Cyber Security Procurement Language for Control Systems

Rita Wells

Idaho National Laboratory

Program Sponsor: National Cyber Security Division

Control Systems Security Program

Cyber Security Procurement Language for Control Systems

Background

Foundation

How to Use

Content

Department of Homeland Security: Cyber Security Procurement Language for Control Systems

August 2008

Procurement Language for Control Systems

Main Contributors:

Department of Homeland Security – NCSD/CSSP

Department of Energy – NSTB

Idaho National Laboratory

Asset Owners, Vendors

New York State

SANS

Latest Release: August 2008 – Version 2.0

http://www.us-cert.gov/control_systems

U.S. Department of Energy

Office of Electricity Delivery and Energy Reliability

Software Assurance

A Strategic Initiative to Promote Integrity, Security, and Reliability in Software

Procurement Specification for Control Systems

Initiative to develop procurement language for control systems (hardware and software)

Risk Reduction

Work with public and private sectors to reduce vulnerabilities and minimize the severity of cyber attacks

Project Goal & Scope

Goal

Develop common procurement requirements and contractual language that the owners can use to ensure control systems they are buying or maintaining have the best available security

Scope

New control systems

Maintenance of systems

Legacy systems

Information and personnel security

Foundation

Analyzed 54 Assessments:

Assessments funded by DHS, DOE, Industry, and Asset-owners

Each assessment ranges from 275-800 hours of cyber security researcher and additional efforts for control system and network engineers

20 in-lab and 18 on-site assessments

Identified common vulnerabilities

Also identified unique defensive architectures

When to Use: New Systems

Request for Proposal

Proposal Submittal

Bid Review

Contract Award

Statement of Work

Design Review

Document Review

Factory Acceptance Testing

Site Acceptance Testing

Maintenance

[Diagram: Procurement Language, FAT Measurements, SAT Measurements, Maintain]

When to Use: Legacy Systems

Negotiating a new maintenance contract

Applying Upgrades

Accepting Updates

Applying security add-ons


How to Use: Security Culture

Not a cut and paste

Still need to engineer system and understand the architecture, functional requirements and operational constraints

Does your company have past experience:

Need for an ongoing security program (not a one time project)

Strong security culture or outsource?

Accustomed to providing adequate funding for security

Have adequate security staff for support

Procurement Language

Aggressive project designed to provide a “buyers” tool kit

Provide security requirements for inclusion into RFPs

Use common, grounded and valuable language

Support Bid Reviews (gauge responsiveness)

Provide the detail required to support SOW development and Design Creation & Review

Starting with greatest risk that can be addressed


How to use: Functional Architecture

Factory Acceptance Test Measurements

Linked to the procurement requirement

Provides language to include in Factory Acceptance Testing requirements and specifications

Designed to validate the requirement has been met

Allows for rigorous security testing in an isolated environment

Gives the vendor the opportunity to verify the product meets the security requirements prior to installation in the field.


Site Acceptance Test Measurements

Linked to the procurement requirement

Provides language to include in Site Acceptance Testing requirements and specifications

Designed to validate the risk reducing requirement is not lost during implementation in the Asset Owner's environment

Important step that requires an understanding of “why it was delivered that way”

First hand-off from the procurement / provider team to the actual operator and maintainer


Maintenance Language & Operating Guidance

Linked to the procurement requirement

Provides language to include in maintenance contracts

Designed to further reduce the risk to control systems during their life-time

Critical step to ensure the benefits of the security requirements are not lost during the technology's operational lifespan

Requires an understanding of “why it was delivered that way”


Procurement Language Topics

System Hardening: Removal of Unnecessary Services and Programs; Host Intrusion Detection systems; Changes for File Systems and OS Permissions; Hardware Configurations; Heartbeat Signals; Installing OS applications and 3rd party software

Perimeter Protection: Firewalls; Network Intrusion Detection Systems; Canaries

Account Management: Disabling, Removing or Modifying Well-Known or Guest Accounts; Session Management; Password/Authentication Policy and Management; Account audit and Logging; Role-based Access Control; Single Sign-on; Separation Agreement

Coding Practices: Coding for Security

Flaw remediation: Notification and Documentation from Vendor; Problem Reporting

Malware Detection and Protection

Host Name Resolution: Network Addressing and Name Resolution


Procurement Language Topics - continued

End Devices: Intelligent electronic Devices; Remote Terminal Units; Programmable Logic Controllers; Sensors, Actuators and Meters

Remote Access: Dial up Modems; Dedicated Line Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications

Physical Security: Access of Cyber Components; Perimeter Access; Manual Override Control; Intra-perimeter Communications

