Activity Report for DHS Industrial Control Systems Joint Working Group (ICSJWG)
For OSGug Meeting – SG Security Knoxville, TN – 28 February 2012
Ralph Mackiewicz, SISCO, Inc.
What is ICSJWG?
• A collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council (CIPAC): http://www.dhs.gov/files/committees/editorial_0843.shtm
• www.us-cert.gov/control_systems/icsjwg/index.html
• Primary means for private USA entities to interact with DHS on cyber security issues related to “industrial control systems”, which is how energy control systems are classified.
• Meets twice a year face to face
• Working groups meet via telcon regularly
• Quarterly newsletter
Spring Meeting 2012
Spring 2012 Meeting Highlights
• Savannah, GA:
– May 7: working group meetings
– May 8-9: ICSJWG meeting (see site for agenda)
– May 10: International Partners Day – information sharing with invited international partners.
• Idaho Falls, ID:
– May 14-18: INL Advanced Cybersecurity Training (Red/Blue Team)
ICSJWG Subgroups
• Sector coordinating council and government coordinating council (GCC/SCC) *
• R&D
• International
• Workforce development *
• Information Sharing
• Roadmap **
• Vendor **
ICS Roadmap Subgroup
• Develop the Cross-Sector Roadmap as a resource for all sectors, providing a common lexicon and a set of ready-to-tailor models for developing sector-specific roadmaps that incorporate cybersecurity and the maturity of ICS as a supporting business model.
• Provide an ongoing review of the state of ICS across all sectors.
Cross-Sector Roadmap
• Cross-Sector Roadmap: https://cs.hsin.gov/C14/C1/RoadmapToSecureICS/Document%20Library/Cross%20Sector%20Roadmap/Final%20Roadmap%20-%20Post%202011%20Fall%20Conference/Cross-Sector%20Roadmap%20Sep%2030%202011-Final.pdf
• Goals and Gap Analysis
Goals and Gap Analysis table. Columns: GOAL TITLE | SECTOR | SHORT/NEAR-TERM MILESTONES (avg. 0-3 yrs) | MID-TERM MILESTONES (avg. 4-7 yrs) | LONG-TERM MILESTONES (avg. 7-10 yrs) | OBJECTIVE. Milestones are listed per goal and sector in the order the roadmap gives them.

Goal 1 – Measure and Assess Security Posture

Chemical
– Establish an industry-driven awareness effort to communicate information relating to the cybersecurity threats, vulnerabilities, and risks and the availability of recommended practices, tools, and training materials to the Chemical Sector
– Metrics for benchmarking security posture are available and agreed upon
– Asset owners and operators are performing self-assessments of their ICSs using consistent criteria
– Real-time security state monitors for new and legacy systems are in use
– Fully automated security state methodologies are in use
– Create a risk matrix that balances threat, vulnerability, and consequence

Dams
– Integration of security into all operational plans
– Development of control system security recommended guidelines for use by the Dams Sector
– Development of common risk assessment metrics and standards
– Development of tools to assess security posture and compliance with pertinent regulations
– Implementation of training programs throughout the Dams Sector on the control system security recommended guidelines
– Integration of control system security education, awareness, and outreach programs into Dams Sector operations
– Implementation of risk assessment tools throughout the Dams Sector – asset owners and operators begin performing self-assessments of their security postures
– Update Dams SSP as appropriate
– Development of fully automated security state monitors in most dam control systems networks
– Industry-wide active assessment of ICS security profiles, including benchmarks against other sectors

Energy (2006)
– Baseline security methodologies available, self-assessments published, and training provided
– 50% of asset owners and operators performing self-assessments of their control systems using consistent criteria
– Common metrics available for benchmarking security posture (relative to peers)
– 90% of energy sector asset owners conducting internal compliance audits
– A real-time security state monitor for new and legacy systems commercially available
– Fully automated security state monitor and response systems are common in control system networks
– Create an environment for securely sharing collected US Government information on threats and real-world attacks with utilities and vendors

Water – Assess Risk
– Develop ICS risk assessment and reporting guidelines, published and available throughout the water sector
– Identify common metrics for benchmarking ICS risk (threat-vulnerabilities-consequence) in the water sector
– Develop ICS risk assessment tools, such as an end-to-end threat-vulnerabilities-consequence analysis capability for the water sector
– Conduct sector-wide training on risk assessment tools
– The water sector actively measures ICS security performance and benchmarks with other sectors
– Create an ICS risk matrix that balances threat, vulnerability, and consequence

Goal 2 – Develop and Integrate Protective Measures

Chemical
– Sector is participating in security training to available, qualified, and consistent control system security training materials
– Secure connectivity between business systems and ICSs within corporate networks
– Widespread implementation of methods for secure communication between remote access devices and control centers that are scalable and cost-effective to deploy
– Perform nondisruptive intrusion tests on ICSs to demonstrate the effectiveness of automated isolation and response
– Secure ICS architectures with built-in, end-to-end security are in all critical operating systems
– Identify accepted practices for physical and cyber security control centers

