SlideShare a Scribd company logo

American Bar Assoc. ISC 2009

I
infracritical

Legal and IT Aspects of Securing Our Critical Infrastructures

1 of 18
Download to read offline
American Bar Association Section of Science and Technology Law Information Security Committee 2009 Annual Meeting – Lunch Presentation Wednesday, July 29, 2009 Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE Legal and IT Aspects of Securing Our Critical Infrastructures Creative Commons License v3.0. 1
What is a “critical infrastructure”? • Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1) • These assets include (but are not limited to): – Telecommunication systems – Energy distribution – Banking & financial systems – Transportation – Water treatment facilities – etc … there are a total of 14 infrastructure sectors. 1. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 2
Reasons for addressing infrastructure issues • Critical infrastructures historically regarded physically and logically interdependent systems … until 9/11. • Advances in IT systems and efforts to improve efficiencies of these systems, infrastructures have become increasingly automated and interlinked. • Improvements created new vulnerabilities(2) • Equipment failure • Human error • Natural causes (weather, drought, corrosion, locusts…) • Physical and computer-related attacks 2. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 3
Issues with our critical infrastructures today • Each infrastructure entity is responsible for protecting its own infrastructure; little to no cross cooperation. • Each infrastructure entity needs to have measures that assure information is valid and accurate (apply A-I-C principle); most are currently lacking. • Work should take holistic approach as systems are interdependent. (the Domino Principle). 4
Assure the systems that support the systems • The infrastructure assurance process should: – Provide a consistent testing and evaluation framework of each infrastructure sector. – Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect. – Expedite process to validate holistic systems. • Assurance processing applies to both public and private sectors. 5
Introducing SCADA and control systems … • Most control systems are computer based. • Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions. • Functions to provide safety controls and security. • Primary role to ensure operations continuity within a plant. • Control system abilities vary from simple to complex. 6
Introducing SCADA and control systems … • Two kinds of industrial control systems (ICS): – Distributed Control Systems (DCS) are typically used within a single process or plant, or used over a smaller geographic area, possibly even a single site location. – SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3) 3. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 7
What makes a control system different? • Conventional data systems (IT) are human oriented. • Control systems are machine / process oriented: – Cannot be easily stopped - once stopped, takes a very long time to re-start; stopping an ICS means loss of revenue. – However … there is more at stake than financial considerations; stopping ICS can introduce safety issues. – Availability and reliability are paramount. 8
Practical and legal considerations 1. Safety ALWAYS 2. Availability of the service 3. Security and access control 4. Regulation and compliance 9
Admiralty Law similarity: ICS practical concerns • You CANNOT stop operation of an infrastructure. • You CAN refer to federal investigation reports from NTSB, NRC, or CSB. • You CAN depose engineers, operators, and technicians once the emergency is no longer a threat. • You CANNOT confiscate original data without scheduled outage and/or without having a duplicate, backup system. • Prosecution of any offense should occur AFTER the event has been rendered safe, investigations conducted, and results reported by recognized experts. 10
Provenance of data is extremely important • Accurate timestamps and source matter are crucial. • Logs from ICS must be validated. • Instrumentation needs to be validated AFTER an incident, but before … – An expert is involved with a control systems background; and, – Has knowledge in information security w/certification and registration. • Control systems are NOT at all similar to “personal computers”: – Real Time Systems (RTS) are operated very differently (see orientation). – Process controllers are fundamentally similar to embedded systems. 11
Provenance of data is extremely important • Cryptographic signatures (if applicable, if possible). • Management methods must be documented. – Explaining ‘what’ and ‘how’. • Access to each system must be documented: – Answers ‘who’, ‘when’ and ‘where. • Protocols and code must be validated and documented. – Validates ‘why’. 12
Factors to consider with ICS • Latency of data events. – Timing delay between events. • Sequence of events. – Order of events. • Timing of events. – Duration and speed of events. • Time of when alarms were reported to plant operators. – When alarm is reported, that the event took place at its stated time. 13
Public standards for control system security • NERC CIP (not considered a complete specification by many). • NIST SP800-53: “Recommended Security Controls for Federal Information Systems“.(4) • NIST SP800-82: “Guide to Industrial Control Systems (ICS) Security”.(5) 4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Control for Federal Information Systems”, December 2007; URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf. 5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf. 14
Public standards for control system security • ISA-99 – Currently under complex development. – Coordinated with ISA-84 safety specifications. – Considered the most complete and extensive contributed input from the industry. • Beware of the compliance approach: being compliant is NOT the same as being secure.(6) • DHS’s CS2SAT tool is simply just that - only a tool; CS2SAT is NOT a prosecutable document.(7) 6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html. 7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html. 15
CS2SAT NOTE: This particular version is distributed from Lofty Perch, Inc. 16
Public regulations for control systems security • Chemical Facility Anti-Terrorism Standards (CFATS).(8) • FISMA recommends NIST SP800-53.(9) • NERC CIP requires additional work before FERC utilizes it. 8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm. 9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html. 17
A copy of this presentation may be found at our web site: http://www.infracritical.com/papers/aba-isc-2009.zip Bob Radvanovsky, (630) 673-7740 rsradvan@infracritical.com Jacob Brodsky, (443) 285-3514 jbrodsky@infracritical.com Creative Commons License v3.0. 18

