SLIDE 1

National Institute of Standards and Technology

NIST’s Industrial Control System (ICS) Security Project

Presented at the: Secure Manufacturing in the Age of Globalization Workshop

November 28, 2007

Stuart Katzke and Keith Stouffer
National Institute of Standards and Technology
skatzke@nist.gov
Keith.stouffer@nist.gov

SLIDE 2

Presentation Contents

  • NIST’s FISMA Implementation Project
    – NIST Risk Management Framework
    – Draft Special Publication 800-39
    – Special Publication 800-53, Revision 1
  • NIST Industrial Control System Project
    – NIST Draft SP 800-53, Revision 2 for industrial control systems
    – NIST SP 800-82: Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security (2nd Draft)

SLIDE 3

NIST’s FISMA Implementation Project: Phase I (2003 – 2008) Phase II (2007 – 2010)

SLIDE 4

Phase I

§ Mission: Develop and propagate core set of security standards and guidelines for federal agencies and support contractors.
§ Timeline: 2003-2008
§ Status: On track to complete final publications in FY08.

SLIDE 5

Phase II

§ Mission: Develop and implement a standards-based organizational credentialing program for public and private sector entities to demonstrate core competencies for offering security services to federal agencies.
§ Timeline: 2007-2010
§ Status: Project initiated; Draft NISTIR 7328.

SLIDE 6

Phase I Publications

§ FIPS Publication 199 (Security Categorization)
§ FIPS Publication 200 (Minimum Security Requirements)
§ NIST Special Publication 800-18 (Security Planning)
§ NIST Special Publication 800-30 (Risk Assessment) *
§ NIST Special Publication 800-39 (Risk Management) **
§ NIST Special Publication 800-37 (Certification & Accreditation) *
§ NIST Special Publication 800-53 (Recommended Security Controls)
§ NIST Special Publication 800-53A (Security Control Assessment) **
§ NIST Special Publication 800-59 (National Security Systems)
§ NIST Special Publication 800-60 (Security Category Mapping) *

* Publications currently under revision.

** Publications currently under development.

SLIDE 7

Risk Management Framework

Security Life Cycle (SP 800-39)

Starting Point:

CATEGORIZE Information System (FIPS 199 / SP 800-60): Define criticality/sensitivity of information system according to potential impact of loss

SELECT Security Controls (FIPS 200 / SP 800-53): Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate

SUPPLEMENT Security Controls (SP 800-53 / SP 800-30): Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence

DOCUMENT Security Controls (SP 800-18): Document in the security plan the security requirements for the information system and the security controls planned or in place

IMPLEMENT Security Controls (SP 800-70): Implement security controls; apply security configuration settings

ASSESS Security Controls (SP 800-53A): Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)

AUTHORIZE Information System (SP 800-37): Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation

MONITOR Security Controls (SP 800-37 / SP 800-53A): Continuously track changes to the information system that may affect security controls and reassess control effectiveness

SLIDE 8

A Unified Framework

Civil, Defense, Intelligence Community Collaboration

The Generalized Model

Foundational Set of Information Security Standards and Guidance: Common Information Security Requirements, plus Unique Information Security Requirements (the “Delta”)

  • Standardized security categorization (criticality/sensitivity)
  • Standardized security controls and control enhancements
  • Standardized security control assessment procedures
  • Standardized security certification and accreditation process

Intelligence Community, Department of Defense, Federal Civil Agencies

National security and non-national security information systems

SLIDE 9

Special Publication 800-39

Managing Risk from Information Systems

An Enterprise Perspective

§ Extending the Risk Management Framework to enterprises.
§ Risk-based mission protection.
§ Common controls.
§ Trustworthiness of information systems.
§ Establishing trust relationships among enterprises.
§ Risk executive function.
§ Strategic planning considerations (defense-in-breadth).

SLIDE 10

Risk-based Mission Protection (1)

§ A Risk-based protection strategy requires the information system owner to:
  § Determine the appropriate balance between the risks from and the benefits of using information systems in carrying out their organizational missions and business functions
  § Carefully select, tailor, and supplement the safeguards and countermeasures (i.e., security controls) for information systems necessary to achieve this balance

SLIDE 11

Risk-based Mission Protection (2)

§ A Risk-based protection strategy requires the authorization official to:
  § Take responsibility for the information security solutions agreed upon and implemented within the information systems supporting the organization
  § Fully acknowledge and explicitly accept the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation that result from the operation and use of information systems to support the organization’s missions and business functions
  § Be accountable for the results of their information security-related decisions.

SLIDE 12

Common Controls

§ Categorize all information systems first, enterprise-wide.
§ Select common controls for all similarly categorized information systems (low, moderate, high impact).
§ Be aggressive; when in doubt, assign a common control.
§ Assign responsibility for common control development, implementation, assessment, and tracking (including documentation of where employed).

SLIDE 13

Common Controls

§ Ensure common control-related information (e.g., assessment results) is shared with all information system owners.
§ In a similar manner to information systems, common controls must be continuously monitored with results shared with all information system owners.
§ The more common controls an enterprise identifies, the greater the cost savings and consistency of security capability during implementation.

SLIDE 14

Business Relationships

Supply Chain Risks

§ Enterprises are becoming increasingly reliant on information system services and information provided by external providers to carry out important missions and business functions.
§ External service provider relationships are established in a variety of ways—joint ventures, business partnerships, outsourcing arrangements, licensing agreements, supply chain exchanges.
§ The growing dependence on external service providers and the relationships being forged with those providers present new challenges for enterprises, especially in the area of information security.

SLIDE 15

Supply Chain Uncertainty

Challenges with using external providers include:

§ Defining the types of services and information provided to the enterprise.
§ Describing how the services and information are protected in accordance with the security requirements of the enterprise.
§ Obtaining the necessary assurances that the risk to the enterprise resulting from the use of the services or information is at an acceptable level.

SLIDE 16

Information System Trustworthiness

§ Trustworthiness is a characteristic or property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality, integrity, and availability of the information being processed, stored, or transmitted by the system.
§ Trustworthiness defines the security state of the information system at a particular point in time and is measurable.

SLIDE 17

Information System Trustworthiness

§ Security functionality
  § Security-related functions or features of the system, for example, identification and authentication mechanisms, access control mechanisms, auditing mechanisms, and encryption mechanisms.

§ Quality of development and implementation
  § Degree to which the functionality is correct, always invoked, non-bypassable, and resistant to tampering.
  § Well-defined security policy models, structured, disciplined, and rigorous hardware and software development techniques, and good system/security engineering principles and concepts.

§ Security assurance
  § Grounds for confidence that the claims made about the functionality and quality of the system are being met.
  § Evidence brought forward regarding the design and implementation of the system and the results of independent assessments.

SLIDE 18

Elements of Trust

§ Trust is earned by prospective service providers/partners:
  § Identifying the common goals and objectives for the provision of services or information sharing;
  § Agreeing upon the risk associated with the provision of such services or information sharing;
  § Agreeing upon the degree of trustworthiness needed to adequately mitigate the risk;
  § Determining if the information systems are worthy of being trusted to operate within the agreed-upon levels of risk; and
  § Providing ongoing monitoring and oversight to ensure that the trust relationship is being maintained.

SLIDE 19

Trust Relationships

Security Visibility Among Business/Mission Partners

The objective is to achieve visibility into prospective business/mission partners’ information security programs…establishing a trust relationship based on the trustworthiness of information systems.

Enterprise One INFORMATION SYSTEM: Determining risk to the enterprise’s operations and assets, individuals, other organizations, and the nation; and the acceptability of such risk.

Business / Mission Information Flow between the two enterprises; Security Information exchanged by each: Plan of Action and Milestones, Security Assessment Report, System Security Plan.

Enterprise Two INFORMATION SYSTEM: Determining risk to the enterprise’s operations and assets, individuals, other organizations, and the nation; and the acceptability of such risk.

SLIDE 20

Risk Executive Function

§ Managing Risk at the Enterprise Level: Coordinated risk and security-related activities; enterprise-wide view supporting mission/business functions.

Diagram layers: Mission / Business Processes; Information system-specific considerations; Information systems.

§ Enterprise information security priorities; allocation of resources.
§ Systemic weaknesses and deficiencies addressed and corrected.
§ Guidance on tailoring activities.
§ Oversight of security categorizations.
§ Common security controls identified and assignment of responsibilities.
§ Common security control inheritance defined for information systems.
§ Mandatory security configuration settings established and applied.

SLIDE 21

Strategic Planning Considerations

Defense-in-Breadth

§ Diversify information technology assets.
§ Reduce information system complexity.
§ Consider vulnerabilities of new information technologies before deployment.
§ Apply a balanced set of management, operational, and technical security controls in a defense-in-depth approach.

SLIDE 22

Strategic Planning Considerations

Defense-in-Breadth

§ Detect and respond to breaches of information system boundaries.
§ Reengineer business/mission processes.

SLIDE 23

NIST’s Industrial Control Systems (ICS) Project

SLIDE 24

Industrial Control Systems - ICS

  • What are ICS?
    – Supervisory Control and Data Acquisition (SCADA) Systems
    – Distributed Control Systems (DCS)
    – Programmable Logic Controllers (PLC)
    – Intelligent Field devices
  • Used in all process control and manufacturing processes including electric, water, oil/gas, chemicals, auto manufacturing, etc.

SLIDE 25

Federal Agency Challenges (1 of 2)

  • Federal agencies required to apply NIST SP 800-53 Recommended Security Controls for Federal Information Systems (general IT security requirements) to their ICSs
  • Federal agencies that own/operate electric power-related ICSs could potentially have to meet 2 standards (FIPS 200/NIST SP 800-53 and Federal Energy Regulatory Commission--FERC standards*)

* Most mature industry candidate is the NERC Critical Infrastructure Protection (CIP) standards

SLIDE 26

Federal Agency Challenges (2 of 2)

  • Such agencies include:
    – Bonneville Power Administration (BPA)
    – Southwestern Power Administration (SWPA)
    – Western Area Power Administration (WAPA)
    – Tennessee Valley Administration (TVA)
    – DOI Bureau of Reclamation
    – Post Office
    – FAA

SLIDE 27

CSD/ITL-ISD/MEL ICS Project (1 of 3)

  • Cooperative relationship between the Computer Security Division (CSD) & Intelligent Systems Division (ISD) goes back about 6 years with start of the Process Control Security Requirements Forum (PCSRF--Stu Katzke & Al Wavering).
    – CSD: IT security expertise
    – ISD: ICS experience & ICS community recognition
  • Federal agencies required to apply SP 800-53 to their ICSs
  • Immediate (short term) focus on improving the security of ICSs that are part of the USG’s critical infrastructure (CI).
  • Longer term focus on fostering convergence of approaches/standards in government & private sectors

ITL: Information Technology Laboratory
MEL: Manufacturing Engineering Laboratory

SLIDE 28

CSD/ITL-ISD/MEL ICS Project (2 of 3)

  • “ICS” augmentation to SP 800-53, Revision 1
    – Develop bi-directional mappings of 800-53 to NERC CIPs *
    – Hold workshops (3) to
      • Explore the applicability of FIPS 199, FIPS 200, and NIST SP 800-53 to federally owned/operated ICSs.
      • Get U.S. Government (USG) stakeholders’ inputs/experience
      • Develop a comparison of SP 800-53 to the NERC CIPs
      • Develop the ICS version in cooperation with USG stakeholders
      • Validate the “ICS” version through implementation by USG stakeholders and case studies (e.g., Bellingham Cyber Incident)
  • NIST SP 800-82: A guidance document on how to secure ICSs

* In anticipation of possible Federal Energy Regulatory Commission’s (FERC) adoption of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection Standards (CIPs)

SLIDE 29

CSD/ITL-ISD/MEL ICS Project (3 of 3)

  • Assist/support FERC, DHS, and DOE/National Labs in their missions/roles to protect the government’s energy/power critical infrastructure from intentional (e.g., cyber attacks) and unintentional events (e.g., natural disasters).
  • Foster convergence of approaches/standards in all government & private sectors that use/depend on all ICSs.

SLIDE 30

SP 800-53/NERC CIPs Mapping Findings (1 of 2)

  • Generally, conforming to moderate baseline in SP 800-53 complies with the management, operational and technical security requirements of the NERC CIPs; the converse is not true.
  • NERC contains requirements that fall into the category of business risk reduction
    – High level business-oriented requirements
    – Demonstrate that enterprise is practicing due diligence
    – SP 800-53 does not contain analogues to these types of requirements as SP 800-53 focuses on information security controls (i.e., management, operational, and technical) at the information system level.

SLIDE 31

SP 800-53/NERC CIPs Mapping Findings (2 of 2)

  • NERC approach is to define critical assets first and their cyber components second
    – Definition of critical asset vague
    – Non-critical assets not really addressed
  • FIPS 199 specifies procedure for identifying security impact levels based on a worst case scenario (called security categorization)
    – Applies to all information and the information system
    – Considers impact to the organization, potential impacts to other organizations and, in accordance with the Patriot Act and Homeland Security Presidential Directives, potential national-level impacts
    – Confidentiality, availability, and integrity evaluated separately
    – Possible outcomes are low, moderate, and high
    – Highest outcome applies to system (High Water Mark)

  • Documentation requirements differ; more study required
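
The FIPS 199 procedure summarised in the bullets above (each objective rated separately, highest rating per objective for the system, high water mark for the overall impact level), as an added Python example that is not part of the NIST slides. The information types and their ratings are constructed sample input for a hypothetical SCADA system, and the rule that "not applicable" is allowed only for the confidentiality of an information type comes from FIPS 199 itself rather than from this slide.

```python
"""FIPS 199 security categorization with the high water mark.

Added example, not code from the NIST slides. It follows the procedure the
slide describes: rate confidentiality, integrity and availability separately
for each information type, take the highest rating per objective for the
system, and let the highest objective rating (the high water mark) set the
system impact level that selects the SP 800-53 baseline. The information
types below are constructed sample input for a hypothetical SCADA system.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# FIPS 199 impact values in ascending order. "not applicable" is permitted
# only for the confidentiality of an individual information type.
IMPACT_ORDER = ("low", "moderate", "high")
NOT_APPLICABLE = "not applicable"
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional FIPS 199 impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        return getattr(self, objective)

    def validate(self) -> None:
        """Reject ratings outside low/moderate/high (N/A allowed for C only)."""
        for obj in OBJECTIVES:
            value = self.rating(obj)
            if value in IMPACT_ORDER:
                continue
            if value == NOT_APPLICABLE and obj == "confidentiality":
                continue
            raise ValueError(f"{self.name}: invalid {obj} rating {value!r}")


def max_impact(values: Iterable[str]) -> Optional[str]:
    """Highest impact value, ignoring 'not applicable'; None if all are N/A."""
    applicable = [v for v in values if v != NOT_APPLICABLE]
    return max(applicable, key=IMPACT_ORDER.index) if applicable else None


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Per-objective security category of the system.

    Each objective takes the highest rating found among the information
    types the system handles. FIPS 199 does not allow 'not applicable' at
    the system level, so confidentiality is floored at 'low' when every
    information type rated it N/A.
    """
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must handle at least one information type")
    for t in types:
        t.validate()
    return {obj: max_impact(t.rating(obj) for t in types) or "low"
            for obj in OBJECTIVES}


def high_water_mark(category: Dict[str, str]) -> str:
    """System impact level: the highest of the three objective ratings."""
    return max(category.values(), key=IMPACT_ORDER.index)


def format_category(category: Dict[str, str]) -> str:
    """Render the category in FIPS 199 notation: SC = {(objective, IMPACT), ...}."""
    pairs = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: information types on a hypothetical water-utility SCADA
# system. Setpoints need integrity and availability far more than secrecy.
SAMPLE_SCADA = [
    InfoType("pump and valve setpoints", "low", "high", "high"),
    InfoType("sensor telemetry history", "low", "moderate", "moderate"),
    InfoType("public outage notices", NOT_APPLICABLE, "moderate", "low"),
]

if __name__ == "__main__":
    category = categorize_system(SAMPLE_SCADA)
    print(format_category(category))
    print("system impact level (high water mark):", high_water_mark(category))
```
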
SLIDE 32

Mapping Table Extract

The slide shows a matrix of NERC CIP requirements (rows) against the SP 800-53 Rev. 1 Access Control (AC) family controls (columns), with a Count column and an "Other - Notes" column. The per-cell mapping codes and counts did not survive extraction; the row and column labels, legend and codes are as follows.

Rows: NERC CIP requirements

– CIP-002: R1. Critical Asset Identification; R2. Critical Asset Identification; R3. Critical Cyber Asset Identification; R4. Annual Approval
– CIP-003: R1. Cyber Security Policy; R2. Leadership; R3. Exceptions; R4. Information Protection; R5. Access Control; R6. Change Control and Configuration Management
– CIP-004: R1. Awareness; R2. Training; R3. Personnel Risk Assessment; R4. Access
– CIP-005: R1. Electronic Security Perimeter; R2. Electronic Access Controls; R3. Monitoring Electronic Access; R4. Cyber Vulnerability Assessment; R5. Documentation Review and …
– CIP-006: R1. Physical Security Plan; R2. Physical Access Controls; R3. Monitoring Physical Access; R4. Logging Physical Access; R5. Access Log Retention; R6. Maintenance and Testing
– CIP-007: R1. Test Procedures; R2. Ports and Services; R3. Security Patch Management; R4. Malicious Software Prevention; R5. Account Management; R6. Security Status Monitoring; R7. Disposal or Redeployment; R8. Cyber Vulnerability Assessment; R9. Documentation Review and …
– CIP-008: R1. Cyber Security Incident Response; R2. Cyber Security Incident …
– CIP-009: R1. Recovery Plans; R2. Exercises; R3. Change Control; R4. Backup and Restore; R5. Testing Backup Media

Columns: SP 800-53 Rev. 1 Controls (Access Control family)

– AC-1 Access Control Policy and Procedures
– AC-2 Account Management
– AC-3 Access Enforcement
– AC-4 Information Flow Enforcement
– AC-5 Separation of Duties
– AC-6 Least Privilege
– AC-7 Unsuccessful Logon Attempts
– AC-8 System Use Notification
– AC-9 Previous Logon Notification
– AC-10 Concurrent Session Control
– AC-11 Session Lock
– AC-12 Session Termination
– AC-13 Supervision and Review—Access Control
– AC-14 Permitted Actions without Identification or Authentication
– AC-15 Automated Marking
– AC-16 Automated Labeling
– AC-17 Remote Access
– AC-18 Wireless Access Restrictions
– AC-19 Access Control for Portable and Mobile Systems
– AC-20 Personally Owned Information Systems

LEGEND: High baseline (no shading); Moderate baseline (12.5% grey shading); Low baseline (25% grey shading); Not in baseline (50% grey shading)

Codes:

8 NERC req ≅ SP 800-53 control
9 NERC more specific than SP 800-53 control
13 NERC ⊂ SP 800-53 control
17 NERC less specific than SP 800-53 control

SLIDE 33

NIST Comments to FERC on FERC's Preliminary Assessment of the NERC CIPs (Issued December 11, 2007; Docket RM06-22-000)

Filed by NIST on February 9, 2007

  • NERC CIPs do not provide levels of protection commensurate with the mandatory federal standards prescribed by NIST (in FIPS 200/SP 800-53) for protecting non-national security information and information systems

SLIDE 34

NIST Comments to FERC (Cont.)

  • NIST recommends FERC consider issuing interim cyber security standards for the bulk electric system that:
    – Are a derivative of the NERC CIPs (e.g., NERC CIPs; NERC CIPs appropriately modified, enhanced, or strengthened), and
    – Would allow for planned transition (say in two to three years) to cyber security standards that are identical to, consistent with or based on SP 800-53 and related NIST standards and guidelines (as interpreted for ICSs).

SLIDE 35

SP 800-53, Revision 2

  • Currently posted for public comment
  • Does not change SP 800-53, Rev. 1
  • Is an augmentation to Rev. 1
    – Appendix I replaced
  • For ICS-related controls, recommends:
    – Scoping guidance
    – Compensating controls
    – Adds ICS supplemental guidance & ICS enhancements

SLIDE 36

NIST SP 800-82

  • Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
    – Provide guidance for establishing secure SCADA and ICS, including the security of legacy systems
  • Content
    – Overview of ICS
    – ICS Characteristics, Threats and Vulnerabilities
    – ICS Security Program Development and Deployment
    – Network Architecture
    – ICS Security Controls
    – Appendixes
      • Current Activities in Industrial Control System Security
      • Emerging Security Capabilities
      • ICS in the Federal Information Security Management Act (FISMA) Paradigm
  • Second public draft released September 2007
  • http://csrc.nist.gov/publications/drafts.html

SLIDE 37

SP 800-82 Audience

  • Control engineers, integrators and architects when designing and implementing secure SCADA and/or ICS
  • System administrators, engineers and other IT professionals when administering, patching, securing SCADA and/or ICS
  • Security consultants when performing security assessments of SCADA and/or ICS
  • Managers responsible for SCADA and/or ICS
  • Researchers and analysts who are trying to understand the unique security needs of SCADA and/or ICS
  • Vendors developing products that will be deployed in SCADA and/or ICS

SLIDE 38

FY 2008 NIST Plans

  • Products/Deliverables
    – ICS augmentation of SP 800-53 (Revision 2)
    – SP 800-82: Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
    – Bellingham Cyber Incident case study (plus others)
  • Continue working with the federal ICS stakeholders
    – Including FERC, Department of Homeland Security (DHS), Department of Energy (DOE), the national laboratories, and federal agencies that own, operate, and maintain ICSs
  • Continue working with private sector ICS stakeholders, including standards committees

SLIDE 39

NIST ICS Security Project Contact Information

Project Leaders

  • Keith Stouffer, (301) 975-3877, keith.stouffer@nist.gov
  • Dr. Stu Katzke, (301) 975-4768, skatzke@nist.gov
  • sec-ics@nist.gov

Web Pages

  • Federal Information Security Management Act (FISMA) Implementation Project: http://csrc.nist.gov/sec-cert
  • NIST ICS Security Project: http://csrc.nist.gov/sec-cert/ics

SLIDE 40

Questions