Energy Provider Community of Interest Build Team and Energy Provider Community Meeting 29 June 2016 Securing Networked Infrastructure for the Energy Sector

Build Team and Energy Provider Community …...2016/05/17  · ‣ Systems integration in new lab: 1/2016 – 3/2016 ‣ Completed build: 05/2016 ‣ Draft Practice Guide release:


Page 1

Energy Provider Community of Interest

Build Team and Energy Provider Community Meeting

29 June 2016

Securing Networked Infrastructure for the Energy Sector

Page 2

ENERGY PROVIDER COMMUNITY

Agenda

§ NCCoE news

§ Current projects

§ Situational Awareness (SA) project update

§ Identity and Access Management (IdAM) project update

§ SA Build Team introduction and overview

§ Open discussion

Page 3

NCCOE NEWS

NCCoE Out and About:

§ Attended conferences

§ UTC & Technology (May) – Nate Lesser spoke

§ ICS JWG (May) – Jim McCarthy spoke

§ Upcoming planned conferences

§ APPA National Conference (June)

§ Webinar with AlertEnterprise (June)

§ Cybersecurity for Oil & Gas Summit (June) – Jim McCarthy speaking

§ EnergySec (August)

§ Power Grid Cyber Security Exchange (August)

§ ICS Cyber Security Conference Sacramento (October)

§ GridSecCon (October) – potential workshop

§ World Congress on Industrial Control Systems Security (WCICSS) (December)

Page 4

Improving Critical Infrastructure Cybersecurity

• "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties"

• President Barack Obama • Executive Order 13636, 12 February 2013

Page 5

Development of the Framework

Engage the Framework Stakeholders

Collect, Categorize, and Post RFI Responses

Analyze RFI Responses

Identify Framework Elements

Prepare and Publish Framework

EO 13636 Issued – February 12, 2013

NIST Issues RFI – February 26, 2013

1st Framework Workshop – April 03, 2013

Completed – April 08, 2013

Identify Common Practices/Themes – May 15, 2013

2nd Framework Workshop at CMU – May 2013

Draft Outline of Preliminary Framework – June 2013

3rd Workshop at UCSD – July 2013

4th Workshop at UT Dallas – Sept 2013

5th Workshop at NC State – Nov 2013

Published Framework – Feb 2014

Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process…and to this day

Page 6

Framework Core: Cybersecurity Framework Component

What processes and assets need protection?

What safeguards are available?

What techniques can identify incidents?

What techniques can contain impacts of incidents?

What techniques can restore capabilities?

Page 7

Core Cybersecurity Framework Component

Function, Category, ID:

Identify: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)

Protect: Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes & Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)

Detect: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)

Respond: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)

Recover: Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)

Subcategory and Informative References (Business Environment):

ID.BE-1: The organization's role in the supply chain is identified and communicated
References: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated
References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established
References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

Page 8

Exemplar: CSF Mapping for IdAM Reference Solution

Page 9

Situational Awareness Project – Installation Update

Page 10

[Figure: MONITORING / DATA COLLECTION BUILD STATUS diagram; legend: Complete / In Process]

Operations-side components shown: Dell R620 Server (VMware); Dragos Security CyberLens Sensor; OSIsoft Pi Historian (Operations); Schneider Electric Citect; Siemens RUGGEDCOM RX1500; Cisco 2950 Switch; TDi Technologies ConsoleWorks (Operations); Schneider Electric Tofino Firewall; Radiflow 3180 Firewall; Radiflow iSIM; RS2 Door Controller; ICS Network TAPs; Waterfall Unidirectional Security Gateway Hardware (Tx/Rx) with Waterfall Secure Bypass; VPN to Enterprise; TDi Technologies ConsoleWorks Server (Operations Management).

Data flows shown: Syslog; Historian Data; CyberLens Sensor Data; OSIsoft Citect Interface; Door open/close events; iSIM Web interface; TAP traffic.

Page 11

INSTALLS / INTEGRATIONS COMPLETED

§ NCCoE is able to receive data from UMd ICS Network to an OSIsoft Pi historian

§ CyberLens Sensor is installed and able to send data through Unidirectional Security Gateway

§ ConsoleWorks functioning as a log collector and sending data through Unidirectional Security Gateway

§ Network taps are capturing packet data and sending it to the VMware network

§ Not yet sending data to CyberLens or iSID

§ Door sensor is sending data over the VPN to RS2 AccessIT!

Page 12

FINAL TEST CASES

Test Case 1

Event Correlation - OT & PACS: Technician accesses sub-station/control-station and OT device goes down. Alert of anomalous condition and subsequent correlation to PACS to see who accessed facility.

Test Case 2

Event Correlation - OT & IT: Enterprise (IT) java application communication with OT device (Historian) and used as a vector for SQL injection (SQLi)

Test Case 3

Event Correlation - OT & IT/PACS-OT: Unauthorized access attempts detected and alerts triggered based on connection requests from a device on the SCADA network destined for an IP that is outside of the SCADA IP range. This test case focuses on the possibility of a malicious actor attempting to gain access to an OT device via the Enterprise (IT) network. This test case is also relevant in a PACS-OT scenario, in which someone has physical access to an OT device but lacks the necessary access to perform changes to the device, and alerts are sent based on numerous failed login attempts.

Test Case 4

Data Exfiltration Attempts: examine behavior of systems; configure SIEM to alert on behavior which is outside the normal baseline. Alerts can be created emanating from OT, IT and PACS. This test case seeks alerting based on behavioral anomalies, rather than recognition of IP addresses.

Test Case 5

Configuration Management: unauthorized (inadvertent or malicious) uploading of an ICS network device configuration. Alert will be created to notify SIEM this has occurred. Detection method will be primarily based on inherent device capability (i.e. log files).

Test Case 6

Rogue Device Detection: alerts are triggered by the introduction of any device onto the ICS network, that has not been registered with the asset management capability in the build.
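The detection logic behind Test Cases 1, 3 and 6, as an added example that is not code from the NCCoE build or any of its partners: the SCADA IP range, the asset inventory, the 15-minute correlation window and the normalized event records are all constructed for illustration.

```python
"""Detection logic for Test Cases 1, 3 and 6 (added example, not the NCCoE build's code).
The SCADA range, asset inventory, time window and event records are all constructed."""
import ipaddress
from datetime import datetime, timedelta

SCADA_NET = ipaddress.ip_network("10.100.0.0/24")              # constructed SCADA IP range
REGISTERED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # constructed asset inventory

# Constructed, normalized events as a SIEM might receive them from syslog, the historian and PACS.
EVENTS = [
    {"ts": "2016-06-01T08:00:00", "kind": "conn", "src": "10.100.0.5", "dst": "10.100.0.9", "mac": "00:11:22:33:44:01"},
    {"ts": "2016-06-01T08:01:00", "kind": "conn", "src": "10.100.0.5", "dst": "192.0.2.44", "mac": "00:11:22:33:44:01"},
    {"ts": "2016-06-01T08:02:00", "kind": "conn", "src": "10.100.0.77", "dst": "10.100.0.9", "mac": "00:11:22:33:44:99"},
    {"ts": "2016-06-01T08:10:00", "kind": "door_open", "facility": "substation-A", "person": "tech-17"},
    {"ts": "2016-06-01T08:14:00", "kind": "ot_down", "facility": "substation-A", "device": "rtu-3"},
    {"ts": "2016-06-01T09:30:00", "kind": "ot_down", "facility": "substation-B", "device": "rtu-8"},
]

def out_of_range_connections(events, scada_net=SCADA_NET):
    """Test Case 3: a host inside the SCADA range opening a connection to a destination outside it."""
    return [e for e in events if e["kind"] == "conn"
            and ipaddress.ip_address(e["src"]) in scada_net
            and ipaddress.ip_address(e["dst"]) not in scada_net]

def rogue_devices(events, registered=REGISTERED_MACS):
    """Test Case 6: every MAC seen on the ICS network that is absent from the asset inventory."""
    return sorted({e["mac"] for e in events if e["kind"] == "conn" and e["mac"] not in registered})

def correlate_outage_with_access(events, window=timedelta(minutes=15)):
    """Test Case 1: for each OT device outage, the PACS door events at the same facility
    in the `window` before it; an empty list means the outage has no physical-access correlation."""
    def ts(e):
        return datetime.fromisoformat(e["ts"])
    doors = [e for e in events if e["kind"] == "door_open"]
    result = {}
    for down in (e for e in events if e["kind"] == "ot_down"):
        result[down["device"]] = [d["person"] for d in doors
                                  if d["facility"] == down["facility"]
                                  and timedelta(0) <= ts(down) - ts(d) <= window]
    return result
```

Each function returns the alerts for one test case, so the same event stream can be checked against all three rules in a single SIEM pass.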

Page 13

SA PROJECT MILESTONES

‣ Use Case published: http://nccoe.nist.gov/sites/default/files/nccoe/NCCoE_ES_Situational_Awareness.pdf

‣ Build team kickoff: 10/20/2015

‣ Components installed in lab: 12/2015

‣ Systems integration in new lab: 1/2016 – 3/2016

‣ Completed build: 05/2016

‣ Draft Practice Guide release: late June - early July, 2016

‣ Early adoption: 06/2016 and ongoing

‣ Demonstrations: 06/2016 and ongoing

‣ Final Practice Guide release: Fall 2016

Page 14

PROJECT PARTNERS

[Partner logos; only the Dragos Security logo text survived extraction]

Page 15

CURRENT PROJECTS

Identity and Access Management (IdAM) Use Case:

§ Provides a reference solution to:

§ Authenticate individuals and systems

§ Enforce authorization control policies

§ Unify IdAM services

§ Protect generation, transmission and distribution

§ Improve awareness and management of visitor accesses

§ Simplify the reporting process

§ Draft guide is online at https://nccoe.nist.gov/projects/use_cases/idam

§ Final Guide publication pending final approvals

§ Demonstrations and adoption support available

Page 16

CURRENT PROJECTS

IdAM Adoption Activities

‣ Continue to seek early adoption opportunities

‣ NYPA adoption – projected start is June 2016

‣ Collaborating with MITRE for usability study of IdAM Practice Guide

‣ Opportunities for COI members:

‣ Demonstration of solution for your organization

‣ Solution feasibility discussions

‣ Industry vendor/integrator introductions

‣ COI outreach support

Contact us for more information!

Page 17

CONTACT US

[email protected]

9700 Great Seneca Hwy, Rockville, MD 20850

http://nccoe.nist.gov/forums/energy

Thank You

100 Bureau Drive, Mail Stop 2002, Gaithersburg, MD 20899

Page 18

ABOUT THE NCCOE

Page 19

FOUNDERS

Information Technology Laboratory

Page 20

WHO WE ARE AND WHAT WE DO

VISION: ADVANCE CYBERSECURITY
A secure cyber infrastructure that inspires technological innovation and fosters economic growth

MISSION: ACCELERATE ADOPTION OF SECURE TECHNOLOGIES
Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs

GOAL 1: PROVIDE PRACTICAL CYBERSECURITY
Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable

GOAL 2: INCREASE RATE OF ADOPTION
Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption

GOAL 3: ACCELERATE INNOVATION
Empower innovators to creatively address businesses' most pressing cybersecurity challenges in a state-of-the-art, collaborative environment

Page 21

BUSINESS MODEL

The NCCoE seeks problems that are:

‣ Broadly applicable across much of a sector, or across sectors

‣ Addressable through one or more reference designs built in our labs

‣ Complex enough that our reference designs will need to be based on a combination of multiple commercially available technologies

Reference designs address:

‣ Sector-specific use cases that focus on a business-driven cybersecurity problem facing a particular sector (e.g., health care, energy, financial services)

‣ Technology-specific building blocks that cross sector boundaries (e.g., roots of trust in mobile devices, trusted cloud computing, software asset management, attribute based access control)

Page 22

TENETS

Standards-based: Apply relevant local, national and international standards to each security implementation and account for each sector's individual needs; demonstrate reference designs for new standards

Modular: Develop reference designs with individual components that can be easily substituted with alternates that offer equivalent input-output specifications

Usable: Design usable blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations

Repeatable: Enable anyone to recreate the NCCoE builds and achieve the same results by providing a complete practice guide including a reference design, bill of materials, configuration files, relevant code, diagrams, tutorials and instructions

Open and transparent: Use open and transparent processes to complete work, and seek and incorporate public comments on NCCoE documentation, artifacts and results

Commercially available: Work with the technology community to identify commercially available products that can be brought together in reference designs to address challenges identified by industry

Page 23

PROJECT LIFECYCLE

Situational Awareness – we are here

Pre-Process
We strategically identify, select, and prioritize projects that align with our mission.

P1: Concept Analysis
We partner with industry to define, validate, and build business cases for the most challenging cybersecurity issues.

P2: Develop Use Case
Using a collaborative method with industry partners, we develop a full Use Case that outlines a plan for tackling the issue.

P3: Form Build Team
We unite industry partners and technology companies to build a qualified team to execute the Use Case.

P4: Design & Build
The Use Case team plans, designs, and builds the system in a lab environment and documents it in the Practice Guide.

P5: Integrate & Test
The team tests the system and makes refinements as necessary. The system may be validated by our partners. The final solution system is documented in the Practice Guide.

P6: Publish & Adopt
We, alongside our partners, publish, publicize and demonstrate the Practice Guide. This solution provides a reference architecture that may be implemented in whole or in part.

Icon Credits (right to left): Talking by Juan Pablo Bravo; Test Tube by Olivier Guin; Collaboration by Krisada; Team by Wilson Joseph; Brainstorm by Jessica Lock; Network by Matthew Hawdon; Arrow by Jamison Wieser; all from the Noun Project.

IdAM – we are here