ICS Cybersecurity Strategy Paradigm White Paper March 2018

Industrial Control Systems Cybersecurity Strategy, A New Approach


by Annabelle Lee, Nevermore Security


Executive Summary

Threats to the Industrial Control Systems (ICS) and Operational Technology (OT) that operate our critical infrastructures are now in the daily news. ICS automate the operation of power plants and the nationwide flow of oil and natural gas through pipelines, and they support the critical manufacturing of goods and pharmaceutical products for everyday use. Attacks on these systems can interrupt major critical infrastructures, cause physical damage, and potentially threaten human health and safety.

Advances in technology and today’s Industrial Internet of Things (IIoT) devices expand the attack surface of the ICS, with the impact extending to all parts of the organization operating the critical infrastructure, to its supply chain, and ultimately to the end-use customers. Current cybersecurity solutions cannot provide comprehensive protection against all the known and unknown threats to the automation components that operate the critical infrastructures, and the energy sector in particular. Because the threat and technology environments change constantly, this defensive approach leaves the critical infrastructures perpetually playing catch-up in cybersecurity. Cyber attacks may be launched, for example, by malicious insiders, via the supply chain, and/or through unauthorized remote access. Attackers only have to be effective once, whereas defenders need to be effective 100% of the time, and it is not realistic to identify and address 100% of all known and potential cyber attacks. With the increasing availability of attack tools and techniques, the end result is that defenders keep falling further behind.

This white paper proposes an alternative to the current defensive paradigm. The proposed paradigm augments the defensive approach by considering cybersecurity from the attacker’s perspective, which includes identifying attack surfaces, attack vectors, and impacts. Because it is not possible to mitigate all potential cyber events, the objective is to identify the most common attack paths and to mitigate the highest-impact cyber events, independent of the specific attack method. This covers both known and potential cybersecurity events; unknown cyber events are characterized by their impact on the ICS and on the reliability of the grid. This paradigm will allow the energy sector to be more proactive in addressing cybersecurity and more resilient in the event of cyber attacks.


Recommendations for the European Commission on a European Strategic Framework and Potential Future Legislative Acts for the Energy Sector (co-author)

The Commission, under the lead of DG Energy, is preparing a strategy on cyber security for the whole energy sector, to reinforce and complement the implementation of the Directive on security of Network and Information Systems (NIS) at the energy sector level and to foster synergies between the Energy Union and the Digital Single Market agenda. In this respect, the Energy Expert Cyber Security Platform (EECSP) Expert Group started work in December 2015. This document reflects the work of that Expert Group towards the development of an energy cyber security strategy, based on an analysis of the relevant cyber security challenges and of existing policy papers, with the aim of recommending actions for consideration by the European Commission.

  • Chapter 3 provides an executive summary highlighting the key analysis results and recommended actions.
  • The approach and methodology used by the EECSP Expert Group to derive these recommendations are described in detail in chapter 4.
  • Chapter 5 gives a detailed view of the challenges in the energy sector as seen by the EECSP Expert Group.
  • These challenges have led to a set of strategic areas that need to be addressed by the energy sector; the strategic areas are described in chapter 6.
  • Chapter 7 summarizes the existing policy landscape in cyber security for the energy sector at European Union level.
  • These policy papers were analyzed against the strategic areas to find gaps in existing policy; the gaps are presented in chapter 8.
  • A set of recommended actions to be considered by the European Commission is included in chapter 9.


National Institute of Standards and Technology Interagency Report (NISTIR) 7628, Guidelines for Smart Grid Cyber Security (technical lead for the initiative and co-author)

This three-volume report presents a framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.


National Institute of Standards and Technology (NIST) Special Publication 800-53, Rev 5, Security and Privacy Controls for Information Systems and Organizations (one of the original authors)

This publication provides a catalog of security and privacy controls for federal information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile attacks, natural disasters, structural failures, human errors, and privacy risks. The controls address diverse requirements derived from mission and business needs, laws, Executive Orders, directives, regulations, policies, standards, and guidelines.

