Washington DC – Mar 16, 2017
Michael Chipley PhD GISCP PMP LEED AP, President, The PMC Group LLC
Discussion Title: DHS National Cybersecurity and Communications Integration Center
Discussion Summary: Michael will give an overview of the NCCIC and ICS-CERT, Incident Reporting, Alerts and Advisories, NVD and CVEs, the ICS-CERT Joint Working Group (ICSJWG) and Newsletter, Training, and CSET
NCCIC and ICS-CERT Overview
The Department of Homeland Security is responsible for protecting our Nation's critical infrastructure from physical and cyber threats. Cyberspace enables businesses and government to operate, facilitates emergency preparedness communications, and enables critical control systems processes. Protecting these systems is essential to the resilience and reliability of the Nation's critical infrastructure and key resources (CIKR) and to our economic and national security.
The NCCIC serves as a central location where a diverse set of partners involved in cybersecurity and communications protection coordinate and synchronize their efforts. NCCIC's partners include other government agencies, the private sector, and international entities. Working closely with its partners, NCCIC analyzes cybersecurity and communications information, shares timely and actionable information, and coordinates response, mitigation, and recovery efforts.
ICS-CERT reduces risk to the Nation's critical infrastructure by strengthening control systems security through public-private partnerships. ICS-CERT has four focus areas: situational awareness for CIKR stakeholders; control systems incident response and technical analysis; control systems vulnerability coordination; and strengthening cybersecurity partnerships with government departments and agencies.
National Cybersecurity and Communications Integration Center https://www.us-cert.gov/nccic
NCCIC Organization Chart
NCCIC Reporting Options and Subscribing to Alerts
NCCIC Revised Federal Incident Notification Guidelines Apr 2017 https://www.us-cert.gov/incident-notification-guidelines
NCCIC Revised Federal Incident Notification Guidelines Apr 2017
These guidelines support US-CERT in executing its mission objectives and provide the following benefits:
Greater quality of information – Alignment with incident reporting and handling guidance from NIST SP 800-61 Revision 2 to introduce functional, informational, and recoverability impact classifications, allowing US-CERT to better recognize significant incidents.
Improved information sharing and situational awareness – Establishing a one-hour notification time frame for all incidents to improve US-CERT's ability to understand cybersecurity events affecting the government.
Faster incident response times – Moving cause analysis to the closing phase of the incident handling process to expedite initial notification.
Table of Contents: Notification Requirement; Submitting Incident Notifications; Impact and Severity Assessment; Major Incidents; Impact Category Descriptions; Attack Vectors; Attack Vectors Taxonomy; Incident Attributes
https://www.us-cert.gov/incident-notification-guidelines
NCCIC Report Incidents https://www.us-cert.gov/forms/report
ICS-CERT Alerts https://ics-cert.us-cert.gov/alerts
ICS-CERT Advisories https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01
ICS-CERT Advisories
VULNERABILITY OVERVIEW
CREDENTIALS MANAGEMENT (CWE-255)
Tableau Server is embedded within the Schneider Electric Wonderware Intelligence software and contains a system account that is installed by default. The default system account is difficult to modify to use non-default credentials after installation, and changing the default credentials in the embedded Tableau Server is not documented. As such, Schneider Electric has released a new software version that removes the default system account in the embedded Tableau Server.
If Tableau Server is used with Windows integrated security (Active Directory), the software is not vulnerable. However, when Tableau Server is used with local authentication mode, the software is vulnerable. The default system account could be used to gain unauthorized access.
CVE-2017-5178 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01
National Vulnerability Database https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5178
ICS-CERT https://ics-cert.us-cert.gov/
CVSS Calculator Score https://nvd.nist.gov/cvss/v3-calculator?name=CVE-2017-5178&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ICSJWG Meetings https://ics-cert.us-cert.gov/Industrial-Control-Systems-Joint-Working-Group-ICSJWG
ICSJWG Newsletter
ICS-CERT Standards and References https://ics-cert.us-cert.gov/Standards-and-References
ICS-CERT Training
Hands-On Format - Technical Level ICS Cybersecurity (301) - 5 days
This event will provide hands-on training in discovering who and what is on the network, identifying vulnerabilities, learning how those vulnerabilities may be exploited, and learning defensive and mitigation strategies for control system networks. The week includes a Red Team / Blue Team exercise that takes place within an actual control systems environment. The training provides the opportunity to network and collaborate with other colleagues involved in operating and protecting control system networks. Note that this course is not a deep dive into training on specific tools, control system protocols, control system vulnerability details, or exploits against control system devices.
This event consists of industrial control systems cybersecurity training and a Red Team / Blue Team exercise:
Day 1 - Welcome, overview of the DHS Control Systems Security Program, a brief review of cybersecurity for Industrial Control Systems, a demonstration showing how a control system can be attacked from the internet, and hands-on classroom training on Network Discovery techniques and practices.
Day 2 - Hands-on classroom training on Network Discovery, using Metasploit, and separating into Red and Blue Teams.
Day 3 - Hands-on classroom training on Network Exploitation, Network Defense techniques and practices, and Red and Blue Team strategy meetings.
Day 4 - 8-hour exercise where participants are either attacking (Red Team) or defending (Blue Team). The Blue Team is tasked with providing the cyber defense for a corporate environment, and with maintaining operations to a batch mixing plant and an electrical distribution SCADA system.
Day 5 - Red Team/Blue Team exercise lessons learned and round-table discussion.
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
ICS-CERT Assessments https://ics-cert.us-cert.gov/Assessments
ICS-CERT 2015
ICS-CERT Assessments 2015 Top 20
ICS-CERT CSET https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
CSET Process
CSET Visio and GrassMarlin Import CSET has a very robust network diagramming and inventory capability; additional templates are added with each new release
CSET Site Cyber Security Plan Generated using NIST SP 800-53 R4 and NIST SP 800-82 R2 Security Controls
Contact Michael Chipley The PMC Group LLC mchipley@pmcgroup.biz 571-232-3890
THANK YOU CS2AI Confidential