American Bar Assoc. ISC 2009
1. American Bar Association
Section of Science and Technology Law Information Security Committee
2009 Annual Meeting – Lunch Presentation
Wednesday, July 29, 2009
Bob Radvanovsky, CIFI, CISM, CIPS
Jacob Brodsky, PE
Legal and IT Aspects of Securing
Our Critical Infrastructures
Creative Commons License v3.0.
1
2. What is a “critical infrastructure”?
• Represents “…assets of physical and computer-based
systems that are essential to the minimum operations
of the economy and government.”(1)
• These assets include (but are not limited to):
– Telecommunication systems
– Energy distribution
– Banking & financial systems
– Transportation
– Water treatment facilities
– etc … there are a total of 14 infrastructure sectors.
1. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
2
3. Reasons for addressing infrastructure issues
• Critical infrastructures were historically regarded as physically and logically
interdependent systems … until 9/11.
• With advances in IT systems and efforts to improve the efficiency of these
systems, infrastructures have become increasingly automated and
interlinked.
• These improvements created new vulnerabilities:(2)
– Equipment failure
– Human error
– Natural causes (weather, drought, corrosion, locusts…)
– Physical and computer-related attacks
2. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
3
4. Issues with our critical infrastructures today
• Each infrastructure entity is responsible for protecting its
own infrastructure; there is little to no cross cooperation.
• Each infrastructure entity needs to have measures that
assure information is valid and accurate
(apply the A-I-C principle: availability, integrity, confidentiality); most are currently lacking.
• Work should take a holistic approach, as systems are
interdependent (the Domino Principle).
4
5. Assure the systems that support the systems
• The infrastructure assurance process should:
– Provide a consistent testing and evaluation framework of each
infrastructure sector.
– Perform vulnerability assessments regularly against physical
and computer systems to deter, prevent, detect, and protect.
– Expedite the process of validating systems holistically.
• Assurance processing applies to both public and private sectors.
5
6. Introducing SCADA and control systems …
• Most control systems are computer based.
• Used by several infrastructure sectors (and their industries) to
monitor and control sensitive processes and physical functions.
• Provide safety controls and security functions.
• Primary role is to ensure continuity of operations within a plant.
• Control system abilities vary from simple to complex.
6
7. Introducing SCADA and control systems …
• Two kinds of industrial control systems (ICS):
– Distributed Control Systems (DCS) are typically used
within a single process or plant, or used over a
smaller geographic area, possibly even a single site
location.
– SCADA systems are typically used for larger-scale
environments that may be geographically dispersed
in an enterprise-wide distribution operation.(3)
3. ”Critical Infrastructure: Homeland Security and Emergency Preparedness”, 1st Edition, Radvanovsky, 2006.
7
8. What makes a control system different?
• Conventional data systems (IT) are human oriented.
• Control systems are machine / process oriented:
– Cannot be easily stopped; once stopped, it takes a very long
time to restart, and stopping an ICS means loss of revenue.
– However … there is more at stake than financial
considerations; stopping ICS can introduce safety issues.
– Availability and reliability are paramount.
8
9. Practical and legal considerations
1. Safety ALWAYS
2. Availability of the service
3. Security and access control
4. Regulation and compliance
9
10. Admiralty Law similarity: ICS practical concerns
• You CANNOT stop operation of an infrastructure.
• You CAN refer to federal investigation reports from NTSB, NRC, or CSB.
• You CAN depose engineers, operators, and technicians once the emergency is no
longer a threat.
• You CANNOT confiscate original data without scheduled outage and/or without
having a duplicate, backup system.
• Prosecution of any offense should occur AFTER the event has been rendered safe,
investigations conducted, and results reported by recognized experts.
10
11. Provenance of data is extremely important
• Accurate timestamps and data sources are crucial.
• Logs from ICS must be validated.
• Instrumentation needs to be validated AFTER an incident, but before …
– an expert with a control systems background is involved; and
– who has knowledge of information security, with certification and registration.
• Control systems are NOT at all similar to “personal computers”:
– Real Time Systems (RTS) are operated very differently (see orientation).
– Process controllers are fundamentally similar to embedded systems.
11
12. Provenance of data is extremely important
• Cryptographic signatures (if applicable, if possible).
• Management methods must be documented.
– Explaining ‘what’ and ‘how’.
• Access to each system must be documented:
– Answers ‘who’, ‘when’ and ‘where’.
• Protocols and code must be validated and documented.
– Validates ‘why’.
12
13. Factors to consider with ICS
• Latency of data events.
– Timing delay between events.
• Sequence of events.
– Order of events.
• Timing of events.
– Duration and speed of events.
• Time of when alarms were reported to plant operators.
– When an alarm is reported, confirm that the event took place at its stated time.
13
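The provenance checks listed on slides 11 through 13 (cryptographic signatures on log records, sequence of events, monotonic timestamps, and the latency between a process event and its alarm reaching the operator) can be scripted. The following is an added example, not part of the presentation: it uses an HMAC-SHA256 tag as the record signature and a constructed record format `timestamp|seq|source|event|hmac` with a constructed key; the TRIP/ALARM event tags and the sample records are assumptions.

```python
"""Added example: provenance checks over constructed ICS event-log records."""
import hmac
import hashlib
from datetime import datetime

# Constructed demo key; a real deployment would keep it in a key store or HSM.
KEY = b"constructed-demo-key"

def sign(body: str) -> str:
    """HMAC-SHA256 over the record body: the per-record signature slide 12 asks for."""
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def make_record(ts: str, seq: int, source: str, event: str) -> str:
    body = f"{ts}|{seq}|{source}|{event}"
    return f"{body}|{sign(body)}"

def parse(record: str) -> dict:
    body, sig = record.rsplit("|", 1)
    ts, seq, source, event = body.split("|")
    return {"ts": datetime.fromisoformat(ts), "seq": int(seq), "source": source,
            "event": event, "valid": hmac.compare_digest(sign(body), sig)}

def check_log(records: list, max_alarm_latency_s: float) -> list:
    """Findings for integrity, sequence gaps, time going backwards, and alarm latency."""
    findings, prev, pending = [], None, {}
    for e in (parse(r) for r in records):
        if not e["valid"]:
            findings.append(f"seq {e['seq']}: signature mismatch (possible tampering)")
        if prev is not None and e["seq"] != prev["seq"] + 1:
            findings.append(f"seq {e['seq']}: gap after seq {prev['seq']}")
        if prev is not None and e["ts"] < prev["ts"]:
            findings.append(f"seq {e['seq']}: timestamp earlier than seq {prev['seq']}")
        kind, _, tag = e["event"].partition(":")   # constructed tags: TRIP:<point>, ALARM:<point>
        if kind == "TRIP":
            pending[tag] = e["ts"]
        elif kind == "ALARM":
            if tag not in pending:
                findings.append(f"seq {e['seq']}: alarm {tag} with no recorded trip")
            else:
                lat = (e["ts"] - pending.pop(tag)).total_seconds()
                if lat > max_alarm_latency_s:
                    findings.append(f"seq {e['seq']}: alarm {tag} reported {lat:.0f}s after trip")
        prev = e
    return findings

# Constructed sample: a slow alarm, a sequence gap, and a record whose source was altered.
SAMPLE = [
    make_record("2009-07-29T10:00:00", 1, "PLC-7", "TRIP:PT101"),
    make_record("2009-07-29T10:00:12", 2, "HMI-1", "ALARM:PT101"),
    make_record("2009-07-29T10:05:00", 4, "PLC-7", "TRIP:FT202"),
    make_record("2009-07-29T10:04:30", 5, "PLC-7", "ALARM:FT202").replace("PLC-7", "PLC-9"),
]
```

Running `check_log(SAMPLE, 5)` reports the 12-second alarm delay, the missing sequence number 3, the altered record's signature mismatch, and its timestamp running backwards; each finding maps to one of the factors on slide 13.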
14. Public standards for control system security
• NERC CIP (not considered a complete specification by many).
• NIST SP800-53:
“Recommended Security Controls for Federal Information Systems”.(4)
• NIST SP800-82:
“Guide to Industrial Control Systems (ICS) Security”.(5)
4. National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 2,
“Recommended Security Control for Federal Information Systems”, December 2007;
URL: http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf.
5. National Institute of Standards and Technology (NIST) Special Publication 800-82, Final Draft,
“Guide to Industrial Control Systems (ICS) Security”, September 2008;
URL: http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf.
14
15. Public standards for control system security
• ISA-99
– Currently under complex development.
– Coordinated with ISA-84 safety specifications.
– Considered the most complete and extensive contributed input from the industry.
• Beware of the compliance approach: being compliant is NOT the same as
being secure.(6)
• DHS’s CS2SAT tool is just that: only a tool; CS2SAT is NOT a
prosecutable document.(7)
6. “What’s the Difference Between Security and Compliance? - The Long Answers”, Control Global Magazine,
April 2009; URL: http://www.controlglobal.com/articles/2009/SCADAmoreAnswers0904.html.
7. U.S. Department of Homeland Security’s Control System Cyber Security Self-Assessment Tool (CS2SAT),
DHS Control Systems Security Program (CSSP); URL: http://csrp.inl.gov/Self-Assessment_Tool.html.
15
16. CS2SAT
NOTE: This particular version is distributed by Lofty Perch, Inc.
16
17. Public regulations for control systems security
• Chemical Facility Anti-Terrorism Standards (CFATS).(8)
• FISMA recommends NIST SP800-53.(9)
• NERC CIP requires additional work before FERC utilizes it.
8. U.S. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards: Facility Inspections;
URL: http://www.dhs.gov/files/programs/gc_1177001576714.shtm.
9. National Institute of Standards and Technology, Computer Security Division, Computer Security Resource
Center; URL: http://csrc.nist.gov/groups/SMA/fisma/index.html.
17
18. A copy of this presentation may be found at our web site:
http://www.infracritical.com/papers/aba-isc-2009.zip
Bob Radvanovsky, (630) 673-7740
rsradvan@infracritical.com
Jacob Brodsky, (443) 285-3514
jbrodsky@infracritical.com
Creative Commons License v3.0.
18