Status of National and International Standards for Control System Cyber Security - Joe Weiss, KEMA, Inc

Transcript and Presenter's Notes

1
Status of National and International Standards for Control System Cyber Security
Joe Weiss
KEMA, Inc.
jweiss_at_kemaconsulting.com
(408) 253-7934
December 4, 2003

2
Why Do We Care
3
Control Systems Have Been Impacted
  • More than 40 confirmed cases including chemical
    and nuclear power plants
  • Not identified by any traditional reporting
    entity
  • In all industries
  • Power, oil/gas, water, paper, chemicals
  • Damage not recognized as cyber
  • Firewalls, IDS not in-place
  • Damage viewed as mechanical or electrical, not
    cyber
  • Control system suppliers providing web-enabled,
    Microsoft, and/or wireless capabilities
  • Control systems becoming unintended targets
  • Slammer and Blaster impacted control system
    performance

4
Hackers Starting to Look at SCADA
  • 'We have your water supply, and printers' -
    Brumcon report Things started to get a little
    more interesting when semi sober we reconvened to
    investigate the security surrounding the UK's
    water management system. The talk was titled "how
    safe is a glass of water." It was a detailed
    breakdown of the RF systems that are used by
    water management authorities in the UK and how
    these systems can be abused, interfered with and
    generally messed. The live demonstration
    included how to monitor the un-encrypted water
    management systems and create a denial of service
    attack. It was also made clear that additional
    communication channels using dial up connections
    would kick in automatically in the event of such
    an attack.

5
Standard and Industry Activities
6
Caveat
  • This is not a complete list; more groups seem to
    be forming without any formal coordination

7
IEEE Activities
  • Power Engineering Society (PES) created a task
    force to review cyber security impacts
  • Nuclear Power Engineering Committee (NPEC)
  • Prepared cyber security chapter for Electric
    Power Substations Engineering
  • POSIX (portable operating systems) excluded
    security as a consideration
  • Now addressing as part of the Open Group's Real
    Time Security Forum
  • Focus is to create security APIs for Real Time
    Operating System kernels

8
ISA Activities
  • SP99- Manufacturing and Controls Systems Cyber
    Security
  • ISA dTR99.00.01
  • Security Technologies for Manufacturing and
    Control Systems
  • ISA dTR99.00.02
  • Integrating Electronic Security into the
    Manufacturing and Control Systems Environment
  • Engineering Technology and Science Policy
    Committee
  • Position statement on cyber

9
ISA SP99 Future Activities
  • Involve additional users, vendors, and security
    expertise as appropriate
  • WG 1 and 2: Update Technical Reports
  • WG 2: Develop program requirements into standard
  • WG 3: Develop security controls requirements
  • WG 3: Develop or adapt reference model
  • WG 7: Formalize liaisons/interfaces

10
IEC
  • ISO/IEC JTC 1 Security Standards for all
    industries
  • Includes banking, etc
  • TC45 Nuclear Standards
  • TC 57 Working Groups 7 and 15 Telecontrol for
    Electric Power Applications
  • Revising TASE.2 (ICCP) to include security
  • Not addressing control systems
  • TC 57 Working Group 3 Data Integrity
  • Companion standards 60870-5-101,102,103,104
  • Working Group 15 is lead for security
  • TC 65C Fieldbus
  • Starting to address cyber security

11
DNP
  • SCADA protocol
  • Current status
  • Does not include security
  • Assessing the need
  • Protocol analyzers available
  • Cyber vulnerability demonstrated

12
CIGRE
  • CIGRÉ JWG D2/B3/C2-01 Security for Information
    Systems and Intranets in Electric Power Systems
  • Spring Meeting 2003, June 5-6, 2003 in Oslo,
    Norway
  • Fall Meeting, November 6-7 Paris, France
  • White paper issued
  • Preparing other documents for fall meeting

13
UCA2
  • Substation and Field Equipment Protocol
  • General Model for Substation and Field Equipment-
    GOMSFE
  • Does not include security
  • High Speed device to device communication
    protocol
  • Generic Object Oriented Substation Event (GOOSE)
    protocol
  • Does not include security
  • UCA2TM addresses security
  • Identified technology too resource intensive to
    implement in legacy systems

14
Other Protocols and Buses
  • HART
  • Profibus
  • Profisafe
  • Fieldbus (SP50)
  • Devicenet
  • Modbus, Modbus-Plus
  • Vulnerability demonstrated

15
Meters
  • ANSI Std C12.22-200x
  • Protocol Specification for Interfacing to Data
    Communication Networks
  • Security services are dated 1996

16
NERC CIPAG
  • North American Electricity Reliability Council
    (NERC) Critical Infrastructure Protection
    Advisory Group (CIPAG)
  • Providing Minimum security requirements to FERC
  • Industry ISAC
  • Response to Slammer Worm
  • Providing guidelines
  • Prepared first set of guidelines: Securing
    Remote Access to Electronic Control and
    Protection Systems
  • Time synchronization

17
Regulation/Standards
  • NERC CIPAG developed Cyber Security Standard
  • 16 steps
  • Does not include power plant control systems or
    substations
  • Urgent Action Standard implementation schedule
  • Substantial compliance by First Quarter-04
  • Final Standard in preparation
  • Expect to include power plant controls and
    substations

18
Government- Technical
  • DOE
  • National SCADA Test Bed
  • Issued 21 Steps to Secure SCADA Networks
  • NIST
  • Test Beds
  • Technology/standards support
  • PCSRF
  • DOD
  • Red Team assessment
  • Test Bed
  • EMP/Cyber
  • National Academies

19
Government-Technical (continued)
  • Naval Post-Graduate School
  • Lecture- Not addressing control systems
  • Nuclear Regulatory Commission (NRC)
  • Performing 4 plant assessments
  • Homeland Security
  • National Plan to Secure Cyberspace
  • Weaknesses with respect to control systems
  • Vulnerability assessments
  • EPA
  • Water industry vulnerability assessments
  • National Infrastructure Security Coordination
    Centre (UK)
  • Sponsoring research
  • Sponsoring information-sharing

20
Government - Legislative
  • National Infrastructure Protection Center -NIPC
    (FBI)
  • Legislative
  • Cyber Security funding
  • Critical Infrastructure Protection hearings
  • GAO
  • Congressional testimony
  • Library of Congress-CRS
  • August 12 Report on Remote Control Systems
  • Very poor technical quality
  • July 14 revised report
  • Much better, but still has technical issues

21
Other
  • Nuclear Wireless Users Group
  • CIDEX- Chemical Industry Database Exchange
  • AGA- American Gas Association
  • AGA12-1 SCADA encryption
  • ASME (Mechanical Engineers)
  • Technical support groups
  • Not addressing cyber
  • NSPE- National Society of Professional Engineers
  • Technical support groups
  • AICE (Civil Engineers)
  • Not addressing cyber

22
Other (continued)
  • Partnership for Critical Infrastructure Security
    (PCIS)
  • Center for Strategic and International Studies
    (CSIS)
  • Critical infrastructures not susceptible to
    cyber
  • Professionals for Cyber Defense
  • Input to Homeland Security
  • Insurance
  • Understanding
  • Liability/exclusions
  • SCADA list server (Australia)
  • Protocol analyzers
  • Modems
  • Radios

23
Conclusions
  • Lots of activity
  • Still significant lack of understanding at all
    levels
  • Not all technically viable or appropriate
  • Insufficient control system guidelines and
    procedures
  • Insufficient control system security technology
  • Insufficient representation
  • Very little coordination
  • Who should coordinate efforts???