Energy Provider Community of Interest
Build Team and Energy Provider Community Meeting, 29 June 2016
Securing Networked Infrastructure for the Energy Sector
ENERGY PROVIDER COMMUNITY
Agenda
§ NCCoE news
§ Current projects
§ Situational Awareness (SA) project update
§ Identity and Access Management (IdAM) project update
§ SA Build Team introduction and overview
§ Open discussion
NCCOE NEWS
NCCoE Out and About:
§ Attended conferences
§ UTC & Technology (May) – Nate Lesser spoke
§ ICS JWG (May) – Jim McCarthy spoke
§ Upcoming planned conferences
§ APPA National Conference (June)
§ Webinar with AlertEnterprise (June)
§ Cybersecurity for Oil & Gas Summit (June) – Jim McCarthy speaking
§ EnergySec (August)
§ Power Grid Cyber Security Exchange (August)
§ ICS Cyber Security Conference Sacramento (October)
§ GridSecCon (October) – potential workshop
§ World Congress on Industrial Control Systems Security (WCICSS) (December)
Improving Critical Infrastructure Cybersecurity
• “It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties”
• President Barack Obama • Executive Order 13636, 12 February 2013
Development of the Framework
Process steps: Engage the Framework Stakeholders; Collect, Categorize, and Post RFI Responses; Analyze RFI Responses; Identify Framework Elements; Prepare and Publish Framework
Timeline:
§ EO 13636 Issued – February 12, 2013
§ NIST Issues RFI – February 26, 2013
§ 1st Framework Workshop – April 03, 2013
§ Completed – April 08, 2013
§ Identify Common Practices/Themes – May 15, 2013
§ 2nd Framework Workshop at CMU – May 2013
§ Draft Outline of Preliminary Framework – June 2013
§ 3rd Workshop at UCSD – July 2013
§ 4th Workshop at UT Dallas – Sept 2013
§ 5th Workshop at NC State – Nov 2013
§ Published Framework – Feb 2014
Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process…and to this day
Cybersecurity Framework Component: Framework Core
What processes and assets need protection?
What safeguards are available?
What techniques can identify incidents?
What techniques can contain impacts of incidents?
What techniques can restore capabilities?
Framework Core: Function / Category / ID
Identify
  Asset Management – ID.AM
  Business Environment – ID.BE
  Governance – ID.GV
  Risk Assessment – ID.RA
  Risk Management Strategy – ID.RM
Protect
  Access Control – PR.AC
  Awareness and Training – PR.AT
  Data Security – PR.DS
  Information Protection Processes & Procedures – PR.IP
  Maintenance – PR.MA
  Protective Technology – PR.PT
Detect
  Anomalies and Events – DE.AE
  Security Continuous Monitoring – DE.CM
  Detection Processes – DE.DP
Respond
  Response Planning – RS.RP
  Communications – RS.CO
  Analysis – RS.AN
  Mitigation – RS.MI
  Improvements – RS.IM
Recover
  Recovery Planning – RC.RP
  Improvements – RC.IM
  Communications – RC.CO

Subcategory / Informative References (ID.BE, Business Environment)
ID.BE-1: The organization’s role in the supply chain is identified and communicated
  COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
  COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
  COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
  COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established
  ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
Exemplar: CSF Mapping for IdAM Reference Solution
Situational Awareness Project – Installation Update
MONITORING / DATA COLLECTION BUILD STATUS
[Build diagram: Operations segment on a Dell R620 server running VMware, hosting the Dragos Security CyberLens Sensor, OSIsoft Pi Historian (Operations), Schneider Electric Citect, and TDi Technologies ConsoleWorks (Operations); Siemens RUGGEDCOM RX1500, Cisco 2950 switch, Schneider Electric Tofino firewall, Radiflow 3180 firewall and Radiflow iSIM; ICS network TAPs; RS2 door controller; Waterfall Unidirectional Security Gateway hardware (Tx/Rx) and Waterfall Secure Bypass; VPN to Enterprise; TDi Technologies ConsoleWorks server (Operations Management) and OSIsoft/Citect interface server. Data flows shown: Syslog, historian data, door open/close events, iSIM web interface, CyberLens sensor data, OSIsoft Citect interface. Legend: Complete / In Process.]
INSTALLS / INTEGRATIONS COMPLETED
§ NCCoE is able to receive data from UMd ICS Network to an OSIsoft Pi historian
§ CyberLens Sensor is installed and able to send data through Unidirectional Security Gateway
§ ConsoleWorks functioning as a log collector and sending data through Unidirectional Security Gateway
§ Network taps are capturing packet data and sending it to the VMware network
§ Not yet sending data to CyberLens or iSID
§ Door sensor is sending data over the VPN to RS2 AccessIT!
FINAL TEST CASES
Test Case 1 – Event Correlation – OT & PACS: Technician accesses sub-station/control-station and OT device goes down. Alert of anomalous condition and subsequent correlation to PACS to see who accessed facility.
Test Case 2 – Event Correlation – OT & IT: Enterprise (IT) Java application communication with OT device (Historian) and used as a vector for SQL injection (SQLi).
Test Case 3 – Event Correlation – OT & IT / PACS-OT: Unauthorized access attempts detected and alerts triggered based on connection requests from a device on the SCADA network destined for an IP that is outside of the SCADA IP range. This test case focuses on the possibility of a malicious actor attempting to gain access to an OT device via the Enterprise (IT) network. This test case is also relevant in a PACS-OT scenario, in which someone has physical access to an OT device but lacks the necessary access to perform changes to the device, and alerts are sent based on numerous failed login attempts.
Test Case 4 – Data Exfiltration Attempts: examine behavior of systems; configure SIEM to alert on behavior which is outside the normal baseline. Alerts can be created emanating from OT, IT and PACS. This test case seeks alerting based on behavioral anomalies, rather than recognition of IP addresses.
Test Case 5 – Configuration Management: unauthorized (inadvertent or malicious) uploading of an ICS network device configuration. Alert will be created to notify SIEM this has occurred. Detection method will be primarily based on inherent device capability (i.e. log files).
Test Case 6 – Rogue Device Detection: alerts are triggered by the introduction of any device onto the ICS network that has not been registered with the asset management capability in the build.
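As an added illustration of the detection logic behind test cases 1, 3 and 6 above (this is not code from the NCCoE build, its practice guide, or any partner product), the following Python script runs three simple detectors over constructed syslog-style records: an egress check for SCADA hosts reaching addresses outside the SCADA range, a rogue-device check against an asset registry, and a look-back correlation of an OT device outage with PACS door-open events. The SCADA address range, the asset registry, the field names, the 15-minute correlation window and every record are assumptions made for the example, not values from the build.

```python
"""Added example: toy detectors for three Situational Awareness test cases.
Everything below (address range, registry, events, field names) is constructed
for illustration and is NOT taken from the NCCoE build."""
import ipaddress
from datetime import datetime, timedelta

# Assumed SCADA/OT address range (constructed value).
SCADA_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed asset registry (constructed): MAC address -> registered device name.
ASSET_REGISTRY = {
    "00:11:22:33:44:01": "citect-scada-server",
    "00:11:22:33:44:02": "rx1500-router",
    "00:11:22:33:44:03": "pi-historian",
}

# Constructed event records, as a SIEM might hold them after parsing syslog.
EVENTS = [
    {"ts": "2016-06-29T09:00:05", "source": "firewall", "type": "conn",
     "src_ip": "10.20.1.15", "dst_ip": "10.20.1.40"},
    {"ts": "2016-06-29T09:00:07", "source": "firewall", "type": "conn",
     "src_ip": "10.20.1.15", "dst_ip": "203.0.113.7"},
    {"ts": "2016-06-29T09:01:00", "source": "doorctl", "type": "door_open",
     "badge": "tech-0042", "door": "substation-7"},
    {"ts": "2016-06-29T09:03:30", "source": "historian", "type": "device_down",
     "device": "rtu-7"},
    {"ts": "2016-06-29T09:04:00", "source": "sensor", "type": "device_seen",
     "mac": "00:11:22:33:44:99", "ip": "10.20.1.77"},
    {"ts": "2016-06-29T09:04:10", "source": "sensor", "type": "device_seen",
     "mac": "00:11:22:33:44:01", "ip": "10.20.1.40"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def egress_alerts(events, scada_net=SCADA_NET):
    """Test case 3: a host inside the SCADA range opening a connection to an
    address outside it. One alert per offending connection record."""
    alerts = []
    for ev in events:
        if ev["type"] != "conn":
            continue
        src = ipaddress.ip_address(ev["src_ip"])
        dst = ipaddress.ip_address(ev["dst_ip"])
        if src in scada_net and dst not in scada_net:
            alerts.append({"case": "TC3", "ts": ev["ts"],
                           "src_ip": ev["src_ip"], "dst_ip": ev["dst_ip"]})
    return alerts


def rogue_device_alerts(events, registry=ASSET_REGISTRY):
    """Test case 6: a device observed on the ICS network whose MAC address is
    not in the asset registry."""
    return [{"case": "TC6", "ts": ev["ts"], "mac": ev["mac"], "ip": ev["ip"]}
            for ev in events
            if ev["type"] == "device_seen" and ev["mac"] not in registry]


def correlate_outage_with_access(events, window=timedelta(minutes=15)):
    """Test case 1: for each OT device outage, collect the badges that opened a
    door within `window` before the outage, so the analyst can see who was in
    the facility. Window length is an assumption."""
    door_events = [ev for ev in events if ev["type"] == "door_open"]
    alerts = []
    for ev in events:
        if ev["type"] != "device_down":
            continue
        down_at = parse_ts(ev["ts"])
        entries = [d["badge"] for d in door_events
                   if timedelta(0) <= down_at - parse_ts(d["ts"]) <= window]
        alerts.append({"case": "TC1", "ts": ev["ts"], "device": ev["device"],
                       "recent_entries": entries})
    return alerts


def run_all(events=EVENTS):
    """Run all three detectors and return the combined alert list."""
    return (egress_alerts(events) + rogue_device_alerts(events)
            + correlate_outage_with_access(events))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the constructed input this yields one alert per detector: the SCADA host reaching 203.0.113.7, the unregistered MAC 00:11:22:33:44:99, and the rtu-7 outage correlated with badge tech-0042. Test cases 4 and 5 are not modelled here because they depend on a learned baseline and on device-specific log content respectively.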
SA PROJECT MILESTONES
‣ Use Case published: http://nccoe.nist.gov/sites/default/files/nccoe/NCCoE_ES_Situational_Awareness.pdf
‣ Build team kickoff: 10/20/2015
‣ Components installed in lab: 12/2015
‣ Systems integration in new lab: 1/2016 – 3/2016
‣ Completed build: 05/2016
‣ Draft Practice Guide release: late June - early July, 2016
‣ Early adoption: 06/2016 and ongoing
‣ Demonstrations: 06/2016 and ongoing
‣ Final Practice Guide release: Fall 2016
PROJECT PARTNERS
Dragos Security™
CURRENT PROJECTS
Identity and Access Management (IdAM) Use Case:
§ Provides a reference solution to:
§ Authenticate individuals and systems
§ Enforce authorization control policies
§ Unify IdAM services
§ Protect generation, transmission and distribution
§ Improve awareness and management of visitor accesses
§ Simplify the reporting process
§ Draft guide is online at https://nccoe.nist.gov/projects/use_cases/idam
§ Final Guide publication pending final approvals
§ Demonstrations and adoption support available
IdAM Adoption Activities
‣ Continue to seek early adoption opportunities
‣ NYPA adoption – projected start is June 2016
‣ Collaborating with MITRE for usability study of IdAM Practice Guide
‣ Opportunities for COI members:
‣ Demonstration of solution for your organization
‣ Solution feasibility discussions
‣ Industry vendor/ integrator introductions
‣ COI outreach support
CURRENT PROJECTS
Contact us for more information!
CONTACT US
9700 Great Seneca Hwy, Rockville, MD 20850
http://nccoe.nist.gov/forums/energy
Thank You
100 Bureau Drive, Mail Stop 2002, Gaithersburg, MD 20899
ABOUT THE NCCOE
FOUNDERS
Information Technology Laboratory
WHO WE ARE AND WHAT WE DO
VISION – ADVANCE CYBERSECURITY: A secure cyber infrastructure that inspires technological innovation and fosters economic growth
MISSION – ACCELERATE ADOPTION OF SECURE TECHNOLOGIES: Collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs
GOAL 1 – PROVIDE PRACTICAL CYBERSECURITY: Help people secure their data and digital infrastructure by equipping them with practical ways to implement standards-based cybersecurity solutions that are modular, repeatable and scalable
GOAL 2 – INCREASE RATE OF ADOPTION: Enable companies to rapidly deploy commercially available cybersecurity technologies by reducing technological, educational and economic barriers to adoption
GOAL 3 – ACCELERATE INNOVATION: Empower innovators to creatively address businesses’ most pressing cybersecurity challenges in a state-of-the-art, collaborative environment
BUSINESS MODEL
The NCCoE seeks problems that are:
‣ Broadly applicable across much of a sector, or across sectors
‣ Addressable through one or more reference designs built in our labs
‣ Complex enough that our reference designs will need to be based on a combination of multiple commercially available technologies
Reference designs address:
‣ Sector-specific use cases that focus on a business-driven cybersecurity problem facing a particular sector (e.g., health care, energy, financial services)
‣ Technology-specific building blocks that cross sector boundaries (e.g., roots of trust in mobile devices, trusted cloud computing, software asset management, attribute based access control)
TENETS
Standards-based: Apply relevant local, national and international standards to each security implementation and account for each sector’s individual needs; demonstrate reference designs for new standards
Modular: Develop reference designs with individual components that can be easily substituted with alternates that offer equivalent input-output specifications
Usable: Design usable blueprints that end users can easily and cost-effectively adopt and integrate into their businesses without disrupting day-to-day operations
Repeatable: Enable anyone to recreate the NCCoE builds and achieve the same results by providing a complete practice guide including a reference design, bill of materials, configuration files, relevant code, diagrams, tutorials and instructions
Open and transparent: Use open and transparent processes to complete work, and seek and incorporate public comments on NCCoE documentation, artifacts and results
Commercially available: Work with the technology community to identify commercially available products that can be brought together in reference designs to address challenges identified by industry
PROJECT LIFECYCLE
Pre-Process: We strategically identify, select, and prioritize projects that align with our mission.
P1: Concept Analysis – We partner with industry to define, validate, and build business cases for the most challenging cybersecurity issues.
P2: Develop Use Case – Using a collaborative method with industry partners, we develop a full Use Case that outlines a plan for tackling the issue.
P3: Form Build Team – We unite industry partners and technology companies to build a qualified team to execute the Use Case.
P4: Design & Build – The Use Case team plans, designs, and builds the system in a lab environment and documents it in the Practice Guide.
P5: Integrate & Test – The team tests the system and makes refinements as necessary. The system may be validated by our partners. The final solution system is documented in the Practice Guide.
P6: Publish & Adopt – We, alongside our partners, publish, publicize and demonstrate the Practice Guide. This solution provides a reference architecture that may be implemented in whole or in part.
Situational Awareness – we are here
IdAM – we are here
Icon Credits (right to left): Talking by Juan Pablo Bravo; Test Tube by Olivier Guin; Collaboration by Krisada; Team by Wilson Joseph; Brainstorm by Jessica Lock; Network by Matthew Hawdon; Arrow by Jamison Wieser; all from the Noun Project.