industrial control system ics security an overview of
play

Industrial Control System (ICS) Security: An Overview of Emerging - PowerPoint PPT Presentation

Nov 01, 2022 •439 likes •947 views

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities . Joe Weiss, PE, CISM Executive Consultant Applied Control Solutions, LLC (408) 253-7934 joe.weiss@realtimeacs.com Stuart

  1. Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities . Joe Weiss, PE, CISM Executive Consultant Applied Control Solutions, LLC (408) 253-7934 joe.weiss@realtimeacs.com Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards and Technology (301) 975-4768 skatzke@nist.gov National Institute of Standards and Technology 1

  2. What Makes ICS Different than IT • Deterministic systems with VERY high reliability constraints – Priority is availability, integrity, then confidentiality (AIC) rather than CIA • Generally utilize a combination of COTS (Windows, etc) and proprietary RTOS • Often are resource and bandwidth constrained – Block encryption generally does not work National Institute of Standards and Technology 2

  3. Need for Private Sector ICS Standards • IT security standards are not fully adequate – Need unique standards for field devices with proprietary RTOS – Need to be coordinated with IT • Private industry ICS security requirements are different than for general IT – Performance more important than security • Lack of metrics and design requirements for industrial ICS National Institute of Standards and Technology 3

  4. Example Differences Between IT and ICS • Passwords • Passwords – Unique, complex, – Role-based, defaults changed frequently often unchanged • Patching • Patching – Timely with automated – May not be timely, no tools automation • Administrator • Administrator – Central administrator – Control system engineer National Institute of Standards and Technology 4

  5. Why the Need to Extend NIST SP 800-53 • NIST SP 800-53 was developed for the traditional IT environment • It assumes ICSs are information systems • When organizations attempted to utilize SP 800-53 to protect ICSs, it led to difficulties in implementing SP 800-53 counter- measures because of ICS-unique needs National Institute of Standards and Technology 5

  6. FISMA Legislation Overview “Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source…” -- Federal Information Security Management Act of 2002 National Institute of Standards and Technology 6

  7. Current State of Affairs � Continuing serious attacks on federal information systems, large and small; targeting key federal operations and assets. � Significant exfiltration of critical and sensitive information and implantation of malicious software. � Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated. � Adversaries: nation states, terrorist groups, hackers, criminals, and any individuals or groups with intentions of compromising a federal information system. � Increasing number of trusted employees taking dangerous and imprudent actions with respect to organizational information systems . National Institute of Standards and Technology 7

  8. FISMA Project Strategic Vision � We are building a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and technical guidance. � We are institutionalizing a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies. � We are establishing a fundamental level of “security due diligence” for federal agencies and their contractors based on minimum security requirements and security controls. National Institute of Standards and Technology 8

  9. FISMA Project Characteristics � The NIST Risk Management Framework and the associated security standards and guidance documents provide a process that is: � Disciplined � Flexible “Building information security into the infrastructure of the organization… � Extensible so that critical enterprise missions and � Repeatable business cases will be protected.” � Organized � Structured National Institute of Standards and Technology 9

  10. Key Standards and Guidelines � FIPS Publication 199 (Security Categorization) � FIPS Publication 200 (Minimum Security Requirements) � NIST Special Publication 800-18 (Security Planning) � NIST Special Publication 800-30 (Risk Management) � NIST Special Publication 800-37 (Certification & Accreditation) � NIST Special Publication 800-53 (Recommended Security Controls) � NIST Special Publication 800-53A (Security Control Assessment) � NIST Special Publication 800-59 (National Security Systems) � NIST Special Publication 800-60 (Security Category Mapping) Many other FIPS and NIST Special Publications provide security standards and guidance supporting the FISMA legislation… National Institute of Standards and Technology 10

  11. Risk Management Framework Starting Point FIPS 199 / SP 800-60 SP 800-37 / SP 800-53A FIPS 200 / SP 800-53 CATEGORIZE MONITOR SELECT Information System Security Controls Security Controls Define criticality /sensitivity of information system according to Continuously track changes to the information Select baseline (minimum) security controls to potential impact of loss system that may affect security controls and protect the information system; apply tailoring reassess control effectiveness guidance as appropriate SP 800-37 SP 800-53 / SP 800-30 AUTHORIZE SUPPLEMENT Information System Security Controls Use risk assessment results to supplement the Determine risk to agency operations, agency tailored security control baseline as needed to assets, or individuals and, if acceptable, authorize information system operation ensure adequate security and due diligence SP 800-53A SP 800-18 SP 800-70 ASSESS DOCUMENT IMPLEMENT Security Controls Security Controls Security Controls Determine security control effectiveness (i.e., Document in the security plan, the security Implement security controls; apply controls implemented correctly, operating as requirements for the information system and security configuration settings intended, meeting security requirements) the security controls planned or in place National Institute of Standards and Technology 11