The publication describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions and business functions, technologies, environments of operation, and sector-specific applications. Finally, the consolidated catalog of controls addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms) and an assurance perspective (i.e., the measure of confidence in the security or privacy capability). Addressing both functionality and assurance ensures that information technology products and the information systems that rely on those products are sufficiently trustworthy.


Cybersecurity Procurement Language for Energy Delivery Systems (co-author)

This document provides baseline cybersecurity procurement language that represents the consensus opinion of the document authors, guided by input from voluntary reviewers representing the Acquirer, Integrator, and Supplier communities. It focuses on the cybersecurity of energy delivery systems (i.e., control systems) and does not attempt to specify or replace cybersecurity-based procurement language for acquisitions involving IT. Considerations for IT cybersecurity are outlined in many standards and guidance documents (e.g., the NIST 800 series of publications). Users of this document are responsible for ensuring that actions taken during the procurement process comply with current standards and regulations. In addition to the language included in this document, acquired products and services should conform to the applicable IT security standards and operational technology (OT) standards for energy delivery systems.

This document is designed to provide baseline cybersecurity procurement language for the following:

  • Individual components of energy delivery systems (e.g., programmable logic controllers, digital relays, or remote terminal units).
  • Individual energy delivery systems (e.g., a SCADA system, EMS, or DCS).
  • Assembled or networked energy delivery systems (e.g., an electrical substation [transmission and distribution] or a natural gas pumping station).


Electricity Subsector Cybersecurity Capability Maturity Model, Version 1.1 (co-author)

The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) can help electricity subsector organizations of all types evaluate and make improvements to their cybersecurity programs. The ES-C2M2 is part of the DOE Cybersecurity Capability Maturity Model (C2M2) Program and was developed to address the unique characteristics of the electricity subsector. The program supports the ongoing development and measurement of cybersecurity capabilities within the electricity subsector, and the model can be used to:

  • Strengthen cybersecurity capabilities in the electricity subsector.
  • Enable utilities to effectively and consistently evaluate and benchmark cybersecurity capabilities.
  • Share knowledge, best practices, and relevant references within the subsector as a means to improve cybersecurity capabilities.
  • Enable utilities to prioritize actions and investments to improve cybersecurity.

The ES-C2M2 provides descriptive rather than prescriptive, industry-focused guidance. The model content is presented at a high level of abstraction so that it can be interpreted by subsector organizations of various types, structures, and sizes.


Appropriate Security Measures for Smart Grids: Guidelines to Assess the Sophistication of Security Measures Implementation (contributor)

This document describes a set of security measures which are considered to be appropriate for smart grids. The European Network and Information Security Agency (ENISA) issued this report to assist the Member States and smart grid stakeholders in providing a framework/measurement tool that could be used for:

  • Aligning the varying levels of security and resilience of the market operators with a consistent minimum framework;
  • Providing an indication of a minimum level of security and resilience in the Member States with regards to the smart grids, thereby avoiding the creation of the “weakest link”;
  • Ensuring a minimum level of harmonization on security and resilience requirements for smart grids across Member States and thus reducing compliance and operational costs;
  • Setting the basis for a minimum auditable framework of controls across Europe;
  • Facilitating the establishment of common preparedness, recovery and response measures and paving the way for mutual aid assistance across operators during a crisis;
  • Contributing to achieving an adequate level of transparency in the internal market.


Catalog of Control Systems Security: Recommendations for Standards Developers (co-author)

This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems against both physical and cyber attacks. The recommendations in this catalog are grouped into 19 families, or categories, with similar emphasis. Each recommendation within a family is presented with a summary statement, supplemental guidance or clarification, and a requirement enhancements statement that augments the recommendation for special situations. This catalog is not limited to a specific industry sector; all sectors can use it to develop the framework needed to produce a sound cybersecurity program. It should be viewed as a collection of recommendations to be considered and judiciously employed, as appropriate, when reviewing and developing cybersecurity standards for control systems. The recommendations are intended to be broad enough to give any industry using control systems the flexibility needed to develop sound cybersecurity standards specific to its individual security needs.


Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules (technical lead for the standard)

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunication systems. This publication provides a standard that will be used by Federal organizations when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that will be satisfied by a cryptographic module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
