Cyber Security Procurement Language for Control Systems
Rita Wells, Idaho National Laboratory
Program Sponsor: National Cyber Security Division
Control Systems Security Program
Cyber Security Procurement Language for Control Systems
Agenda: Background, Foundation, How to Use, Content
Department of Homeland Security: Cyber Security Procurement Language for Control Systems
August 2008
Procurement Language for Control Systems
Main Contributors: Department of Homeland Security – NCSD/CSSP; Department of Energy – NSTB; Idaho National Laboratory; Asset Owners, Vendors; New York State; SANS
Latest Release: August 2008 – Version 2.0
http://www.us-cert.gov/control_systems
U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability
Software Assurance: A Strategic Initiative to Promote Integrity, Security, and Reliability in Software
Procurement Specification for Control Systems
Initiative to develop procurement language for control systems (hardware and software)
Risk Reduction: Work with public and private sectors to reduce vulnerabilities and minimize the severity of cyber attacks
Project Goal & Scope
Goal
Develop common procurement requirements and contractual language that the owners can use to ensure control systems they are buying or maintaining have the best available security
Scope
New control systems
Maintenance of systems
Legacy systems
Information and personnel security
Foundation
Analyzed 54 Assessments:
Assessments funded by DHS, DOE, Industry, and Asset-owners
Each assessment ranges from 275-800 hours of cyber security researcher time, plus additional effort from control system and network engineers
20 in-lab and 18 on-site assessments
Identified common vulnerabilities
Also identified unique defensive architectures
When to Use: New Systems
Request for Proposal → Proposal Submittal → Bid Review → Contract Award → Statement of Work → Design Review → Document Review → Factory Acceptance Testing → Site Acceptance Testing → Maintenance
[Diagram: Procurement Language → FAT Measurements → SAT Measurements → Maintain]
When to Use: Legacy Systems
Negotiating a new maintenance contract
Applying Upgrades
Accepting Updates
Applying security add-ons
How to Use: Security Culture
Not a cut and paste
Still need to engineer the system and understand the architecture, functional requirements and operational constraints
Does your company have past experience with:
Need for an ongoing security program (not a one-time project)
Strong security culture or outsource?
Accustomed to providing adequate funding for security
Have adequate security staff for support
Procurement Language
Aggressive project designed to provide a “buyer's” tool kit
Provide security requirements for inclusion into RFPs
Use common, grounded and valuable language
Support Bid Reviews (gauge responsiveness)
Provide the detail required to support SOW development and Design Creation & Review
Starting with greatest risk that can be addressed
How to use: Functional Architecture
Factory Acceptance Test Measurements
Linked to the procurement requirement
Provides language to include in Factory Acceptance Testing requirements and specifications
Designed to validate the requirement has been met
Allows for rigorous security testing in an isolated environment
Gives the vendor the opportunity to verify the product meets the security requirements prior to installation in the field.
Site Acceptance Test Measurements
Linked to the procurement requirement
Provides language to include in Site Acceptance Testing requirements and specifications
Designed to validate the risk-reducing requirement is not lost during implementation in the Asset Owner's environment
Important step that requires an understanding of “why it was delivered that way”
First hand-off from the procurement / provider team to the actual operator and maintainer
Maintenance Language & Operating Guidance
Linked to the procurement requirement
Provides language to include in maintenance contracts
Designed to further reduce the risk to control systems during their lifetime
Critical step to ensure the benefits of the security requirements are not lost during the technology's operational lifespan
Requires an understanding of “why it was delivered that way”
Procurement Language Topics
System Hardening: Removal of Unnecessary Services and Programs; Host Intrusion Detection Systems; Changes for File Systems and OS Permissions; Hardware Configurations; Heartbeat Signals; Installing OS Applications and 3rd Party Software
Perimeter Protection: Firewalls; Network Intrusion Detection Systems; Canaries
Account Management: Disabling, Removing or Modifying Well-Known or Guest Accounts; Session Management; Password/Authentication Policy and Management; Account Audit and Logging; Role-based Access Control; Single Sign-on; Separation Agreement
Coding Practices: Coding for Security
Flaw Remediation: Notification and Documentation from Vendor; Problem Reporting
Malware Detection and Protection
Host Name Resolution: Network Addressing and Name Resolution
Procurement Language Topics - continued
End Devices: Intelligent Electronic Devices; Remote Terminal Units; Programmable Logic Controllers; Sensors, Actuators and Meters
Remote Access: Dial-up Modems; Dedicated Line Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications
Physical Security: Access of Cyber Components; Perimeter Access; Manual Override Control; Intra-perimeter Communications
Network Partitioning: Network Devices; Network Architecture
A Page From the Tool Kit: Format
Procurement Topic
Security Risk or Basis Description
Language Guidance
Procurement Language
Factory Acceptance Test Measurements
Site Acceptance Test Measurements
Maintenance and Operations Guidance
References or Standards
Dependencies
Subjects Version 2.0: System Hardening
Removal of Unnecessary Services and Programs; Host Intrusion Detection Systems; Changes for File Systems and OS Permissions; Hardware Configurations; Heartbeat Signals; Installing OS Applications and 3rd Party Software
Security Issues and Fixes: 1.2.3.4
Type | Port | Issue and Fix
Informational | netbios-ssn (139/tcp) | An SMB server is running on this port. Nessus ID: 15071
Informational | netbios-ns (137/udp) | Synopsis: It is possible to obtain the network name of the remote host. Description: The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. ….. The remote host has the following MAC address on its adapter: 00:0e:0e:b1:08:d9. CVE: CVE-1999-0671. Other references: OSVDB:13577. Nessus ID: 10490
Analysis of Host
Address of Host | Port/Service | Issue regarding Port
1.2.3.4 | netbios-ssn (139/tcp) | Security notes found
1.2.3.4 | netbios-ns (137/udp) | Security notes found
1.2.3.4 | ldap (389/tcp) | Security notes found
From a Nessus Scan
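The scan excerpt above is the kind of evidence a FAT or SAT measurement for "Removal of Unnecessary Services and Programs" would be checked against. The following script is an added example (not part of the DHS tool kit or the slides): it parses the space-separated "Analysis of Host" rows as Nessus printed them and reports every listener that is not in an assumed approved-services baseline for the host. The baseline (only 389/tcp justified for 1.2.3.4) is a constructed value.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, in the space-separated layout of the slide's
# "Analysis of Host" table (host 1.2.3.4 as on the slide).
SCAN_OUTPUT = """\
Analysis of Host
Address of Host Port/Service Issue regarding Port
1.2.3.4 netbios-ssn (139/tcp) Security notes found
1.2.3.4 netbios-ns (137/udp) Security notes found
1.2.3.4 ldap (389/tcp) Security notes found
"""

# Assumed approved-services baseline: the listeners the procurement
# requirement and design review justified for each host. Hypothetical values.
BASELINE: Dict[str, Set[Tuple[int, str]]] = {
    "1.2.3.4": {(389, "tcp")},
}

# One scan row: <ipv4> <service-name> (<port>/<tcp|udp>) <free text>
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+\((\d+)/(tcp|udp)\)")


def parse_scan(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (host, service, port, proto) for each listener row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            host, service, port, proto = m.groups()
            rows.append((host, service, int(port), proto))
    return rows


def unnecessary_services(text: str, baseline: Dict[str, Set[Tuple[int, str]]]) -> List[str]:
    """Listeners present in the scan but absent from the approved baseline (a failed measurement)."""
    findings = []
    for host, service, port, proto in parse_scan(text):
        if (port, proto) not in baseline.get(host, set()):
            findings.append(f"{host} {service} {port}/{proto} not in approved baseline")
    return findings


if __name__ == "__main__":
    for finding in unnecessary_services(SCAN_OUTPUT, BASELINE):
        print("FINDING:", finding)
```

The same check is re-run at SAT against the installed system so that a listener re-enabled during site integration shows up as a finding rather than as an accepted service.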
Subjects Version 2.0: Account Management
Disabling, Removing or Modifying Well-Known or Guest Accounts; Session Management; Password/Authentication Policy and Management; Account Audit and Logging; Role-based Access Control; Single Sign-on; Separation Agreement
User: dopey / Password: badPassword
Subjects Version 2.0: Coding Practices
Coding for Security
OllyDbg
Rating System: Description of weaknesses (Simplicity and Impact columns not recoverable from the slide)
A: Database software; SQL non-parametric query allows for SQL attacks
B: Perl scripts taintness option not enabled - allowed for the uploading and execution of arbitrary code
C: SQL injection vulnerabilities used to exploit server on DMZ
D: Miscellaneous client software, database connections, SQL injection
E: Real-time database, SQL forward, IPSec can be disabled
F: Application point of failure, several variable overflows, ICCP, 3rd party security product
G: Proprietary file share server, data listener, input output handler
H: Database and application server key logger attack
I: Input output handler, 3rd party log monitor tool, OS scheduling utility, proprietary listener
J: Proprietary listener and database
Subjects Version 2.0: Flaw Remediation
Notification and Documentation from Vendor
Problem Reporting
1988 Clear Text Vulnerability
Rating axes: Impact, Exposure, Deployment, Simplicity
EXAMPLE (CVE-2006-3942)
Subjects Version 2.0: Host Name Resolution
Network Addressing and Name Resolution
Allowed Network Flows
Host 1 | Host 2 | Port
Host A | Host B | TCP 80
Host C | Host D | TCP 123
Alert on all other flows
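The allowed-flow table above is an allow-list: anything not in it should raise an alert. As an added example (not code from the slides or the tool kit), the script below expresses the table in the slide's host names, resolves them through an assumed address table (constructed values), and then runs constructed flow records against it. The allow-list is directional, so a connection in the reverse direction on the same port is alerted, which is the behaviour the "alert on all other flows" rule calls for.

```python
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumed name-to-address table: the slide names hosts, flow records carry
# addresses. Constructed values, not from the original.
ADDRESSES: Dict[str, str] = {
    "Host A": "10.0.1.10",
    "Host B": "10.0.1.20",
    "Host C": "10.0.2.10",
    "Host D": "10.0.2.20",
}

# The slide's allowed-flow table as (Host 1, Host 2, protocol, port).
ALLOWED_NAMED = [
    ("Host A", "Host B", "TCP", 80),
    ("Host C", "Host D", "TCP", 123),
]

# Constructed flow records in "src,dst,proto,dport" form: two allowed flows,
# one reverse-direction connection on port 80, telnet to Host D, and SNMP
# from an address that is not in the table at all.
FLOW_LOG = """\
10.0.1.10,10.0.1.20,TCP,80
10.0.2.10,10.0.2.20,TCP,123
10.0.1.20,10.0.1.10,TCP,80
10.0.1.10,10.0.2.20,TCP,23
10.0.9.9,10.0.1.20,UDP,161
"""


def resolve_allowed(named, addresses: Dict[str, str]) -> Set[Flow]:
    """Turn the name-based table into address-based Flow entries."""
    return {Flow(addresses[a], addresses[b], proto, port) for a, b, proto, port in named}


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed record format into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split(",")
            flows.append(Flow(src, dst, proto.upper(), int(dport)))
    return flows


def alerts(flows: List[Flow], allowed: Set[Flow]) -> List[str]:
    """Alert on every observed flow not in the allow-list (direction-sensitive)."""
    return [f"ALERT: {f.src} -> {f.dst} {f.proto}/{f.dport} not an allowed flow"
            for f in flows if f not in allowed]
```

A real deployment feeds this from a flow collector at the network partition boundary, with the address table kept in step with the name-resolution configuration the same subject area covers.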
New Subjects Version 2.0: End Devices
Intelligent Electronic Devices; Remote Terminal Units; Programmable Logic Controllers; Sensors, Actuators and Meters
Sensors
Control Valves
Programmable Logic Controllers (PLC)
Smart Meters
Remote Terminal Unit
New Subjects Version 2.0: Remote Access
Dial-up Modems; Dedicated Line Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications
New Subjects Version 2.0: Physical Security
Access of Cyber Components; Perimeter Access; Manual Override Control; Intra-perimeter Communications
Vendors
Audience is asset owners or buyers of systems
Support the vendors by addressing technology security problems they deal with as buyers of components
- Important trend: Control System company is an integration & software effort
Provide value to vendors which will pass on to asset owners; start the security dialog in a common language
International Outreach
Pressure from multiple markets: Europe & Asia
International participation & interest: 15 countries; UK & Australia taking leadership role; European Union discussions
Participant Creation
Develop an “Open Contribution” framework
Shift drafting from drafting team to participants
Need to set up quality review process and rules
190+ asset owner members
Multiple stakeholder communities
Allow other programs to support (CPNI, AUS Gov, etc.)
Sectors take ownership to apply the sections their unique architectures need
System Integrators use as baseline
Vendors use as discussion points
Vendor Response
Map requirements to product offerings
Distinguish what is provided from what is not
No one entity will be able to provide all requirements
Categorize the functions not provided: wanted in the future, or not needed because other functions or the architecture make the requirement not relevant
Start the dialog: use the ‘we don’t provide that’ to open the discussion with customers on why not, or on alternatives that work better for the functional needs
Discussion
Gary J. FincoIdaho National [email protected] 7048
Rita WellsIdaho National [email protected] 3179