Internet Modernization Critical Infrastructure Impacts

SAND2017-8869C

Curtis Keliiaa, CISSP, IPv6 Forum Gold Certified Engineer
September 27, 2017

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-NA-0003525.

Learning Objectives

To understand:
• internet modernization impacts across the 16 DHS defined critical infrastructure sectors;
• how to address evolving operational and security needs;
• increased complexity of internet protocol modernization;
• how to address workforce development challenges;
• increased risk of internet modernization; and
• how risk mitigation can be managed

Introduction to Computing at Sandia National Laboratories

High Performance Computing
» Funding profiles for Scientific Computing at Sandia:
  1. NNSA Advanced Simulation and Computing
  2. Institutional Computing program
  3. DOE Office of Science, Advanced Scientific Computing Research
» ASC Tri-Lab Networks/Systems at SNL, LANL and LLNL:
  • Continuous Access to Large Compute Systems
  • ~60 PF, ~10B Processor Hours/Year
» Operations:
  • Scientific Computing Platforms – 14 clusters in 4 environments
  • System Acquisition, Maintenance & Operations
  • High Speed Parallel File Systems
  • High Performance Parallel Networks
  • Multi-Petabyte Data Archive Systems
  • Facilities Improvements
  • User Support Personnel
  • Analysts & Code Development

Center for Computing Research
» Computing research focused on cross-cutting challenges and enabling capabilities:
  • Streaming algorithms to process large data streams
  • Algorithms to find patterns in large graphs
  • Machine learning techniques to detect adversarial behavior (e.g. phishing emails)
  • Quantum Information Systems
  • Cognitive Science
  • Neural Networks
  • Cyber Emulytics
  • Exascale Computing
  • Remote sensing challenges
  • Cybersecurity Engineering Research Institute

Collaboration with Industry and Academia

Internet Modernization
Information & Communication Technology Impacts:
Multi-Domain Integration
Unprecedented Growth
Increased Complexity
Increased Risk

Radio Frequency

RF is a fundamental enabler of mobility

Federal Communications Commission Spectrum Allocation

Expanding Cyber Ecosystem: 5G, LTE Mobility, Mobile Networks, Near Field Communications

Internet Protocol

ARIN exhausted its IPv4 free-pool September 24, 2015

Expanding Cyber Ecosystem: IPv6, Cloud, IoT, Mobile, Information & Operational Technology convergence

IP is a fundamental enabler of Connectivity

IP Dual Stack Latent Threat

Two pathways into Your Data
  • IPv4 ingress/egress traffic
  • IPv6 ingress/egress traffic
  • Must manage both (dual-stack)
  • All nodes – host and network
  • IPv6 preferred by standard
  • Dual-stack is IPv6 half done

| Property | IPv4 | IPv6 |
|---|---|---|
| Address size and network size | 32 bits, network size 8-30 bits | 128 bits, network size 64 bits |
| Packet header size | 20-60 bytes | 40 bytes |
| Header-level extension | Limited number of small IP options | Unlimited number of IPv6 extension headers |
| Fragmentation | Sender or any intermediate router allowed to fragment | Only sender may fragment |
| Control protocols | Mixture of non-IP (ARP), ICMP, and other protocols | All control protocols based on ICMPv6 |
| Minimum allowed MTU | 576 bytes | 1280 bytes |
| Path MTU discovery | Optional, not widely used | Strongly recommended |
| Address assignment | Usually one address per host | Usually multiple addresses per interface |
| Address types | Use of unicast, multicast, and broadcast address types | Broadcast addressing no longer used, use of unicast, multicast and anycast address types |
| Address configuration | Devices configured manually or with host configuration protocols like DHCP | Devices configure themselves independently using stateless address auto-configuration (SLAAC) or use DHCP |

Differences between IPv4 and IPv6
Source: National Institute of Standards and Technology (NIST)
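An added example, not part of the original slides: a Python check for the "must manage both" point, comparing which listening services on a dual-stack host are reachable over IPv4 and which over IPv6. The `ss`-style sample lines, the function names, and the treatment of `*` as a wildcard covering both families are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of `ss -Htuln` (not captured from a real host).
SS_OUTPUT = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
tcp LISTEN 0 244 [::]:5432 [::]:*
tcp LISTEN 0 511 [::]:8080 [::]:*
tcp LISTEN 0 511 *:443 *:*
udp UNCONN 0 0 192.0.2.10:161 0.0.0.0:*
udp UNCONN 0 0 [fe80::1]%eth0:546 [::]:*
"""

LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")

def exposure(ss_text):
    """Map (proto, port) -> {4: bool, 6: bool}: listening beyond loopback/link-local?"""
    table = defaultdict(lambda: {4: False, 6: False})
    for line in ss_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, host, port = m.group(1), m.group(2), int(m.group(3))
        if host == "*":
            # Assumption: "*" is a wildcard socket that accepts both families.
            table[(proto, port)] = {4: True, 6: True}
            continue
        # Drop an interface scope (%eth0) and brackets before parsing the address.
        addr = ipaddress.ip_address(host.split("%")[0].strip("[]"))
        if not (addr.is_loopback or addr.is_link_local):
            table[(proto, port)][addr.version] = True
    return dict(table)

def family_drift(ss_text):
    """Services reachable over one address family only, sorted by protocol and port."""
    findings = []
    for (proto, port), fam in exposure(ss_text).items():
        if fam[6] != fam[4]:
            findings.append((proto, port, "ipv6-only" if fam[6] else "ipv4-only"))
    return sorted(findings)

if __name__ == "__main__":
    for proto, port, kind in family_drift(SS_OUTPUT):
        print(f"{proto}/{port}: {kind} exposure, check the matching firewall policy")
```

The port 5432 finding is the case the slide warns about: the service is bound to loopback on IPv4 but to the wildcard address on IPv6, so the second pathway is open while the first looks closed.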

Reduced Threat Exposure

Dual Stack = increased threat surface

Cybersecurity as a design requirement

Divest old IT and remove legacy dependencies

IPv6 “only” reduces threat exposure

Source: Sandia National Laboratories: Cyber-e Infrastructure Assurance

Cyber Safeguards for IT
» Information Technology Cybersecurity:
  • Confidentiality, Integrity, Availability
  • Secure information and communication technologies (ICT)
  • Information available to authorized users

Source: Sandia National Laboratories: Research Engineering Cyber Operations Intelligence Lab

Risks/Mitigations

Facts – Certainty
  • IPv4 exhaustion
  • IPv6 expansion
  • ICT innovation
Risks – If this risk, then that consequence
  • If technical relevance is lost, then organizational connectivity will be ineffectual
Concerns – What ifs
  • What if the competition understands new technology first?
Opportunities – What could be
  • ICT Cybersecurity ready for the foreseeable future
Challenges – Obstacles
  • Workforce readiness is the #1 challenge
Risks/Mitigations
  • Organizational
  • Administrative
  • Operational
  • Technical

Source: DHS Cybersecurity Framework

Resilience

Level of Concern
  • Life Safety
  • Energy
  • Communications
  • Roles and Responsibilities
  • Business Continuity Planning
  • Emergency Management
  • Continuity of Operations
  • IT Disaster Recovery
  • High Availability
  • Redundancy
  • Alternate Facilities
  • Cyber-Physical Security
Level of Effort
  • Multi-jurisdictional
  • Supply Chain
  • Inter-organizational
  • Organizational
  • Administrative
  • Operational
  • Technical

Is our cyber dog digging in for resilience or just burying her head in the sand?

External Threat Vectors
  • Natural Disaster
  • Physical Disruption
  • Cyber Disruption
  • Resource Disruption

Critical Infrastructure Sectors
IT & Communications Sector Impacts:
Multi-Domain Integration
Unprecedented Growth
Increased Complexity
Increased Risk

Critical Infrastructure Sectors
» Department of Homeland Security defined critical infrastructure sectors
» Innovations in the IT & Communications sectors are applicable across all other sectors

Source: Sandia National Laboratories: Resilient Infrastructure Systems

Cyber Safeguards for OT
» Operational Technology Cybersecurity:
  • Availability, Integrity, Confidentiality
  • Secure industrial control systems (ICS), supervisory control and data acquisition (SCADA)
  • Service available to authorized customers

Cyber and Infrastructure Security

Source: Sandia National Laboratories: Cyber and Infrastructure Security

IT; Communications; Government Facilities; Financial Services; Commercial Facilities

Information Assurance

Information Assurance
» Data Governance
» Crosscutting ICT Dependencies
» IT Cybersecurity
» Multi-Domain Integration
» Emergent Cyber Ecosystem Technologies

Source: IPv6 Forum: http://www.ipv6forum.org (accessed 8-9-2017)

Emergency Services; Healthcare and Public Health; Transportation; Defense Industrial Base; Critical Manufacturing

Communications

Emergency Communications
» Emergency Services
  • 911
» Enhanced 911 (E911)
  • Geo-Location, automated number & location information
» Next Generation 911 (ng911)
  • Voice, Video, Data
» FirstNet
  • Emergent - National broadband public safety network
» APCO Project 25
  • Emergent: 700-800 MHz Digital Narrow Banding
  • IT Backend Radio Management Systems
  • Legacy: Land Mobile Radio

Source: Sandia National Laboratories: Resilient Infrastructure Systems

Mobile Communications
» Space
  • Satellite broadband
» Air
  • Manned/Unmanned aerial vehicle fleets
» Land
  • Manned/Unmanned terrestrial vehicle fleets
» Sea
  • Oceanic shipping fleets
» Tracking
  • Distributed sensor networks
  • Personnel
  • Materials
  • Provenance

[Figure labels: Space Satellite; Aerial Aircraft/UAV; Terrestrial Fleets/Automated Self-Driving; Oceanic Shipping/Tracking; Distributed Sensor Networks; Materials, Personnel, & Provenance; IPv6 Internet]

Energy; Dams; Water, Waste Water Systems; Nuclear Reactors, Materials, & Waste; Food & Agriculture; Chemical

Industrial Control Systems, Supervisory Control and Data Acquisition

Industrial Control Systems, Supervisory Control and Data Acquisition
» OT/IT
» Cyber/Physical
» Grid Modernization
» Smart Grid Technology
» Smart Meters
» Distributed Sensor Networks

Multi-Domain Innovation
» Mesh Networks
  • Constrained compute, communications, power devices
» Mobile Networks
  • Space, air, land, sea
» High Performance Computing
  • Machine Learning
  • Peta to exascale
» Distributed Sensor Networks
  • Internet of Things
  • Machine-to-machine communications
» Information Centric Networks
  • Named data networks/named based routing
» Quantum Computing
  • Quantum-scale phenomena for computational data
  • Encryption

[Figure labels: Mesh Networks; Mobile Networks; High Performance Computing; Distributed Sensor Networks; Information Centric Networks; Quantum Computing; IPv6 Internet]

Legacy Dependency Risk
» Legacy Technology Dependence
  • If an organization relies too heavily on legacy technologies, then the:
    - business continuity risk of insufficient connectivity is increased
    - risk of insufficient information assurance through lack of new technology protection mechanisms is increased
    - risk of reduced life-safety response is increased in emergency communications
    - risk of insufficient OT/IT integration is increased
    - risk of insufficient operational technology security is increased
    - risk of insufficient critical infrastructure service availability, diversification, and security is increased
  • Mitigations
    - IT/Communications/OT/ICS/SCADA modernization with cyber security, physical security, and resilience as design requirements

Emergent Tech and Automation Risk
» Emergent Technology
  • If an organization does not appropriately secure emerging IT, communications, OT, and ICS/SCADA, then a risk of insufficient cyber visibility, protection, and incident response capability is increased
  • Mitigations
    - executive championship for a skilled cyber workforce with cybersecurity, physical security, and resilience as design requirements
» Automation
  • If an organization does not appropriately secure automated computational, networked, and virtualized information services, then a risk of unseen information asset compromise is increased
  • Mitigation
    - execution of standards-based & industry best practices with cybersecurity, physical security, and resilience as design requirements

Reduce Risk Exposure or “CPR for Information Systems”

CPR “Baked-in” Design Requirements
  • Cybersecurity
  • Physical Security
  • Resilience
Science-based Cyber Research and Development
  • Obfuscation, Emulytics, Provenance, Correlation
Four phase automated defense concept
  • Behavior, Situational, Rapid Response
  • Cyber/Physical
  • Homeland Security Advisory System
  • Low, Guarded, Elevated, High, Severe

Source: Sandia National Laboratories: Cyber-e: National Cyber Defense High Performance Computing & Analysis: Concepts, Planning and Roadmap

So… What could go wrong?
» Natural Disaster
  • Super Storm Sandy (2012), Hurricane Harvey
» Human Error
  • Under pressure, fatigue, lack of training or skills
» Malicious Intent
  • Sniper takes substation San Jose California (2013)
» Misconfiguration
  • Manual or automated when technology changes
» Unintended Consequences
  • Due to lack of knowledge with embedded/new technology
» Local Causality to Wide Area Disruption
  • Trees take out Northeast grid (2003)
» Cyber Causality to Physical Disruption
  • Cyber disruption with ICS consequences, i.e. smart grid
» Physical Causality to Cyber Disruption
  • Physical disruption with cyber consequences, i.e. facilities or communications failure

NYC After Tropical Storm Sandy - Local microgrids provided energy reliability, security, and mission assurance

Source: Sandia National Laboratories: Energy Storage

Grid Modernization

Source: Quadrennial Energy Review/ Second Installment | Department of Energy

Cyber Workforce Call to Action

Training, Education, and Awareness
  • Who - Everyone with cyber or physical access
  • What - recognize and report unusual content and activity
  • Why - importance of policies and procedures
  • How - Training, certification, and higher education
New Skilled Cyber Workforce Fundamentals
  • IPv6: “basics to expert” to meet roles and responsibilities
  • Cybersecurity big picture: Human element, information, services, applications, systems, network, operations
  • Secure App Development: programming + security

Source: Sandia National Laboratories: Cyber Engineering Research Laboratory, Research Engineering Cyber Operations Intelligence Lab

Practices, Standards, & Teaming

Best Practices
  • (ISC)² Certifications
  • Center for Internet Security: 20 Critical controls
Standards-based IT/OT Integration
  • Internet Engineering Task Force
  • Institute of Electrical and Electronics Engineers
  • National Institute of Standards and Technology
Interdisciplinary Teaming
  • IT Cybersecurity
  • OT Cybersecurity
  • Physical Security
  • Resilience
  • Critical Infrastructure Stakeholders

Source: International Information Systems Security Certification Consortium: www.isc2.org/certifications

Return on Investment
» Internet modernization offers a favorable return on investment as vast as the new cyber ecosystem itself
» Procurement since 2010 has IPv6 in all modern operating systems
» Training is a short-term investment with long-term gain
» Executive championship to promote the workforce skill development relevant to the needs of the future
» OT/IT/Communications/ICS/SCADA ready for the future
» Critical infrastructure modernized, secure, protected, and resilient

Cusp of a New Cyber Ecosystem
» A professionally qualified cyber workforce is required to seize opportunities in advanced infrastructure services and deliver sufficient protection in an expanding cyber ecosystem
» Reduce threat exposure and complexity by moving away from old technologies to new technologies
» Reduce risk in new technology deployment with cyber and physical security and resilience as design requirements from the start

References
» APCO Project-25 Document Suite: Reference P25 SDR, January 14, 2010
» APCO Project 25 Statement of Requirements (P25 SoR), March 3 2010
» National Public Safety Telecommunications Council, Public Safety Broadband High-Level Launch Requirements: Statement of Requirements for FirstNet Consideration, December 7, 2012
» Cisco White Paper: A Standardized and Flexible IPv6 Architecture for Field Area Networks: Smart Grid Last-Mile Infrastructure, Referencing BC Hydro IPv6 deployment, January 2014
» IoT – IPv6 integration handbook for SMEs: M. R. Palattella, L. Ladid, S Ziegler, W Kastner, M. Jung, M. Kofler, D. D. Drajic, S Krco, G. Nam, R. M. Perez, May 19, 2014
» United States Government Accountability Office, Testimony Before the Committee on Commerce, Science, and Transportation, U.S. Senate: Preliminary Information on FirstNet’s Efforts to Establish a Nationwide Broadband Network, March 11, 2015
» Named Data Networking Next Phase (NDP-NP) Project, May 2015 – April 2016 Annual Report, Principal Investigators – V. Jacobson, J. Burke, L. Zhang, T. Abdelzaher, B. Zhang, kc claffy, P. Crowley, J. A. Halderman, C. Papadopolis, L. Wang
» iCenS: An Information-Centric Smart Grid Network Architecture, R. Tourani, S. Misra, T. Mick, S. Brama, M. Biswal, D. Ameme, Department of Computer Science and Electrical Engineering, New Mexico State University, Received April 4, 2017
» U.S. Department of Energy, Quadrennial Energy Review - Transforming the Nation’s Electricity System: The Second Installment of the QER, January 2017: https://energy.gov/epsa/quadrennial-energy-review-second-installment
» International Information Systems Security Certification Consortium (ISC)², Booz | Allen | Hamilton, Center for Cyber Safety and Education: 2017 Global Information Security Workforce Study: U.S. Government Results, Educating The Workforce in Cyber
» IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705-594-2, ciscopress.com © 2009 Cisco Systems Inc.
» Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, and Patrick Grossetete: ISBN: 15870552105, Sixth Printing July 2011 © 2006 Cisco Systems Inc.
» Scientific American, The 2003 Northeast Blackout—Five Years Later: https://www.scientificamerican.com/article/2003-blackout-five-years-later/
» IPv6 Forum: http://www.ipv6forum.org
» American Registry for Internet Numbers: https://www.arin.net/vault/announcements/2015/20150924.html, https://www.arin.net/knowledge/preparing_apps_for_v6.pdf
» Institute of Electrical and Electronics Engineers (IEEE): https://www.ieee.org/index.html
» Internet Engineering Task Force (IETF): https://www.ieee.org/index.html

Mahalo Nui Loa, Thank you!
» Questions please

Curtis Keliiaa
cmkelii@sandia.gov
CISSP, IPv6 Gold Certified Engineer
Sandia National Laboratories
Comp Sys Security Analysis R&D

The opinions expressed are my own and not necessarily those of my employer
