Standards

Certification

Education & Training

PublishingConferences & Exhibits

ISA EXPO 2008

Control System Self Assessment Tools and Methods

Welcome

• Presenter: Carol Muehrcke, Cyber Defense Agency LLC– Co-chair SCADA Cyber Self Assessment Working Group (WG) under

Process Control System Forum (PCSF)– Computer security R&D since 1992

• Topics:– WG background– Requirements for IACS cyber security self assessment– Survey of available tools and methods– Planning a self assessment

IACS: Industrial Automation and Control System (ISA term)

PCSF Self Assessment WG

• Rationale: 2005 - pressing need to understand IACS cyber security readiness

• Charter: Enable the development and use of the best possible next generation of self administered tools and methodologies for the assessment of the cyber security readiness of process control systems.

• Deliverables:– IACS self-assessment requirements list– Gaps: Requirements unmet by existing tools and

methodologies• Final report: on PCSF web site

https://www.pcsforum.org/groups/13/

Self Assessment WG Core Team• Garill Coles

Pacific Northwest National Laboratory Garill.Coles@pnl.gov

• Mark C. Morgen 3M - Optical Systems Division mark.morgen@mmm.com

• Carol Muehrcke (Co-chair) Cyber Defense Agency, LLC cmuehrcke@cyberdefense agency.com

• Matt Earley Decisive Analytics Corporation matt.earley@dac.us

• Ron Melton Pacific Northwest National Laboratory ron.melton@pnl.gov

• Candace Sands EMA csands@ema-inc.com

• Brian Isle (Chair) Adventium Labs brian.isle@adventiumlab s.org

• Cliff Glantz Pacific Northwest National Laboratory cliff.glantz@pnl.gov

• Mary S. Hester Intelligent System Solutions mhester@issatlanta.com

Self Assessment Requirements Categories

• Importance of Cyber Security in Business

• Scope of the Cyber Security Management System

• Security Policy• Personnel Security• Organizational Security• Compliance• Physical and Environmental

Security• Access Control**• Information and Document

Management• Identifying Vulnerabilities**• Risk Identification, Classification

and Assessment**

• Risk Management and Implementation

• Incident Planning and Response• Infrastructure-Related Operations

and Change Management• Staff Training and Security

Awareness**• System Development and

Maintenance• Monitoring and Reviewing the

Cyber Security Management System

• Maintaining and Implementing Improvements

Key: Covered; Gaps in some Sectors; Gaps in all sectors ** Highest WG priority

Example – Access Control

General: • Principle of least privilege, controlled management of accounts, coverage of

personnel and third parties IACS Specific:• Administrative vs. control access• Critical vs. non-critical operator functions and platforms • Stronger authentication for remote access• Team passwords• Approval of privileges by personnel familiar with control tasks• Complementary physical access controls (e.g. unattended logged in

terminals)• Control risks due to denial of service: forgotten passwords, expiring

passwords, account lockout on login failures, screen savers blocking status information, authentication using remote servers or LAN/WAN elements

• Operation during modification of access controls

Type and Scope for Tools and Methodologies

Risk Vulnerability

Cyber Physical

IACS IT

StandardSoftware Tool

Step by Step Method

Questionnaire

Tools and Methods Analyzed

Name Type Sector Scope

API 1164 Standard Appendices A-B

Questionn aire & cyber security plan

Refining and Petrochemic al

Risk & Vulnerability, Cyber, IACS

API SVA - Security Vulnerability Analysis

Methodol ogy

Refining and Petrochemic al

Risk, Physical & Cyber, Generic

Industry Participant Tool - Proprietary

Excel- based tool

Refining & Petrochemic al

Vulnerability, Cyber, IACS

CIDX Guidance for Address. Cyber Security in Chem. Industry V 3.0 – App. 1

Questionn aire

Chemical Vulnerability; cyber, IT & some IACS

PHAWorks – Primatech, w/ cyber guidance doc

Software Tool

Refining, Petrochemic al & Chemical

Risk, Physical and Cyber, Generic

Tools and Methods Analyzed (cont.)

