections, SQL injection E Real time database, SQL forward, IPSec can be disabled F Application point of failure, several variable overflows, ICCP, 3 rd party security product G Proprietary file share server, data listener, input output handler H Database and application server key logger attack I Input output handler, 3 rd party log monitor tool, OS scheduling utility proprietary listener J Proprietary listener and database OllyDbg

Subjects Version 2.0 Flaw Remediation Notification and Documentation from Vendor Problem Reporting 1988 Clear Text Vulnerability Impact EXAMPLE (CVE-2006-3942) Simplicity Exposure Deployment

Subjects Version 2.0 Malware Detection and Protection SANS.org Internet Storm Center

Subjects Version 2.0 Host Name Resolution Network Addressing and Name Resolution Allowed Network Flows Host 1 Host 2 Port Host A Host B TCP 80 Host C Host D TCP 123 Alert on all other flows

New Subjects Version 2.0 End Devices Intelligent electronic Devices Remote Terminal Units Programmable Logic Controllers Sensors, Actuators and Meters Control Valves Remote Terminal Unit Sensors Smart Meters Programmable Logic Controllers (PLC)

New Subjects Version 2.0 Remote Access Dial up Modems Dedicated Line Modems TCP/IP Web-based Interfaces Virtual Private Networks Serial Communications

New Subjects Version 2.0 Physical Security Access of Cyber Components Perimeter Access Manual Override Control Intra-perimeter Communications

New Subjects Version 2.0 Network Partitioning Network Devices Network Architecture

Vendors Audience is for asset owners or buyers of systems Support the vendors by addressing technology security problems they deal with as buyers of components - Important trend: Control System company is an integration & software effort Provide value to vendors which will pass on to asset owners, start the security dialog in a common language

International Outreach Pressure from multiple markets Europe & Asia International participation & interest 15 countries UK & Australia taking leadership role European Union discussions

Participant Creation Develop an Open Contribution framework Shift drafting from drafting team to participants Need to set up quality review process and rules 190+ asset owner members Multiple stakeholder communities Allow other programs to support (CPNI, AUS Gov, etc.) Sectors take ownership to apply sections needed unique to architectures System Integrators use as baseline Vendors use as discussion points

Vendor Response Map requirements to product offerings Distinguish what is provided to what is not No one entity will be able to provide all requirements Categorize the not provided functions to want to in the future or not needed because of other functions or architecture makes the requirement not relevant Start the dialog: Use the we don t provide that to open the discussion with the customers on why not or alternatives that work better for the functional needs

Discussion Gary J. Finco Idaho National Laboratory gary.finco@inl.gov 208-526 7048 Rita Wells Idaho National Laboratory rita.wells@inl.gov 208-526 3179

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information