Seán Paul McGurk National Cybersecurity and Communications

Presentation transcript:

Department of Homeland Security: Incident Response and Vulnerability Analysis
Seán Paul McGurk, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security

Security within the control systems community can be viewed as value added by increasing efficiency and safety. DHS/NCSD recognizes the importance of control systems and the role that the private sector plays in protecting our nation's infrastructure.

Outline for Presentation
- Scope of CSSP mission: control systems within critical infrastructure; cuts across all 18 sectors
- What is the concern/risk: intersection of IT and control systems
- What is DHS doing to reduce the risk to control systems: ICS-CERT and on-site assessment efforts
- Observations
- Stuxnet – what we have been doing

Cyber Incident Response and Analysis
Today we will focus on the ICS-CERT efforts and our findings as we have worked with the control systems stakeholders in the critical infrastructure community. ICS-CERT has gained significant traction in recent months as the number of cyber incidents is increasing and as asset owners have called us in for support. We have deployed fly-away teams to assist with on-site forensics and recovery efforts, and our malware analysis lab has been extremely busy.

Situational Awareness
ICS-CERT: provide operational support for critical infrastructure stakeholders to respond and defend against emerging cyber threats.
- Situational Awareness: observe, identify, acquire, or receive relevant ICS information
- Incident Response: provide on-site assistance and off-site analysis to bridge the information gap
- Technical Analysis: perform digital media analysis for malware and consequences
- Partnering: provide disclosure through advisories, alerts, bulletins and information sharing

Benefits to the ICS and Critical Infrastructure Community
- Awareness of emerging issues and threats
- State of the art analysis capabilities specific to ICS
- Incident response support for recovery and future defense
- Established partnership for immediate support and guidance
- ICS-CERT collaboration with other agencies and partners

These four focus areas function to provide important benefits to the ICS community.

ICS-CERT: Products
- Alerts
- Advisories
- Website & Portal

These are the three main ways we communicate with our customers. Trusted partners may join the US-CERT Portal – Control Systems compartment to receive updates on alerts and advisories. The website is updated weekly with news articles related to relevant critical infrastructure events via an RSS feed.
- Advisories: provide advice and guidance on dealing with a specific situation; mitigations
- Alerts: quick release product (within hours); may not have mitigations, but we want to provide a heads up on information we have
- Portal membership: need-to-know environment; trusted partners (for example, a zero day with no known fix would be released through the portal but not to the public)

ICS-CERT and the NCCIC
The National Cybersecurity and Communications Integration Center is composed of organizational components and operational liaisons:
- Components refers to DHS organizations that have a major presence on the NCCIC floor
- Operational Liaisons refers to outside agencies such as ISACs, law enforcement and industry
The execution of NCCIC's mission relies on coordinated operations that contribute to all products and services.

The NCCIC provides a collaborative environment where the security agencies and divisions can share information and coordinate responses to national cyber events and incidents. ICS-CERT is one of the 5 main components that constitute the NCCIC.

Incident Response Support
- Assist asset-owners
- Onsite "flyaway" teams: network architecture, data collection, mitigation
- Offsite technical analysis teams: analysis of collected data, customer reporting
- Bridge the threat awareness gap

Purpose of the incident response capability: assist asset-owners with identification and elimination of threat actors affecting critical infrastructure. The effort is collaborative with US-CERT, with ICS-CERT focusing on control environments within critical infrastructure.

On-site: a fly-away team is available to deploy onsite, review the affected entity's network architecture, collect applicable forensic data, assist with immediate mitigation efforts when appropriate, and redeploy with the collected data to perform additional forensic analysis in a laboratory environment. Team members: a Team Lead with support from the ICS-CERT Technical Analysis Team (typically a control engineer and a cybersecurity analyst), and US-CERT technical teams as necessary/appropriate.

Off-site: after redeployment, analytical findings are conveyed to the customer on a weekly basis, or sooner if circumstances/findings dictate. Off-site analysis is also available without a fly-away team if appropriate data sets can be provided to the ICS-CERT Technical Analysis team or the appropriate US-CERT analysis team.

On-site assistance attempts to bridge the gap between threat information held by the government and the needs of owner/operators when identifying and recovering from incidents or attempting to plan for the future security of their network. Access to important data sources enables ICS-CERT and US-CERT to add unique value as part of partnerships and collaborative initiatives with private sector stakeholders.

Incident Response Example: Pre-deployment
(Diagram: Company-X request for assistance; information package; ICS-CERT Operations)
3. ICS-CERT notifies appropriate authorities, delivers a pre-visit checklist and, based on checklist inputs, determines the appropriate fly-away team composition. Prior to deployment, ICS-CERT analysts prepare a classified pre-deployment briefing for the fly-away team.

Incident Response Example: Onsite
(Diagram: Company-X; ICS-CERT Operations; logs and drive images flow to ICS-CERT & US-CERT Technical Analysis)
4. The ICS-CERT team (sometimes joined by a US-CERT representative) conducts the investigation and provides on-scene assistance to UTILITY-X; in parallel, ICS-CERT analysts prepare all-source background briefings for DHS consumers.

Incident Response Example: Post-deployment
(Diagram: ICS-CERT & US-CERT Technical Analysis; ICS-CERT Operations; Company-X)
6. Based on technical findings, ICS-CERT reports to all appropriate authorities/agencies and provides follow-up assistance to UTILITY-X.

Fly-Away Team Observations
- Increase in control systems owner/operators' desire to understand the threats to their systems and how to mitigate risks
- Increased security measures are needed not only to prevent cyber attacks, but to detect and respond to incidents and mitigate the overall risk
- Trends in the usage of USBs and other removable media have introduced and spread malware
  - USB thumb or flash drives have found their way into many networks
  - USB drives offer malware authors an unprecedented ability to circumvent customary network access controls and protections
  - Control systems are susceptible to attacks via USB drives since they tend to be isolated from the internet and business network and are, therefore, used to push out updates to the system

Based on our recent involvement with industry, the following observations were noted. General observation: a lack of established security practices and adequate awareness among company employees has resulted in compromised networks.

Control System Vendors' Response
- Developing internal incident response teams or CERTs for triaging major issues
- Notifying their consumer base through increased advisories and communications
- Collaborating with ICS-CERT on vulnerability related issues, including testing of mitigations and workarounds
- Participating in working groups such as the Industrial Control Systems Joint Working Group (ICSJWG) to collaborate with other vendors and solicit feedback from owner/operators
- Overwhelming response to participate in the Program's week-long ICS advanced cybersecurity training

As the malware analysis team has worked with ICS vendors, we have seen positive results and willing participation to improve the security posture of their products and provide security support to their customer base. The vendor community is stepping up as players in this fight and taking steps to improve security within their products. Siemens started a CERT team.

Cyber Security Evaluation Tool (CSET)
CSET Features
- Assessment covers policy, plans, and procedures in 10 categories
- Provides recommended solutions to improve security posture
- Allows for standards-specific reports (e.g., NERC CIP, DOD 8500.2, NIST SP 800-53)
Recent Accomplishments
- Issued Version 2.0 of the tool; the embedded Global Assessment cross-references multiple standards
- Version 3.0 in development – planned completion in Sept 2010
- Distributed over 1,000 copies since October 2009 to asset owners in 15 different sectors

The evaluation tool helps owners and operators evaluate the security posture of their control system, and it provides recommendations on how the security can be improved.

Assessments: On-Site Support
- CSSP used CSET to assist critical infrastructure asset owners in conducting self-assessments
- Completed 50 assessments in multiple sectors
- Assessment teams assisted infrastructure asset owners in 17 states and territories, including several remote locations where the control systems represent 'single-point failures' for the community
- CSSP encourages asset owners to identify their security gaps and implement the recommended mitigation strategies

Another key focus area for the program has been our on-site assessment work.
Sectors: water, transportation, health, shipping, dams, energy, banking & finance, chemical, IT, defense.
States and territories included: CA, NM, OK, WA, LA, AL, NH, ND, PA, NV, MN, American Samoa, Saipan, Guam.

On-Site Assessment Observations
- Weak or nonexistent cybersecurity policies and practices
  - Lack of a formal documented program and procedures
  - Need for an established cybersecurity team
  - Need for incident response and disaster recovery policies and/or directives
- Insufficient control of remote logging and access
  - Weak enforcement of remote login policies
  - Weak port security
- Network architecture not well understood and internal networks not segmented
  - Flat networks – devices not properly configured

On-Site Assessment Observations (continued)
- Media protection and control
  - Weak control of incoming and outgoing media – use of USB drives
  - Lack of encryption implementation
- Audit/logging events
  - Insufficient methods for monitoring and controlling network events
  - Lack of understanding of disaster recovery techniques
- Weak testing environments
  - Limited patch management abilities
  - Weak backup and restore abilities
  - Weak firewall rule sets

Patch management – good example: the Army Corps of Engineers has 9 dams on the Columbia River in Washington. They have a testing environment set up where they test patches for 1,000 hours before pushing them out to their operational units.
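Two of the observations above (flat, unsegmented networks and weak firewall rule sets) can be checked mechanically once an assessor has mapped the architecture. The Python below is an added example written for this page, not part of the presentation or of CSET; its zones, host inventory, rules and the simple rule format are all constructed.

```python
# Checks for two of the observations above: flat networks (control and business
# hosts on one segment) and firewall rules leaving the control zone reachable
# from the business side. Zones, hosts, rules and the rule format are constructed.
from collections import namedtuple
from ipaddress import ip_network
from typing import Dict, List, Tuple

ZONES = {"business": ip_network("10.10.0.0/16"), "control": ip_network("10.20.0.0/16")}
CONTROL_ROLES = {"hmi", "plc", "historian", "engineering-workstation"}
Rule = namedtuple("Rule", "src dst port action")  # src/dst/port may be "any"

def zone_of(cidr: str) -> str:
    """Map an address or CIDR onto a documented zone; "any" covers every zone."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "undocumented"  # the architecture map does not cover this network

def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag allow rules that let the business side (or anyone) into the control zone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zone_of(r.src), zone_of(r.dst)
        if dst in ("control", "any") and src in ("business", "any"):
            scope = "any port" if r.port == "any" else f"port {r.port}"
            findings.append(f"{src}->{dst} allowed on {scope}: {r.src} -> {r.dst}")
        if "undocumented" in (src, dst):
            findings.append(f"rule references an undocumented network: {r.src} -> {r.dst}")
    return findings

def find_flat_segments(hosts: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return /24 segments where control devices share a subnet with business hosts."""
    kinds_by_segment: Dict[object, set] = {}
    for ip, role in hosts.values():
        seg = ip_network(f"{ip}/24", strict=False)
        kind = "control" if role in CONTROL_ROLES else "business"
        kinds_by_segment.setdefault(seg, set()).add(kind)
    return [str(seg) for seg, kinds in kinds_by_segment.items() if len(kinds) == 2]

SAMPLE_RULES = [  # constructed rule set
    Rule("any", "10.20.0.0/16", "any", "allow"),              # whole control zone open
    Rule("10.10.5.0/24", "10.20.1.10/32", "3389", "allow"),   # remote login into the HMI
    Rule("192.168.99.0/24", "10.20.0.0/16", "502", "allow"),  # source network undocumented
    Rule("10.20.0.0/16", "10.10.0.0/16", "any", "deny"),
]
SAMPLE_HOSTS = {  # constructed host inventory: a "flat" plant segment
    "hmi-01": ("10.20.1.10", "hmi"), "plc-03": ("10.20.1.30", "plc"),
    "mail-gw": ("10.20.1.200", "mail"), "ws-07": ("10.10.7.7", "workstation"),
}
```

Running `audit_rules(SAMPLE_RULES)` reports the open control zone, the business-to-HMI remote login and the undocumented source network, and `find_flat_segments(SAMPLE_HOSTS)` reports 10.20.1.0/24, where a mail gateway sits beside the HMI and PLC.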

Industrial Control Systems Joint Working Group (ICSJWG)
- Provides a vehicle for collaboration between government and private sector control systems stakeholders: Government Coordinating Council, Sector Coordinating Council, subject matter experts, international community
- Fosters information sharing and coordination of activities and programs across government and private industry stakeholders involved in protecting CIKR
- Includes 6 subgroups – volunteers welcome: Vendors; Research and Development; International; ICS Roadmap Development; Workforce Development; Information Sharing

Contact Information
- Report control systems cyber incidents and vulnerabilities: ics-cert@dhs.gov, 877-776-7585
- Report general cyber incidents and vulnerabilities: www.us-cert.gov or soc@us-cert.gov, 703-235-5111, 888-282-0870
- Sign up for cyber alerts: www.us-cert.gov
- Learn more about the Control Systems Security Program: www.us-cert.gov/control_systems, cssp@dhs.gov