Critical Infrastructure Protection: Two of Many Standards Needs, presented by Ken Watson, President and Chairman, Partnership for Critical Infrastructure Security


Post on 09-Jul-2020


Page 1: Critical Infrastructure Protection: Two of Many Standards Needs documents/Meetings and... · 2015-09-24 · Homeland Security: Collaboration, Innovation and Standardization Slide

Critical Infrastructure Protection: Two of Many Standards Needs

presented by Ken Watson

President and Chairman, Partnership for Critical Infrastructure Security

ANSI Annual Conference 2003 · Homeland Security: Collaboration, Innovation and Standardization · Slide 2

Critical Infrastructure Protection: Two of Many Needs

Agenda

• Critical Infrastructure Protection background
• Two Key Standards Needs
  – Information Sharing
  – Manufacturing and Control Systems
• Current Control System Standards Activities
• Information Sharing Recommendations

Slide 3

The World is a Network of Networks…

Any Geographical Area, Any Network, Any Functional Area Is a Place of Vulnerability

[Diagram labels: Internet Core; Water; Oil and Gas; Banking and Finance; Transportation; Telecommunications; Government Services; Emergency Services; Electric]

Slide 4

Critical Infrastructures

PDD-63 Critical Infrastructures

• Water
• Transportation
• Oil & Gas
• Banking & Finance
• Electric Power
• Emergency Services
• Government Services
• Telecommunications

Slide 5

Critical Infrastructures

Added Critical Infrastructures

• Chemical Industry and Hazardous Materials
• Agriculture
• Key National Assets*
• Public Health
• Postal and Shipping
• Food
• Defense Industrial Base

Slide 6

National Security Interest

Infrastructures…

• Are critical to safety, security, our way of life
• Depend on commercial networks
• Are interdependent
• Are largely owned and operated by private companies
• Cannot entirely depend on the Federal government for defense against cyber attacks

Government Needs Industry in a True Public-Private Partnership

Slide 7

The Business Case

• Businesses dependent for their survival on the Internet
• Vulnerabilities threaten economic survivability and competitiveness
• Interdependency
  – Supply chain
  – Partners
  – Customers
  – Infrastructure industries
• Companies are on the front lines of defense

Industry Needs Government in a True Public-Private Partnership

Slide 8

Cross-sector Collaboration

Partnership for Critical Infrastructure Security (PCIS)

http://www.pcis.org

• Participation by leaders from government, industry & academia

• Coordinates cross-sector initiatives and complements public-private efforts

• Board of Directors majority always critical infrastructure “sector coordinators”

Slide 9

US Public-Private Relationships for CIP

[Organization chart labels: President of the United States; DHS; Federal Departments and Agencies; Advisory Committees; State and Local Governments; Sector Coordinators; PCIS]

[Sectors shown: Electric Power; Food Safety; Financial Services; Telecommunications; Chemicals; Water; Oil and Natural Gas; Surface Transportation; Air Transportation; Information Technology; Law Enforcement; Firefighters; Emergency Medical; Manufacturing]

Slide 10

Information Sharing and Analysis Centers (ISACs)

• Vital part of Critical Infrastructure Protection (CIP)
• Gather, analyze, and disseminate information on security threats, vulnerabilities, incidents, countermeasures, and best practices
• Early and trusted advance notification of member threats and attacks
• Organized by industry: cross-sector awareness, outreach, response and recovery
• ISAC Council: Leadership of ten ISACs

Slide 11

Need for Information Sharing Standards

• 10 ISACs + DHS: Unique alert levels, message formats, requirements
• Vulnerability disclosure complex issue
  – National Infrastructure Advisory Council (NIAC) developing guidelines
• PCIS taxonomy effort—6000 terms
  – http://www.pcis.org/library.cfm?urlSection=WG (first two listings)
• ISAC Council working on cross-sector and public-private information sharing mechanisms
• Must consider physical and cyber aspects

Slide 12

Need for Common IT/Control System Risk Analysis Standards

• Control system networks are becoming more like IT networks
• Plant/control system engineers understand safety risk assessments; IT security engineers understand information security risk assessments
• Cyber incident data much more scarce than accident data—deliberate cyber attacks hard to quantify
• Therefore, need common physical and cyber analysis tools
  – Methodologies similar for both aspects
  – Interdependencies

Slide 13

Current Control System Cybersecurity Standards Activity

• American Gas Association AGA-12-1: draft standard currently in development for protecting legacy Supervisory Control And Data Acquisition (SCADA) communications links
  – See http://www.gtiservices.org/security/
• Instrumentation Systems and Automation Society (ISA) SP-99: cross-sector cybersecurity initiative
  – Aimed at attempts to do the best with existing technology and practices
  – Two reports:
    – TR-1 (Technology)
    – TR-2 (Application and Practice)—out for ballot 16 Sep 2003
  – See http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
• NIST Process Control Systems Security Requirements Forum (PCSRF): draft "Security Capabilities Profile" document to serve as the basis for writing protection profiles for different control systems components
  – Aimed at next generation of control system networks and products
  – See http://www.isd.mel.nist.gov/projects/processcontrol/

Slide 14

Information Sharing Recommendations

• Leverage ongoing work
  – NIAC Vulnerability Disclosure guidelines
  – ISAC Council procedures
  – PCIS “dictionary”
• Work toward standard:
  – Message formats
  – Terms
  – Alert levels (where applicable)