NIST Recommendations for ICS & IIoT Security

Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection

Mike Powell, Project Cybersecurity Engineer, NIST / NCCoE
Jim McCarthy, Energy Sector Federal Lead, NIST / NCCoE
Timothy Zimmerman, Computer Engineer, NIST EL

National Cybersecurity Center of Excellence (nccoe.nist.gov)

Agenda

• NIST / NCCoE Overview

• Cyber Risks to Manufacturing Organizations

• Why Stronger ICS Cybersecurity is Needed

• Benefits of Behavioral Anomaly Detection (BAD)

• NIST Testbeds: Process Control & Robotics

• NIST Cybersecurity Framework (CSF) Mapping

Foundations & Mission

Collaborative Hub: The NCCoE assembles experts from businesses, academia, and other government agencies to work on critical national problems in cybersecurity. This collaboration is essential to exploring the widest range of concepts.

As a part of the NIST cybersecurity portfolio, the NCCoE has access to a wealth of prodigious expertise, resources, relationships, and experience.

Mission: Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs

Engagement & Business Model

• DEFINE. Outcome: Define a scope of work with industry to solve a pressing cybersecurity challenge

• ASSEMBLE. Outcome: Assemble teams of industry organizations, government agencies, and academic institutions to address all aspects of the cybersecurity challenge

• BUILD. Outcome: Build a practical, usable, repeatable implementation to address the cybersecurity challenge

• ADVOCATE. Outcome: Advocate adoption of the example implementation using the practice guide

Manufacturing Sector Projects

• NISTIR 8219 Behavioral Anomaly Detection

• Protecting Information System Integrity in Manufacturing Environments Project Description

Join our Community of Interest: email us at [email protected]

NISTIR 8219 Behavioral Anomaly Detection

Securing Manufacturing Industrial Control Systems – Behavioral Anomaly Detection

DEFINE ASSEMBLE BUILD ADVOCATE

Project Status

• Final NISTIR 8219 expected release date March 2019

Collaborate with Us

• Download draft NISTIR 8219: https://www.nccoe.nist.gov/sites/default/files/library/mf-ics-nistir-8219.pdf

• Email [email protected] to join the Community of Interest for this project

Overview

• A cyber attack directed at manufacturing infrastructure could result in detrimental consequences to both human life and property

• The goal is to provide a cybersecurity example solution that businesses can implement or use to strengthen cybersecurity in their manufacturing processes

• The NISTIR demonstrated how manufacturing companies can implement behavioral anomaly detection tools without negatively impacting the performance of their operational environments

Manufacturing Behavioral Anomaly Detection Use Case

NISTIR 8219: Securing Manufacturing Industrial Control Systems – Behavioral Anomaly Detection

• The NCCoE deployed commercially available behavioral anomaly detection systems in two distinct but related manufacturing demo environments:

    • Collaborative robotics system

    • Simulated chemical process system

• Security characteristics were mapped to the NIST Cybersecurity Framework (CSF)

NISTIR 8219

• Project goal:

    • demonstrate behavioral anomaly detection techniques that businesses can implement and use to strengthen the cybersecurity of their manufacturing processes.

• Three detection methods:

    • network-based

    • agent-based

    • operational historian/sensor-based

Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection

Cyber risks to manufacturing organizations

• Cybersecurity attacks directed at manufacturing infrastructure can be detrimental to both human life and property.

• BAD mechanisms support a multifaceted approach to detecting cybersecurity attacks against ICS devices on which manufacturing processes depend, in order to permit the mitigation of those attacks.

• Introducing anomalous data into a manufacturing process can disrupt operations, whether deliberately or inadvertently.

• More sophisticated hacking tools and techniques are readily available for downloading from the internet.

• Growing cyber-dependency makes critical infrastructure attacks harder to stop.

Benefits of Behavioral Anomaly Detection (BAD)

This NISTIR is intended to help organizations accomplish their goals by using anomaly detection tools for the following purposes:

• detect cyber incidents in time to permit effective response and recovery

• expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices

• reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts

• support the oversight of resources (e.g., IT, personnel, data)

• enable faster incident-response times, fewer incidents, and shorter downtimes

Process Control System

Collaborative Robotics System

• Discrete process

• Four machining stations

• Two machine-tending robots

• Supervisory PLC

• Modbus TCP

Mapping the security characteristics of BAD to the NIST CSF

Protecting Information System Integrity in Manufacturing Environments

Cybersecurity for the Manufacturing Sector

DEFINE ASSEMBLE BUILD ADVOCATE

Project Status

• Project Description expected release date for public comments March 2019

Collaborate with Us

• Email [email protected] to join the Community of Interest for this project

Overview

• Threats to organizational environments such as destructive malware, malicious insider activity, advanced persistent threats, and even honest mistakes create the imperative for organizations to be able to protect their assets from data integrity attacks

• This project explores methods one could deploy to help prevent/mitigate the threats identified above as it pertains to deploying cybersecurity capabilities in an ICS manufacturing environment

301-975-0200

http://nccoe.nist.gov

[email protected]

Questions?

Michael Powell, Security Engineer

[email protected]

301-975-0310

Jim McCarthy, Senior Security Engineer

[email protected]

301-975-0228

Timothy Zimmerman, Computer Engineer

[email protected]

301-975-2435