Shared Situational Awareness: The Achievable Path. ICSJWG Spring 2014
TRANSCRIPT
What Paths Are We Pursuing?

Vulnerabilities
• Research and Find… LOTS!
  – [insert vendor] [insert product] [insert vuln count]
• The Answer:
  – Get vendors to fix all vulnerabilities
  – Get asset owners to apply all patches

Architectures
• Flat Networks, Single Points of Failure
• The Answer:
  – Get asset owners to re-architect all networks

Training
• Operators, Architects and Coders Lack Skills
• The Answer:
  – Train all Users to Control Behavior
  – Educate all System Designers
  – Train all vendor engineers to build Secure-By-Design

Isolation
• Shodan / Project Shine
  – 1,000,000 connected networks
• The Answer:
  – Air Gaps!
  – Forbid Remote Access
Let’s Talk Scale…
• ~6,000 Electric Utilities
• 55,000 Substations
• 100,000 EHV Transformers
• 200,000 Miles of Transmission Lines
• 2.2 Million Miles of Distribution Lines
• 300,000 Electric Engineers

Let’s Talk Scale…
• ~50,000 Water Utilities
• 1 Million Miles of Water Pipes
• 400B Gallons Potable Water Per Day
• 80B Gallons of Wastewater Per Day

Let’s Talk Scale…
• 150 Oil Refineries
• 6.5B Barrels Annually
• 120,000 Gas Stations
• 2,000 Offshore Oil Rigs
• 1,000,000 Oil Wells
• 40,000 Petroleum Engineers

Let’s Talk Scale…
• 200 Natural Gas Utilities
• 300,000 Miles of Gas Transmission Pipelines
• 2.4 Million Miles of Distribution Pipes
• 2T Cubic Feet Annually
• 600,000 Gas Sector Employees

Let’s Talk Scale…
• 28,000 Food Processing Facilities
• 2,200,000 Farms
• 1B Tons of Food Products Annually

Let’s Talk Scale…
• 100 Urban Rail Systems
• 25,000 Locomotives
• 1.3M Cars
• 200,000 Rail Crossings
• 140,000 Miles of Freight Rail
• 1.5T Ton-Miles of Freight

Let’s Talk Scale…
• 300,000 Manufacturing Plants
• 17.4M Jobs
• $2T in Manufactured Goods

Let’s Talk Scale…
• Metals and Mining
• Aviation
• Maritime
• Ports
• Highways
• … … … … …
How Long Will All That Take?
• To Find All Vulnerabilities?
• To Apply All Patches?
• To Create All New Devices?
• To Re-Architect All Networks?
• To Train Everyone?

What Would We Gain?
• Infrastructure Vulnerable to Every Day Zero
• Network Segments That Still Fail
• Insider Threats that Succeed

What is Achievable?
• The Same Thing Operators Use Now: Visibility
• At the Facility
• Across Sectors
• Nationally
• Internationally
Shared Knowledge Network
[Diagram: Resilience of Shared Situational Awareness. Nodes shown: Asset Owner, Sharing Node, Knowledge Source, Knowledge Centers (Private Centers, Public Centers), Service Providers, Integrators, CERTs, Trade Organizations, ICS-ISAC. Link labels: Data & Information, Knowledge.]
We Need to Know:
• Who We Are
• What We Have
• What it is Doing
• How To Share

Pieces Falling Into Place
• Tools and Process For Visibility
• Common Language for Sharing
• Compatible Plumbing
• Local, State, National and Global Structures
A Common Language for Sharing
Automated Knowledge Sharing
TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries.

Project Avalanche
• Open Source Sharing Platform
• STIX Repository
• TAXII Server
• Pilot Operational
• Open Source Summer 2014

Situational Awareness Ref Arch (SARA)
• Identity – “Who are we?”
• Inventory – “What do we have?”
• Activity – “What is it doing?”
• Sharing – “How do we communicate with others?”

SARA Overview
• Reference Architecture for Shared Visibility
• Guide
• Network
• Open Source Toolset
• ICS-ISAC.org/sara
Identity
• Foundation for Rational Decisions
  – What capabilities do we have?
  – How do we make decisions?
  – What is our structure?
• Existing Methodologies
  – all.net/Arch/index.html
  – CSET

Inventory
• Create and Maintain Inventory
  – Control System Components
  – Process Equipment
  – System Topology
  – Device Configurations
• Open Source Tools
  – Snort, nmap, ossim
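To make the Inventory step concrete, here is an added example, written for this transcript and not part of the SARA toolset or of nmap itself, that turns nmap's XML output (nmap is one of the open source tools named on the slide) into an asset inventory and diffs two scans so that every difference becomes a change-control event. The XML documents are constructed samples in nmap's -oX layout, the addresses, MACs and ports are made up, and the function names are this example's own.

```python
"""Build a control-system asset inventory from nmap XML output and detect changes.

Added example for the Inventory slide. The XML below is a constructed sample in the
layout nmap writes with -oX (not a real scan); function names are this example's own.
"""
import xml.etree.ElementTree as ET

# Constructed baseline scan: a PLC speaking Modbus/TCP (502) and an HMI with a web
# interface (80) that also talks DNP3 (20000).
BASELINE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="20000"><state state="open"/><service name="dnp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed later scan: the PLC now also answers on telnet, the HMI no longer exposes
# DNP3, an unknown device has appeared, and one host is down (must be ignored).
CURRENT_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.1.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.1.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.10.1.50" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ipv4: {"mac": str|None, "ports": {(proto, port, service), ...}}} for hosts that are up."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # a down host carries no inventory information
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        if ip is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        inventory[ip] = {"mac": mac, "ports": ports}
    return inventory


def diff_inventory(baseline, current):
    """Compare two inventories; each entry in the result is one change-control event."""
    changes = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "opened": [], "closed": [], "mac_changed": [],
    }
    for ip in sorted(set(baseline) & set(current)):
        before, after = baseline[ip], current[ip]
        for p in sorted(after["ports"] - before["ports"]):
            changes["opened"].append((ip,) + p)
        for p in sorted(before["ports"] - after["ports"]):
            changes["closed"].append((ip,) + p)
        # A MAC change on a fixed address is worth a ticket: replaced hardware or spoofing.
        if before["mac"] and after["mac"] and before["mac"] != after["mac"]:
            changes["mac_changed"].append((ip, before["mac"], after["mac"]))
    return changes


if __name__ == "__main__":
    result = diff_inventory(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    for kind, events in result.items():
        for event in events:
            print(kind, event)
```

Run it against real scans by replacing the two constants with the contents of two `nmap -oX` files taken on different days; the diff output is the raw material for the change-control review the slide calls for.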
Activity
• Behavior Baseline
  – Device Relationships
  – Approved Patterns
  – Change Control
• Anomaly Detection
  – Did Something Change?

Sharing
• Inbound
  – Receiving and Utilizing External Knowledge
• Outbound
  – Deriving
  – Anonymizing
• Communication
  – Schemas and Transports (STIX, TAXII, IODef, CIF…)
  – Policies and Practices

Information Types
• Data
  – Atomic: syslog messages, device configurations…
• Information
  – Aggregate: Lots of Data
• Knowledge
  – Actionable, Sharable
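The Activity, Sharing and Information Types slides describe one pipeline: atomic data (flow or syslog lines) is aggregated into a behavior baseline of device relationships, new activity is compared against it to answer "did something change?", and the findings are derived and anonymized into knowledge fit for outbound sharing. The following added example, which is not from SARA or Project Avalanche, walks that pipeline over constructed flow records in a made-up "timestamp src dst dport proto" layout; the device addresses, the site key and every function name are assumptions of this example.

```python
"""Baseline device relationships, flag changes, and derive an anonymized sharable record.

Added example for the Activity, Sharing and Information Types slides. The flow lines are
constructed samples (timestamp, source, destination, destination port, protocol); the
site key and function names are this example's own.
"""
import hashlib
import hmac
from collections import Counter

# Data: atomic records from the learning window (constructed). An HMI polls a PLC over
# DNP3 and an engineering workstation browses the HMI.
BASELINE_LOG = """\
2014-04-01T10:00:00 10.10.1.20 10.10.1.10 20000 tcp
2014-04-01T10:00:05 10.10.1.20 10.10.1.10 20000 tcp
2014-04-01T10:00:10 10.10.1.30 10.10.1.20 80 tcp
2014-04-01T10:01:00 10.10.1.20 10.10.1.10 20000 tcp
"""

# Data observed later (constructed): the workstation now talks DNP3 straight to the PLC,
# and an address never seen before opens Modbus/TCP to the PLC.
OBSERVED_LOG = """\
2014-04-02T10:00:00 10.10.1.20 10.10.1.10 20000 tcp
2014-04-02T10:00:07 10.10.1.30 10.10.1.10 20000 tcp
2014-04-02T10:00:09 10.10.1.99 10.10.1.10 502 tcp
2014-04-02T10:00:11 10.10.1.30 10.10.1.20 80 tcp
"""


def parse_flows(text):
    """Turn raw lines into flow records; malformed lines are skipped rather than guessed at."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def build_baseline(flows):
    """Information: aggregate the data into approved patterns (who talks to whom, on what)
    and the set of known devices."""
    relationships = Counter((f["src"], f["dst"], f["dport"], f["proto"]) for f in flows)
    devices = {f["src"] for f in flows} | {f["dst"] for f in flows}
    return {"relationships": relationships, "devices": devices}


def detect_anomalies(baseline, flows):
    """Anomaly detection: anything outside the approved patterns, classified by why."""
    findings = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"], f["proto"])
        if key in baseline["relationships"]:
            continue  # approved pattern, nothing changed
        if f["src"] not in baseline["devices"]:
            reason = "unknown_source_device"
        elif f["dst"] not in baseline["devices"]:
            reason = "unknown_destination_device"
        else:
            reason = "new_relationship"  # known devices, never-before-seen conversation
        findings.append({**f, "reason": reason})
    return findings


def pseudonym(site_key, ip):
    """Keyed pseudonym: stable within one site so recipients can correlate repeat findings,
    but not reversible without the site key (assumed key management is out of scope)."""
    return "dev-" + hmac.new(site_key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def derive_sharable(findings, site_key):
    """Knowledge for outbound sharing: internal addresses replaced by pseudonyms and the
    timestamp coarsened to the hour, keeping the actionable part (port, protocol, reason)."""
    return [
        {
            "reason": f["reason"],
            "src": pseudonym(site_key, f["src"]),
            "dst": pseudonym(site_key, f["dst"]),
            "dport": f["dport"],
            "proto": f["proto"],
            "hour": f["ts"][:13],
        }
        for f in findings
    ]


if __name__ == "__main__":
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    findings = detect_anomalies(baseline, parse_flows(OBSERVED_LOG))
    for record in derive_sharable(findings, b"example-site-key"):
        print(record)
```

The sharable records are what would be wrapped in a STIX document and pushed over a TAXII channel; the example stops at the anonymized content because the point of the slides is what leaves the site, not the transport wrapper.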
SARA Pilot
[Diagram: Enernex Lab pilot. Inside the lab: Process Equipment, PLC, HMI, Switch, SCADA Server, SARA Server, Message Bus (Schemas and Transports: ActiveMQ, STIX, TAXII), Firewall/VPN (Palo Alto), Tripwire. Reached across the Internet: ICS-ISAC, Vendors (GE), Service Providers. Traffic labels: DNP3 Command Traffic, DNP3 Visibility.]
Act!
• Know Yourself
• Know Your Stuff
• Know What You Do
• Learn How to Share
Thanks to our Membership
Thank you for your time