Network Partitioning: Network Devices; Network Architecture


A Page From the Tool Kit: Format

Procurement Topic

Security Risk or Basis Description

Language Guidance

Procurement Language

Factory Acceptance Test Measurements

Site Acceptance Test Measurements

Maintenance and Operations Guidance

References or Standards

Dependencies

Subjects Version 2.0

System Hardening: Removal of Unnecessary Services and Programs; Host Intrusion Detection systems; Changes for File Systems and OS Permissions; Hardware Configurations; Heartbeat Signals; Installing OS applications and 3rd party software

Security Issues and Fixes: 1.2.3.4

Type | Port | Issue and Fix
Informational | netbios-ssn (139/tcp) | An SMB server is running on this port Nessus ID : 15071
Informational | netbios-ns (137/udp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. …..The remote host has the following MAC address on its adapter : 00:0e:0e:b1:08:d9 CVE : CVE-1999-0671 Other references : OSVDB:13577 Nessus ID : 10490

Analysis of Host

Address of Host | Port/Service | Issue regarding Port
1.2.3.4 | netbios-ssn (139/tcp) | Security notes found
1.2.3.4 | netbios-ns (137/udp) | Security notes found
1.2.3.4 | ldap (389/tcp) | Security notes found

From a Nessus Scan

Subjects Version 2.0

Perimeter Protection: Firewalls; Network Intrusion Detection Systems; Canaries

Subjects Version 2.0

Account Management: Disabling, Removing or Modifying Well-Known or Guest Accounts; Session Management; Password/Authentication Policy and Management; Account audit and Logging; Role-based Access Control; Single Sign-on; Separation Agreement

User: dopey

Password: badPassword

Subjects Version 2.0

Coding Practices: Coding for Security

OllyDbg

Rating System Description of weaknesses Simplicity Impact

A Database Software; SQL non-parametric query allows for SQL attacks

B Perl scripts taintness option not enabled - allowed for the uploading and execution of arbitrary code

C SQL Injection vulnerabilities used to exploit server on DMZ

D Miscellaneous Client software, database connections, SQL injection

E Real time database, SQL forward, IPSec can be disabled

F Application point of failure, several variable overflows, ICCP, 3rd party security product

G Proprietary file share server, data listener, input output handler

H Database and application server key logger attack

I Input output handler, 3rd party log monitor tool, OS scheduling utility proprietary listener

J Proprietary listener and database

Subjects Version 2.0

Flaw Remediation: Notification and Documentation from Vendor; Problem Reporting

1988 Clear Text Vulnerability

Impact

Exposure

Deployment

Simplicity

EXAMPLE (CVE-2006-3942)

Subjects Version 2.0

Malware Detection and Protection

SANS.org Internet Storm Center

Subjects Version 2.0

Host Name Resolution: Network Addressing and Name Resolution

Allowed Network Flows

Host 1 | Host 2 | Port
Host A | Host B | TCP 80
Host C | Host D | TCP 123

Alert on all other flows

New Subjects Version 2.0

End Devices: Intelligent electronic Devices; Remote Terminal Units; Programmable Logic Controllers; Sensors, Actuators and Meters

Sensors

Control Valves

Programmable Logic Controllers (PLC)

Smart Meters

Remote Terminal Unit

New Subjects Version 2.0

Remote Access: Dial up Modems; Dedicated Line Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications

New Subjects Version 2.0

Physical Security: Access of Cyber Components; Perimeter Access; Manual Override Control; Intra-perimeter Communications

New Subjects Version 2.0

Network Partitioning: Network Devices; Network Architecture

Vendors

Audience is for asset owners or buyers of systems

Support the vendors by addressing technology security problems they deal with as buyers of components

- Important trend: Control System company is an integration & software effort

Provide value to vendors which will pass on to asset owners, start the security dialog in a common language

International Outreach

Pressure from multiple markets

Europe & Asia

International participation & interest

15 countries

UK & Australia taking leadership role

European Union discussions

Participant Creation

Develop an “Open Contribution” framework

Shift drafting from drafting team to participants

Need to set up quality review process and rules

190+ asset owner members

Multiple stakeholder communities

Allow other programs to support (CPNI, AUS Gov, etc.)

Sectors take ownership to apply sections needed unique to architectures

System Integrators use as baseline

Vendors use as discussion points

Vendor Response

Map requirements to product offerings

Distinguish what is provided from what is not

No one entity will be able to provide all requirements

Categorize the functions not provided as either wanted in the future, or not needed because other functions or the architecture make the requirement not relevant

Start the dialog: Use the ‘we don’t provide that’ to open the discussion with the customers on why not or alternatives that work better for the functional needs

Discussion

Gary J. Finco

Idaho National [email protected] 7048

Rita Wells

Idaho National [email protected] 3179