Dams
– Development of control system protection guidelines for existing ICS
– Enablement of existing ICS access controls throughout the Dams Sector
– Development and implementation of security patches for legacy systems
– Establishment of mechanisms to enhance information sharing between asset owners and operators and vendors
– Identification and dissemination of best ICS security practices among Dams Sector stakeholders
– Development of guidance and education material associated with applicable project regulations
– Development of guidelines to secure or isolate ICS communications from public networks and communication infrastructures
– Implementation of new protective tools and appropriate training
– Implementation of secure interfaces between ICS and business systems
– Identification, publication, and dissemination of best practices, including ones for securing connectivity with business networks and for providing physical and cybersecurity for remote facilities
– Development of high-performance, secure communications for legacy systems
– Secure integration of ICS and business systems
Vendor Subgroup
• Regular Telcons
• Main Activities
– Vulnerability Disclosure Guidelines Whitepaper
– Improve Communications Subcommittee
Vulnerability Disclosure Whitepaper v3
• 2. Executive Summary
• 3. Document Purpose
• 4. Document Expectations
• 5. Software Vulnerabilities
– 5.1 Types of Vulnerabilities
– 5.2 Mechanisms for Identifying Vulnerabilities
• 6. Types of Disclosure
– 6.1 Private Customer Disclosure
– 6.2 Public Disclosure
– 6.3 Third-Party Disclosure
• 7. Vulnerability Disclosure Policy Components
– 7.1 Foundation Elements
– 7.2 Policy Commitments
– 7.2.1 Distribution
– 7.2.2 Deliverables
– 7.2.3 Timelines
– 7.2.4 Mitigations
– 7.2.5 Resolution
– 7.3 Customer Deliverables
– 7.3.1 Summary of Disclosure Policy
– 7.3.2 Vulnerability Disclosure Policy Statement
– 7.4 External Publications
– 7.4.1 Vulnerability Disclosure Policy Statement
– 7.5 Contact Mechanisms
– 7.5.1 Security Webpage
– 7.5.2 Security Email Address
– 7.5.3 Anonymous Submission Form
– 7.6 Classification of Vulnerabilities
• 8. Appendix A – Terminology
• 9. Appendix B – Sample Disclosure Policy
• 10. Appendix C – References
Improve Communications Subcommittee
• Formed in response to persistent comments about gaps in information sharing
• 2 areas of focus
– Internal: communications among ICSJWG groups and activities
– External: communications outside of ICSJWG
• Done by May 2012
Internal Communications
• Require status reports by groups
• Developing org chart and information flow diagrams
• Review and address prioritized improvements
– Tier 1 – Biggest impact. Completed by May
– Tier 2 – Additional improvements.
External ICSJWG Improvement Suggestions
Priority rating scale: Low = 1, Med = 3, High = 9
• Identify the types of communications that need to take place between stakeholders, developers, manufacturers, vendors, and users.
• Identify a way to inform vendors about issues they may not be aware of.
• Identify current communication types and paths being used and assess how well or poorly they currently work.
• Identify incident handling communication strategies for vendor-specific topics.
• DHS to describe who, what and how information is shared with different stakeholders (e.g., vendors, asset owners, consultants) so everyone understands current policies and guidelines.
• Provide useful information to vendors who want to improve their product’s security posture.
• Share information with vendors whose products and solutions are used in critical infrastructure.
• Develop a way to share sensitive information with the vendor community.
• Identify different types or scenarios of communication; examples were: protocol, device, software, and situational awareness.
• Identify knowledge flows within the ICSJWG community.
External Communications Challenges
• Terminology is a problem
– “Sensitive” has an official meaning.
• There already is a well established process for information sharing of Protected Critical Infrastructure Information (PCII).
– The PCII Program enhances information sharing between the private sector and the government.
PCII Information Flow
ICS-CERT and other alerts
Legitimate Concerns
• PCII is shared with an understanding of confidentiality by those disclosing to DHS.
• Some PCII is pretty darn “sensitive”.
• Initial reaction to sharing PCII: “No #%$&#@! Way”
Need a Solution
• This information can only benefit industry if those in industry are given access and allowed to use it to improve security.
• There must be a way to qualify/accredit firms and people to receive more detailed information than that which is currently shared.
• Need to get government lawyers to understand the benefit.
Realistic?
Thank You
Ralph Mackiewicz, SISCO, Inc.
6605 19 1/2 Mile Road, Sterling Heights, MI 48314 USA
Tel: +1-586-254-0020 ext. 103
Fax: +1-586-254-0053
Mobile: +1-586-260-2571