Activity Report for DHS Industrial Control Systems Joint Working Group (ICSJWG)

For OSGug Meeting – SG Security Knoxville, TN – 28 February 2012

Ralph Mackiewicz, SISCO, Inc.



What is ICSJWG?

• A collaborative and coordinating body operating under the Critical Infrastructure Partnership Advisory Council (CIPAC) http://www.dhs.gov/files/committees/editorial_0843.shtm

• www.us-cert.gov/control_systems/icsjwg/index.html

• Primary means for private USA entities to interact with DHS on cyber security issues related to “industrial control systems” which is how energy control systems are classified.

• Meets twice a year face to face

• Working groups meet via telcon regularly

• Quarterly newsletter


Spring Meeting 2012


Spring 2012 Meeting Highlights

• Savannah, GA:

– May 7: working group meetings

– May 8-9: ICSJWG meeting (see site for agenda)

– May 10: International Partners Day – Information sharing with invited international partners.

• Idaho Falls, ID

– May 14-18: INL Advanced Cybersecurity Training (Red/Blue Team)


ICSJWG Subgroups

• Sector coordinating council and government coordinating council (GCC/SCC) *

• R&D

• International

• Workforce development *

• Information Sharing

• Roadmap **

• Vendor **


ICS Roadmap Subgroup

• Develop the Cross-Sector Roadmap as a resource for all sectors to provide a common lexicon and a set of ready-to-tailor models to develop sector-specific roadmaps that incorporate cybersecurity and maturity of ICS as a supporting business model.

• Provide an ongoing review of the state of ICS across all sectors.


Cross Sector Roadmap


Cross-Sector Roadmap

• Cross Sector Roadmap: https://cs.hsin.gov/C14/C1/RoadmapToSecureICS/Document%20Library/Cross%20Sector%20Roadmap/Final%20Roadmap%20-%20Post%202011%20Fall%20Conference/Cross-Sector%20Roadmap%20Sep%2030%202011-Final.pdf

• Goals and Gap Analysis

GOAL TITLE | SECTOR | SHORT/NEAR TERM MILESTONES (avg. 0-3 yrs) | MID-TERM MILESTONES (avg. 4-7 yrs) | LONG TERM MILESTONES (avg. 7-10 yrs) | OBJECTIVE1

Chemical

Establish an industry-driven awareness effort to communicate information relating to the cybersecurity threats, vulnerabilities, and risks and the availability of recommended practices, tools, and training materials to the Chemical Sector

Metrics for benchmarking security posture are available and agreed upon

Asset owners and operators are performing self-assessments of their ICSs using consistent criteria

Real-time security state monitors for new and legacy systems are in use

Fully automated security state methodologies are in use

Create a risk matrix that balances threat, vulnerability, and consequence

Dams

Integration of security into all operational plans

Development of control system security recommended guidelines for use by the Dams Sector

Development of common risk assessment metrics and standards

Development of tools to assess security posture and compliance with pertinent regulations

Implementation of training programs throughout the Dams Sector on the control system security recommended guidelines

Integration of control system security education, awareness, and outreach programs into Dams Sector operations

Implementation of risk assessment tools throughout the Dams Sector – asset owners and operators begin performing self-assessments of their security postures

Update Dams SSP as appropriate

Development of fully automated security state monitors in most dam control systems networks

Industry-wide active assessment of ICS security profiles including benchmarks against other sectors

2006 Energy

Baseline security methodologies available, self-assessments published, and training provided

50% of asset owners and operators performing self-assessments of their control systems using consistent criteria

Common metrics available for benchmarking security posture (relative to peers)

90% of energy sector asset owners conducting internal compliance audits

A real-time security state monitor for new and legacy systems commercially available

Fully-automated security state monitor and response systems are common in control system networks

Create an environment for securely sharing collected US Government information on threats and real-world attacks with utilities and vendors

Assess Risk Water

Develop ICS risk assessment and reporting guidelines, published and available throughout the water sector

Identify common metrics for benchmarking ICS risk (threat-vulnerabilities-consequence) in the water sector

Develop ICS risk assessment tools, such as end-to-end, threat-vulnerabilities-consequence analysis capability for the water sector

Conduct sector-wide training on risk assessment tools

The water sector actively measures ICS security performance and benchmarks with other sectors

Create an ICS risk matrix that balances threat, vulnerability, and consequence

Chemical

Sector is participating in security training to available, qualified, and consistent control system security training materials

Secure connectivity between business systems and ICSs within corporate networks

Widespread implementation of methods for secure communication between remote access devices and control centers that are scalable and cost effective to deploy

Perform nondisruptive intrusion tests on ICSs to demonstrate the effectiveness of automated isolation and response

Secure ICS architectures with built-in, end-to-end security are in all critical operating systems

Identify accepted practices for physical and cyber security control centers

Dams

Development of control system protection guidelines for existing ICS

Enablement of existing ICS access controls throughout the Dams Sector

Development and implementation of security patches for legacy systems

Establishment of mechanisms to enhance information sharing between asset owners and operators and vendors

Identification and dissemination of best ICS security practices among Dams Sector stakeholders

Development of guidance and education material associated with applicable project regulations

Development of guidelines to secure or isolate ICS communications from public networks and communication infrastructures

Implementation of new protective tools and appropriate training

Implementation of secure interfaces between ICS and business systems

Identification, publication, and dissemination of best practices, including ones for securing connectivity with business networks and for providing physical and cybersecurity for remote facilities

Development of high-performance, secure communications for legacy systems

Secure integration of ICS and business systems

Goal 1

Measure and Assess Security Posture

Goal 2

Develop and Integrate Protective Measures


Vendor Subgroup

• Regular Telcons

• Main Activities

– Vulnerability Disclosure Guidelines Whitepaper

– Improve Communications Subcommittee


Vulnerability Disclosure Whitepaper v3

• 2. Executive Summary
• 3. Document Purpose
• 4. Document Expectations
• 5. Software Vulnerabilities
• 5.1 Types of Vulnerabilities
• 5.2 Mechanisms for Identifying Vulnerabilities
• 6. Types of Disclosure
• 6.1 Private Customer Disclosure
• 6.2 Public Disclosure
• 6.3 Third-Party Disclosure
• 7. Vulnerability Disclosure Policy Components
• 7.1 Foundation Elements
• 7.2 Policy Commitments
• 7.2.1 Distribution
• 7.2.2 Deliverables
• 7.2.3 Timelines
• 7.2.4 Mitigations
• 7.2.5 Resolution
• 7.3 Customer Deliverables
• 7.3.1 Summary of Disclosure Policy
• 7.3.2 Vulnerability Disclosure Policy Statement
• 7.4 External Publications
• 7.4.1 Vulnerability Disclosure Policy Statement
• 7.5 Contact Mechanisms
• 7.5.1 Security Webpage
• 7.5.2 Security Email Address
• 7.5.3 Anonymous Submission Form
• 7.6 Classification of Vulnerabilities
• 8. Appendix A – Terminology
• 9. Appendix B – Sample Disclosure Policy
• 10. Appendix C – References


Improve Communications Subcommittee

• Formed in response to persistent comments about gaps in information sharing

• 2 areas of focus

– Internal: communications among ICSJWG groups and activities

– External: communications outside of ICSJWG

• Done by May 2012


Internal Communications

• Require status reports by groups

• Developing org chart and information flow diagrams

• Review and address prioritized improvements

– Tier 1 – Biggest impact. Completed by May

– Tier 2 – Additional improvements.


External ICSJWG Improvement Suggestions

Priority Rating: Low - 1, Med - 3, High - 9

• Identify the types of communications that need to take place between stakeholders, developers, manufacturers, vendors, and users.

• Identify a way to inform vendors about issues they may not be aware of.

• Identify current communication types and paths being used and assess how well or poorly they currently work.

• Identify incident handling communication strategies for vendor specific topics.

• DHS to describe who, what and how information is shared with different stakeholders (e.g., vendors, asset owners, consultants) so everyone understands current policies and guidelines.

– Provide useful information to vendors who want to improve their product’s security posture.

– Share information with vendors whose products and solutions are used in critical infrastructure.

– Develop a way to share sensitive information with the vendor community.

• Identify different types or scenarios of communication; examples were: protocol, device, software, and situational awareness.

• Identify knowledge flows within the ICSJWG community.


External Communications Challenges

• Terminology is a problem

– “Sensitive” has an official meaning.

• There already is a well established process for information sharing of Protected Critical Infrastructure Information (PCII).

– The PCII Program enhances information sharing between the private sector and the government.


PCII Information Flow

ICS-CERT and other alerts


Legitimate Concerns

• PCII is shared with an understanding of confidentiality by those disclosing to DHS.

• Some PCII is pretty darn “sensitive”.

• Initial reaction to sharing PCII: “No #%$&#@! Way”


Need a Solution

• This information can only benefit industry if those in industry are given access and allowed to use it to improve security.

• There must be a way to qualify/accredit firms and people to receive more detailed information than that which is currently shared.

• Need to get government lawyers to understand the benefit.


Realistic?


Thank You

Ralph Mackiewicz
SISCO, Inc.
6605 19 1/2 Mile Road
Sterling Heights, MI 48314 USA
Tel: +1+586-254-0020 ext. 103
Fax: +1-586-254-0053
Mobile: +1-586-260-2571

[email protected]