Using Operational Security (OpSec) to Support a Cyber ... OpSec... Using Operational Security (OPSEC)

  • View
    3

  • Download
    0

Embed Size (px)

Text of Using Operational Security (OpSec) to Support a Cyber ... OpSec... Using Operational Security...

  • Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments Version 1.0

    Draft Recommended Practice

    February 2007

    DISCLAIMER

    This report was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party’s use, or the results of such use, or any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party would not infringe privately owned rights.

    i

  • ii

  • Using Operational Security(OPSEC) to Support a Cyber

    Security Culture in Control Systems Environments

    Version 1.0

    Draft

    Authors: Mark Fabro, Lofty Perch Inc.; Vincent Maio, INL

    Contributors: Rita Wells, David Kuipers, Trent Nelson, Heather Rohrbaugh

    February 2007

    INL Critical Infrastructure Protection Center

    Idaho Falls, Idaho 83415

    Prepared by Idaho National Laboratory

    iii

  • iv

  • CONTENTS

    Keywords ...................................................................................................................................................... 1

    Introduction................................................................................................................................................... 1

    Audience and Scope...................................................................................................................................... 1

    Background................................................................................................................................................... 2

    1. Creating Cyber OPSEC Programs: From Management to Users ....................................................... 5

    1.1 Creating the Program............................................................................................................. 6

    1.2 Program Elements ................................................................................................................. 6

    1.2.1 Risk Assessment and Treatment ......................................................................... 6 1.2.2 Information Security Policy for the Control Domain.......................................... 6 1.2.3 Organization of Information Security (Internal and External) ............................ 7 1.2.4 Asset Management, Classification, and Control ................................................. 7 1.2.5 Human Resources Security ................................................................................. 7 1.2.6 Physical and Environmental Security ................................................................. 7 1.2.7 Communications and Operations Management .................................................. 8 1.2.8 Access Control .................................................................................................... 8 1.2.9 System Acquisition, Development, and Maintenance......................................... 9 1.2.10 Incident Management.......................................................................................... 9 1.2.11 Business Continuity Management....................................................................... 9 1.2.12 Compliance ....................................................................................................... 10

    2. Sustaining Cyber Security Culture: Embedding Security into the Operations Life Cycle ............... 10

    2.1 Clipping Levels ................................................................................................................... 12

    2.2 Configuration, Access, and Change Management............................................................... 13

    2.2.1 Request for A Change to Take Place ................................................................ 14 2.2.2 Approve the Change.......................................................................................... 14 2.2.3 Document the Change ....................................................................................... 14 2.2.4 Test and Present Results.................................................................................... 14 2.2.5 Implement Schedule.......................................................................................... 15 2.2.6 Report change to management .......................................................................... 15

    2.3 System Controls .................................................................................................................. 16

    2.4 Trusted Recovery ................................................................................................................ 16

    3. Technical and Nontechnical Solutions ............................................................................................. 18

    3.1 Administrative Activities..................................................................................................... 19

    3.1.1 Separation of Duties .......................................................................................... 19

    v

  • 3.1.2 User Accountability .......................................................................................... 20

    3.2 Addressing Single Points of Failure .................................................................................... 20

    3.2.1 Fault Tolerance and Clustering ......................................................................... 21 3.2.2 Backups ............................................................................................................. 21

    3.3 Training and Awareness ...................................................................................................... 22

    4. Conclusion........................................................................................................................................ 24

    5. References ........................................................................................................................................ 25

    vi

  • Keywords

    Control Systems, Operations Security, OPSEC, Security Culture, Cyber Security, Industrial Networks

    Introduction

    Information infrastructures across many public and private domains share several common attributes regarding IT deployments and data communications. This is particularly true in the control systems domain. Many organizations use robust architectures to enhance business and reduce costs by increasing the integration of external, business, and control system networks. Data security is often deployed using specialized technologies and is supported by the creation of a cyber security “culture” that is based on policy, guidance, and operational requirements. By using methods of operational security (OPSEC), the security culture empowers management and users to maintain and enhance cyber security by instilling procedures and guidelines into the day-to-day operations.

    However, the cyber security strategies required to protect the business domains and the associated security culture that is created to support the security programs may not be easily translated to the control system space. Factors such as operational isolation, legacy networking, and inflexible roles in job activities may not be conducive to creating environments that are rich with cyber security capability, functionality, or interest. As such, guidance is required to help organizations leverage operational security and establish effective, self-sustaining security cultures that will help protect information assets in the control systems architectures.

    This document reviews several key operational cyber security elements that are important for control systems and industrial networks and how those elements can drive the creation of a cyber security-sensitive culture. In doing so, it provides guidance and direction for developing operational security strategies including:

    • Creating cyber OPSEC plans for control systems

    • Embedding cyber security into the operations life cycle

    • Creating technical and non-technical security mitigation strategies.

    Audience and Scope

    This document is designed for managers and security professionals charged with developing, deploying, and improving the cyber security in their control systems domains. Although designed to be flexible enough to be read and used by system operators and engineers, the material is intended to be used by those that are deploying cyber security programs and creating security-sensitive cultures in control system environments. It is not designed to replace a sector-specific approach to creating a cyber security program, but rather guide interested parties in some of the more common areas requiring special attention. It may be found most appropriate by those that have experience in deploying cyber security programs in modern information

  • technology (IT) domains and are beginning to address the issues related to deploying cyber security strategies for industrial control architectures. The scope of the material is not technically demanding and can be used to provide a foundation for creating or augmenting existing information resource protection initiatives.