Shared Situational Awareness: The Achievable Path. ICSJWG Spring 2014

Chris Blask, ICS-ISAC Chair. Shared Situational Awareness: The Achievable Path

Upload: icsisac

Post on 08-May-2015

Page 1: Shared Situational Awareness:  The Achievable Path. ICSJWG Spring 2014

Chris Blask, ICS-ISAC Chair

Shared Situational Awareness: The Achievable Path

Page 2: What Paths Are We Pursuing?

Page 3: Vulnerabilities

• Research and Find…
  – LOTS!
  – [insert vendor] [insert product] [insert vuln count]
• The Answer:
  – Get vendors to fix all vulnerabilities
  – Get asset owners to apply all patches

Page 4: Architectures

• Flat Networks, Single Points of Failure
• The Answer:
  – Get asset owners to re-architect all networks

Page 5: Training

• Operators, Architects and Coders Lack Skills
• The Answer:
  – Train all Users to Control Behavior
  – Educate all System Designers
  – Train all vendor engineers to build Secure-By-Design

Page 6: Isolation

• Shodan / Project Shine
  – 1,000,000 connected networks
• The Answer:
  – Air Gaps!
  – Forbid Remote Access

Page 7: Let’s Talk Scale…

• ~6,000 Electric Utilities
• 55,000 Substations
• 100,000 EHV Transformers
• 200,000 Miles of Transmission Lines
• 2.2 Million Miles of Distribution Lines
• 300,000 Electric Engineers

Page 8: Let’s Talk Scale…

• ~50,000 Water Utilities
• 1 Million Miles of Water Pipes
• 400B Gallons Potable Water Per Day
• 80B Gallons of Wastewater Per Day

Page 9: Let’s Talk Scale…

• 150 Oil Refineries
• 6.5B Barrels Annually
• 120,000 Gas Stations
• 2,000 Offshore Oil Rigs
• 1,000,000 Oil Wells
• 40,000 Petroleum Engineers

Page 10: Let’s Talk Scale…

• 200 Natural Gas Utilities
• 300,000 Miles of Gas Transmission Pipelines
• 2.4 Million Miles of Distribution Pipes
• 2T Cubic Feet Annually
• 600,000 Gas Sector Employees

Page 11: Let’s Talk Scale…

• 28,000 Food Processing Facilities
• 2,200,000 Farms
• 1B Tons of Food Products Annually

Page 12: Let’s Talk Scale…

• 100 Urban Rail Systems
• 25,000 Locomotives
• 1.3M Cars
• 200,000 Rail Crossings
• 140,000 Miles of Freight Rail
• 1.5T Ton-Miles of Freight

Page 13: Let’s Talk Scale…

• 300,000 Manufacturing Plants
• 17.4M Jobs
• $2T in Manufactured Goods

Page 14: Let’s Talk Scale…

• Metals and Mining
• Aviation
• Maritime
• Ports
• Highways
• … … … … …

Page 15: How Long Will All That Take?

• To Find All Vulnerabilities?
• To Apply All Patches?
• To Create All New Devices?
• To Re-Architect All Networks?
• To Train Everyone?

Page 16: What Would We Gain?

• Infrastructure Vulnerable to Every Day Zero
• Network Segments That Still Fail
• Insider Threats that Succeed

Page 17: What is Achievable?

• The Same Thing Operators Use Now: Visibility
• At the Facility
• Across Sectors
• Nationally
• Internationally

Page 18: Shared Knowledge Network

[Diagram. Labels: Private Centers; Public Centers; Service Providers; Knowledge; Data & Information]

Page 19: Resilience of Shared Situational Awareness

[Diagram. Labels: ICS-ISAC; Integrators; CERTs; Sharing Node; Knowledge Source; Service Providers; Trade Organizations; Knowledge Centers; Asset Owner]

Page 20: We Need to Know:

• Who We Are
• What We Have
• What it is Doing
• How To Share

Page 21: Pieces Falling Into Places

• Tools and Process For Visibility
• Common Language for Sharing
• Compatible Plumbing
• Local, State, National and Global Structures

Page 22: A Common Language for Sharing

Page 23: Automated Knowledge Sharing

TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries.

Page 24: Project Avalanche

• Open Source Sharing Platform
• STIX Repository
• TAXII Server
• Pilot Operational
• Open Source Summer 2014

Page 25: Situational Awareness Ref Arch (SARA)

• Identity
  – “Who are we?”
• Inventory
  – “What do we have?”
• Activity
  – “What is it doing?”
• Sharing
  – “How do we communicate with others?”

Page 26: SARA Overview

• Reference Architecture for Shared Visibility
• Guide
• Network
• Open Source Toolset
• ICS-ISAC.org/sara

Page 27: Identity

• Foundation for Rational Decisions
  – What capabilities do we have?
  – How do we make decisions?
  – What is our structure?
• Existing Methodologies
  – all.net/Arch/index.html
  – CSET

Page 28: Inventory

• Create and Maintain Inventory
  – Control System Components
  – Process Equipment
  – System Topology
  – Device Configurations
• Open Source Tools
  – Snort, nmap, ossim

Page 29: Activity

• Behavior Baseline
  – Device Relationships
  – Approved Patterns
  – Change Control
• Anomaly Detection
  – Did Something Change?
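
An added example, not part of the original slides: one way to implement the behavior baseline and the "Did Something Change?" check from the Activity slide. The device names, the observation tuple format, the finding labels and the sample traffic are constructed assumptions.

```python
# Constructed observations: (source, destination, protocol, operation).
# Device names and traffic are invented for illustration.
BASELINE_WINDOW = [
    ("hmi-1", "scada-1", "dnp3", "READ"),
    ("scada-1", "plc-1", "dnp3", "READ"),
    ("scada-1", "plc-1", "dnp3", "DIRECT_OPERATE"),
    ("scada-1", "plc-2", "dnp3", "READ"),
]
CURRENT_WINDOW = [
    ("scada-1", "plc-1", "dnp3", "READ"),
    ("scada-1", "plc-1", "dnp3", "WARM_RESTART"),  # known pair, new operation
    ("scada-1", "plc-2", "dnp3", "COLD_RESTART"),  # covered by change control
    ("eng-laptop", "plc-1", "dnp3", "WRITE"),      # new device relationship
]
# Change control: patterns approved in advance of first being observed.
APPROVED_CHANGES = {("scada-1", "plc-2", "dnp3", "COLD_RESTART")}


def build_baseline(observations):
    """Return (device pairs, full patterns) seen during the baseline window."""
    pairs = {(src, dst) for src, dst, _, _ in observations}
    return pairs, set(observations)


def detect_changes(baseline, approved, observations):
    """Label every observation that deviates from the baseline."""
    pairs, patterns = baseline
    findings = []
    for obs in observations:
        src, dst, _, _ = obs
        if obs in patterns:
            continue                      # matches an established pattern
        if obs in approved:
            findings.append(("approved-change", obs))
        elif (src, dst) not in pairs:
            findings.append(("new-relationship", obs))
        else:
            findings.append(("new-pattern", obs))
    return findings


def silent_pairs(baseline, observations):
    """Baseline relationships that no longer appear: also a change."""
    pairs, _ = baseline
    seen = {(src, dst) for src, dst, _, _ in observations}
    return sorted(pairs - seen)


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for label, obs in detect_changes(base, APPROVED_CHANGES, CURRENT_WINDOW):
        print(label, obs)
    print("silent:", silent_pairs(base, CURRENT_WINDOW))
```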

Page 30: Sharing

• Inbound
  – Receiving and Utilizing External Knowledge
• Outbound
  – Deriving
  – Anonymizing
• Communication
  – Schemas and Transports (STIX, TAXII, IODef, CIF…)
  – Policies and Practices

Page 31: Information Types

• Data
  – Atomic: syslog messages, device configurations…
• Information
  – Aggregate: Lots of Data
• Knowledge
  – Actionable, Sharable

Page 32: SARA Pilot

[Diagram. Labels: Switch; Schemas and Transports (ActiveMQ, STIX, TAXII); Message Bus; ICS-ISAC; PLC; HMI; SCADA Server; SARA Server; Internet; Process Equipment; Enernex LAB; Firewall/VPN; Palo Alto; Tripwire; Vendors; GE; Service Providers]

Page 33

[Diagram. Labels: SCADA Server; SARA Server; DNP3 Visibility; Service Providers; ICS-ISAC; DNP3 Command Traffic]

Page 34: Act!

● Know Yourself
● Know Your Stuff
● Know What You Do
● Learn How to Share

Page 35: Thanks to our Membership

Page 36: Thank you for your time