Building Insecurity · 1/6/2014  · NIST Special Publication 800-82 Guide to Industrial Control...


Building Insecurity

Lisa Kaiser
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Insecurity

How do I

• Specify it
• Buy it
• Test it
• Deploy it
• Regret it
• Apologize for it

Specifying Insecurity

• Ignore security entirely
• Specify inappropriate standards
• Use vagueness
• Demand particular technology solutions

Buying Insecurity

• Never mention security
• Don’t put it in writing
• Listen when they say “We’ll secure it later”
• Cheaper is always more secure
• New is more secure

Testing Insecurity

• Never test
• Check only “sunny day” scenarios
• Rely on vendor assurances
• Use only cheap security “experts”
• Use your firewalls

Deploying Insecurity

• Don’t plan
• Use default passwords
• Bypass all the security
• Never do SAT
• Ignore security alarms and alerts

Photo courtesy of Kristian Ovaska, 2003

Regretting Insecurity

• Begin with RFQ
• Ignore any breaches
• Shoot the Messenger
• Apply quick-fixes
• Use the “Blame-game”

Apologizing for Insecurity

• Leave the organization
• Distract customers
• Avoid responsibility
• Attack the messengers
• Use the press
• Blame us

However…

» If you’re NOT trying to Build Insecurity, but instead wish to Build In Security…

» Try this to achieve your goal:

Cyber Security Evaluation Tool (CSET)

• Stand-alone software application
• Self-assessment using recognized standards
• Tool for integrating cybersecurity into existing corporate risk management strategy

CSET Download: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

CSET Standards

Requirements Derived from Widely Recognized Standards

• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Rev 3 and with Appendix I, ICS Controls
• Consensus Audit Guideline (CAG), Criteria Evaluation Recommendations based upon National Security Association (NSA) Cyber Attack Phases
• NERC Critical Infrastructure Protection (CIP) Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4
• DoD Instruction 8500.2, Information Assurance Implementation, February 6, 2003
• NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011
• NRC Reg. Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010
• CFATS RBPS 8 – Cyber: Chemical Facilities Anti-Terrorism Standard, Risk-Based Performance Standards Guidance 8 – Cyber, 6 CFR Part 27
• Transportation Security Agency Pipeline Guidelines: DHS TSA guidance for the pipeline industry

CSET Capabilities

What the CSET CAN do:

• Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
• Specify cybersecurity recommendations
• Report using standards-based information analysis
• Provide a baseline cybersecurity posture
• Validate accuracy of user inputs

What the CSET CAN’T do:

• Ensure compliance with organizational or regulatory cybersecurity policy & procedures
• Ensure implementation of cybersecurity enhancements or mitigation techniques
• Identify all known cybersecurity vulnerabilities

Assessment Team

A TEAM of participants is required to perform a successful assessment.

Type of Participant: Knowledge

• Control Systems Engineer: Control systems
• Configuration Manager: Systems management
• Operations Manager: Business operations
• IT Network Specialist: IT infrastructure
• IT Security Officer: Policy & procedures
• Risk Analyst or Insurance Specialist: Risk

Assessment Process

1. Organize the Team
2. Add Assessment Information
3. Select the Mode and Standards
4. Determine the Security Level
5. Build the Network Diagram
6. Answer Questions
7. Analyze Results

Screenshot walkthrough (slide titles only; the screenshots are not in the transcript):

• Context Specific Help
• Starting Screen
• Assessment Info – Main Window
• Standards Screen – Assessment Modes
• Questions and Standards
• General SAL Determination
• NIST SAL Determination
• Diagramming Tool
• Diagram – Maximized Screen Space
• Questions Screen
• Question Information
• Comments, Marked and Alternates
• Component Questions
• Component Overrides
• Analysis Screen
• Analysis Detail Screens
• Analysis Detail - Example
• Question Filters
• Hardcopy Reports
• Resource Library
• Resource Library - Search

New/Updated Standards

• NEI 08-09 Rev 6
• NISTIR 7628 Ver 1 (August 2010)
• INGAA Ver 1 (January 31, 2011)
• NIST SP800-53 Appendix J Rev 4
• NIST SP800-82 Rev 1 (May 2013)
• CNSSI ICS Overlay Update

CSET 6.0 Enhancements

New Evaluation Capabilities

• Merging

• Comparison

• Aggregation

• Trending

CSET Assessment Aggregation -- Trending Mode

[Chart: Overall Trends, 2011–2013, scores 0–100 for Overall, Standards and Components, broken down by category: Training; System and Services…; System Protection; System Integrity; Risk Management and…; Procedures; Privacy; Policies & Procedures General; Plans; Physical Security; Personnel; Configuration Management; Communication Protection; Audit and Accountability; Account Management; Access Control]

[Chart: Top 5 Areas of Decline, 2011–2013: Environmental Security; Incident Response; Info Protection; Information and Document Management; Maintenance]

[Chart: Top 5 Most Improved Areas, 2011–2013: Access Control; Account Management; Audit and Accountability; Communication Protection; Configuration Management]

Trending Sample Screen

CSET Assessment Aggregation – Comparison Mode

[Chart: Overall, Standards and Components scores (0–100) for Site A, Site B and Site C]

[Chart: category scores by site (Site A, Site B, Site C), with SAL Level and Sort By Best / Sort By Worst options: Training; System and…; System Protection; System Integrity; Software; SIS; Risk Management…; Remote Access…; Procedures; Privacy; Portable/Mobile/Wir…; Information and…; Info Protection; Incident Response; Environmental…; Continuity; Configuration…; Communication…; Audit and…; Account Management; Access Control]

[Charts: per-site breakdown for Site A, Site B and Site C across Procedures, Policies, Password…, Access…]

Site     Total Questions   Answered Yes   Answered No
Site A   560               300            260
Site B   342               300            42
Site C   268               152            116

Aggregation Sample Screen

CSET 6.0 Enhancements (cont.)

New/Updated Functionality

• Inventory Lists
• Security Plans
• YouTube Tutorials
• Updated Diagramming Tool

Key Contact Information

Lisa Kaiser
Lisa.Kaiser@dhs.gov

Download CSET: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET