Cyber Infrastructure Security
Presentation
Moderator:
Col. Ron Torgerson, PE, PMP, CHS-V, F.SAME, USAF (Ret.), and
Chair, Cyber Security Infrastructure Task Force (CSITF)
Speakers:
Gary Seifert, P.E.
Mark Duszynski, Vice President, Johnson Controls Federal Systems
Col. Steve Moes, USAF (Ret.), COO, LRS Federal
2013 JETC hosted by the Society of American Military Engineers HQ and the San Diego Post
Building Systems Threats and Mitigation Measures
Mark Duszynski
VP Johnson Controls Federal Systems
Cyber Infrastructure Security Presentation
SAME JETC San Diego
Current Federal standards and Industrial Control Systems (ICS) security requirements
• Federal ICS need to be approved based on a risk assessment process
• The risks are identified and mitigated until the risk is acceptable
• The risk assessment is now an on-going process through the lifecycle of the systems (continuous
In general, the following processes must be followed in order to gain “Authority to Operate (ATO)”
• DIACAP (DoD Information Assurance Certification and Accreditation Process) … “C&A process”
  – Air Force uses ETL; Navy DIACAP and Army DIACAP
• Risk Management Framework for civilian agencies
  – Federal Information Security Management Act (FISMA)
  – Risk Management Framework (RMF)
Industrial Control Systems (ICS) refers to a wide variety of control systems typically found on DOD installations and civilian agency sites
• Building Automation Systems (BAS)
  – Sometimes referred to as Energy Management Control Systems (EMCS), Utility Monitoring and Control Systems (UMCS), HVAC controls or DDC
• Other ICS elements
  – SCADA, security systems, metering, fire alarm systems, fuel distribution, water controls, wastewater controls, power generation, airfield controls, lighting controls, intrusion detection systems etc.
Control systems uniquely present two types of vulnerabilities: 1) Data and intellectual property theft of business networks and 2) Sabotage through normal control process disruptions
http://abcnews.go.com/International/chinese-hack-us-chamber-commerce-authorities/story?id=15207642
“At one point, the penetration into the Chamber of Commerce was so complete that a Chamber thermostat was communicating with a computer in China.”
The inherent user-friendly design features of a BAS make them vulnerable
• Device and point naming standards are highly descriptive
  – e.g. “5th Floor Supply Air Fan Start/Stop Control”
• All possible port/protocol configurations allowed
• Use of DoD Logon banners virtually unheard of
• Easy, open access to online Help files
• Widely available USB and RS232 ports
• Verbose and highly descriptive error messages
• Weak password controls
The evolution of Building Automation Systems networks has also increased their vulnerabilities
• Originally were built on own proprietary networks
• By late 90s push to utilize business Ethernet LANs
• Today over 95% of all BAS reside on shared networks
• Use commercial operating systems & COTS components
• Follow IEEE and IT networking standards and client/server models
ICS and Building Automation Systems cyber security risks and vulnerabilities are generally found in three vectors:
1. Physical Security
2. Network Security
3. ICS Operations
Risk identification and corresponding mitigation steps should align with and derive from these three general areas of vulnerability
Next few slides are an example of ICS network vulnerabilities and mitigation actions as identified by the Naval District Washington
The most basic network vulnerability mitigation measure is the construction of firewalls
Companies are developing “secure” BAS controllers that imbed firewalls & provide encryption
Metasys®
Mitigation is generally implemented through coincident EMCS modernization and cyber hardening projects
• A high percentage of DOD installations have diverse, aging buildings with disparate, out-dated automation systems
  – makes it difficult to effectively operate and conserve energy
  – increases vulnerabilities to cyber attack
• Modernization brings many benefits
  – A more cyber secure EMCS or BAS
  – increased energy efficiency and reduced operational costs
  – enhanced energy security
  – improved functionality (e.g. GHG reporting)
  – better mission support
Many excellent resources are available for analyzing and designing building systems and ICS protections
Standards and References are included in the areas of: Cyber Security Policy Planning and Preparation, Establishing Network Segmentation, Firewalls and DMZs, Control System Security Procurement
For additional information contact:
Mark Duszynski
VP Johnson Controls Federal Systems
414-524-4234
Utility Subcommittee
Steve Moes
Col (Ret), USAF
LRS Federal, LLC
Utility Subcommittee Members
• Pat Coullahan – COE AK
• Dave Maharrey – LSU
• Irv Lee – City of Tampa
• Dan Clairmont – UT Austin
• Joe Okes – AOC
• Steve Scott – SEPI Engineering and Construction
Definition
Utility cybersecurity is the protection of the
utility systems (Water and Waste Water)
operation and the information the system
collects. Information includes equipment info,
usage data, etc. The protection of the system
is both external (blocking ports) and internal
such as programs that search for anomalies or
other traces of cyber attackers.
Typical Installation Utility Systems
• Vulnerabilities
  – Identification is inherent at any Military Installation for systems they own
  – Prioritized facilities/systems
• Mitigation
  – Contingency Plans
  – Local Operational Inspections and Exercises
W/WWT Systems-Water Sector Specific Plan
• EPA is the Federal lead for coordinating and assisting in protecting the Nation’s critical Water Sector infrastructure
  – > 153,000 public drinking water systems
Drinking Water Systems
  – Physical Elements
    • Water Source
    • Conveyance
    • Raw Water Storage
    • Treatment
    • Finished Water Storage
    • Distribution System
    • Monitoring System
  – Cyber Elements
    • Supervisory Control and Data Acquisition (SCADA) System
  – Human Elements
    • Employees and Contractors
Waste Water Utilities
  – Physical Elements
    • Collection
    • Raw Influent Storage
    • Treatment
    • Treated Water Storage
    • Effluent Discharge
    • Monitoring System
  – Cyber Elements
    • SCADA
  – Human Elements
• Goals
  – Sustain protection of public health and the environment
  – Recognize and reduce risks
  – Maintain a resilient infrastructure
  – Increase communication, outreach, and public confidence
• Assess Risk
  – Consequence, Threat and Vulnerability Assessments
  – Screening Infrastructure
• Prioritize
  – Population served
  – Amount of chlorine gas stored on site
  – Economic impact
  – Critical customers served
• Implement
  – Focus is on high-density population systems (> 100,000 people)
  – Develop templates for detection, response and recovery plans
  – Update emergency response and recovery plans
  – Increase public and political understanding of denial-of-service impacts
Protecting Networks in the Age of Light and Air
Cyber-attacks From the Physical Infrastructure Standpoint
Light and Air
• Communication Infrastructure from Inside Plant to Outside Plant
• Vulnerabilities of Wired/Wireless Communications Networks
• Available Technologies to Protect Physical Infrastructure
• Department of Defense is Driving Information Assurance
• Protecting Everything
Drivers
• Internet Users in North America Growth: 153.3% from 2000-2012
• 273 million Internet Users in North America
• 327 million US Mobile Phone Users
• 58.4% of all American Homes Subscribe to Cable TV
• 80% of all US Phone Calls Traverse Passive Optical Equipment
• 30% of all US Mobile Calls Traverse Passive Optical Equipment
Vulnerabilities
• Fiber and Copper
  • Tapping
  • Denial of Service (DoS)
• Wireless
  • Blind Trust of Senders (MAC Addresses)
  • Denial of Service (DoS)
Available Technologies
Methods
• Harden
  • Pipe, Concrete, Boxes, Locks, Welding etc…
• Inspection
  • Constant or Periodic Visual Inspection
• Alarm
  • External Monitors
  • Internal Monitors
• Designed for data infrastructure security
• Makes the entire cable a sensor
  - Use a pair of fibers inside the cable being protected
  - When any component of the cable is abnormally handled, the monitored fibers sense the disturbance
• Event discrimination technology
  - Learns the ambient state of the network and differentiates between benign events and real threats
  - False alarms eliminated
  - If an INTERCEPTOR alarms, there is a problem (perhaps not a threat)
Standard fibers intrinsic to (inside) the cables being protected are used to monitor intrusions into the
[Diagram: rack mounted sensing controller, inactive lead-in cable, passive start junction, fiber optic sensing cable, passive terminator]
• A SM fiber optic cable is used as a distributed sensor
• Steady CW laser light is sent down the fiber
• When any motion or vibration acts on the fiber, or anything the fiber is attached to or buried in, the lightwave is affected and this change is detected and the event is classified using patented FFT technology
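A simplified illustration of the "learn the ambient state, then discriminate" step described on this slide, added here as an example; it is not the vendor's patented FFT method. A naive DFT (pure Python, no numpy) is run over constructed windows of a simulated sensing signal: a 2 Hz ambient hum of varying amplitude is learned as the baseline, and a new window is flagged only in the frequency bins where its power exceeds that learned ceiling.

```python
"""Spectral event discrimination on a simulated fiber-sensing signal (illustrative, not the vendor's)."""
import cmath
import math

N = 64       # samples per analysis window
FS = 64.0    # sample rate in Hz, so DFT bin k corresponds to k Hz

def dft_power(samples):
    """Naive DFT; returns power per bin for k = 0 .. N/2 (pure Python, no numpy)."""
    n = len(samples)
    power = []
    for k in range(n // 2 + 1):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
        power.append(abs(acc) ** 2 / n)
    return power

def make_window(components, ripple=0.05):
    """Constructed signal: sum of (freq_hz, amplitude) sinusoids plus a fixed 29 Hz ripple
    standing in for steady optical noise."""
    return [sum(a * math.sin(2 * math.pi * f * i / FS) for f, a in components)
            + ripple * math.sin(2 * math.pi * 29 * i / FS) for i in range(N)]

def learn_ambient(windows, margin=2.0):
    """Learn the ambient state: per-bin power ceiling = margin * max power seen while quiet."""
    spectra = [dft_power(w) for w in windows]
    return [margin * max(s[k] for s in spectra) for k in range(len(spectra[0]))]

def classify(window, ceiling, floor=0.01):
    """Bins (in Hz) whose power exceeds the learned ceiling; an empty list means benign.
    'floor' keeps floating-point dust in otherwise empty bins from triggering."""
    return [k for k, p in enumerate(dft_power(window)) if p > max(ceiling[k], floor)]

# Ambient training set: the 2 Hz hum (e.g. nearby machinery) at slightly varying amplitude.
AMBIENT = [make_window([(2, a)]) for a in (0.9, 1.0, 1.1)]
CEILING = learn_ambient(AMBIENT)

if __name__ == "__main__":
    print(classify(make_window([(2, 1.2)]), CEILING))            # benign variation: []
    print(classify(make_window([(2, 1.0), (7, 0.5)]), CEILING))  # cable handled at 7 Hz: [7]
```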
Securing Wireless Networks
There are three primary areas for concern: Confidentiality, Accessibility, Integrity
Implement strong encryption algorithms with stringent password requirements.
Wireless Intrusion Detection Systems (WIDS) monitor network traffic and analyze it for various known
attack patterns. WIDS can be Signature based (also called misuse detection) and anomaly based
detection.
In signature based detection, a database of known abnormal patterns must be compiled and
maintained. Thus, this approach is weak against attacks that have not been seen before.
In anomaly based detection, the system is trained on normal network activity so that when it
experiences activity that is different from what is expected, it alerts system administrators of possible
network intrusions. This approach will yield a high false-positive rate if the training set is not
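The two WIDS approaches described above, as an added example that is not from the presentation: a signature rule for one known misuse pattern beside an anomaly detector trained on per-second frame counts, both run over constructed traffic summaries. The last two calls show the caveat in the text: a detector trained only on quiet-hours traffic flags a legitimately busy second as an intrusion, while one trained on a broader baseline does not.

```python
"""Toy WIDS: signature (misuse) detection beside anomaly detection over 802.11 frame counts."""
from collections import Counter
from statistics import mean, pstdev

# Constructed per-second frame-type counts (not captured traffic): {second: Counter}.
def window(beacon=18, data=2, **other):
    return Counter(beacon=beacon, data=data, **other)

QUIET_BASELINE = {s: window(data=d) for s, d in enumerate([2, 4, 1, 3, 2, 4, 1, 3, 2, 3])}
# Broader baseline also includes legitimately busy seconds (e.g. shift change).
BROAD_BASELINE = dict(QUIET_BASELINE)
BROAD_BASELINE.update({10 + s: window(data=d) for s, d in enumerate([20, 24, 22, 26, 18])})

TEST = {
    100: window(deauth=12),     # known misuse pattern: deauthentication flood
    101: window(probe_req=60),  # flood for which no signature exists
    102: window(data=22),       # legitimate busy second
}

DEAUTH_FLOOD_THRESHOLD = 10     # frames per second

def signature_alerts(windows):
    """Misuse detection: fire only on the known pattern in the signature database."""
    return sorted(s for s, c in windows.items() if c["deauth"] >= DEAUTH_FLOOD_THRESHOLD)

def train_anomaly(windows):
    """Learn what 'normal' looks like: mean and std-dev of total frames per second."""
    totals = [sum(c.values()) for c in windows.values()]
    return mean(totals), pstdev(totals)

def anomaly_alerts(windows, model, k=3.0):
    """Flag seconds whose total frame count is more than k std-devs from the learned mean."""
    mu, sigma = model
    return sorted(s for s, c in windows.items() if abs(sum(c.values()) - mu) > k * sigma)

if __name__ == "__main__":
    print(signature_alerts(TEST))                                # [100]
    print(anomaly_alerts(TEST, train_anomaly(QUIET_BASELINE)))  # [100, 101, 102]; 102 is a false positive
    print(anomaly_alerts(TEST, train_anomaly(BROAD_BASELINE)))  # [101]
```

Neither detector alone covers both floods: the signature misses the unseen probe-request flood and the broadly trained anomaly model misses the deauth flood, which is why the two are normally run together.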
Department of Defense
Defense Information Systems Agency (DISA)
A Combat Support Agency, provides, operates, and assures command and control, information sharing
capabilities, and a globally accessible enterprise information infrastructure in direct support to joint warfighters,
National level leaders, and other mission and coalition partners across the full spectrum of operations.
Information Assurance (IA) National Security Agency (NSA)
NSA's Information Assurance Mission focuses on protecting National Security Information and
Information Systems
Certified TEMPEST Technical Authority (CTTA)
"TEMPEST Countermeasures for Facilities," establishes guidelines and procedures that shall be used by
departments and agencies to determine the applicable TEMPEST countermeasures for national security
systems.
Datacenter & SAN Infrastructure Solutions (Pre-terminated cables, cabinets, etc)
Physical Security & Life Safety (Access Control, CCTV, Paging,
Physical Network Security & Information Assurance Solutions (PDS, Fiber Security, Intelligent Patching)
Tactical & Deployable Solutions (Mobile Command Centers, Integrated Cross
OSP/LAN Networks (Cable, Connectivity, Pathway, Racks/Cabinets)
Secure/C4ISR Network & SCIF Infrastructure (SIPRNET/JWICS, DODIIS)