NIST Industrial Control System Security Activities


Keith Stouffer
National Institute of Standards and Technology
Information Security and Privacy Advisory Board (ISPAB) Meeting
Doubletree Hotel, Rockville, MD
September 14, 2005
Intelligent Systems Division, Manufacturing Engineering Laboratory

Industrial Control System Security
The (US) National Plan for Information Systems Protection and the recently released GAO-04-354 cite industrial control systems as critical points of vulnerability in America's utilities and industrial infrastructure.
"Successful attacks on control systems could have devastating consequences, such as endangering public health and safety."
Sectors affected: Electric power; Water; Oil & Gas; Chemicals; Pharmaceuticals; Mining, Minerals & Metals; Pulp & Paper; Food & Beverage; Consumer Products; Discrete Manufacturing (automotive, aerospace, durable goods)

General Supervisory Control and Data Acquisition (SCADA) System (diagram)

General Distributed Control System (DCS) (diagram)

Information Technology vs. Industrial Control Systems: Different Performance Requirements
- Information Technology: Non-realtime; response must be reliable; high throughput demanded; high delay and jitter accepted
- Industrial Control: Realtime; response is time critical; modest throughput acceptable; high delay and/or jitter is a serious concern

Information Technology vs. Industrial Control Systems: Different Reliability Requirements
- Information Technology: Scheduled operation; occasional failures tolerated; beta testing in the field acceptable
- Industrial Control: Continuous operation; outages intolerable; thorough testing expected

Information Technology vs. Industrial Control Systems: Different Risk Management Requirements (Delivery vs. Safety)
- Information Technology: Data integrity paramount; risk impact is loss of data, loss of business operations; recover by reboot
- Industrial Control: Human safety paramount; risk impact is loss of life, equipment or product; fault tolerance essential
These differences create huge differences in acceptable security practice.

Information Technology vs. Industrial Control Systems: Different Security Architectures
- Information Technology: The central server is the critical device for protection (not the edge client)
- Industrial Control: The edge device, such as the PLC or smart drive controller, is considered more important than a central host such as a data historian server

Industrial Control System (ICS) Security Challenges
- Real time constraints: IT security technology can impact timing and inhibit performance (response times are on the order of ms to s)
- Balancing of performance, reliability, flexibility, safety and security requirements
- Difficulty of specifying requirements and testing capabilities of complex systems in operational environments
- Security expertise and domain expertise are both required, but are often separated

ICS Security Program Summary
- Goal: To develop standards and test methods to enable the integration of security engineering into the industrial automation life cycle, including design, implementation, configuration, maintenance and decommissioning. This goal supports the objectives of the NIST Homeland Security Strategic Focus Area.
- Outcome: Reduced likelihood of successful cyberattack on the nation's critical infrastructure
- NIST Role: Working with industry to develop standards and test methods for validation and conformance

NIST ICS Security Activities (approximately 3 FTE level of effort)
- Process Control Security Requirements Forum (PCSRF)
- System Protection Profile for Industrial Control Systems (SPP-ICS)
- SCADA Protection Profile
- SP800-82 Guide for SCADA and ICS Security
- ICS Vendor Security Checklist Program
- Industrial Control System Security Testbed
- Support of related efforts (ISA SP-99, DHS Process Control Systems Forum (PCSF), I3P SCADA Initiative, AGA 12 SCADA Cryptography, IEC/ISO 65C, etc.)

Process Control Security Requirements Forum (PCSRF)
Securing future systems: a public/private partnership started in spring 2001 to increase the security of industrial process control systems through the definition and application of a common set of information security requirements for these systems. Based on ISO 15408 (the Common Criteria for IT security evaluation).

Collaborators/Partners
Approximately 680 registered members including:
- ICS Vendors
- IT Vendors
- Standards Organizations (ISA-SP99; ISO/IEC 15408, 19791, 61508, 65C; AGA 12)
- Government
- End Users

PCSRF Membership
On 8/31/05 there were 680 individual members from 401 organizations in 32 countries (USA, Canada, Australia, Austria, Belgium, Chile, China, Croatia, France, Germany, Hong Kong, India, Ireland, Israel, Italy, Japan, Lithuania, Netherlands, New Zealand, Norway, Panama, Portugal, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, UK, Venezuela).

PCSRF Website
- A Google search for "industrial control security" or "process control security" returns the PCSRF site as the first (most valid) listing
- SPP-ICS downloaded over 20,000 times
- Website had over 100,000 server requests

System Protection Profile for Industrial Control Systems (SPP-ICS)
- 151 page generic system level protection profile for ICS
- Contains security functional and assurance requirements that extend ISO 15408 to address systems (ISO/IEC 19791)
- Presents a cohesive, cross-industry set of security requirements for new industrial process control systems
- Includes IT and non-IT security requirements
- Considers an entire system and addresses requirements for the entire system lifecycle
- A starting point for: more specific system protection profiles (SCADA, DCS); a System Security Target (SST) for a specific instance of an industrial control system; component protection profiles (PPs), e.g. industrial controller authentication, sensor authentication, etc.

Main Recommendations
- Address security throughout the system life cycle
- Defense in depth approach
- Identification and authentication of users and data
- Event recording and auditing
- Reliable and standard (consistent) time stamps
- Encryption where required
- Secure out of the box
- Policies and procedures
- Personnel
- Configuration and patch management

Security Requirements Packages Approach (diagram)
Baseline System Protection Profile for Industrial Control Systems (SPP-ICS): a common specification of requirements, application notes and guidance. Industry-specific additions (Industry 1, Industry 2, Industry 3) and component-specific additions (Component 1) are layered on the baseline as added requirements and specific guidance.

SCADA Protection Profile
- PCSRF Working Group: 10 member group experienced in Common Criteria, SCADA systems and requirements
- Specific functional and assurance requirements for SCADA systems
- Comprised of 2 connected PPs: Control Center Protection Profile; Field Device and Communications Protection Profile

SP800-82 SCADA/ICS Security Guideline
- Guidance for establishing secure SCADA and Industrial Control Systems
- Provides an overview and presents typical topologies to facilitate the understanding of industrial control systems
- Identifies typical vulnerabilities, threats and consequences
- Provides guidance on security deployment, including administrative, physical and technical countermeasures to mitigate the associated risks
- Public draft by September 30, 2005, with final document completed by January 1, 2006

Document Organization
- Executive Summary
- Introduction
- Industrial Control Systems
- Industrial Control Systems Vulnerabilities
- Industrial Control Systems Security Deployment
- Emerging Security Capabilities
- Appendices: Acronyms and Abbreviations; Glossary of Terms; Current Activities in SCADA/Industrial Control Security; Case Study

Audience
- Control engineers, integrators and architects when designing and implementing secure SCADA and/or industrial control systems
- System administrators, engineers and other IT professionals when administering, patching and securing SCADA and/or industrial control systems
- Security consultants when performing security assessments of SCADA and/or industrial control systems
- Managers responsible for SCADA and/or industrial control systems
- Researchers and analysts who are trying to understand the unique security needs of SCADA and/or industrial control systems
- Vendors developing products that will be deployed in SCADA and/or industrial control systems

Industrial Control Systems
Provides an overview of SCADA and industrial control systems:
- Control Systems vs. Typical IT Systems
- SCADA Systems
- Industrial Process and Discrete Part Control Systems
- Control System Components and Connectivity

Industrial Control Systems Vulnerabilities
Discusses SCADA and industrial control systems vulnerabilities:
- Administrative Vulnerabilities (policies and procedures)
- Physical Vulnerabilities
- Platform Vulnerabilities
- Network Vulnerabilities

Industrial Control Systems Security Deployment
- Business case for security
- Layered security
- Recommended Management, Operational and Technical security controls (countermeasures) to mitigate the risk associated with each vulnerability

Management Controls
- Risk Assessment
- Developing and Implementing a Security Program
- System and Services Acquisition
- Security Assessments

Operational Controls
- Personnel Security
- Patch Management
- Configuration Management
- Checklists
- Network Segmentation
- Incident Response
- Disaster Recovery Planning
- Physical Protection

Technical Controls
- User Identification, Authentication and Authorization
- Data Identification and Authentication
- Device Identification, Authentication and Authorization
- Logging
- Audit
- Secure Communications
- Access Control
- Intrusion Detection and Prevention
- Virus, Worm and Malicious Code Detection

Emerging Security Capabilities
Discusses emerging security capabilities that are being developed in the SCADA and industrial control system sector, such as device authentication for field devices and encryption modules.

Appendices
- Acronyms and Abbreviations
- Glossary of Terms
- Mapping of document controls to SP800-53, ISA-SP99, ISO 17799, others?
- Current Activities in SCADA/Industrial Control System Security
- Case study in SCADA and industrial control system security
- References

ICS Vendor Security Checklist Program
- Work with SCADA/ICS security and security-enabled product vendors/manufacturers to submit recommended security settings for their products to the current NIST IT Security Checklist Program
- Checklists are also commonly referred to as lockdown guides, hardening guides, security technical implementation guides (STIGs), or benchmarks. A checklist could also contain scripts, templates, and pointers to patches, updates or firmware upgrades that can be applied to the product.
- NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products, provides guidance for checklist developers and users

NIST Industrial Control System Security Testbed
Provides an industrial setting in which to:
- validate standards for process control security
- develop performance and conformance test methods
Targeted outcomes:
- development and dissemination of best practices for process control security
- security standards for acquisition, development, and retrofit of industrial control systems

NIST Industrial Control System Security Testbed Architecture (diagram)

Water Distribution SCADA System (diagram labels): Ultrasonic Level Transmitters; Analog Flow Meters; DNP 3.0 Serial; Liquid Level Switches; Centrifugal Pumps; Ethernet

Factory Control System
- DeviceNet I/O network
- Three controller options: Wonderware PC-based software PLC; Modicon hardware PLC; DeltaV Hybrid Controller
- SQL database for data logging

National SCADA Testbed (diagram)

Antivirus Test Methods
- Develop performance tests to screen for potential problems when deploying security software in industrial control system environments
- Test procedures and guidance, with accompanying data, to illustrate potential problems and solutions when deploying security software with industrial control systems

Test Case charts: Manual Scanning Hard Drive; Virus Definition Update
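The antivirus test methods above measure whether a host-side scan or definition update disturbs a control loop whose response times are on the order of ms to s. The following is an added example, not code from the NIST testbed or the slides: it computes the period, jitter and missed-deadline statistics such a test would report, on constructed cycle timestamps for a nominal 100 ms loop, and compares a run with security software active against a baseline run.

```python
"""Added example (not part of the NIST slides): loop-timing analysis for
screening security software in an ICS environment. All timestamps below are
constructed sample data, not measurements from the NIST testbed."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class CycleReport:
    cycles: int
    max_period_ms: float
    mean_period_ms: float
    max_jitter_ms: float      # largest deviation from the nominal period
    missed_deadlines: int     # periods that exceeded nominal + tolerance
    worst_cycle_index: int    # index of the longest period (0-based)


def analyse_cycle_times(timestamps_ms, nominal_ms, tolerance_ms):
    """Period statistics for a polled control loop.

    timestamps_ms: monotonic start time of each loop iteration (ms).
    nominal_ms:    expected loop period, e.g. 100 ms for a PLC poll.
    tolerance_ms:  lateness the process can absorb before the response
                   is no longer acceptable for a time-critical loop.
    """
    if len(timestamps_ms) < 2:
        raise ValueError("need at least two cycle timestamps")
    periods = [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]
    jitters = [abs(p - nominal_ms) for p in periods]
    worst = max(range(len(periods)), key=lambda i: periods[i])
    missed = sum(1 for p in periods if p > nominal_ms + tolerance_ms)
    return CycleReport(len(periods), max(periods), mean(periods),
                       max(jitters), missed, worst)


def compare_runs(baseline, under_test, nominal_ms, tolerance_ms):
    """Pass/fail of the test: the run with security software active must
    miss no more deadlines than the baseline and stay within tolerance."""
    base = analyse_cycle_times(baseline, nominal_ms, tolerance_ms)
    test = analyse_cycle_times(under_test, nominal_ms, tolerance_ms)
    return (test.missed_deadlines <= base.missed_deadlines
            and test.max_jitter_ms <= tolerance_ms)


# Constructed sample data: 100 ms loop. The second run stalls around the
# fourth cycle while a full hard-drive scan competes for disk I/O.
BASELINE = [0, 100, 201, 300, 399, 500, 600, 701, 800, 900]
DURING_SCAN = [0, 100, 202, 300, 640, 700, 803, 900, 1000, 1101]

if __name__ == "__main__":
    print(analyse_cycle_times(DURING_SCAN, nominal_ms=100, tolerance_ms=20))
    print("pass" if compare_runs(BASELINE, DURING_SCAN, 100, 20) else "fail")
```

The same routine applies unchanged to the definition-update test case; only the captured timestamps differ.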

Collaboration
- Cross-laboratory collaboration with the Electronics and Electrical Engineering Laboratory (EEEL) and the Information Technology Laboratory (ITL) at NIST
- Standards body collaboration with ISA, including development of the ISA-SP99 standard and coordination with the SP99 Chair on industrial control security activities
- Government collaboration with the Department of Homeland Security (DHS), including the Process Control Systems Forum (PCSF), and other government agencies including the Department of Energy (DOE)
- Testbed collaboration with the National SCADA Testbed (Idaho National Engineering and Environmental Laboratory and Sandia National Laboratory)

The Instrumentation, Systems, and Automation Society (ISA)-SP99
Developing an ANSI Standard for Industrial Control System Security:
- Part 1: Models and Terminology
- Part 2: Establishing a Manufacturing and Control Systems Program (NIST is the technical editor for Part 2)
- Part 3: Operating a Manufacturing and Control Systems Program
- Part 4: Specific Security Requirements for Manufacturing and Control Systems (security requirements developed by PCSRF will feed Part 4, due to start in 2006)

DHS Process Control Systems Forum (PCSF): www.pcsforum.org

I3P SCADA Initiative
- Collaborating with Dartmouth since March 2005
- I3P SCADA Security Workshop, June 2 and 3 in Houston
- Sent organizers approximately 40 contacts in the oil and gas industry (end users and vendors) for the June 2 and 3 workshop
- Met with I3P contacts at NIST on May 9 and during the May 17-19 PCSF/PCSRF meetings in Dallas

SCADA Link Encryption
- NIST funded contract with Gas Technology Institute to develop performance tests for cryptographic protection modules in industrial control system environments
- Test procedures and guidance, with accompanying data, to be used when deploying SCADA link encryption
- AGA 12 (SCADA Link Encryption Standard)

GTI Testbed
GTI testbed to study the effects of cryptographic modules on the asynchronous communications networks used in SCADA systems.

Recent Outreach
Presentations/Publications:
- Best Practices for Driving Operational Excellence in Manufacturing, ARC Advisory Group Forum, Orlando, FL, January 2004
- I-4 Regional Meeting: Process Control Security, ExxonMobil Research and Engineering Co, Fairfax, VA, April 2004
- 2004 TAPPI Paper Summit, Atlanta, May 2004
- 2004 NDIA Homeland Security Symposium & Exhibition, Hyatt Regency, Crystal City, Virginia, May 2004
- Microsoft Executive Circle Manufacturing Security Summit, Redmond, WA, July 2004
- ISA Industrial Network Security Technical Conference "New Developments and Directions", Philadelphia, PA, July 2004
- Infosecurity 2004, New York, NY, December 2004
- Water Environment Research Foundation Security Workshop, Washington DC, April 2005
- 2nd International Symposium for Industrial Control Security, Vancouver, April 2005
- PCSF/PCSRF Meetings, May 2005
Magazine articles:
- Control Engineering, June 2004
- Control, Federal Computer Week, October 2004
- ComputerWorld, InfoSec News, CSO Online, Computerweekly Online, Symantec Online, November 2004

Summary
- Process control automation is heavily used in critical infrastructure
- Traditional IT security solutions can't blindly be applied to real-time, embedded devices and controllers
- Users, vendors and integrators are teaming to develop standards and products to address the needs
- NIST's role is working with industry to develop standards, guidelines, checklists and test methods for industrial control system security

Additional Information
More at …control or www.niap.nist.gov (click Forums → Process Control)