Name Type Sector Scope

RAM-W Risk Assessment Methodology-Water

Methodol ogy

Water/Wast ewater

Risk, Physical & Cyber, Generic

VSATVulnerability Self Assessment Tool

Software Tool

Water/Wast ewater

Risk, Physical & Cyber, high level IT and IACS

CS2SATCyber Security Self Assessment Tool

Software Tool

Cross- sector, tailorable to a sector

Vulnerability & some Risk, Cyber, IACS

DHS NCSD Questionnaire

Question naire

Cross- sector

Vulnerability, Cyber, Generic

WG Results - Highlights

• The score:– 3 IACS specific (one proprietary)– 2 some unique IACS content– 4 no unique IACS content

• Much sector material applicable cross-sector• Risk specific to IACS treated at high level or via consequence

– VSAT: IACS as one element of enterprise, probability is user input– API 1164:

– application consequence categories determine requirements– Some guidance on ranking interfaces by value and susceptibility

– CS2SAT: consequence as proxy for risk– Need fundamental R&D and data gathering

• CS2SAT: most depth for IACS vulnerabilities, access control• Staff Awareness and Training Category

– Tools and methods not success driver– Unique to sectors and enterprises– Sector groups have role providing guidance– Nuclear initiative

Planning a Self Assessment

• Study and address all 18 categories– Standards typically touch most of them

• Choosing tools and methods:– Unlikely you will find a comprehensive self-assessment tool or method– Software tool functionality: standards compliance tracking vs. technical features– Consider organizational structure (IT and IACS, Cyber and Physical Security)– Other characteristics (cost, ease of use) covered in WG analyses

• Address both risk and vulnerability• Little detailed guidance available on risk specific to IACS• World class organizations treat all risks under same structure (physical, IT

cyber, IACS cyber)• As first steps:

– Coordinate with physical security assessments– Reuse IT work on vulnerabilities (risk and mitigations less applicable)

Sample Resources

Requirement Category

Tool or Method Comments

Security Policy American Petroleum Institute 1164 Appendix B

Sample security plan

Information and Document Management

American Petroleum Institute 1164 and Appendix A

List of IACS documents requiring protection

Access Control, Vulnerabilities

CS2SAT Create model of network, then examine, host by host

Risk Identification, Classification and Assessment

VSAT Systematic approach to prioritizing risks

Review

• Start with understanding of self assessment requirements• Tools and methods specific to IACS are few, new• Tool or method may be helpful although not IACS-specific• One way to find useful tools and methods - WG Final Report

matrix of methods and tools vs. requirements• Consider resources from other sectors• Look for improvements in treatment of risk

Q & A

• Any questions?

Backup Slides

Example – Personnel Security

General: • Employees and contractors are screened upon employment and

job changes, based on criticality of job. Job responsibilities for security clearly defined.

IACS Specific:• Guidance on defining job criticality for control system personnel• Guidance on security responsibilities of control room and other

control system personnel.• Third party contracts related to control room have provisions for

cyber security.

Example – Risk Identification, Classification and Assessment

General: • Identify threats, vulnerabilities, consequences, probability of

occurrence for realization of threats identified IACS Specific:• Consider when defining criticality: how long can you operate

without control, without visibility? How fast do you need alerts, alarms, and to be able to start, stop or modify a process?

• Enumeration and characteristics/preferences of threat sources (e.g. terrorist, activists, employees, criminals)

• Guidance for assessing probability of control system security incidents

• Guidance on assessing consequences • Consider: interdependencies and cascading effects• List of control system specific vulnerabilities…

Example – Staff Training and Awareness

General: • Need for timely awareness and specific technical cyber security

training plus periodic updates IACS Specific:• Awareness and training for control system personnel tailored to

specific needs• Guidance on training needs for control system personnel