Building Insecurity
Lisa Kaiser
Industrial Control Systems Cyber Emergency
Response Team (ICS-CERT)
Insecurity: How do I…
• Specify it
• Buy it
• Test it
• Deploy it
• Regret it
• Apologize for it
Specifying Insecurity
• Ignore security entirely
• Specify inappropriate standards
• Use vagueness
• Demand particular technology solutions
Buying Insecurity
• Never mention security
• Don't put it in writing
• Listen when they say "We'll secure it later"
• Cheaper is always more secure
• New is more secure
Testing Insecurity
• Never test
• Check only "sunny day" scenarios
• Rely on vendor assurances
• Use only cheap security "experts"
• Use your firewalls
Deploying Insecurity
• Don't plan
• Use default passwords
• Bypass all the security
• Never do SAT (site acceptance testing)
• Ignore security alarms and alerts
Photo courtesy of Kristian Ovaska, 2003
Regretting Insecurity
• Begin with RFQ
• Ignore any breaches
• Shoot the messenger
• Apply quick-fixes
• Use the "blame game"
Apologizing for Insecurity
• Leave the organization
• Distract customers
• Avoid responsibility
• Attack the messengers
• Use the press
• Blame us
However…
» If you're NOT trying to build insecurity, but instead wish to build in security…
» Try this to achieve your goal:
Cyber Security Evaluation Tool (CSET)
• Stand-alone software application
• Self-assessment using recognized standards
• Tool for integrating cybersecurity into existing corporate risk management strategy
CSET Download: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
CSET Standards
Requirements derived from widely recognized standards:
• NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Rev 3, with Appendix I, ICS Controls
• Consensus Audit Guideline (CAG): criteria evaluation recommendations based upon National Security Agency (NSA) cyber attack phases
• NERC Critical Infrastructure Protection (CIP) Reliability Standards CIP-002 through CIP-009, Revisions 3 and 4
• DoD Instruction 8500.2, Information Assurance Implementation, February 6, 2003
• NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, June 2011
• NRC Regulatory Guide 5.71, Cyber Security Programs for Nuclear Facilities, January 2010
• CFATS RBPS 8 (Cyber): Chemical Facility Anti-Terrorism Standards, Risk-Based Performance Standards Guidance 8, Cyber, 6 CFR Part 27
• Transportation Security Administration (TSA) Pipeline Security Guidelines: DHS TSA guidance for the pipeline industry
CSET Capabilities
What CSET CAN do:
• Provide a consistent means of evaluating a control system network as part of a comprehensive cybersecurity assessment
• Specify cybersecurity recommendations
• Report using standards-based information analysis
• Provide a baseline cybersecurity posture
What CSET CAN'T do:
• Validate accuracy of user inputs
• Ensure compliance with organizational or regulatory cybersecurity policy and procedures
• Ensure implementation of cybersecurity enhancements or mitigation techniques
• Identify all known cybersecurity vulnerabilities
Assessment Team
A TEAM of participants is required to perform a successful assessment.

Type of Participant                   Knowledge
Control Systems Engineer              Control systems
Configuration Manager                 Systems management
Operations Manager                    Business operations
IT Network Specialist                 IT infrastructure
IT Security Officer                   Policy and procedures
Risk Analyst or Insurance Specialist  Risk
Assessment Process
1. Organize the Team
2. Add Assessment Information
3. Select the Mode and Standards
4. Determine the Security Level (SAL)
5. Build the Network Diagram
6. Answer Questions
7. Analyze Results
Screenshot walkthrough (one slide each):
• Context Specific Help
• Starting Screen
• Assessment Info – Main Window
• Standards Screen – Assessment Modes
• Questions and Standards
• General SAL Determination
• NIST SAL Determination
• Diagramming Tool
• Diagram – Maximized Screen Space
• Questions Screen
• Question Information
• Comments, Marked and Alternates
• Component Questions
• Component Overrides
• Analysis Screen
• Analysis Detail Screens
• Analysis Detail – Example
• Question Filters
• Hardcopy Reports
• Resource Library
• Resource Library – Search
New/Updated Standards
• NEI 08-09 Rev 6
• NISTIR 7628 Ver 1 (August 2010)
• INGAA Ver 1 (January 31, 2011)
• NIST SP 800-53 Rev 4, Appendix J
• NIST SP 800-82 Rev 1 (May 2013)
• CNSSI ICS Overlay Update
CSET 6.0 Enhancements
New Evaluation Capabilities
• Merging
• Comparison
• Aggregation
• Trending
CSET Assessment Aggregation -- Trending Mode
[Trending sample screen: "Overall Trends" bar chart of Components, Standards and Overall scores for 2011, 2012 and 2013; per-category bar chart by year for Access Control, Account Management, Audit and Accountability, Communication Protection, Configuration Management, Personnel, Physical Security, Plans, Policies & Procedures General, Privacy, Procedures, Risk Management, System Integrity, System Protection, System and Services, and Training. Individual bar values are not recoverable from the extracted text.]
Top 5 Areas of Decline: Environmental Security, Incident Response, Info Protection, Information and Document Management, Maintenance
Top 5 Most Improved Areas: Access Control, Account Management, Audit and Accountability, Communication Protection, Configuration Management
Trending Sample Screen
CSET Assessment Aggregation – Comparison Mode
[Comparison sample screen: Overall, Standards and Components scores for Site A, Site B and Site C; per-category comparison across sites (Access Control, Account Management, Audit and Accountability, Communication Protection, Configuration Management, Continuity, Environmental Security, Incident Response, Info Protection, Information and Document Management, Portable/Mobile/Wireless, Privacy, Procedures, Remote Access, Risk Management, SIS, Software, System Integrity, System Protection, System and Services, Training), with a SAL Level panel and "Sort By Best" / "Sort By Worst" controls; per-site detail charts for Access, Password, Policies and Procedures. Individual bar values are not recoverable from the extracted text.]

Site    Total Questions   Answered Yes   Answered No
Site A  560               300            260
Site B  342               300            42
Site C  268               152            116

Aggregation Sample Screen
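The Python script below is an added example, not CSET's own code. It shows how the Merging, Comparison and Trending capabilities described on the two preceding screens can be reproduced from per-category Yes/No answer counts: site totals like the table above, a best/worst ranking of sites, a merged view across sites, and the top-N most improved and most declined categories between two years. It assumes that a category's score is simply the percentage of its questions answered Yes (the slides do not state CSET's real scoring formula), and every site name, year, category and count in it is constructed for illustration.

```python
"""Added example (not CSET's code): merge, compare and trend assessment
answers the way the Aggregation, Comparison and Trending screens summarise
them. Assumption: a category's score is the percentage of its questions
answered "Yes"; the slides do not give CSET's actual scoring formula.
All sample data below is constructed."""
from collections import defaultdict

# Constructed sample: (site, year) -> {category: (yes_count, no_count)}.
# Sites, years, categories and counts are invented for illustration.
ASSESSMENTS = {
    ("Site A", 2012): {"Access Control": (6, 4),
                       "Account Management": (3, 7),
                       "Incident Response": (8, 2)},
    ("Site A", 2013): {"Access Control": (9, 1),
                       "Account Management": (5, 5),
                       "Incident Response": (4, 6)},
    ("Site B", 2013): {"Access Control": (5, 5),
                       "Account Management": (9, 1),
                       "Incident Response": (7, 3)},
    ("Site C", 2013): {"Access Control": (2, 8),
                       "Account Management": (4, 6),
                       "Incident Response": (9, 1),
                       "Maintenance": (0, 0)},   # category not assessed here
}


def score(yes, no):
    """Percentage of Yes answers (assumed scoring); None if nothing answered."""
    total = yes + no
    return round(100 * yes / total) if total else None


def category_scores(assessment):
    """Per-category score for one assessment."""
    return {cat: score(y, n) for cat, (y, n) in assessment.items()}


def site_totals(assessment):
    """Totals as in the 'Site / Total Questions / Yes / No' table."""
    yes = sum(y for y, _ in assessment.values())
    no = sum(n for _, n in assessment.values())
    return {"total": yes + no, "yes": yes, "no": no}


def overall(assessment):
    """Overall score for one assessment (all categories pooled)."""
    t = site_totals(assessment)
    return score(t["yes"], t["no"])


def merge(assessments):
    """Merging mode: combine several assessments by summing answer counts."""
    merged = defaultdict(lambda: [0, 0])
    for a in assessments:
        for cat, (y, n) in a.items():
            merged[cat][0] += y
            merged[cat][1] += n
    return {cat: tuple(v) for cat, v in merged.items()}


def compare(assessments, year, sort_by="best"):
    """Comparison mode: rank the sites assessed in `year` by overall score."""
    rows = [(site, overall(a), category_scores(a))
            for (site, y), a in assessments.items() if y == year]
    rows.sort(key=lambda r: r[1], reverse=(sort_by == "best"))
    return rows


def trend(assessments, site, year_from, year_to, top=5):
    """Trending mode: top-N most improved and most declined categories.
    Categories unanswered in either year are left out rather than scored 0."""
    before = category_scores(assessments[(site, year_from)])
    after = category_scores(assessments[(site, year_to)])
    deltas = {cat: after[cat] - before[cat]
              for cat in before.keys() & after.keys()
              if before[cat] is not None and after[cat] is not None}
    improved = sorted(((c, d) for c, d in deltas.items() if d > 0),
                      key=lambda cd: cd[1], reverse=True)[:top]
    declined = sorted(((c, d) for c, d in deltas.items() if d < 0),
                      key=lambda cd: cd[1])[:top]
    return improved, declined


if __name__ == "__main__":
    for site, ov, cats in compare(ASSESSMENTS, 2013, "worst"):
        print(site, ov, cats)
    merged_2013 = merge(a for (s, y), a in ASSESSMENTS.items() if y == 2013)
    print("merged 2013:", category_scores(merged_2013))
    print("Site A 2012->2013:", trend(ASSESSMENTS, "Site A", 2012, 2013))
```

The unanswered-category case matters in practice: a site that skipped a category should show up as "not assessed", not as a 0% that drags down its comparison ranking, which is why `score` returns None and `trend` skips such categories.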
CSET 6.0 Enhancements (cont.)
New/Updated Functionality
• Inventory Lists
• Security Plans
• YouTube Tutorials
• Updated Diagramming Tool
Key Contact Information
Lisa Kaiser
Download CSET: http://ics-cert.us-cert.gov/Downloading-and-Installing-CSET