  12. Six Essential Activities � FIPS 199 security categorizations � Identification of common controls � Application of tailoring guidance for FIPS 200 and SP 800-53 security controls � Effective strategies for continuous monitoring of security controls (assessments) � Security controls in external environments � Use restrictions National Institute of Standards and Technology 12

  13. Security Categorization � The most important step in the Risk Management Framework. � Affects all other steps in the framework from selection of security controls to level of effort in assessing control effectiveness. � Expect the distribution of categorized federal information systems to look like a normal or Bell- curve centered on moderate-impact. National Institute of Standards and Technology 13

  14. Security Categorization � Important change in SP 800-53, Revision 1, security control RA-2. � FIPS 199 security categorizations consider both agency, other organizations, and national impacts. � New language: “The organization also considers potential impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level impacts in categorizing the information system.” National Institute of Standards and Technology 14

  15. Common Controls � Categorize all information systems first, enterprise- wide. � Select common controls for all similarly categorized information systems (low, moderate, high impact). � Be aggressive; when in doubt, assign a common control. � Assign responsibility for common control development, implementation, assessment, and tracking (or documentation of where employed). National Institute of Standards and Technology 15

  16. Common Controls � Ensure common control-related information (e.g., assessment results) is shared with all information system owners. � In a similar manner to information systems, common controls must be continuously monitored with results shared with all information system owners. � Information system owners must supplement the common portion of the security control with system specific controls as needed to complete security control coverage. National Institute of Standards and Technology 16

  17. Common Controls � The more common controls an organization identifies, the greater the cost savings and consistency of security capability during implementation. � Common controls can be assessed by organizational officials (other than the information system owner), thus taking responsibility for effective security control implementation. National Institute of Standards and Technology 17

  18. Tailoring Guidance � FIPS 200 and SP 800-53 provide significant flexibility in the security control selection and specification process—if organizations choose to use it. � Includes: � Scoping guidance; � Compensating security controls; and � Organization-defined security control parameters. National Institute of Standards and Technology 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What

Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What

Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What is ICS and SCADA Industrial Control Systems (ICS): Chemical, water, gas processing. Transportation, electricity, nuclear systems.

331 views • 7 slides
Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities . Joe Weiss, PE, CISM Executive Consultant KEMA, Inc. (408) 253-7934 joe.weiss@kema.com Stuart Katzke, Ph.D. Senior

764 views • 40 slides
NISTs Industrial Control System (ICS) Security Project Presented at the: Secure Manufacturing

NISTs Industrial Control System (ICS) Security Project Presented at the: Secure Manufacturing

NISTs Industrial Control System (ICS) Security Project Presented at the: Secure Manufacturing in the Age of Globalization Workshop November 28, 2007 Stuart Katzke and Keith Stouffer National Institute of Standards and Technology

767 views • 40 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control

Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control

A Resilient Algorithm for Power System Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control System Security (ICSS) Workshop, December 6 th 2016 Outline Introduction Background and Problem

425 views • 30 slides
Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor Manufacturing Sector Malek Ben Salem Accenture Technology Labs NIST Workshop on Cyber-Security for Cyber-physical Devices April 23 rd , 2012 Outline

837 views • 37 slides
Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2 Part 2 Introduction to centralized control Independent joint decentralized control may prove inadequate when the user requires high task

673 views • 36 slides
yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

7/11/2011 Why this presentation? This is an emerging and important area of information assurance that of cyber physical systems. CPS instantiated in the industrial world can be view as control system security or sometimes called

130 views • 10 slides
Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The University of Hong Kong Cyber-security for industry 4.0 conference 23 June, 2017 1 Will the followings only be seen in movies? Movies: Cyber

510 views • 28 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views • 13 slides
Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control Systems Research Philipp Mieden & Rutger Beltman, 2020 Supervisor: Bartosz Czaszynski, Deloitte Industrial Network VS Corporate Network 2

379 views • 35 slides
NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection Mike Powell, Project Cybersecurity Engineer, NIST /NCCoE Jim McCarthy, Energy Sector Federal Lead NIST / NCCoE

616 views • 15 slides
Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H

Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H

Programming and Automation Ltd. www.proconingenieros.com Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H Granada. info@proconingenieros.com Automation and control Industrial I.T. - Industrial

304 views • 19 slides
Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019

Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019

3/8/2019 Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019 Davenport GICSP 1848 What are ICS Networks? 1 3/8/2019 What are ICS Networks? ICS, or Industrial Controls Systems, is a generic

