Control Systems Security Working Group Report CIPC Meeting Denver, CO September 2005 Tom Flowers Public Release.

CSSWG Activities Since D.C.
August 10, 2005 Meeting in St. Louis (20)
● 2005 Work Plan Review & Initiatives
● Review NSTB Liaison Initiatives
  - Mitigation of 2004 Top Ten Vulnerabilities
  - AGA-12 Testing at SNL & PNNL
● Security Guideline: Information Security - Encryption ( )
● Liaison Reports
● CSSWG Business Processes

CSSWG Activities Since D.C.
2005 Work Plan Review & Initiatives
● Ongoing 2005 Deliverables
  - (SG) Information Security – Encryption ( )
  - (RD) 2005 Top 10 Vulnerabilities & Mitigations
● 12 emerging priorities in control system security identified; top four under consideration:
  - (RD) “Zero Day” event detection/correlation (2006)
  - (SG) Physical & Cyber Incident Response (2006)
  - (RD) Wireless ( ) use in SCADA (2007)
  - (SG) Information Security – SCADA (2007)

CSSWG Activities Since D.C.
Review NSTB Liaison Initiatives
● Mitigation Strategies for 2004 Top Ten Vulnerabilities
  “Potential Mitigation Strategies for the Top 10 Vulnerabilities Identified by NERC CSSWG”, discussion draft for the NERC CSSWG Meeting, August 10, 2005, St. Louis, MO

2. Poorly designed Control System Networks that 1) fail to compartmentalize communication connectivity with corporate networks and other entities outside of the Control System electronic security perimeter; 2) fail to employ sufficient “defense in depth” mechanisms; 3) fail to restrict “trusted access” to the control system network; and 4) rely on “security through obscurity” as a security mechanism.
● Foundational
  - Implement electronic perimeters. Disconnect all unnecessary network connections.
● Intermediate
  - Implement concentric electronic perimeters. Use a completely autonomous network with no shared resources with non-control system networks.
● Advanced
  - Implement virtual LANs, private VLANs, intrusion prevention, anomaly detection, smart switches, etc.

3. Misconfigured operating systems and embedded devices that allow unused features and functions to be exploited. Untimely implementation of software and firmware patches. Inadequate testing of patches prior to implementation.
● Foundational
  - Conduct inventory. Ensure sufficient training of personnel responsible for component configuration and maintenance.
● Intermediate
  - Evaluate and characterize applications.
  - Patch management process: hardware, firmware, software. Maintain full system backups and have procedures in place for rapid deployment and recovery. Maintain a working test platform and procedures for evaluation of updates prior to system deployment.
● Advanced
  - Active vulnerability scans. (Caution: recommend use of a development system so that on-line control systems are not compromised during the scan.) Disable, remove, or protect unneeded or unused services/features that are vulnerable.
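As an added example (not part of the CSSWG report or the NSTB discussion draft), the following Python audit applies the foundational mitigations from items 2 and 3 above to a constructed inventory: it flags perimeter rules that bring traffic into the electronic security perimeter (ESP) from an unapproved zone or on any port, and ESP hosts listening on ports outside their approved baseline. The zone names, asset classes, ports and hosts are all assumptions chosen for the example.

```python
from dataclasses import dataclass
# Approved baseline per ESP asset class (constructed assumption for the example).
APPROVED_SERVICES = {"rtu": {502}, "hmi": {502, 3389}, "historian": {1433}}
# Flows explicitly approved to cross into the ESP: (source zone, port) -> reason.
APPROVED_INGRESS = {("dmz", 1433): "historian replication from the DMZ"}

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "corp", "dmz", "esp" or "any"
    dst_zone: str
    dst_port: int   # 0 stands for "any port"
    action: str     # "allow" or "deny"
@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    kind: str
    listening: frozenset  # TCP ports found listening during the inventory

def audit_perimeter(rules):
    # Compartmentalisation check: every allow-rule that brings traffic into the
    # ESP from outside it must match an explicitly approved (zone, port) flow.
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_zone != "esp" or r.src_zone == "esp":
            continue
        if r.src_zone == "any" or r.dst_port == 0:
            findings.append(f"{r.src_zone}->esp:{r.dst_port}: overly broad ingress")
        elif (r.src_zone, r.dst_port) not in APPROVED_INGRESS:
            findings.append(f"{r.src_zone}->esp:{r.dst_port}: unapproved ingress")
    return findings

def audit_services(hosts):
    # Unneeded-services check: ESP hosts must expose only their baseline ports;
    # anything else is a service to disable, remove or protect.
    findings = []
    for h in hosts:
        if h.zone != "esp":
            continue
        for port in sorted(h.listening - APPROVED_SERVICES.get(h.kind, set())):
            findings.append(f"{h.name}: unexpected listening port {port}")
    return findings
# Constructed sample data: a corporate "any port" rule, a corporate Modbus rule
# with no approval, and an RTU with telnet (23) and HTTP (80) left enabled.
SAMPLE_RULES = [Rule("dmz", "esp", 1433, "allow"), Rule("corp", "esp", 0, "allow"),
                Rule("corp", "esp", 502, "allow"), Rule("any", "esp", 0, "deny")]
SAMPLE_HOSTS = [Host("rtu-07", "esp", "rtu", frozenset({502, 23, 80})),
                Host("hist-01", "esp", "historian", frozenset({1433})),
                Host("corp-ws", "corp", "workstation", frozenset({445}))]
```

Running `audit_perimeter(SAMPLE_RULES)` and `audit_services(SAMPLE_HOSTS)` on the sample data returns two perimeter findings and two service findings; the historian and the corporate workstation produce none.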

CSSWG Activities Since D.C.
Review NSTB Liaison Initiatives
● AGA-12 Testing at SNL & PNNL
  “AGA-12 Testing by the National SCADA Test Bed Program”, discussion draft for the NERC CSSWG Meeting, August 10, 2005, St. Louis, MO

Scope
● Evaluate commercial versions of devices built to the American Gas Association (AGA)-12 Part 2 standard in a laboratory setting
● A variety of tests will be conducted using a representative assortment of equipment
● Serial communication focus
● Not formally approving nor certifying any devices:
  - But will publish test environment, suite of tests performed, and test results
● Goal is to provide an environment that represents typical electrical industry installations

Elements
● Equipment to be tested
● Common test elements
● Baseline tests
● Functionality tests
● Interoperability tests
● Fail-over tests
● Stress tests
● Cryptographic security tests

CSSWG Activities Since D.C.
Information Security - Encryption ( )
● Re-energize the effort
● Re-constitute the team
● May not be ready by December CIPC meeting

CSSWG Activities Since D.C.
Liaison Reports
● ISA (Flowers)
● PCSF/I3P/O&G (Flowers & Holstein)
● Telecom (Leffler)
● IEC/IEEE (Klein)
● Roadmap (Kenchington)

CSSWG Activities Since D.C.
CSSWG Business Processes
● Voting members
● Associate members
● Review participation over the last year
  - Finding: (1) Asset Owner/Operator participation must be increased while preserving a quorum, or (2) relax quorum requirements

CSSWG Activities Since D.C.
From CIPC EC Report in Long Beach:
● WG/TF Chairs and EC are reviewing assignment of CIPC members to WG/TFs
  - Ensure adequate resources are in place to achieve deliverables
  - Ensure appropriate contribution of asset owners/operators
  - Balance contribution by individual CIPC members