Building Insecurity
Lisa Kaiser, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Insecurity: How do I
- Specify it
- Buy it
- Test it
- Deploy it
- Regret it
- Apologize for it

Specifying Insecurity
- Ignore security entirely
- Specify inappropriate standards
- Use vagueness
- Demand particular technology solutions

Buying Insecurity
- Never mention security
- Don't put it in writing
- Listen when they say "We'll secure it later"
- Cheaper is always more secure
- New is more secure

Testing Insecurity
- Never test
- Check only sunny-day scenarios
- Rely on vendor assurances
- Use only cheap security experts
- Use your firewalls

Deploying Insecurity
- Don't plan
- Use default passwords
- Bypass all the security
- Never do SAT (site acceptance testing)
- Ignore security alarms and alerts
(Photo courtesy of Kristian Ovaska, 2003)

Regretting Insecurity
- Begin with an RFQ
- Ignore any breaches
- Shoot the messenger
- Apply quick fixes
- Use the blame game

Apologizing for Insecurity
- Leave the organization
- Distract customers
- Avoid responsibility
- Attack the messengers
- Use the press
- Blame us

However, if you're NOT trying to build insecurity but instead wish to build in security, try this to achieve your goal:

Cyber Security Evaluation Tool (CSET)
- Stand-alone software application
- Self-assessment using recognized standards
- Tool for integrating cybersecurity into an existing corporate risk management strategy
CSET download: http://ics-cert.us-cert.gov/downloading-and-installing-cset

CSET Standards: requirements derived from widely recognized standards
- NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems, Rev 3, with Appendix I (ICS Controls)
- Consensus Audit Guideline (CAG): criteria evaluation recommendations based upon the National Security Agency (NSA) cyber attack phases
- NERC Critical Infrastructure Protection (CIP): Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4
- DoD Instruction 8500.2: Information Assurance Implementation, February 6, 2003
- NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security, June 2011
- NRC Regulatory Guide 5.71: Cyber Security Programs for Nuclear Facilities, January 2010
- CFATS RBPS 8 (Cyber): Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 (Cyber), 6 CFR Part 27
- Transportation Security Administration (TSA) Pipeline Guidelines: DHS TSA guidance for the pipeline industry

CSET Capabilities
What CSET CAN do:
- Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
- Specify cybersecurity recommendations
- Report using standards-based information analysis
- Provide a baseline cybersecurity posture
What CSET CAN'T do:
- Validate the accuracy of user inputs
- Ensure compliance with organizational or regulatory cybersecurity policies and procedures
- Ensure implementation of cybersecurity enhancements or mitigation techniques
- Identify all known cybersecurity vulnerabilities

Assessment Team: a TEAM of participants is required to perform a successful assessment

Type of Participant                  | Knowledge
Control Systems Engineer             | Control systems
Configuration Manager                | Systems management
Operations Manager                   | Business operations
IT Network Specialist                | IT infrastructure
IT Security Officer                  | Policy & procedures
Risk Analyst or Insurance Specialist | Risk

Assessment Process
1. Organize the team
2. Add assessment information
3. Select the mode and standards
4. Determine the security level
5. Build the network diagram
6. Answer questions
7. Analyze results

Screenshot walkthrough (slide titles only; the screen images are not reproduced):
- Context Specific Help
- Starting Screen
- Assessment Info Main Window
- Standards Screen / Assessment Modes
- Questions and Standards
- General SAL (Security Assurance Level) Determination
- NIST SAL Determination
- Diagramming Tool
- Diagram Maximized Screen Space
- Questions Screen
- Question Information
- Comments, Marked and Alternates
- Component Questions
- Component Overrides
- Analysis Screen
- Analysis Detail Screens
- Analysis Detail - Example
- Question Filters
- Hardcopy Reports
- Resource Library
- Resource Library - Search

CSET 6.0 Enhancements
New/updated standards:
- NEI 08-09 Rev 6
- NISTIR 7628 Ver 1 (August 2010)
- INGAA Ver 1 (January 31, 2011)
- NIST SP 800-53 Rev 4, Appendix J
- NIST SP 800-82 Rev 1 (May 2013)
- CNSSI ICS Overlay update
New evaluation capabilities:
- Merging
- Comparison
- Aggregation
- Trending

Trending Sample Screen: CSET Assessment Aggregation, Trending Mode. The screen plots Overall Trends for 2011, 2012 and 2013 (Environmental, Security Components, Standards, Overall), the Top 5 Most Improved Areas, the Top 5 Areas of Decline, and a per-category trend across the assessment categories (Access Control, Account Management, Audit and Accountability, Communication Protection, Configuration Management, Incident Response, Info Protection, Information and Document Management, Maintenance, Personnel, Physical Security, Plans, Policies & Procedures General, Privacy, Procedures, Risk Management and System Integrity, System Protection, System and Services, Training). Bar values omitted.

Aggregation Sample Screen: CSET Assessment Aggregation, Comparison Mode. Summary table of answered questions per site:

Site   | Total Questions | Yes | No
Site A | 560             | 300 | 260
Site B | 342             | 300 | 42
Site C | 268             | 152 | 116

The screen also compares the three sites by Components, Standards and Overall score against their SAL level, breaks the comparison down by category (Access Control, Account Management, Audit and Accountability, Communication Protection, Configuration Management, Continuity, Environmental, Incident Response, Info Protection, Information and Document Management, Portable/Mobile/Wireless, Privacy, Procedures, Remote Access, Risk Management, SIS, Software, System Integrity, System Protection, System and Services, Training), and can sort sites by best or worst results in areas such as Access, Password, Policies and Procedures. Bar values omitted.

CSET 6.0 Enhancements (cont.)
New/updated functionality:
- Inventory lists
- Security plans
- YouTube tutorials
- Updated diagramming tool

Key Contact Information
Lisa Kaiser, Lisa.Kaiser@dhs.gov
Download CSET: http://ics-cert.us-cert.gov/downloading-and-installing-cset