The boss says that security is extremely important and top priority.
That is, unless it makes something inconvenient.
U.S. Government Impact on Cyber Security
Energy Independence and Security Act (EISA) of 2007
Title XIII, Section 1305. Smart Grid
Interoperability Framework
NIST has “primary responsibility to coordinate the
development of” an interoperability framework, in
cooperation with DOE and other stakeholders.
The Framework:
“The framework…shall align policy, business, and technology approaches [to] enable… an
efficient, reliable electricity network.”
“a framework that includes protocols and… standards for information management to achieve
interoperability of smart grid devices and systems.”
What standards are being used to implement Smart Grid controls?
NIST SP 800-53 Rev 3 - Guideline
NIST SP 800-82 - Guideline
DHS Catalog of Controls - Guideline
NIST IR 7628 - Guideline
NERC CIP-002 through 009 - Standard
SANS TOP 20 Critical Controls - Best Practices
NIST SP 800-30 Risk Assessment
Risk Assessment Activities (each task with its inputs and outputs):
Task 1. System Characterization
- Input: Hardware, Software, System interfaces, Data & information, People, System mission
- Output: System boundary, System functions, System & data criticality, System & data sensitivity
Task 2. Threat Identification
- Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
- Output: Threat statement
Task 3. Vulnerability Identification
- Input: Reports from prior risk assessments, Any audit comments, Security requirements, Security test results
- Output: List of potential vulnerabilities
Task 4. Control Analysis
- Input: Current controls, Planned controls
- Output: List of current & planned controls
Task 5. Likelihood Determination
- Input: Threat-source motivation, Threat capacity, Nature of vulnerability, Current controls
- Output: Likelihood rating
Task 6. Impact Analysis (loss of Integrity, Availability, Confidentiality)
- Input: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity
- Output: Impact rating
Task 7. Risk Determination
- Input: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned or current controls
- Output: Risks & associated risk levels
Task 8. Control Recommendations
- Output: Recommended controls
Task 9. Results Documentation
- Output: Risk assessment report
* Tasks 2, 3, 4, and 6 can be conducted in parallel after Task 1 has been completed.
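The following is an added example, not material from the slides: it carries Tasks 5 through 9 of the SP 800-30 flow above through on constructed data. The numeric scale (likelihood High/Medium/Low = 1.0/0.5/0.1, impact High/Medium/Low = 100/50/10, risk bands Low 1 to 10, Medium >10 to 50, High >50 to 100) is the risk-level matrix of the 2002 edition of SP 800-30. The threat/vulnerability pairs, the controls, and the rule for turning motivation, capability and current controls into a likelihood rating are assumptions made for illustration; SP 800-30 leaves that qualitative judgement to the assessor.

```python
"""Tasks 5-9 of the NIST SP 800-30 risk assessment flow on constructed data.

Added example, not from the slides. Numeric scale per the 2002 SP 800-30
risk-level matrix; sample pairs, controls and the likelihood rule are assumed.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Medium", "High")
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pairing (outputs of Tasks 2 and 3)."""
    threat_source: str
    vulnerability: str
    motivation: str                     # Task 5 input: threat-source motivation
    capability: str                     # Task 5 input: threat capacity
    impact: str                         # Task 6 output: impact rating (I/A/C loss)
    current_controls: list = field(default_factory=list)   # Task 4 output
    planned_controls: list = field(default_factory=list)   # Task 4 output


def rate_likelihood(pair: ThreatVulnPair) -> str:
    """Task 5. Assumed rule: take the lower of motivation and capability, then
    drop one level when a current control already addresses the vulnerability."""
    idx = min(LEVELS.index(pair.motivation), LEVELS.index(pair.capability))
    if pair.current_controls:
        idx = max(0, idx - 1)
    return LEVELS[idx]


def determine_risk(likelihood: str, impact: str):
    """Task 7. Risk = likelihood value x impact value, banded per the 800-30 matrix."""
    score = round(LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact], 6)
    if score > 50:
        level = "High"
    elif score > 10:
        level = "Medium"
    else:
        level = "Low"
    return score, level


def recommend_controls(pair: ThreatVulnPair, level: str) -> list:
    """Task 8. Medium/High risk: recommend the planned controls, or flag the gap
    when nothing is planned. Low risk is accepted with the current controls."""
    if level == "Low":
        return []
    return pair.planned_controls or ["no planned control: define one"]


def assess(pairs) -> list:
    """Tasks 5-9: returns the rows of the risk assessment report, highest risk first."""
    rows = []
    for p in pairs:
        likelihood = rate_likelihood(p)
        score, level = determine_risk(likelihood, p.impact)
        rows.append({
            "threat": p.threat_source,
            "vulnerability": p.vulnerability,
            "likelihood": likelihood,
            "impact": p.impact,
            "score": score,
            "risk_level": level,
            "recommended_controls": recommend_controls(p, level),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample pairs for a hypothetical AMI head-end (not real findings).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Head-end management service reachable without authentication",
                   motivation="High", capability="High", impact="High",
                   planned_controls=["Move management to an authenticated, ESP-only interface"]),
    ThreatVulnPair("Malware", "Engineering workstation missing vendor patches",
                   motivation="Medium", capability="Medium", impact="Medium",
                   planned_controls=["Patch cycle with offline test bench"]),
    ThreatVulnPair("Insider", "Shared operator account on HMI",
                   motivation="Medium", capability="High", impact="High",
                   current_controls=["Badge-controlled control room access"],
                   planned_controls=["Individual accounts with logging"]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['risk_level']:6} {row['score']:5} {row['threat']}: {row['vulnerability']}")
        for c in row["recommended_controls"]:
            print("       ->", c)
```

Note how the matrix bands fall: a Low likelihood against a High impact scores exactly 10 and lands in the Low band, and Medium x Medium scores 25 (Medium); the band edges are inclusive at the top, which is why the comparisons are strict greater-than.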
Develop a System Security Architecture
Developing a security architecture involves determining how each security requirement will be met
through management, operational and technical controls.
NIST IR 7628 - Smart Grid Cyber Security
Strategy and Requirements
• 1st Draft September 2009
• 2nd Draft February 2010
• 3rd Draft August 2010
The NIST IR 7628 draft document contains the overall security strategy for the
Smart Grid.
Contents include:
Development of vulnerability classes, identification of well-understood
security problems that need to be addressed, selection and development of
security-relevant use cases, initial privacy impact assessment, identification
and analysis of interfaces identified in six functional priority areas, advanced
metering infrastructure (AMI) security requirements, and selection of a suite
of security documents that will be used as the base for determining and
tailoring security requirements.
NIST IR 7628 - Figure 2.1 Unified Logical Architecture for the Smart Grid
NERC/NIST Direction
What does this mean?
NIST Security Risk Management Framework
Government’s Push to Secure the Grid
North American Electric Reliability Corporation
Risk Based Methodology Review of Critical Assets and Critical Cyber Assets:
– April 7, 2009 - Michael Assante, Vice President and Chief Security Officer of NERC, expressed
concerns with data submitted regarding Critical Asset and Critical Cyber Asset identification.
NERC developed a set of Security Guidelines for the Electricity Sector to assist in
the review process of:
– Categorizing Cyber Systems – July 2009
– Identifying Critical Assets – Sept 2009
– Identifying Critical Cyber Assets – Nov 2009
NERC is advising all registered entities about the sufficiency of evidence supporting Critical Asset
identifications where all substations and generating facilities are excluded. They believe that a
finding of non-compliance is highly probable absent such evidence, tied to a NIST SP 800-30 risk
assessment.
Ultimately, self regulation has led to increased definition and accountability from FERC.
Smart Grid is coming into scope with changes in CIP-002 v1-3 and CIP-002 v4
CIP-011-1 Electronic Boundary
A boundary protection device is “(a) device with appropriate mechanisms that: (i) facilitates the
adjudication of different interconnected system security policies (e.g., controlling the flow of
information into or out of an interconnected system); and/or (ii) monitors and controls
communication at the external boundary of the information system to prevent and detect malicious
and other unauthorized communications.”
Boundary protection devices include such components as proxies, gateways, routers, firewalls,
guards, and encryption tunnels.
Proxy Server – a computer system or an application that acts as an intermediary.
Gateway – an interface providing a capability between networks by converting transmission speeds,
protocols, codes, or security measures.
Router – a hardware device or software program that forwards network traffic between computer
networks.
Firewall – a network device or system running special software that controls the flow of network
traffic between networks or between a host and a network.
Encryption Tunnel – an encrypted channel between two endpoints. To encrypt information means to
transform the information (referred to as plaintext) using an algorithm (called a cipher) to make it
unreadable to anyone except those possessing special knowledge, usually referred to as a key.
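The two duties in the CIP-011 definition above, adjudicating which flows may cross between two interconnected networks with different security policies and monitoring the boundary so that unauthorized communication is blocked and detected, as an added example in code. This is not material from the slides or from NERC/NIST; the control-network and corporate address ranges, the allow-list rules, the port numbers and the flow records are all constructed for illustration.

```python
"""A boundary protection device's adjudication and monitoring duties, modelled.

Added example, not from the slides or from NERC/NIST. Address ranges, rules
and flow records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed segments: the control (ESP) network and the corporate network.
CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")
CORP_NET = ipaddress.ip_network("192.168.50.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dports: frozenset          # permitted destination ports; empty = any


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")


# Explicit allow-list. A boundary crossing that matches no rule is denied,
# so the device fails closed rather than open.
RULES = (
    # Historian replicates outbound to one corporate collector only (gateway role).
    Rule("historian-to-corp", CONTROL_NET, host("192.168.50.10"), "tcp", frozenset({5432})),
    # Administrative access into the ESP only from the jump host, over SSH.
    Rule("jumphost-ssh-into-esp", host("192.168.50.20"), CONTROL_NET, "tcp", frozenset({22})),
)


def crosses_boundary(flow: Flow) -> bool:
    """True when exactly one endpoint is inside the control network."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (s in CONTROL_NET) != (d in CONTROL_NET)


def matches(rule: Rule, flow: Flow) -> bool:
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (s in rule.src and d in rule.dst and flow.proto == rule.proto
            and (not rule.dports or flow.dport in rule.dports))


def adjudicate(flow: Flow):
    """Return (decision, matched_rule). Traffic that stays inside one zone is
    not the boundary device's concern and is passed through untouched."""
    if not crosses_boundary(flow):
        return "INTRA_ZONE", None
    for rule in RULES:
        if matches(rule, flow):
            return "ALLOW", rule.name
    return "DENY", None


def monitor(flows):
    """Enforce the policy over a batch of flows and return (allowed, alerts).
    Every denied crossing becomes an alert: the 'detect' half of the
    definition, not only the 'prevent' half."""
    allowed, alerts = [], []
    for f in flows:
        decision, rule = adjudicate(f)
        if decision == "ALLOW":
            allowed.append((f, rule))
        elif decision == "DENY":
            alerts.append(f"unauthorized boundary traffic {f.src} -> {f.dst} {f.proto}/{f.dport}")
    return allowed, alerts


# Constructed flow records, as a flow exporter at the perimeter might emit them.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "192.168.50.10", "tcp", 5432),   # historian replication: allowed
    Flow("192.168.50.20", "10.10.0.7", "tcp", 22),     # jump host SSH: allowed
    Flow("192.168.50.33", "10.10.0.7", "tcp", 502),    # corporate desktop speaking Modbus: denied
    Flow("10.10.0.5", "192.168.50.10", "tcp", 445),    # right hosts, wrong service: denied
    Flow("192.168.50.20", "10.10.0.7", "udp", 22),     # right port, wrong protocol: denied
    Flow("10.10.0.5", "10.10.0.9", "tcp", 502),        # stays inside the ESP: not adjudicated
]

if __name__ == "__main__":
    allowed, alerts = monitor(SAMPLE_FLOWS)
    for f, rule in allowed:
        print(f"ALLOW {f.src} -> {f.dst} {f.proto}/{f.dport} ({rule})")
    for a in alerts:
        print("ALERT", a)
```

The rules are deliberately host- and port-specific in the direction into the ESP: the same Modbus request that is legitimate between two control-network hosts is an alert when it originates on the corporate side, which is the different-policies-per-zone point the definition makes.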
SANS TOP 20 Controls
Critical Control 1: Inventory of Authorized and Unauthorized Devices
Critical Control 2: Inventory of Authorized and Unauthorized Software
Critical Control 3: Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
Critical Control 4: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based on Need to Know
Critical Control 10: Continuous Vulnerability Assessment and Remediation
Critical Control 11: Account Monitoring and Control
Critical Control 12: Malware Defenses
Critical Control 13: Limitation and Control of Network Ports, Protocols, and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Loss Prevention
Critical Control 16: Secure Network Engineering
Critical Control 17: Penetration Tests and Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training to Fill Gaps
Appendix
Department of Homeland Security (DHS)
Catalog of Control Systems Security: Recommendations for
Standards Developers
• 1st Draft September 2009
• 2nd Draft June 2010
The DHS catalog presents a compilation of practices that various industry
bodies have recommended to increase the security of control systems from
both physical and cyber attacks. The recommendations in the catalog are
grouped into 19 families, or categories.
The catalog is not limited to use by a specific industry sector but can be used by all sectors to
develop the framework needed to produce a sound cyber security program. The DHS catalog should be
viewed as a collection of
recommendations to be considered and judiciously employed, as appropriate,
when reviewing and developing cyber security standards for control systems.
The recommendations in the catalog are intended to be broad enough to
provide any industry using control systems the flexibility needed to develop
sound cyber security standards specific to their individual security needs.
NIST SP 800-30 Risk Assessment
The purpose of this risk assessment is to evaluate the adequacy of the system
security. This risk assessment provides a structured qualitative assessment of
the operational environment. It addresses sensitivity, threats, vulnerabilities,
risks and safeguards. The assessment recommends cost-effective safeguards
to mitigate threats and associated exploitable vulnerabilities.
The objective of performing risk management is to enable the organization to
accomplish its mission(s):
(1) by better securing the IT systems that store, process, or transmit
organizational information;
(2) by enabling management to make well-informed risk management
decisions to justify the expenditures that are part of an IT budget; and
(3) by assisting management in authorizing (or accrediting) the IT systems on
the basis of the supporting documentation resulting from the performance of
risk management.
NIST SP 800-82
• Initial public draft released September 2007
NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security provides
guidance on securing Industrial Control Systems (ICS), including Supervisory
Control and Data Acquisition (SCADA) systems, Distributed Control Systems
(DCS), and other control system configurations while addressing the
performance, reliability, and safety requirements of each.
The document provides an overview of ICS and typical system topologies,
identifies typical threats and vulnerabilities to these systems, and provides
recommended security countermeasures to mitigate the associated risks.
CIP-011-1 Boundary Protection (R20-R22)
NERC CIP: 2 unchanged, 9 new, 4 changed requirements
SANS TOP 20 Controls
Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines
The Twenty Critical Security Controls have already begun to transform security in government
agencies and other large enterprises by focusing their spending on the key controls that block
known attacks and find the ones that get through. These controls allow those responsible for
compliance and those responsible for security to agree, for the first time, on what needs to be
done to make systems safer. No development in security is having a more profound and far
reaching impact.
These Top 20 Controls were agreed upon by a powerful consortium brought together by John
Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices
of the Center for Strategic and International Studies. Members of the Consortium include NSA,
US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD
Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the
banking and critical infrastructure communities.
The automation of these Top 20 Controls will radically lower the cost of security while improving
its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated
more than 80% reduction in "measured" security risk through the rigorous automation and
measurement of the Top 20 Controls.