Recommended

Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies HyTrust
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
IPAS at Penn State
IPAS at Penn StateIPAS at Penn State
IPAS at Penn StateVince Verbeke
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapalibuildersreviews
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security WebinarAVEVA
 

Recommended

Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies Implementing ID Governance in Complex Environments-HyTrust & CA Technologies
Implementing ID Governance in Complex Environments-HyTrust & CA Technologies HyTrust
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSJim Gilsinn
 
IPAS at Penn State
IPAS at Penn StateIPAS at Penn State
IPAS at Penn StateVince Verbeke
 
Recent changes to the 20 critical controls
Recent changes to the 20 critical controlsRecent changes to the 20 critical controls
Recent changes to the 20 critical controlsEnclaveSecurity
 
Ebook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsEbook: Splunk SANS - CIS Top 20 Critical Security Controls
Ebook: Splunk SANS - CIS Top 20 Critical Security ControlsDominique Dessy
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapali builders -- maroochy water-services-case-study briefing.pdf
amrapali builders -- maroochy water-services-case-study briefing.pdfamrapalibuildersreviews
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security WebinarAVEVA
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom PresentationEric Gallant
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...Muhammad FAHAD
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentationbsinger74
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmasterHafid CHEBRAOUI
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation Adlan Hussain
 
IPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port SecurityIPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port SecurityAdlan Hussain
 
CNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & GasCNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & GasAdlan Hussain
 
CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA Adlan Hussain
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldJames McDonald
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malwareAyed Al Qartah
 

More Related Content

What's hot

Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementEnclaveSecurity
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceCoreTrace Corporation
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:CoreTrace Corporation
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom PresentationEric Gallant
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...Muhammad FAHAD
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentationbsinger74
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsBSides Delhi
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...John M. Willis
 
CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation Adlan Hussain
 
IPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port SecurityIPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port SecurityAdlan Hussain
 
CNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & GasCNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & GasAdlan Hussain
 
CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA Adlan Hussain
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar Nnull The Open Security Community
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...Power System Operation
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldJames McDonald
 

What's hot (20)

Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control Systems
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 ComplianceFeldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
Feldman-Encari: Malicious Software Prevention For NERC CIP-007 Compliance
 
Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:Malicious Software Prevention for NERC CIP-007 Compliance:
Malicious Software Prevention for NERC CIP-007 Compliance:
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
 
Bryan Singer S4 Presentation
Bryan Singer S4 PresentationBryan Singer S4 Presentation
Bryan Singer S4 Presentation
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
Cs cmaster
Cs cmasterCs cmaster
Cs cmaster
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
 
Effective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security ControlsEffective Cyber Defense Using CIS Critical Security Controls
Effective Cyber Defense Using CIS Critical Security Controls
 
Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...Extending the 20 critical security controls to gap assessments and security m...
Extending the 20 critical security controls to gap assessments and security m...
 
CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation CNL Software - IPSecurityCenter Presentation
CNL Software - IPSecurityCenter Presentation
 
IPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port SecurityIPSecurityCenterTM PSIM Enhancing Port Security
IPSecurityCenterTM PSIM Enhancing Port Security
 
CNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & GasCNL Software - PSIM for Energy, Oil & Gas
CNL Software - PSIM for Energy, Oil & Gas
 
CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA CNL Software White Paper - Driving Enterprise PSIM Through True SOA
CNL Software White Paper - Driving Enterprise PSIM Through True SOA
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar NCritical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
 
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
 
White Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc DonaldWhite Paper Aaci Data Center Physical Security Mc Donald
White Paper Aaci Data Center Physical Security Mc Donald
 

Similar to American Bar Assoc. ISC 2009

Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos, Inc.
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malwareAyed Al Qartah
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security PresentationFilip Maertens
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...John Hamilton, DAHC,EHC,CFDAI, CPP, PSPO
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)Ivan Carmona
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Filip Maertens
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82majolic
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?360mnbsu
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsJohn Gilligan
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)shanshicn
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxMahendraShukla27
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceEnergySec
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...PROFIBUS and PROFINET InternationaI - PI UK
 
Webinar 20111011
Webinar 20111011Webinar 20111011
Webinar 20111011Retired
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)TI Safe
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...Mark Underwood
 

Similar to American Bar Assoc. ISC 2009 (20)

Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Defending against industrial malware
Defending against industrial malwareDefending against industrial malware
Defending against industrial malware
 
SCADA Security Presentation
SCADA Security PresentationSCADA Security Presentation
SCADA Security Presentation
 
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
Ncma saguaro cyber security 2016 law & regulations asis phoenix dely fina...
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7Cyber Security Lecture at Rah Rah 7
Cyber Security Lecture at Rah Rah 7
 
S C A D A Security Keynote C K
S C A D A Security Keynote C KS C A D A Security Keynote C K
S C A D A Security Keynote C K
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
ICS security
ICS securityICS security
ICS security
 
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
 
Cyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed ActionsCyber Security: Threats and Needed Actions
Cyber Security: Threats and Needed Actions
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)Cps security bitsworkshopdec15.2012 (1)
Cps security bitsworkshopdec15.2012 (1)
 
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptxCPSSecurityBITSWorkshopDec15.2012 (1).pptx
CPSSecurityBITSWorkshopDec15.2012 (1).pptx
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
 
Webinar 20111011
Webinar 20111011Webinar 20111011
Webinar 20111011
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po...
 

