Control System Self Assessment Tools and Methods

Standards Certification

Education & Training Publishing

Conferences & Exhibits

ISA EXPO 2008

Control System Self

Assessment Tools and

Methods

Welcome

• Presenter: Carol Muehrcke, Cyber Defense Agency LLC

– Co-chair SCADA Cyber Self Assessment Working Group (WG) under Process Control System Forum (PCSF)

– Computer security R&D since 1992

• Topics:

– WG background

– Requirements for IACS cyber security self assessment

– Survey of available tools and methods

– Planning a self assessment

PCSF Self Assessment WG

• Rationale: 2005 - pressing need to understand IACS cyber security readiness

• Charter: Enable the development and use of the best possible next generation of self administered tools and methodologies for the assessment of the cyber security readiness of process

control systems.

• Deliverables:

– IACS self-assessment requirements list

– Gaps: Requirements unmet by existing tools and methodologies

• Final report: on PCSF web site

Self Assessment WG Core Team

• Garill Coles

Pacific Northwest National Laboratory [email protected] • Mark C. Morgen 3M - Optical Systems Division [email protected]

• Carol Muehrcke (Co-chair)

Cyber Defense Agency, LLC cmuehrcke@cyberdefense agency.com • Matt Earley Decisive Analytics Corporation [email protected] • Ron Melton Pacific Northwest National Laboratory [email protected] • Candace Sands EMA [email protected]

• Brian Isle (Chair)

Adventium Labs brian.isle@adventiumlab s.org • Cliff Glantz Pacific Northwest National Laboratory [email protected] • Mary S. Hester Intelligent System Solutions [email protected]

Self Assessment Requirements Categories

• Importance of Cyber Security in Business

• Scope of the Cyber Security Management System

• Security Policy

• Personnel Security

• Organizational Security

• Compliance

• Physical and Environmental Security

• Access Control**

• Information and Document Management

• Identifying Vulnerabilities**

• Risk Identification, Classification and Assessment**

• Risk Management and Implementation

• Incident Planning and Response

• Infrastructure-Related Operations and Change Management

• Staff Training and Security Awareness**

• System Development and Maintenance

• Monitoring and Reviewing the Cyber Security Management System

• Maintaining and Implementing Improvements

Key: Covered; Gaps in some Sectors; Gaps in all sectors ** Highest WG priority

Example – Access Control

General:

• Principle of least privilege, controlled management of accounts, coverage of personnel and third parties

IACS Specific:

• Administrative vs. control access

• Critical vs. non-critical operator functions and platforms

• Stronger authentication for remote access

• Team passwords

• Approval of privileges by personnel familiar with control tasks

• Complementary physical access controls (e.g. unattended logged in terminals)

• Control risks due to denial of service: forgotten passwords, expiring

passwords, account lockout on login failures, screen savers blocking status information, authentication using remote servers or LAN/WAN elements

Type and Scope for Tools and Methodologies

Step by Step Method Questionnaire

Tools and Methods Analyzed

Name Type Sector Scope

API 1164 Standard Appendices A-B Questionn aire & cyber security plan Refining and Petrochemic al

Risk & Vulnerability, Cyber, IACS

API SVA - Security

Vulnerability Analysis Methodol ogy Refining and Petrochemic al

Risk, Physical & Cyber, Generic Industry Participant Tool - Proprietary Excel- based tool Refining & Petrochemic al

Vulnerability, Cyber, IACS

CIDX Guidance for Address. Cyber Security in Chem. Industry V 3.0 – App. 1

Questionn aire

Chemical Vulnerability; cyber, IT & some IACS PHAWorks – Primatech, w/ cyber guidance doc Software Tool Refining, Petrochemic al & Chemical

Risk, Physical and Cyber, Generic

Tools and Methods Analyzed (cont.)

Name Type Sector Scope

RAM-W Risk Assessment Methodology-Water Methodol ogy Water/Wast ewater

Risk, Physical & Cyber, Generic VSAT Vulnerability Self Assessment Tool Software Tool Water/Wast ewater

Risk, Physical & Cyber, high level IT and IACS

CS2SAT

Cyber Security Self Assessment Tool Software Tool Cross- sector, tailorable to a sector

Vulnerability & some Risk, Cyber, IACS

DHS NCSD Questionnaire Question naire Cross- sector Vulnerability, Cyber, Generic

WG Results - Highlights

– 3 IACS specific (one proprietary)

– 2 some unique IACS content

– 4 no unique IACS content

• Much sector material applicable cross-sector

• Risk specific to IACS treated at high level or via consequence

– VSAT: IACS as one element of enterprise, probability is user input

– API 1164:

– application consequence categories determine requirements

– Some guidance on ranking interfaces by value and susceptibility

– CS2SAT: consequence as proxy for risk

– Need fundamental R&D and data gathering

• CS2SAT: most depth for IACS vulnerabilities, access control

• Staff Awareness and Training Category

– Tools and methods not success driver

– Unique to sectors and enterprises

– Sector groups have role providing guidance

Planning a Self Assessment

– Standards typically touch most of them

• Choosing tools and methods:

– Unlikely you will find a comprehensive self-assessment tool or method

– Software tool functionality: standards compliance tracking vs. technical features

– Consider organizational structure (IT and IACS, Cyber and Physical Security)

– Other characteristics (cost, ease of use) covered in WG analyses

• Address both risk and vulnerability

• Little detailed guidance available on risk specific to IACS

• World class organizations treat all risks under same structure (physical, IT cyber, IACS cyber)

• As first steps:

– Coordinate with physical security assessments

Sample Resources

Requirement Category

Tool or Method Comments

Security Policy American Petroleum Institute 1164

Appendix B

Sample security plan

Information and Document Management American Petroleum Institute 1164 and Appendix A List of IACS documents requiring protection Access Control, Vulnerabilities

CS2SAT Create model of network, then

examine, host by host Risk Identification,

Classification and Assessment

VSAT Systematic approach to prioritizing risks

Review

• Start with understanding of self assessment requirements

• Tools and methods specific to IACS are few, new

• Tool or method may be helpful although not IACS-specific

• One way to find useful tools and methods - WG Final Report matrix of methods and tools vs. requirements

• Consider resources from other sectors

Q & A

Example – Personnel Security

• Employees and contractors are screened upon employment and job changes, based on criticality of job. Job responsibilities for security clearly defined.

IACS Specific:

• Guidance on defining job criticality for control system personnel

• Guidance on security responsibilities of control room and other control system personnel.

• Third party contracts related to control room have provisions for cyber security.

Example – Risk Identification, Classification and Assessment

General:

• Identify threats, vulnerabilities, consequences, probability of occurrence for realization of threats identified

IACS Specific:

• Consider when defining criticality: how long can you operate without control, without visibility? How fast do you need alerts, alarms, and to be able to start, stop or modify a process?

• Enumeration and characteristics/preferences of threat sources (e.g. terrorist, activists, employees, criminals)

• Guidance for assessing probability of control system security incidents

• Guidance on assessing consequences

• Consider: interdependencies and cascading effects

Example – Staff Training and Awareness

• Need for timely awareness and specific technical cyber security training plus periodic updates

IACS Specific:

• Awareness and training for control system personnel tailored to specific needs