360 views • 20 slides
DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL

DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL

DEVELOPING INDUSTRIAL ROBOT USING POLYMERIC MATERIALS & ADAPTIVE SYSTEM CONTROL GENERAL INFORMATION: Studying and developing of an industrial robot-manipulator using polymeric materials and adaptive system control. Cybernation and

194 views • 15 slides
Towards a Secure and Resilient Industrial Control System Using Software-Defined Networking Dong

Towards a Secure and Resilient Industrial Control System Using Software-Defined Networking Dong

Towards a Secure and Resilient Industrial Control System Using Software-Defined Networking Dong (Kevin) Jin 1 Who am I? CS faculty, Ph.D., University of Illinois at Urbana- Champaign (UIUC), http://cs.iit.edu/~djin/ Research:

851 views • 52 slides
Workshop AA New & Emerging Water Management Issues Ohio Water Quality, Permitting,

Workshop AA New & Emerging Water Management Issues Ohio Water Quality, Permitting,

Workshop AA New & Emerging Water Management Issues Ohio Water Quality, Permitting, Regulatory Initiatives, Compliance & Enforcement Developments Wednesday, March 27, 2019 8:00 a.m. to 9:15 p.m. Biographical Information William H.

810 views • 46 slides
Recovery Support Function Working Groups Recovery Support Functions RSF 1: Community Planning

Recovery Support Function Working Groups Recovery Support Functions RSF 1: Community Planning

Recovery Support Function Working Groups Recovery Support Functions RSF 1: Community Planning & Capacity Building RSF 2: Economic RSF 3: Health & Social Services RSF 4: Housing RSF 5: Infrastructure RSF 6: Natural

421 views • 16 slides
H Canyon Facility Operations MTR, HFIR, and TRM Rick Burns Facility Manager Savannah River

H Canyon Facility Operations MTR, HFIR, and TRM Rick Burns Facility Manager Savannah River

H Canyon Facility Operations MTR, HFIR, and TRM Rick Burns Facility Manager Savannah River Nuclear Solutions, LLC March 2019 SRNS-STI-2019-00127 H Canyon Background Has operated since 1955 SRS has never had an uncontrolled criticality

412 views • 23 slides
REDS TONE GATE 9 PROJECT Joe Ritch Mike Ward Greg Hall Craig Northridge February 12,2019

REDS TONE GATE 9 PROJECT Joe Ritch Mike Ward Greg Hall Craig Northridge February 12,2019

REDS TONE GATE 9 PROJECT Joe Ritch Mike Ward Greg Hall Craig Northridge February 12,2019 About Redstone Arsenal Marion Giles Lincoln Franklin Diverse Federal campus focused primarily Lauderdale Madison Jackson research &

462 views • 14 slides
GASB 67 and 68 The New World of Public Pension Plan Accounting Presented by Mark Olleman, FSA,

GASB 67 and 68 The New World of Public Pension Plan Accounting Presented by Mark Olleman, FSA,

GASB 67 and 68 The New World of Public Pension Plan Accounting Presented by Mark Olleman, FSA, EA, MAAA Daniel Wade, FSA, EA, MAAA TERS Retirement Board Meeting October 10, 2013 Agenda Timing Notable Issues for TERS Overview

495 views • 37 slides
Marine Energy Conversion Technologies: Lowering the Levelized Cost of Energy through Control

Marine Energy Conversion Technologies: Lowering the Levelized Cost of Energy through Control

Marine Energy Conversion Technologies: Lowering the Levelized Cost of Energy through Control Systems, Materials Research and Systems Engineering Peter H. Kobos, Vincent S. Neary, Ryan G. Coe, Bernadette A. Hernandez-Sanchez Sandia National

329 views • 31 slides
Tying Retention to Initial Aid Offers Jason Black Emily Coleman Dean of Admission Senior Vice

Tying Retention to Initial Aid Offers Jason Black Emily Coleman Dean of Admission Senior Vice

Retaining Students Before They Enroll: Tying Retention to Initial Aid Offers Jason Black Emily Coleman Dean of Admission Senior Vice President for Enrollment Management Services Samford University Maguire Associates Michael Keane Jennifer

788 views • 23 slides
generation workforce Alex Holly, Head of HR, WECA What is WECA and what do we do? The West of

generation workforce Alex Holly, Head of HR, WECA What is WECA and what do we do? The West of

Recruiting and retaining a mixed- generation workforce Alex Holly, Head of HR, WECA What is WECA and what do we do? The West of England Combined Authority was formed in 2017 and a new Regional Mayor was elected We cover Bristol, Bath

473 views • 18 slides

More recommend