American Bar Assoc. ISC 2009

  • 1. American Bar Association Section of Science and Technology Law Information Security Committee 2009 Annual Meeting – Lunch Presentation Wednesday, July 29, 2009 Bob Radvanovsky, CIFI, CISM, CIPS Jacob Brodsky, PE Legal and IT Aspects of Securing Our Critical Infrastructures Creative Commons License v3.0. 1
  • 2. What is a “critical infrastructure”? • Represents “…assets of physical and computer-based systems that are essential to the minimum operations of the economy and government.”(1) • These assets include (but are not limited to): – Telecommunication systems – Energy distribution – Banking & financial systems – Transportation – Water treatment facilities – etc … there are a total of 14 infrastructure sectors. 1. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 2
  • 3. Reasons for addressing infrastructure issues • Critical infrastructures historically regarded physically and logically interdependent systems … until 9/11. • Advances in IT systems and efforts to improve efficiencies of these systems, infrastructures have become increasingly automated and interlinked. • Improvements created new vulnerabilities(2) • Equipment failure • Human error • Natural causes (weather, drought, corrosion, locusts…) • Physical and computer-related attacks 2. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 3
  • 4. Issues with our critical infrastructures today • Each infrastructure entity is responsible for protecting its own infrastructure; little to no cross cooperation. • Each infrastructure entity needs to have measures that assure information is valid and accurate (apply A-I-C principle); most are currently lacking. • Work should take holistic approach as systems are interdependent. (the Domino Principle). 4
  • 5. Assure the systems that support the systems • The infrastructure assurance process should: – Provide a consistent testing and evaluation framework of each infrastructure sector. – Perform vulnerability assessments regularly against physical and computer systems to deter, prevent, detect, and protect. – Expedite process to validate holistic systems. • Assurance processing applies to both public and private sectors. 5
  • 6. Introducing SCADA and control systems … • Most control systems are computer based. • Used by several infrastructure sectors (and their industries) to monitor and control sensitive processes and physical functions. • Functions to provide safety controls and security. • Primary role to ensure operations continuity within a plant. • Control system abilities vary from simple to complex. 6
  • 7. Introducing SCADA and control systems … • Two kinds of industrial control systems (ICS): – Distributed Control Systems (DCS) are typically used within a single process or plant, or used over a smaller geographic area, possibly even a single site location. – SCADA systems are typically used for larger-scale environments that may be geographically dispersed in an enterprise-wide distribution operation.(3) 3. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006. 7
  • 8. What makes a control system different? • Conventional data systems (IT) are human oriented. • Control systems are machine / process oriented: – Cannot be easily stopped - once stopped, takes a very long time to re-start; stopping an ICS means loss of revenue. – However … there is more at stake than financial considerations; stopping ICS can introduce safety issues. – Availability and reliability are paramount. 8
  • 9. Practical and legal considerations 1. Safety ALWAYS 2. Availability of the service 3. Security and access control 4. Regulation and compliance 9
  • 10. Admiralty Law similarity: ICS practical concerns • You CANNOT stop operation of an infrastructure. • You CAN refer to federal investigation reports from NTSB, NRC, or CSB. • You CAN depose engineers, operators, and technicians once the emergency is no longer a threat. • You CANNOT confiscate original data without scheduled outage and/or without having a duplicate, backup system. • Prosecution of any offense should occur AFTER the event has been rendered safe, investigations conducted, and results reported by recognized experts. 10
  • 11. Provenance of data is extremely important • Accurate timestamps and source matter are crucial. • Logs from ICS must be validated. • Instrumentation needs to be validated AFTER an incident, but before … – An expert is involved with a control systems background; and, – Has knowledge in information security w/certification and registration. • Control systems are NOT at all similar to “personal computers”: – Real Time Systems (RTS) are operated very differently (see orientation). – Process controllers are fundamentally similar to embedded systems. 11
  • 12. Provenance of data is extremely important • Cryptographic signatures (if applicable, if possible). • Management methods must be documented. – Explaining ‘what’ and ‘how’. • Access to each system must be documented: – Answers ‘who’, ‘when’ and ‘where. • Protocols and code must be validated and documented. – Validates ‘why’. 12
  • 13. Factors to consider with ICS • Latency of data events. – Timing delay between events. • Sequence of events. – Order of events. • Timing of events. – Duration and speed of events. • Time of when alarms were reported to plant operators. – When alarm is reported, that the event took place at its stated time. 13
  • 14. Public standards for control system security • NERC CIP (not considered a complete specification by many). • NIST SP800-53: “Recommended Security Controls for Federal Information Systems“.(4) • NIST SP800-82: “Guide to Industrial Control Systems (ICS) Security”.(5) 4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2, “Recommended Security Control for Federal Information Systems”, December 2007; URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf. 5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft, “Guide to Industrial Control Systems (ICS) Security”, September 2008; URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf. 14
  • 15. Public standards for control system security • ISA-99 – Currently under complex development. – Coordinated with ISA-84 safety specifications. – Considered the most complete and extensive contributed input from the industry. • Beware of the compliance approach: being compliant is NOT the same as being secure.(6) • DHS’s CS2SAT tool is simply just that - only a tool; CS2SAT is NOT a prosecutable document.(7) 6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine, April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html. 7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT), DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html. 15
  • 16. CS2SAT NOTE: This particular version is distributed from Lofty Perch, Inc. 16
  • 17. Public regulations for control systems security • Chemical Facility Anti-Terrorism Standards (CFATS).(8) • FISMA recommends NIST SP800-53.(9) • NERC CIP requires additional work before FERC utilizes it. 8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections; URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm. 9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html. 17
  • 18. A copy of this presentation may be found at our web site: http://www.infracritical.com/papers/aba-isc-2009.zip Bob Radvanovsky, (630) 673-7740 rsradvan@infracritical.com Jacob Brodsky, (443) 285-3514 jbrodsky@infracritical.com Creative Commons License v3.0. 18