facility related control system inventory - … · facility related control system inventory 07...
TRANSCRIPT
Leadership, Energy, and Execution 1UNCLASSIFIED / FOUO 07 NOV 2017 Mr. Marcus De La Rosa/703-806-6721
Facility Related Control System Inventory
07 November 2017
Laura Vaglia, Office of the Assistant Chief of Staff for Installation Management
Jey Castleberry, Pacific Northwest National Laboratory
Leadership, Energy, and Execution 2UNCLASSIFIED / FOUO 07 NOV 2017 Mr. Marcus De La Rosa/703-806-6721
Learning Objectives
• Why is this inventory taking place?
• What are the program's overall cybersecurity objectives and how does this strategy accomplish them?
• What is my role within the FRCS process and what tools and training will be available to me?
ARMY CybersecurityFacility-Related Control Systems
Laura Vaglia
Office of the Assistant Chief of Staff for Installation Management
Information & Technology Directorate
Facility-Related
Weapons Energy
Medical
ARMY CybersecurityCommon Control Systems
Manufacturing Civil
ARMY CybersecurityFacility-Related Control Systems(FRCS)
• Risks to the Army’s mission
caused by electronic systems
• Evolving understanding of risks
and mitigation
– 2014 DODI – Cybersecurity – Risk
Management Framework (RMF)
– 2015 Army Directive Risk
Management Framework (RMF) for
IT Systems
– 2015 – ASAIEE directs IPT led by
CIO-G6 for FRCS
– 2016 – OSD Memo “Managing Cyber
risks to FRCS
– 2017 – Task Force Cyber Strong
established
• Army Approach
– Governance under Army Cyberspace
Council
– New construction meets UFC for
cybersecurity
– Assess and Authorize systems
– Inventory legacy based on risk
– Address vulnerabilities
From FY2011 to FY2014 the number of cyber incidents reported to the Department of Homeland Services
(DHS) involving industrial control systems increased from 140 to 243.
•In 2017, the City of Dallas experienced a cyber incident that activated 156 tornado sirens for one and a
half hours.
•In 2015, Ukraine experienced a cyberattack that successfully compromise information systems of
three energy distribution companies in Ukraine and temporarily disrupt electricity supply to the end
consumers.
• In 2014, a federal agency reported a cyber incident at a wastewater treatment plant.
•In 2013, the retailer Target experienced a breach in its payment card data, which the company
believes occurred after intruders obtained a heating, ventilation, and air-conditioning system vendor’s
credentials to access the outermost portion of its network.
•In 2010, a sophisticated computer attack known as Stuxnet was discovered that targeted control
systems used to operate industrial processes in the energy, nuclear, and other critical sectors.
•In 2009, a security guard at a Dallas-area hospital loaded a malicious program onto the hospital’s
computers, one of which controlled the heating, ventilation, and air-conditioning control system for two
floors, which, according to court records, could have affected patients’ medications and treatments.
•In 2006, Los Angeles city employees hacked into computers controlling the city’s traffic lights, an
action that disrupted signal lights and caused substantial backups and delays.
* Source: GAO Report 15-6 Federal Facility Cybersecurity
ARMY CybersecurityFRCS Exploitation Vector
New IT Regulations at DoD levelDoDI 8500.01 Cybersecurity
• All ICS have cybersecurity considerations and must be assessed for
security
• Establishes specific roles for ICS and IT
DoDI 8510.10 Risk Management Framework
• Shifts from the current certification and accreditation process (DIACAP)
• Specifically addresses lifecycle cybersecurity risk of both IT and ICS
• Uses the NIST documents to identify actual security controls that must be
applied
Force ProtectionNational Infrastructure Protection Plan
GAO Report on securing critical infrastructure
High profile exploitsStuxnet - computer worm that targets the types of industrial control systems
(ICS) commonly used in infrastructure supporting facilities (i.e. power plants,
water treatment facilities, gas lines, etc)
Target Breach – implied entry was gained through HVAC system (actually
through improper access control)
ARMY CybersecurityIncreased Interest for Security
FRCS CybersecurityMilestones
Published new policy
• Feb 2017 – US Army’s Cybersecurity Strategy for Facility Related Control
Systems
• Inventory Existing Facility-Related Control Systems
• Assess and Enhance the Cybersecurity Posture
• Sustain Effective Cybersecurity
• Insure Adequate Resourcing
• May 2017 - Task Force Cyber Strong established to
provide overarching governance for control systems
• November 2017 – Implementation Guidance Issued
Control System Cybersecurity Technical Center of
Expertise – U.S. Army Corps of Engineers
FRCS CybersecurityInventory
The US Army Engineering and Support Center, Huntsville
(Huntsville Center), serving as the US Army Corps of Engineers
(USACE) Technical Center of Expertise (TCX) for Control System
Cybersecurity, has developed a Control System Inventory
Methodology.
The inventory focuses on components/devices residing within
Levels 2-5 of the Control System Architecture referenced in UFC
4-010-06, “Cybersecurity of Facility Related Control Systems”.
The current inventory requirements focus is on devices that use
the Internet Protocol (IP) for communication.
ARMY CybersecurityAssessment
Six step RMF process – Risk decision is made by the Army CIO/G-6
appointed Authorizing Official (AO)
ARMY CybersecurityAssessment
Assess Only Construct
Assess & Approve for use
Assess and approve for use but not added to an existing authorization
boundary
Single Purpose Devices/Products where 6 step process against security
controls is not required. (e.g. noise canceling headsets, calibration tools)
IT Services evaluated against an identified standard (e.g. DoD Cloud
computing Security Requirements Guide (SRG))
Assess & Incorporate
Assess and then incorporated into an existing authorization boundary
Hardware – devices or products with embedded software may not need to
undergo the full categorization, selection and tailoring process. (e.g
control sensors/operational technology)
Applications – assessed using vulnerability scans, industry standards (e.g.
software independent of operating system)
ARMY CybersecurityAssessment
What is the Risk?
Availability is a priority attribute for control systems
•What is the likelihood that availability will be compromised
•What is the impact on the mission if the service is not
available, for whatever reasons
Technology
Nature
Man made
Dependencies must be considered, not just the original
location
Integrity and confidentiality need to be considered
Quality of service
Security of transmission
Assistant Chief of Staff for Installation Management
QUESTIONS?
Assistant Chief of Staff for Installation Management
CONTACT INFORMATION
November 2017
Denise Faldowski
OACSIM Operations Directorate
Dan Shepard
USACE Huntsville Center
Sally Dixon
CIO/G6 Cybersecurity Directorate
Laura Vaglia
OACSIM Information & Technology [email protected]