Category Archives: NIST

What makes a good SCADA/DCS security assessment?

To protect and improve the security of SCADA / DCS systems, cyber security audits and assessments have become a popular instrument for determining where we stand with regard to security and what needs to be done. But what makes for a good security assessment? Many companies offer these services today, both vendors and traditional IT providers, and large differences in quality and price exist. So let’s take a closer look.

When we evaluate cyber security, we distinguish between two types of cyber security gaps: One I will call the design gap, and another I call the implementation gap.

The design gap exists when countermeasures are missing from the security architecture, either because they were never implemented or because a device lacks the capability. Examples for the technology security architecture are missing firewalls, poor network segmentation, missing encryption, missing antivirus, missing authentication, etc. Examples of missing countermeasures in the operations security architecture are missing patch management, backup and security incident handling processes. The design gap is measured by inspecting for compliance with a reference such as ISA-99.03.03 (later published as IEC 62443-3-3) or specific national / industry regulations (OLF, CIP, ictQATAR, WIB, etc.).

The implementation gap exists when the countermeasures (cyber security controls) are present but show deficiencies in their configuration, or are available but never configured. Examples for the technology security architecture are badly configured firewall rule sets, weak passwords and insufficient hardening of equipment. The implementation gap in processes (the operations architecture) is measured using a maturity model, in which processes are judged on how well they are defined, repeatable, managed and continuously optimized.

For the design gap we need a reference: some objective criterion that specifies whether a countermeasure is required or not. If we left this decision to an individual engineer’s skills and experience, we would lose consistency. The reference must specify which countermeasures need to be implemented to counter a specific threat level. This can be the method used by ISA 99, which specifies a set of security requirements for each of its four Security Assurance Levels (SAL), or a more direct approach such as that taken by ictQatar, which specifies the requirements for critical information infrastructure in its Guidelines for ICS Security. Of course, such a specification needs to be written in general terms so that it can withstand the fast-changing technology and threat landscape.

We call measuring the design gap the audit portion, because we compare the security architecture (technology and operations) against a reference of requirements. The audit creates a complete inventory of all security controls present, without evaluating how effectively they are implemented. So the outcome is an evaluation of the security design, for both the security technology and the security operations.

To determine the implementation gap, we need to evaluate the effective implementation of each security control. This means checking the technical implementation (proper hardening, adequate filter definitions, etc.) or the maturity of the security operations process (defined, repeatable, managed, etc.). We call this part the assessment. The assessment also requires references, in this case configuration references such as those provided by NIST, CIS and the Bandolier project.

A good audit and assessment should be objective, and its results should be repeatable and consistent: objective with regard to the level of protection needed, the quality of the design, configuration and implementation, and of course the observations themselves.

Another important factor is the completeness and thoroughness of the assessment. For example, just running a vulnerability scanner and documenting the output in a report is not going to identify all security issues. The plug-ins of vulnerability scanners primarily capture general IT deficiencies; the specific control system requirements and the software components used in SCADA / DCS are often missed. So it is important to collect all configuration and installation data and make certain that every software component is accounted for in the vulnerability analysis.

That brings us to the security analysis process, an important process because here we determine the risk to the SCADA/DCS. Security analysis identifies and “translates” vulnerabilities and configuration deficiencies into risk. It is not always straightforward to see how a particular vulnerability impacts the SCADA/DCS when exploited, or how widely the vulnerable component is deployed across the system. This translation from vulnerability to risk is called risk profiling. Risk profiling allows us to rank risk, which is important because we need to decide which risks to remediate and which can be accepted as residual risk. For this we need metrics to differentiate between levels of risk.

The completeness, thoroughness and quality of the security analysis are where the difference between a good and a bad security assessment is made. This is where we see the largest differences in the overall quality and cost of an assessment: it is easy to capture the low-hanging fruit, but hard work to detect all the vulnerabilities in a system.
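To make the implementation gap and risk profiling concrete, here is an added example (my own illustration, not code from the original post or from any assessment tool) that reviews a firewall rule set the way an assessor would. The rule format, the zone names, the allowed conduits and the severity ranking are assumptions made up for this example; in a real assessment they come from the site’s security zone design and its chosen reference. It flags any/any permits and rules that cross conduits the zone model does not allow, checks for a final explicit deny, and ranks each finding by how deep into the ICS the rule can reach.

```python
"""Review a constructed SCADA/DCS firewall rule set against a simple zone model.

Added example (not code from the original post). The zone names, the allowed
conduits, the rule format and the severity ranking are assumptions made here
for illustration; a real assessment takes them from the site's security zone
design and its chosen reference (e.g. ISA-99 / IEC 62443).
"""
from dataclasses import dataclass

# Purdue-style levels; a lower number is closer to the physical process.
ZONE_LEVEL = {"L1": 1, "L2": 2, "L3": 3, "DMZ": 3, "L4": 4}

# Assumed conduit policy: adjacent levels may talk, and the enterprise
# network (L4) reaches site operations (L3) only through the DMZ.
ALLOWED_CONDUITS = {
    ("L1", "L2"), ("L2", "L1"),
    ("L2", "L3"), ("L3", "L2"),
    ("L3", "DMZ"), ("DMZ", "L3"),
    ("L4", "DMZ"), ("DMZ", "L4"),
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Rule:
    src: str     # source zone, or "any"
    dst: str     # destination zone, or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # destination port, or "any"
    action: str  # "permit" or "deny"


def parse_rules(text):
    """Parse the constructed 'src dst proto port action' format, ignoring '#' comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, proto, port, action = line.split()
            rules.append(Rule(src, dst, proto.lower(), port.lower(), action.lower()))
    return rules


def severity(rule):
    """Risk-profile a permit by how deep into the ICS it reaches: a rule that can
    touch L1 (or uses 'any', which may touch L1) is ranked critical."""
    depth = min(ZONE_LEVEL.get(rule.src, 1), ZONE_LEVEL.get(rule.dst, 1))
    return {1: "critical", 2: "high", 3: "medium"}.get(depth, "low")


def review(rules):
    """Return findings as (severity, rule_number, message), highest risk first."""
    findings = []
    for number, r in enumerate(rules, 1):
        if r.action != "permit":
            continue
        if r.proto == "any" and r.port == "any":
            findings.append((severity(r), number, f"any/any permit {r.src} -> {r.dst}"))
        if (r.src, r.dst) not in ALLOWED_CONDUITS:
            findings.append((severity(r), number, f"conduit {r.src} -> {r.dst} is not in the zone model"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == last.dst == last.proto == last.port == "any"):
        findings.append(("high", len(rules), "rule set does not end in an explicit deny any/any"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))
    return findings


# Constructed rule set with the kind of deficiencies an assessment finds.
SAMPLE_RULES = """
L2  L1  tcp 502  permit   # SCADA servers polling controllers over Modbus/TCP
L2  L3  tcp 1433 permit   # historian collector to the site database
L3  DMZ tcp 443  permit   # replication to the DMZ historian
L4  DMZ tcp 443  permit   # enterprise users read the DMZ historian
DMZ L3  tcp 3389 permit   # RDP from the jump host
L4  L2  any any  permit   # vendor remote access, added "temporarily"
any any any any  permit   # left over from commissioning
"""

# The same rule set after remediation.
CLEAN_RULES = """
L2  L1  tcp 502  permit
L2  L3  tcp 1433 permit
L3  DMZ tcp 443  permit
L4  DMZ tcp 443  permit
DMZ L3  tcp 3389 permit
any any any any  deny
"""

if __name__ == "__main__":
    for sev, number, msg in review(parse_rules(SAMPLE_RULES)):
        print(f"{sev:8} rule {number}: {msg}")
```

Running it on the sample rule set produces five findings, the two for the leftover any/any rule ranked critical because such a rule can reach L1, the two for the vendor access rule ranked high, and the missing final deny; the remediated set produces none. The ranking is deliberately simple: a real risk profile would also weigh how many hosts sit behind each conduit and what an attacker could do with the exposed protocol.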

Posted in General, ISA, NIST, Nuclear, Petrochemicals – CFATS, Power – NERC CIP.

Using Analytics to Fight Cyber Crime

Security at our airports is based primarily on looking for known banned items.  The premise is that terrorists will be thwarted from succeeding with an approach that was either previously successful or nearly successful and fortuitously prevented.  That is pretty much how blacklisting works, the approach behind signature-based anti-virus software and, in most cases, intrusion detection and prevention systems.

But staying with this analogy, when travelling out of Israel you find that while they also scan for known threats on your body and in your luggage, Israeli security primarily focuses on analyzing behavior, looking for someone likely to commit a terrorist act.  In a way, that is similar to what many customs checks do.  Rather than x-raying luggage, they ask a few questions to determine if someone is likely to be bringing in contraband.  In effect, they are using behavior algorithms in their analysis.

In much the same way, cyber security is taking on a more holistic analysis to identify threats, in addition to looking for specific known threats.  More advanced cyber tools look for anomalies, such as a burst of data flow at an unscheduled time or a higher than normal load.  It is these out-of-normal patterns that can help detect an otherwise unknown and undetected threat.  While these may cause more false positives initially, with advanced algorithms embedded in analytics software and better tracking of consistency in behavior, their frequency should decrease.

To make this work, algorithmic scripts can be created within a firewall or through IDS/IPS devices.  The key is knowing what to look for; and that is where cyber security experts, particularly within the industrial process control domain, are extremely valuable.  To be fair, this isn’t a new idea.  The concept has been around a while.  See a 2010 Deloitte publication and this article on a solution IBM proposed for the FAA.   Providing a self-learning system would make this solution extremely valuable; which is what Google apparently did, as noted in an October 2010 patent application for an adaptive cyber security analytics package.
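As an added illustration of the "burst of data at an unscheduled time" idea (my own example, not code from the original post or from any product), the script below learns a per-host, per-hour-of-day traffic baseline from a week of constructed flow records, then scores a new day against it. The host name, the byte counts, the scheduled 02:00 backup and the 4.0 sigma threshold are all assumptions made up for the example. The point it shows that the paragraph only states is the false-positive trade-off: the spread is floored so a very regular baseline does not turn every small fluctuation into an alert, while a large transfer outside the backup window still stands out by hundreds of sigmas.

```python
"""Baseline-and-deviation anomaly detection over constructed ICS flow records.

Added example (not code from the original post). The records, the host name
"hist01" and the thresholds are assumptions constructed here to show the idea:
learn what "normal" traffic looks like per host and hour of day, then flag
intervals that deviate strongly, such as a bulk transfer at an unscheduled time.
"""
import statistics
from collections import defaultdict

MB = 1_000_000


def build_baseline(records):
    """records: (day, hour, host, bytes). Returns {(host, hour): (mean, stdev)} in bytes."""
    buckets = defaultdict(list)
    for _day, hour, host, nbytes in records:
        buckets[(host, hour)].append(nbytes)
    return {key: (statistics.fmean(v), statistics.pstdev(v)) for key, v in buckets.items()}


def zscore(baseline, hour, host, nbytes, min_sigma_frac=0.1):
    """Deviation of one interval from its baseline, in sigmas."""
    mean, stdev = baseline.get((host, hour), (0.0, 0.0))
    # Floor the spread: a very regular baseline would otherwise turn every
    # small fluctuation into a huge z-score and flood the operator with alerts.
    sigma = max(stdev, min_sigma_frac * mean, 1.0)
    return (nbytes - mean) / sigma


def detect(baseline, records, threshold=4.0):
    """Return (day, hour, host, bytes, z) for every interval beyond the threshold."""
    alerts = []
    for day, hour, host, nbytes in records:
        z = zscore(baseline, hour, host, nbytes)
        if abs(z) >= threshold:
            alerts.append((day, hour, host, nbytes, round(z, 1)))
    return alerts


def constructed_training_week(host="hist01"):
    """Seven days of hourly byte counts: small steady traffic, plus a scheduled
    historian backup to the DMZ at 02:00 that moves several gigabytes."""
    rows = []
    for day in range(7):
        for hour in range(24):
            if hour == 2:
                nbytes = (5_000 + 40 * day) * MB
            else:
                nbytes = (50 + (day * 7 + hour) % 11) * MB  # deterministic jitter
            rows.append((day, hour, host, nbytes))
    return rows


def constructed_test_day(host="hist01"):
    """Day 8: the backup runs as usual, but 4 GB also leaves the host at 14:00."""
    rows = []
    for hour in range(24):
        if hour == 2:
            nbytes = 5_100 * MB
        elif hour == 14:
            nbytes = 4_000 * MB
        else:
            nbytes = (50 + (hour * 3) % 11) * MB
        rows.append((7, hour, host, nbytes))
    return rows


def run_demo():
    """Train on the constructed week and score the constructed test day."""
    baseline = build_baseline(constructed_training_week())
    return detect(baseline, constructed_test_day())


if __name__ == "__main__":
    for day, hour, host, nbytes, z in run_demo():
        print(f"day {day} {hour:02d}:00 {host}: {nbytes / MB:.0f} MB, z = {z}")
```

Only the 14:00 transfer is reported; the 02:00 backup, although far larger, matches its own hour’s baseline and stays quiet. That per-hour context is exactly what a plain volume threshold cannot give you, and it is why the baseline has to be built from the plant’s actual schedule rather than from a generic IT profile.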

Waiting for these solutions to become commercially available does not preclude you from taking advantage of analytics based cyber security tactics today.  However, the skills to know what to look for; and then knowing how to filter out the noise are not widely available.  Some sophisticated cyber security organizations such as Honeywell’s security group do have these skills; so if you are interested, you should talk to your DCS vendor and see if they can help you use algorithm based analytics to prevent cyber crime.

Posted in General, ISA, NIST, Nuclear, Petrochemicals – CFATS.

The threat of client-side attacks

I would like to start the New Year not so technically, but by looking back on the subjects I covered last year and at the trends for the coming year. My focus in the blogs of the second half of 2012 was primarily malware attacks, protection strategies against advanced persistent threats and related subjects such as disconnection management and security incident handling. This was not a coincidental choice of subject: last year showed an amazing rise in new malware and some very damaging examples of successful attacks (such as wiper malware destroying file systems and boot records in Saudi Arabia, Qatar, and Iran). We started the year with approximately 70,000 new viruses each day; this grew to an already amazing 125,000 in May and to 200,000 new viruses every day by the end of 2012 (source: Kaspersky Lab).

Virus technology has become very mature: polymorphic viruses that change their signature every generation are very common now, and it is easy to make your own virus with a malware development kit and distribute it in various ways. Crime-as-a-Service has entered the world; tools and services are readily available to assist the untrained attacker. There is a market for zero-day exploits, and sometimes vulnerability and exploit are published simultaneously to embarrass vendors. The level of skill required for a cyber attack has dropped year after year. Entry points into the ICS have grown and continue to grow. Therefore we must consider the “client-side” attack strategy the number one threat today for industrial control systems (ICS).

An astonishing series of very sophisticated malware was discovered in 2012, much of it most likely of nation-state origin: malware entering systems by posing as Windows Update with a forged Microsoft certificate (Flame), through documents, or through the USB interface. New malware propagation methods were revealed, using firmware to propagate within the system. And new computers were shipped from the warehouse with malware already built in. A trusted supply chain has become essential for the security of ICS. These advances further increased the risk to national critical infrastructure and require a re-evaluation of the security of these systems.

When analyzing our observations from last year’s security assessments we see that most ICS are protected against malware only by traditional AV systems. That is a level of protection that depends primarily on a known malware signature; if the signature is missing (which is the case for most new viruses), the protection is not effective. Combine this hole in our defenses with the ongoing struggle plants have with patching the ICS to remove vulnerabilities, the absence of a containment strategy (such as IPS / virtual patching, disconnection management, incident response processes) to limit the impact of a malware attack, and the increased focus of nation-states and cyber terrorists on ICS, and you realize that we are badly protected against client-side attacks.

Today’s defense strategy as applied by plants is primarily a perimeter protection strategy, focusing on firewalls and on protecting vulnerable protocols. Client-side attacks, however, jump right over the perimeter into the heart of the ICS, an area with limited protection. So what should we do in 2013 to increase ICS robustness against these client-side attacks?

There are a couple of actions we can take:

- Analyze the ICS for proper segmentation / security zone design. These are, by the way, not the same thing: having segmented your network into L1, L2, L3 and DMZ segments does not mean that this is also an appropriate security zone division. Security zones generally require a higher granularity.

- Once we have a clear picture of our security zones we can design our protection. We can shield legacy software with virtual patching solutions, protect L1 equipment with deep packet inspection (DPI) firewalls, apply IPS filtering at the L2 and L3 layers of the system, and prepare ourselves by developing disconnection strategies and procedures and implementing a security incident response process.

- And of course we need to enhance our malware protection against this flood of new malware by implementing application white listing (AWL). Though AWL raises management cost, it offers a stronger defense against client-side attacks. Unfortunately it is an add-on to, and not a replacement for, black listing.
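The last point, that AWL complements rather than replaces black listing, is easiest to see side by side. The example below is my own illustration and not code from the original post or from any AV or AWL product: the “binaries”, the dropper payload, the hash lists and the XOR repacking stub are all constructed, and both controls are reduced to file-hash matching (real AV engines use far more than hashes, and real AWL products also check signers and paths). It shows a repacked generation of the same dropper slipping past the hash signature but not past the allowlist, and an approved-by-mistake vendor update that the allowlist lets run but a signature still catches.

```python
"""Signature blacklisting vs application allowlisting against a repacked sample.

Added example (not code from the original post). The "binaries", the payload,
the hash lists and the XOR repacking stub are all constructed here; a real AV
engine uses far more than file hashes, and a real AWL product checks signers
and paths as well, but the comparison shows why the post treats AWL as an
add-on rather than a replacement.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed, approved binaries: what change control has put on the allowlist.
APPROVED = {
    "hmi_client.exe": b"MZ\x90\x00APPROVED-HMI-CLIENT-BUILD-1234",
    "historian_svc.exe": b"MZ\x90\x00HISTORIAN-SERVICE-BUILD-88",
    # Vendor update approved in a hurry; later found to carry a known dropper.
    "historian_svc_update.exe": b"MZ\x90\x00HISTORIAN-SERVICE-BUILD-89+DROPPER",
}
ALLOWLIST = {sha256(data) for data in APPROVED.values()}

# Constructed known-bad samples: the AV vendor has signatures for exactly these.
DROPPER = b"MZ\x90\x00DROPPER-OPENS-BACKDOOR-ON-4444"
BLACKLIST = {sha256(DROPPER), sha256(APPROVED["historian_svc_update.exe"])}


def repack(payload, key):
    """Simulate one polymorphic generation: the same payload XOR-encoded under a
    new key behind a tiny stub. Every generation gets a new file hash, so a
    hash-based signature for the previous one no longer matches."""
    return bytes([0x4D, 0x5A, key]) + bytes(b ^ key for b in payload)


def blacklist_verdict(data):
    return "block" if sha256(data) in BLACKLIST else "allow"


def allowlist_verdict(data):
    return "allow" if sha256(data) in ALLOWLIST else "block"


def combined_verdict(data):
    """Both controls in force: execution is blocked if either one says so."""
    if blacklist_verdict(data) == "block" or allowlist_verdict(data) == "block":
        return "block"
    return "allow"


SAMPLES = {
    "hmi_client.exe": APPROVED["hmi_client.exe"],
    "hmi_client_tampered.exe": APPROVED["hmi_client.exe"][:-1] + b"5",  # one byte changed
    "dropper.exe": DROPPER,
    "dropper_gen2.exe": repack(DROPPER, 0x5C),
    "dropper_gen3.exe": repack(DROPPER, 0xA7),
    "historian_svc_update.exe": APPROVED["historian_svc_update.exe"],
}


def evaluate(samples=SAMPLES):
    """Map each sample to (blacklist verdict, allowlist verdict, combined verdict)."""
    return {name: (blacklist_verdict(d), allowlist_verdict(d), combined_verdict(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:26} blacklist={verdicts[0]:5} allowlist={verdicts[1]:5} combined={verdicts[2]}")
```

The two generations of the dropper and the tampered HMI client are where AWL earns its management cost: none of them has a signature, all of them are blocked. The approved-by-mistake update is the reverse case, and it is why the post calls AWL an add-on: an allowlist is only as good as the change control behind it, and a known-bad signature is the control that still fires when that process fails.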

Just like safety, cyber security has become an essential part of managing industrial control systems. The big difference between the two is that cyber security has an important “malicious intent” component, which creates a continuous need to reassess and improve the defense year after year. So in 2013 too, all of us, vendors and owner / operators, need to maintain our focus on providing and maintaining secure industrial control systems.

Posted in best practices, General, ISA, NIST, Nuclear, Petrochemicals – CFATS, Power – NERC CIP, Security.

Are You at Risk? : Consider a Cyber Security Vulnerability Assessment

Are you at risk of a cyber attack?  How can you be sure you’re not?  Have you completed a cyber security vulnerability assessment?  Did you follow the recommendations?  Are you able to sleep at night?  Have I got you thinking?  If so, read on.

Of course you’ve updated your virus signature files and done a reasonable job of updating your security patches (they’re only a few months out of date at any given time) so you’re not really at risk.  At least not as at risk as the other guy you know has done a lot less.  You may follow the adage that you don’t have to be faster than the (put in your scary carnivore of choice), you just have to be faster than the guy next to you.

That philosophy works in the woods, but not so much in the server room, rack or control room.  The problem is that attackers are anonymous and it is easy for them to hit a wide audience, so you could easily be collateral damage without even having been targeted.  And while a scatter-gun approach is probably less likely to break in, you may still be loosely targeted and discover that the hacker found a vulnerability you were not aware of, or whose risk you underestimated.

Are you at risk?

Case in point, I’m responsible for security in our condominium.  We had some incidents and implemented major upgrades, including reinforcing doors and windows, additional cameras, etc. and we figured we were pretty secure.  That worked for a few years until we got hit by a guy determined to defeat our security with time and not very sophisticated tools.  We corrected the vulnerability he exploited and he defeated another, then we hired a security guard and he came back again.  Needless to say, it impacted our peace of mind.

What’s the point, you ask?  You can’t assume you are secure.  You need to know and evaluate all your vulnerabilities, and you need to assume that any vulnerability will result in a break-in.  Once you realize you are not truly secure, you should do two things: first, figure out what it will cost to secure that vulnerability and what it might cost if you don’t; and second, plan for recovery regardless of whether you mitigate the risk, because you can never be 100% certain you are truly secure.

For our condo, we’re reassessing our strategy now that the likelihood has gone from very low to very real.  There’s no real difference for a control system.  You need to assess your cyber security vulnerabilities and make a business decision on cost versus risk.  (Hopefully you will complete that assessment before you are successfully attacked.)  You also need to plan for how you will recover if an attack is successful.  You won’t eliminate the risk, but you will sleep a lot better.

Posted in best practices, General, ISA, NIST, Petrochemicals – CFATS, Power – NERC CIP, Security.

How Secure is Secure Enough? The Question Continues…

Hello, All!

As we approach the last month of 2012, we can take a quick look in the rearview mirror and evaluate the state of control system security.  It’s easy to get complacent when things are going well, but we all know that security, like safety, requires vigilance.

It’s interesting that there are still a number of control system installations where cyber security is not among the main topics of conversation.  However, it is encouraging to note that many of the sites that I have visited have a keen interest in securing their control systems and in providing better defenses.

The industry as a whole is becoming more articulate in the discussion of security risks, the sources of risk, tools and methods for detection and prevention, and the level of discipline that is required to maintain and advance security.

I was asked to participate in a series of interviews a few months ago with Walt Boyes, Editor-in-Chief of Control.  Among the topics discussed were:

  • Are we more secure now than last year?
  • Who are the attackers and what do we do to defend against them?
  • Is security for control systems another Y2K?
  • How does control system security differ from enterprise security?
  • Are there any metrics for security?
  • How much security is too much?

If these questions are interesting or provocative, then you might want to read the article that is the result of interviews with many industry experts.  It provides a somewhat extensive look at different views of the maturity of the control systems industry when it comes to cyber security.  Still considered the “new kids on the block” (compared to usually more mature security programs in business systems and networks) by several experts, I find that many Honeywell customers have developed a heightened awareness of cyber security.

When asked who the attackers are, and what do we do to defend against them, I replied:  “There is no easy answer for this. Systems have to be protected from the intentional external attack and from the intentional or accidental insider attack. Locking down USB devices and CD/DVD readers significantly improves the security of the system. Using defense-in-depth, least-privilege-required and separation of duties strategies will greatly reduce the attack surface. Once a system is installed securely, it must be monitored continuously for indications of non-normal events that could signal a cyber incident against the system.”

Read the entire article…I think you’ll enjoy it!

Posted in best practices, General, ISA, NIST, Security.