ICS ISAC Chair Chris Blask interview by Mohammed Alseedi, Lecturer at Taibah University, Kingdom of Saudi Arabia

On Sunday June 9 ICS-ISAC Chair Chris Blask gave an interview to Mohammed Alseedi at Taibah University in the Kingdom of Saudi Arabia, sharing his experience with students in the region who are considering careers in security.

Listen at: https://www.youtube.com/watch?feature=player_embedded&v=fwCODzYNCeU

Hammer Time

There are times for finesse and then there are times for blunt force. Telling which is which is often the defining characteristic of success in any endeavor. For many years the effort to address cybersecurity risks and threats to industrial systems has called for finesse and patience while we slowly accreted the components from which a solution can be constructed. The time has come, however, to swing some hammers.

The Situational Awareness Reference Architecture (SARA) is what the ICS-ISAC was created to foster and to be a part of. It has been clear to us since 2006 that there is a critical need for a basic agreement on how facilities can answer the three questions of situational awareness, Identity, Inventory and Activity, and how they can appropriately share that knowledge with external parties to create broader situational awareness. Until this year, when developments in many areas came together to provide the necessary foundations, there was no value in trying to drive to a final specific definition of SARA. Today, however, evidence that the stage is set for the final act is everywhere.

Years of legislative, technical, organizational and sociological evolution have produced the environment in which an operable solution can be created. From STIX 1.0 to PPD-21 “Implementation” section 4, NERC CIP 5.0 to Qatar’s National ICS Security Standards, from advances in security products to growth in the motivations of asset owners and integrators, the major building blocks of the shared solution have been placed together in the Assembly Area.

While enjoying Erich Gunther’s Brandy Barrel Porter on the Enernex veranda this Monday I related a story that sums up the times we are in. Back in 1990 at GE Power Generation we were assembling the first 9000F turbine prototype. After years of development and billions of dollars the 100-ton rotor of what would become the world’s most powerful fueled motor hung inches above the casing. A tense crowd of executives and luminaries watched anxiously as it crept downward. With less than an inch left before the finned marvel of science and engineering nestled onto its mirror-smooth bearing journals the harness supporting it went unexpectedly slack.

It didn’t fit.

With corporate masters fainting into the waiting arms of acolytes a group of four engineers and operators gathered and talked for a few minutes. With a mutual nod the largest of them - a Paul Bunyan of a man - strode over to this pinnacle of engineering and proceeded to beat the living tar out of it with a massive wooden mallet and an enthusiasm which would have made Wile E. Coyote blush with envy. Finally satisfied, he gave a gesture to the crane operator and stepped back to watch the rotor snuggle perfectly into place.

We fired the 300,000 horsepower monster a few months later and went on to beat Mitsubishi for a billion-dollar installation at Tokyo Electric Power Company. That 9000F's descendants went on to become the dominant fuel turbines in power generation worldwide to this day.

To solve the challenge we face in our community today we must establish a Global Knowledge Network. We must create an environment where industrial facilities: are able to have and maintain knowledge of their systems; where they can appropriately share some of that knowledge with the rest of us; and where they are capable of effectively using knowledge shared with them. The architecting, engineering, machining and component assembly of the Global Knowledge Network has been done. After it has been bolted together we will be tuning and tweaking it for many years to come. But now we need to seal the casing, install the support equipment, roll the bloody thing out to the test stand and fire it up.

It’s Hammer Time.

Stronger Than Firewalls: Unidirectional Gateways in Defense-In-Depth Architectures- an ICS-ISAC Public Briefing

Unidirectional gateway hardware carries data out of the protected network and nothing back in, so it blocks every on-line attack that would have to originate outside that network. Threats that do not arrive over the network link, such as removable media, portable engineering laptops, insiders and the supply chain, must still be taken into account.
________________________________________
Join us June 19th when Andrew Ginter of Waterfall Security Solutions will review unidirectional gateway technology, explain how and where it is routinely deployed, and describe how it is being positioned within defense-in-depth security architectures.
In addition, Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) Chair Chris Blask will present new developments at the Center.
Designed to benefit both technical and non-technical attendees, the ICS-ISAC Public Briefing series takes a no-nonsense approach to issues that cut across industry, sector and job function. Whether you are a hands-on ICS engineer, an administrator or a C-level decision-maker, you will find information you can take away and implement to further secure your industrial control systems.
Stronger Than Firewalls: Unidirectional Gateways in Defense-In-Depth Architectures
June 19th, 2013 – 1:00-2:30pm ET
Register: https://attendee.gotowebinar.com/register/1500530255350160384
________________________________________
Secure application integration via hardware-enforced unidirectional security gateways is being deployed in a wide variety of industries and is being cited in new and updated industrial cyber-security standards. Industry analysts are advising industrial network security practitioners to become familiar with this alternative to conventional firewalls and to learn where and how to deploy the technology effectively.

Because the hardware provides no return path, the gateway blocks all on-line attacks which originate on external networks, but the technology is not a "silver bullet." On-line attacks are a very important threat vector, but they are not the only cyber threat which organizations must address, and the data the gateway passes outward still has to be handled safely on the receiving side. Join us to review unidirectional gateway technology, to gain an understanding of how and where the technology is routinely deployed, and to recognize how the technology is being positioned within defense-in-depth security architectures.
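What "no return path" means for the receiving side is easiest to see in code. The following toy model is an added example for this page, not Waterfall's product or code from the briefing: it assumes a sender pushing historian records across a channel object that has no method at all by which the receiver could reach back, so lost frames can only be covered by sending redundant copies, and the corporate-side receiver must de-duplicate, check integrity, report gaps and validate content itself, since the gateway stops inbound traffic but passes whatever the protected side emits. The frame format, the sample records, the tag allow-list and the deliberately malformed last record are all constructed for the example.

```python
"""Toy model of replication across a unidirectional gateway (added example)."""
import hashlib
import json

# Constructed sample: historian tag samples leaving the control network.
# The last record is deliberately malformed (a string where a number belongs)
# to stand in for hostile or corrupt content riding the outbound stream.
SAMPLE_RECORDS = [
    {"tag": "PUMP01.FLOW", "value": 412.5},
    {"tag": "PUMP01.PRESS", "value": 6.2},
    {"tag": "TANK02.LEVEL", "value": 73.1},
    {"tag": "TANK02.LEVEL", "value": "0 OR 1=1"},
]

# Assumed allow-list of tags the corporate-side replica is willing to store.
ALLOWED_TAGS = {"PUMP01.FLOW", "PUMP01.PRESS", "TANK02.LEVEL"}


class OneWayChannel:
    """The diode.  Frames travel one way only: there is deliberately no method
    through which the receiving side can reach the sender, and `drop` lists the
    positions of frames lost in transit that nobody can ask to have resent."""

    def __init__(self, drop=()):
        self._delivered = []
        self._drop = set(drop)
        self._offered = 0

    def send(self, frame: bytes) -> None:
        if self._offered not in self._drop:
            self._delivered.append(frame)
        self._offered += 1

    def deliveries(self) -> list:
        return list(self._delivered)


def _frame(seq: int, record: dict) -> bytes:
    # Layout: seq|sha256(seq|payload)|payload.  The digest detects corruption
    # only; it is not authentication, which would need a key shared out of band.
    payload = json.dumps(record, sort_keys=True).encode()
    seq_b = str(seq).encode()
    digest = hashlib.sha256(seq_b + b"|" + payload).hexdigest().encode()
    return b"|".join((seq_b, digest, payload))


def replicate(records, channel: OneWayChannel, copies: int = 2) -> int:
    """Push each record `copies` times.  With no return path the sender never
    learns about loss, so redundancy stands in for retransmission."""
    for seq, record in enumerate(records, start=1):
        frame = _frame(seq, record)
        for _ in range(copies):
            channel.send(frame)
    return len(records) * copies


def _acceptable(record) -> bool:
    # The gateway passed this byte for byte; validating the content is our job.
    if not isinstance(record, dict):
        return False
    value = record.get("value")
    return (record.get("tag") in ALLOWED_TAGS
            and isinstance(value, (int, float))
            and not isinstance(value, bool))


def receive(channel: OneWayChannel) -> dict:
    """Reassemble on the far side: verify, de-duplicate, validate, report gaps."""
    accepted, rejected, seen = {}, [], set()
    for frame in channel.deliveries():
        parts = frame.split(b"|", 2)
        if len(parts) != 3 or not parts[0].isdigit():
            rejected.append(("malformed", frame))
            continue
        seq_b, digest, payload = parts
        if hashlib.sha256(seq_b + b"|" + payload).hexdigest().encode() != digest:
            rejected.append(("digest", int(seq_b)))
            continue
        seq = int(seq_b)
        if seq in seen:  # the redundant copy of a frame already taken
            continue
        seen.add(seq)
        try:
            record = json.loads(payload)
        except ValueError:
            rejected.append(("malformed", seq))
            continue
        if not _acceptable(record):
            rejected.append(("content", seq))
            continue
        accepted[seq] = record
    highest = max(seen, default=0)
    gaps = [s for s in range(1, highest + 1) if s not in seen]
    return {"accepted": accepted, "rejected": rejected, "gaps": gaps}


if __name__ == "__main__":
    # Lose both copies of record 2 and one copy of record 3.
    channel = OneWayChannel(drop={2, 3, 4})
    replicate(SAMPLE_RECORDS, channel)
    print(receive(channel))
```

Run as written, the receiver accepts records 1 and 3, reports sequence 2 as a gap it can do nothing about, and rejects record 4 on content. The gap report is the operational price of the architecture: the protected side must be told about it by some other path, or the historian must be re-read on the next replication cycle.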

Andrew Ginter spent the first part of his career developing operating system and industrial control system products for a number of vendors, including Honeywell and Hewlett-Packard. At Agilent Technologies, he led the development of middleware products connecting industrial control systems to the SAP enterprise resource planning system. As Chief Technology Officer at Industrial Defender, Andrew led the development of the industrial security product suite.
Currently Andrew functions as Director of Industrial Security for Waterfall Security Solutions where he represents Waterfall on standards bodies and works with industry to incorporate Waterfall Unidirectional Gateways into their industrial network designs. Waterfall’s Unidirectional Gateways are deployed in utilities and critical national infrastructures throughout North America, Europe, Asia and Israel. These products help reduce the cost and complexity of compliance with NERC-CIP, NRC, NIST, CFATS and other regulations as well as facilitate implementation of cyber-security best practices.

Chris Blask has a career that spans the breadth of the industrial control system cybersecurity space. From humble beginnings as a control system engineer he soon saw the need for and invented one of the first commercial firewall products. Joining Cisco Systems he then led their firewall business to a position of global leadership, a legacy that continues to this day. Recognizing the need to apply Security Information and Event Management (SIEM) technology to ICS cybersecurity he founded Lofty Perch, authored the first book on SIEM, and created AlienVault’s ICS Group.
Today, Mr. Blask is actively involved with a wide range of domestic and international efforts. He is Founder and CEO of ICS Cybersecurity, Inc.; Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC); Chief Architect for NorthWind Technologies in Doha, Qatar; and is advisor to Itex Solutions in Sana’a, Yemen and to Targetproof in Atlanta, Georgia (USA).
The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) exists to bring together the private sector partners and stakeholders for the purpose of sharing knowledge about risks, threats and best practices across our shared critical infrastructure. The Center was created to provide the ICS community with a common platform where collaboration can be performed in an environment best suited to the needs of all involved parties.
A member driven organization, the ICS-ISAC is supported by valued industry partners including Red Tiger Security, Dynetics, SourceFire, IBM, Management Analytics, McAfee, n-Dimension, Yokogawa, GDS Transnational, SISCO, and Asguard Networks.
Organizations, researchers, vendors, and asset owners interested in joining this collaborative effort to further the collective mission of cybersecurity can become a part of the Industrial Control System Information Sharing and Analysis Center at http://ics-isac.org.

ICS-ISAC Spring Newsletter

Greetings ICS-ISAC Members and Partners!
As we close out the Spring 2013 season it is time to pause and reflect on where we have been as a Center, where we are now, and share our vision for the second half of 2013 and beyond.
Just one year ago the Center was conceived when a gap was identified in the existing ISAC structure. At the May ICSJWG in Savannah, GA the conversation was broadened beyond the half dozen initial participants and further validated. In June of this year the Center will mark one year since incorporation, and as the year progresses more anniversaries will roll by.
Fast forwarding to today we find Membership continues to increase with the addition of educators, vendors, integrators, asset owners, municipalities, regulators, consultants and military representing the diverse community the Center seeks to serve. We welcome the following organizations since our last newsletter:

  • City of Glendale Arizona
  • Comsphere Telecommunications
  • Databracket
  • GDS Transnational
  • Industrial Control Security
  • JFDI Software
  • Management Analytics
  • Midwest Reliability Organization
  • Naval Supply Systems Command
  • Prime Controls
  • SafeLogic
  • SANS
  • Sourcefire
  • SQLStream
  • Teumim Technical
  • Texas PUD
  • Velocity Technology Partners
  • Virginia Tech
  • Waterfall Security
  • Yokogawa

Speakers for the Center’s Monthly Briefings have been lined up far enough into the future that we are now adding a second track with both Public and Members only events. The Members-only track kicked off with Mandiant presenting a high level discussion on their APT1 report.
New developments this coming quarter include the rollout and ongoing development of the Initial Assessment and the ICSLab, the establishment of public-private information sharing mechanisms following completion of our Cooperative Research and Development Agreement (CRADA) with DHS, and our participation in the EO/PPD Integrated Task Force Working Groups (ITF WGs).

Situational Awareness Reference Architecture (SARA)
The ICS-ISAC focuses on knowledge sharing of two types: Human-to-Human and Machine-to-Machine. This newsletter, emails, briefings and other mechanisms for exchanging knowledge between people make up the Human-to-Human efforts of the Center. The Situational Awareness Reference Architecture (SARA) is presently the focus of the Center's Machine-to-Machine knowledge sharing.
SARA in its simplest form is a set of documentation defining a portable and interoperable set of methods for maintaining situational awareness in industrial control systems and for sharing that awareness appropriately with external parties. The combination of such shared awareness by facilities gives rise to situational awareness at Municipal, State, Regional, National and International levels.
Working with members the Center has begun to draft an initial SARA document to provide a basic outline to the architecture. The fundamental structure of this outline document will be to provide space for: a narrative description (“Executive Summary”); open architecture; and expanded appendices.
SARA is focused on the three areas of knowledge necessary for industrial facility situational awareness:
Identity

  • “Who are you?” What are your business drivers, decision making processes, organizational capabilities?

Inventory

  • “What do you have?” What control system devices do you have? What do they control?

Activity

  • “What are you doing?” What activity is normal? How do you maintain visibility? How do you manage change?

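The Inventory and Activity questions lend themselves to a small worked example. The following is an added example written for this page, not part of SARA or of any member product: it assumes an asset register keyed by IP address and flow summaries in a simple constructed line format, learns a baseline of conversations from a period the operator vouches for as normal, and then reports addresses missing from the register (an Inventory gap) and conversations that fall outside the baseline (an Activity change). Addresses, device names and log lines are invented.

```python
"""Inventory and activity baseline over constructed flow records (added example)."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed sample flow summaries in a "ts src dst dport proto" form, the
# kind of record a NetFlow collector or a SPAN-port sensor would produce.
# BASELINE_LOG is from a period the operator vouches for as normal.
BASELINE_LOG = """\
2013-05-01T08:00:01 10.10.1.5 10.10.2.20 502 tcp
2013-05-01T08:00:01 10.10.1.5 10.10.2.21 502 tcp
2013-05-01T08:00:05 10.10.1.9 10.10.2.20 502 tcp
2013-05-01T08:00:05 10.10.1.9 10.10.2.21 502 tcp
2013-05-01T08:01:00 10.10.1.5 10.10.2.20 502 tcp
"""

# OBSERVED_LOG is a later window: an unregistered host polls a PLC, and the
# HMI opens an EtherNet/IP session (tcp/44818) it never used before.
OBSERVED_LOG = """\
2013-06-03T14:12:01 10.10.1.5 10.10.2.20 502 tcp
2013-06-03T14:12:02 10.10.1.77 10.10.2.21 502 tcp
2013-06-03T14:12:09 10.10.1.5 10.10.2.20 44818 tcp
2013-06-03T14:12:30 10.10.1.9 10.10.2.21 502 tcp
"""

# Inventory ("what do you have"): an assumed asset register, address -> (name, role).
INVENTORY = {
    "10.10.1.5": ("HMI-01", "hmi"),
    "10.10.1.9": ("HIST-01", "historian"),
    "10.10.2.20": ("PLC-PUMP01", "plc"),
    "10.10.2.21": ("PLC-TANK02", "plc"),
}


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated log into Flow tuples; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def learn_baseline(flows) -> set:
    """Activity ("what is normal"): the conversations seen in a vouched-for period."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}


def observed_assets(flows) -> set:
    """Inventory as the network actually shows it, to reconcile with the register."""
    return {addr for f in flows for addr in (f.src, f.dst)}


def assess(flows, baseline: set, inventory: dict) -> list:
    """Compare a window of traffic against the register and the baseline.

    Returns deduplicated findings in first-seen order:
      ("unknown-asset", address)              an address missing from the register
      ("new-flow", (src, dst, dport, proto))  a conversation absent from the baseline
    """
    findings = []
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        for addr in (f.src, f.dst):
            if addr not in inventory:
                finding = ("unknown-asset", addr)
                if finding not in findings:
                    findings.append(finding)
        if key not in baseline:
            finding = ("new-flow", key)
            if finding not in findings:
                findings.append(finding)
    return findings


def describe(finding, inventory: dict) -> str:
    """Render a finding with asset names so an operator can act on it."""
    def name(addr):
        return inventory.get(addr, ("unregistered", "?"))[0]

    if finding[0] == "unknown-asset":
        return f"unknown asset {finding[1]} is talking on the control network"
    src, dst, dport, proto = finding[1]
    return f"new flow {name(src)} -> {name(dst)} {proto}/{dport}"


if __name__ == "__main__":
    baseline = learn_baseline(parse_flows(BASELINE_LOG))
    for finding in assess(parse_flows(OBSERVED_LOG), baseline, INVENTORY):
        print(describe(finding, INVENTORY))
```

The baseline is only as trustworthy as the period it was learned from, which is why the Identity question comes first: someone accountable has to vouch that the learning window was clean, and the same change-management process that SARA asks about is what turns a "new flow" finding into either an updated baseline or an incident.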
Members interested in contributing to the development of the SARA outline should send a note to [email protected].

Executive Order 13636 and PPD-21
At the ICS-ISAC we believe that Private Sector interests will best be served to the extent that we actively engage with the Public Sector. The recent Executive Order — Improving Critical Infrastructure Cybersecurity (EO 13636), Presidential Policy Directive 21 (PPD-21) and the NIST Cybersecurity Framework Request for Information (RFI) provide specific opportunities for the Private Sector to work with our Public Sector partners. The Center is engaging with Members individually and in groups to aid in coordinating Private Sector input into this process. We encourage Members to contact us and participate in that conversation. ICS-ISAC staff participated in the April 3rd NIST Cybersecurity Framework Conference and the Center’s response to the RFI can be found here. Patrick Coyle had kind words about our response here on his Chemical Security Blog site.
The ICS-ISAC is participating in the DHS Integrated Task Force (ITF) Situational Awareness & Information Exchange (SAIE) as well as Research & Development (R&D) working groups and NIST CyberSecurity Framework development efforts. Our goals in these efforts are to provide direct contribution to the processes, provide a representative voice on behalf of our membership who cannot participate directly, and to coordinate our related activities with these pivotal evolutions in the US Federal public sector.

Member Vetted Provider Program
The respected Multi-State ISAC has built a successful Trusted Purchasing Alliance program designed to bring vetted and cost-reduced services and products of particular value to its members. The ICS-ISAC has begun a similar program, the Member-Vetted Provider program (MVP).
The first MVP partner Management Analytics provides an ICS Initial Assessment (ICS IA) which helps asset owners answer the first of the three key situational awareness questions:
Identity

  • “Who are you?” What are your business drivers, decision making processes, organizational capabilities?

ICS-ISAC member City of Columbus, Ohio recommended the service for the MVP program after engaging Management Analytics for their own purposes. The City has made dramatic progress under the guidance of Chief Security Officer Miki Calero in previous years and found the one-day interview process and resulting report provided valuable metrics to baseline progress to date and guide future efforts.
The service is delivered as an intensive one-day remote interview that establishes the organization’s comprehensive current state, encompassing all related issues from executive management structure through operational controls and technical architecture. A detailed 40-70 page itemized report is delivered within two weeks of the interview session. The service supports facility operators’ goals by providing a strategic framework within which resource allocation for improving security can be prioritized, and it complements traditional services such as penetration testing and on-site assessments. A number of the Center’s integrator members have endorsed the service as supporting their own service offerings.
Management Analytics has published the assessment Standard of Practice in the open source realm as part of their efforts to contribute to the greater good. This open source Standard of Practice is reflected in the Situational Awareness Reference Architecture (SARA) the ICS-ISAC and its members are currently developing.
To learn more about the Initial Assessment please view our Archived video from April featuring Dr Cohen and Gary Sturdivan titled “Raising All Boats: Establishing Security Baselines at Industrial Facilities” or contact [email protected].

ICS Security Laboratory
The Center is creating an ICS Security Lab as a shared asset for research, training and demonstrations. Physically hosted in Livermore, CA by Robot Garden, Phase One of the Lab has begun the process of designing a baseline architecture and procuring necessary equipment. The Lab has its own LinkedIn Group where interested parties are holding a public discussion on the topic. The initial goal is to establish a basic control system network which can be used to demonstrate the Situational Awareness Reference Architecture, eventually expanding to provide a model of a Municipality with multiple interdependent infrastructures.
Robert Martin is program managing the development of the Lab and is currently seeking input from members willing to provide support in the form of equipment or services in the following categories:

  • Network Gear (routers, switches,..)
  • Servers
  • Control System Gear (PLCs, HMIs, RTUs, …)
  • Process Gear (motors, pumps, sensors, actuators…)
  • Security Gear (firewalls, VPN terminator…)

ICS-ISAC Corporate Board
We are pleased to announce the addition of Andy Bochman with IBM, Sean Paul McGurk from Verizon, Gib Sorebo of SAIC and Jon Stanford of PwC to the Corporate Board of the ICS-ISAC. Each of these individuals brings a wealth of knowledge, ability and experience to the governing board of the Center. The ICS-ISAC Corporate Board now consists of the following membership:

  • Chris Blask, ICS Cybersecurity, Inc – Chair
  • Debbie Windle - Secretary
  • Robert Martin – Treasurer
  • Brad Blask, ICS Cybersecurity Inc. – Board Member
  • Andy Bochman, IBM - Board Member
  • Sean Paul McGurk, Verizon - Board Member
  • Jonathan Stanford, PwC - Board Member
  • Gib Sorebo, SAIC - Board Member

International News: ICS-ISAC Instigates National CERT in Yemen
As the infrastructures in sectors combine to create the single infrastructure that creates stability in modern society, so the infrastructure of nations combine to support stability in the global community. With this in mind the ICS-ISAC seeks to propagate knowledge sharing capabilities not only in the United States but around the world.
In November of 2012 Center Chair Chris Blask visited Sana’a, Yemen at the request of member Itex Solutions. Itex worked with local government, academia and private industry to establish a series of meetings and seminars on the opportunity to foster stability through cybersecurity knowledge sharing systems. Mr. Blask led sessions with public and private leadership in Telecommunications, Energy, Banking, Defense and Technology and delivered a lecture to over 400 students at Sana’a University which was covered extensively in the national media.
A core message delivered was the need for the people of Yemen to establish a national Cyber Emergency Readiness Team (CERT) as a foundational step toward national stability; this spring the Yemeni federal government gave approval to begin establishing the center. The ICS-ISAC has coordinated with FIRST (the Forum of Incident Response and Security Teams), the global coalition of CERTs, to launch a new Fellowship Programme to support the effort in Yemen and other Least Developed Countries (LDCs). ICS-ISAC staff are now working with FIRST staff to investigate expanding the Fellowship Programme to other challenged nations not officially designated as LDCs.
Several articles have been published about the effort in Yemen, including Yemeni CERT Could Turn the Tide for Millennials published by Tech Target and Building Trust Among Cyber Tribes published by Tripwire. Yemen national coverage has included articles at media outlets Aden Al Ghad, Altajded News, Al Tagheer, Barakish , Yemenat.net and Aden Online.

Spring and Fall ICSJWG Conferences Cancelled
The spring ICSJWG conference which was scheduled for May in Phoenix, Arizona as well as the Fall ICSJWG have been cancelled due to the federal government budget “sequestration”. Here is the notification from the ICSJWG Program Office regarding the cancellation:
“The Industrial Control Systems Joint Working Group (ICSJWG) would like to thank all of those who registered for the 2013 Spring Conference and associated activities and who submitted abstracts for presentation.
“At this time the Program Office must cancel the 2013 Spring Conference due to restrictions resulting from sequestration. This cancellation will include all subgroup meetings and training as well as the classified briefing and the International Partners Day activities which were planned. We apologize for any inconvenience this difficult decision may cause you.
“In order to continue collaborating, we will be sending out communications in the near future to solicit, suggest and implement alternatives to the Spring Meeting activities. Should you have questions or suggestions, please feel free to contact us.
“The important work of the Industrial Control Systems Joint Working Group will continue, overcoming all obstacles to work to secure our Nation’s critical infrastructure.”

Briefing Schedule
Speakers for the Center’s Monthly Briefings have been lined up far enough into the future that we are now adding additional briefs with both Public and Members only tracks. We will continue to maintain the third Wednesdays at 1pm ET time slot for Public Briefings and add other briefs to the monthly line up in a non-fixed manner.

Upcoming Briefings:

  • June 4th (Tuesday @ 1pm ET) – David Mattes founder of Asguard Networks will present Mitigating ICS System Vulnerabilities Register
  • June 19th (Wednesday @ 1pm ET) — Andrew Ginter from Waterfall Security Solutions will present Stronger Than Firewalls: Unidirectional Gateways in Defense-In-Depth Architectures Register
  • July 17th (Wednesday @ 1pm ET) – Gary Sturdivan will be providing insight into Cybersecurity for Water and Wastewater

Past briefings are available on the ICS-ISAC Archives page:

  • Going over the Waterfall with Tridium Niagara: An ICS Case Study — Billy Rios (we are still working on reformatting this recording and will post that when it works)
  • Industrial Cybersecurity in the Chemical Sector — Ed Liebig CTO at CSC
  • ICS Security for Municipalities — Miki Calero CSO for the City of Columbus (this recording is viewable by request only so please contact [email protected] to get access)
  • Mandiant APT1 Research – Kevin Albano Threat Intelligence Manager at Mandiant (this recording is viewable by request only so please contact [email protected] to get access)
  • Cryptography for ICS — Ray Potter CEO of SafeLogic
  • ICS Security in Rail Transit Control and Communication – Dave Teumim President of Teumim Technical
  • Raising All Boats: Establishing Security Baselines at Industrial Facilities – Fred Cohen from Management Analytics and Gary Sturdivan from the water sector
  • The Evolution of Information Sharing – Panel discussion featuring Michael Murray from Carnegie Mellon’s CERT/CC, Tim Conway from SANS and Sourcefire’s Marc Blackmer

If you have a topic or speaker you would like to submit for a monthly briefing, please contact Debbie Windle at [email protected].

Member Blog Articles
The Center is beginning to seek members interested in writing articles for the Center’s public blog. An ongoing series will be started shortly on the topic of Lessons Learned in Knowledge Sharing (thanks to those members who have already agreed to contribute to this series); suggestions for other series or one-off articles can be directed to the ubiquitous Debbie Windle at [email protected].

Weekly Member Open Discussion Forum
Thursdays at 2pm ET the Center hosts its weekly open discussion forum, where Members engage in lively and informative conversation about relevant current events or topics of concern. This unstructured session has proven to be a rich and valuable forum for all involved.
It is not expected that members will make every one of these or other sessions held by the ICS-ISAC. The Center continually seeks to create a diverse enough range of forums so that our membership can find among them appropriate mechanisms to suit their knowledge sharing needs. All members are welcome to join this or other sessions as frequently or rarely as fits their evolving schedules and requirements.
The session uses GoToMeeting and can be accessed using the following phone and online information:

https://global.gotomeeting.com/join/715079837

United States: +1 (213) 289-0017
Australia: +61 2 8355 1034
Austria: +43 (0) 7 2088 3707
Belgium: +32 (0) 28 08 9460
Denmark: +45 (0) 89 88 03 61
Finland: +358 (0) 942 45 0382
France: +33 (0) 170 950 588
Germany: +49 (0) 811 8899 6931
Ireland: +353 (0) 15 255 598
Italy: +39 0 694 80 31 28
Netherlands: +31 (0) 208 084 055
New Zealand: +64 (0) 9 887 3469
Norway: +47 23 96 01 18
Spain: +34 932 20 0506
Sweden: +46 (0) 840 839 467
Switzerland: +41 (0) 435 0824 78
United Kingdom: +44 (0) 207 151 1818

Access Code: 715-079-837

Topics from recent calls have included: development of the Situational Awareness Reference Architecture; the EO/PPD; the NIST Framework; DHS Integrated Taskforce Working Groups; the ICSLab; member guest-blogging; the evolution of information sharing; international development and other issues.

Membership Outreach
Membership in the Center continues to grow and we thank all of you for your participation and support. If you know of organizations that would benefit from and provide value to our shared efforts please direct them to the Center’s registration page.
In addition, Introduction to the ICS-ISAC sessions are held each Tuesday at 1pm ET. These sessions have turned out to provide a valuable forum for describing and discussing the Center with interested parties. The registration link for the Introduction sessions can be found on the ICS-ISAC homepage. Please share this link with organizations and individuals you believe would benefit from ICS ISAC membership.

Get Connected, Stay Engaged
The ICS-ISAC provides a wide array of human-to-human mechanisms for collaboration and information dissemination including our LinkedIn group (427 members), Twitter account (2037 tweets and 710 followers), YouTube channel, Blog Articles, exclusive Member Briefings, weekly Member open sessions, whitepapers, and much more. Our goal is to get our Members accurate, timely, and actionable information. For additional information on any of these products please contact ICS-ISAC Community Director Debbie Windle at [email protected].

Your Membership in and support of the ICS-ISAC are vital to our ongoing efforts to achieve a shared vision of bringing together the Private Sector for the purpose of sharing knowledge about risks, threats and best practices across the critical infrastructure sectors. Without our membership’s ongoing support we would be unable to serve our mission of providing the ICS community a common platform where this exchange can take place in an environment best suited to the needs of all involved parties. We appreciate your participation in this effort and pledge always to do our utmost to serve your interests.
Best regards,
The ICS-ISAC Team

Mitigating ICS System Vulnerabilities with SimpleConnect — an ICS-ISAC Public Briefing

Join us for a solution-oriented discussion on mitigating the exposure of vulnerable ICS systems using SimpleConnect, a drop-in cybersecurity solution.

________________________________________

Join us Tuesday June 4th when David Mattes, founder of Asguard Networks, will provide a solution-oriented discussion on mitigating the exposure of vulnerable industrial control systems using SimpleConnect. This drop-in cybersecurity solution helps companies leverage their existing core network infrastructure by connecting their industrial assets in a way that maximizes security as well as financial resources and human capital.

In addition to David Mattes, Chris Blask Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) will provide an update on the latest developments at the ISAC.

Mitigating ICS System Vulnerabilities with SimpleConnect
Tuesday June 4th, 2013 – 1:00-2:30pm ET
Register on the events page: http://ics-isac.org/events.html

________________________________________

David Mattes founded Asguard Networks based on his 13 years of experience in Boeing’s Research and Development organization where he focused on industrial control system security issues. David was the co-creator of and technical and implementation lead on an architecture that addressed the challenges of segmenting connectivity for ICS devices into private networks while securely connecting them to and through Boeing’s Enterprise networks. His efforts not only satisfied Boeing’s stringent InfoSec governance and security requirements but met the needs of diverse end users as well.

David’s vision for Asguard Networks is to continue to create products that address the challenges of managing connectivity and information security for industrial control system networks. The drive for “connectivity from the top floor to the shop floor” is a trend with well-documented benefits yet it can also generate operational risks and vulnerabilities. For those companies striving to realize the benefits of pervasive connectivity while minimizing information security risks Asguard Networks provides network security appliances based on the Trusted Computing Group network security standards. This functionality allows companies to leverage their existing core network infrastructure by connecting their industrial assets in a way that is highly secure, cost-effective, easy-to-use and ultimately offers immense improvement over traditional VPN solutions.

A member-driven organization, the ICS-ISAC is supported by valued industry partners including Red Tiger Security, Dynetics, SourceFire, IBM, Management Analytics, McAfee, n-Dimension, Yokogawa, GDS Transnational, SISCO, and Waterfall Security.

Organizations, researchers, vendors, and asset owners interested in joining this collaborative effort to further the collective mission of cybersecurity can become a part of the Industrial Control System Information Sharing and Analysis Center at http://ics-isac.org.

________________________________________
POC – Debbie Windle ● 979-204-7218 ● [email protected]

Raising All Boats: Establishing Security Baselines at Industrial Facilities — an ICS-ISAC Public Briefing

The ICS-ISAC works with vendors of high-value products and services to increase their availability to Members. The first is an ICS Initial Assessment Service developed by Management Analytics and validated by ICS-ISAC Member City of Columbus, Ohio.


Raising All Boats: Establishing Security Baselines at Industrial Facilities

Monday April 29th, 2013 – 1:00-2:00pm ET

Register on the ICS-ISAC website events page: http://ics-isac.org/events.html

The ICS-ISAC works with select vendors to make offerings more available to members. The first of these is an ICS Initial Assessment service from Management Analytics. ICS-ISAC Member City of Columbus, Ohio provided validation and recommendation of this service, and the Center has worked with the vendor to make the service available for a reduced investment to our Membership.

Management Analytics’ ICS Initial Assessment service leverages asset owners’ knowledge of their facilities to establish a comprehensive view of their current overarching security posture, encompassing all related issues from executive management structure through operational controls and technical architecture. The resulting report provides a framework for guiding decision making on prioritization and resource allocation.

Auditors, consultants and integrators use the knowledge in the report to deliver services to meet the operational requirements of asset owners, ensuring higher client satisfaction and improved security. Developed by Management Analytics’ CEO Dr. Fred Cohen, this service is based on his forty-plus years as a world-renowned security subject matter expert.

Dr Cohen will be joined on the call by Gary Sturdivan representing the American Water Works Association (AWWA). A FEMA grant program is available to public facilities such as water & wastewater to fund this activity.



About Dr Fred Cohen:

With over forty years of experience, Dr. Fred Cohen is widely considered one of the world’s leading authorities in information protection. The person who defined the term “computer virus” in his 1979 thesis and the inventor of most of the widely used computer virus defense techniques, he has a body of work that spans the information security field. Fred was the principal analyst who defined the Burton Group Security and Risk Management Strategies Reference Architecture.

As a consultant and analyst Dr Cohen has advised hundreds of the world’s largest enterprises. Working with the U.S. government he was the principal investigator on studies in defensive information operations and a principal investigator on national infosec technical baselines, and he founded the College Cyber Defenders program at Sandia National Labs that ultimately led to the formation of the CyberCorps program.

He has worked with law enforcement to improve capabilities to fight computer crime; addressed emerging threats to national security and issues of digital forensics; given testimony in federal, state, and local criminal and civil matters; won the 2002 “Techno-Security Industry Professional of the Year” Award; and was named the “Most Famous Hacker” (security researcher) of all time by ABC News in 2009.

For nearly five years Dr Cohen led a 35-person research team at Sandia National Laboratories working on national security-related information protection issues. He has authored more than 200 scientific and management research articles, wrote a monthly column for Network Security Magazine for 6 years, and has authored several widely-read books.


About Gary Sturdivan:

Gary Sturdivan had a 24-year career with the East Valley Water District in southern California. He was ultimately promoted to Safety/Regulatory Affairs/Emergency Grants Director, a position he served in for five years until his retirement in 2011. During this time he gained extensive knowledge of Safety, Emergency Preparedness, and Hazard Mitigation Planning; Vulnerability Assessment (VA) Planning and FEMA Documentation for VA Updates; and the FEMA reimbursement process as well as State Revolving Funding and FEMA / DHS Funding Programs.

In addition to his functions with the East Valley Water District, Mr. Sturdivan has had the opportunity to work in the State of California Southern Operation Center and the State Operations Center. He was a member of the United States Geological Survey (USGS) planning team for Golden Guardian 2008 and ShakeOut!, a yearly earthquake drill for residents of California and several other states and territories.

He has held positions as Chair of the California Nevada Section of the American Water Works Association Emergency Preparedness Committee, National AWWA Security Emergency Committee, CalWARN region 6, and CalWARN State Steering Committee.

Mr Sturdivan has presented at many national conferences as a subject matter expert on emergency issues, coordination and forming partnerships. He has testified at the Department of Interior with Secretary Salazar and all department heads; at USGS headquarters; and presented “Disaster Preparedness: Lessons from the Great Southern California ShakeOut” to Congress in conjunction with Dr. Lucy Jones.


About Management Analytics:

Management Analytics provides Business to Business Services including Research and Advisory Services focused on enterprise information protection, risk management, and strategic business decision-making related to technology; Technology Development and Licensing provided to key players in select markets seeking to build niche businesses in specialty areas related to decision support and information protection; and, Litigation Support focused on information technology and protection, digital forensics, and related areas of intellectual property, with occasional support in criminal matters.


About AWWA:

Established in 1881, the American Water Works Association is the oldest and largest nonprofit, scientific and educational association dedicated to safe and sustainable water in the world. With more than 50,000 members worldwide and 43 Sections in North America, AWWA advances public health, safety and welfare by uniting the efforts of the entire water community.


About ICS-ISAC:

The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) exists to bring together the private sector partners and stakeholders for the purpose of sharing knowledge about risks, threats and best practices across our shared critical infrastructure. The Center was created to provide the ICS community with a common platform where collaboration can be performed in an environment best suited to the needs of all involved parties.

A member-driven organization, the ICS-ISAC is supported by valued industry partners including Asguard Networks, Midwest Reliability Organization, IBM, Management Analytics, Emerging Threats Pro, SCADAHacker, Utilisec, Emerson Process Controls, American Electric Power, and the City of Columbus, OH.

Interested organizations, researchers, vendors, and asset owners can become a part of the Industrial Control System Information Sharing and Analysis Center at http://ics-isac.org.


POC – Debbie Windle ● 979-204-7218 ● [email protected]

Response to NIST RFI: “Developing a Framework to Improve Critical Infrastructure Cybersecurity”

The National Institute of Standards and Technology (NIST) in the US Department of Commerce requested responses to guide development of the National Cybersecurity Framework. NIST has posted the responses it received; the ICS-ISAC’s response is among them and is posted below in full.

Introduction

It is our position that maximum reduction of cyber risk to national critical infrastructure can only be achieved through improved operator control of industrial facilities and maximized knowledge sharing among involved parties. As facility operators can increase their technical and procedural ability to establish and maintain visibility into and control over the Industrial Control Systems (ICS) which manage their infrastructure they develop the ability to have knowledge of these systems. Where this knowledge can be shared appropriately without compromising personal and organizational privacy the United States can develop the situational awareness necessary to measure and manage national risk. Such a knowledge sharing system will support self-healing capabilities which will allow the national infrastructure to respond automatically to attack in an auto-immune fashion.

While vulnerability reduction, industry standards, workforce development and other methods play important parts in improving overall security none of these will lead to survivability of the national infrastructure against sophisticated active threats. The United States federal government, through this NIST Framework and other appropriate means, should support the development and adoption of human and technical capabilities which improve the ability for operators to have and maintain adequate control of their facilities and to engage in and benefit from appropriate knowledge sharing networks.

The Limits of Vulnerability Reduction

The millions of connected systems which today constitute American critical infrastructure face common challenges. These include pervasive vulnerabilities, the significant reduction of which will require extended periods of time and extensive capital investments. While actions aimed at reducing these vulnerabilities should be given due attention and resource, it must be understood that:

  1. Given realistic resources, vulnerability reduction alone cannot reduce aggregate risk to an acceptable level at any point in the foreseeable future
  • Based on the vulnerability research to date which is available in the public domain, it is reasonable to assume that virtually every deployed Industrial Control System device or piece of software contains exploitable vulnerabilities
  • The trained workforce of researchers necessary to identify a majority of vulnerabilities in all deployed ICS cyber devices in a reasonable and prudent period of time for these purposes does not exist
  • The necessity to “touch” every individual control system device found throughout every critical infrastructure facility in the nation in order to apply remediation to known vulnerabilities would mandate a workforce which is not available, nor will be available under the most optimistic conditions for many years
  • It is unrealistic to assume that a single remediation of each ICS cyber device would be adequate to ensure all knowable vulnerabilities have been addressed in all deployed devices

  2. Even with unlimited time and resources, vulnerability reduction alone cannot reduce the aggregate risk to an acceptable level
  • Even if the aforementioned resource constraints could be overcome and all reasonably knowable cyber vulnerabilities in all deployed devices and software could be discovered and remediations applied, all deployed systems would remain susceptible to all “Zero Day” vulnerabilities discovered by threat actors
  • The publicly known attacks against critical infrastructure to date have employed such Zero Day vulnerabilities, and therefore would have been successful even if all known vulnerabilities in the target systems had been remediated

Improving Operator Control of Industrial Facilities

It is within the reasonable reach of facilities to improve their control over their cyber systems given existing fiscal limits and within appropriate periods of time. Such control can be implemented without causing unacceptable negative impact to the current safety, reliability and availability of such systems. This can be accomplished with technology currently available in both commercial as well as Open Source forms. The operational characteristics of the organizations which own and manage the majority of these systems lend themselves to the adoption of such control capabilities.

Organizational Characteristics Supporting Cyber Controls

A common characteristic of organizations in many critical infrastructure sectors is a core focus on situational awareness. Physical, electrophysical and cyber Industrial Control Systems have been developed for the specific purpose of providing facility operators maximum situational awareness of the state of the physical process being managed. These organizational characteristics support the development of operational processes to establish and maintain situational awareness of the cyber systems at the core of this issue much more so than among Information Technology (IT) organizations.

In the effort to secure infrastructure a common observation is that Industrial Control System networks are not able to utilize many of the methods of security prevalent in Information Technology (IT) applications. Methods as basic as the application of software patches become extremely problematic in ICS environments, where the consequence of such a patch causing a fault may be higher and more likely than the problem fixed by the patch, or where no “off hours” window of opportunity to apply such patches presents itself. In the singular area of Situational Awareness, however, ICS environments are often more amenable to the use of such processes and technologies than IT environments are.

IT networks are characteristically complex and dynamic. Devices, users, applications and traffic patterns may change from moment to moment without the direct and explicit knowledge of the network operators. Establishing situational awareness on IT networks is a significant area of focus in enterprises today, but it is continuously challenged to address the “high false positive” aspect of discriminating between “bad changes” which indicate risks and threats and “good changes” which are simply artifacts of permitted enterprise activity.

In industrial settings on ICS networks, changes in users, devices and applications are generally rare and occur under controlled circumstances. Traffic patterns on these networks in the overwhelming majority of instances are deterministic and relatively low-volume, following predictable cycles explicitly known to system designers and operators. The application of situational awareness technologies currently available therefore requires less customization and operational attention in ICS environments than in IT.

From a workforce perspective, the operational processes used by industrial system operators are oriented specifically towards maintaining situational awareness of the subject physical process. Whether manufacturing, energy, transportation, water or other sector-specific area the operational process in place has been designed with the singular attention to continuous awareness of the state of the physical process. This sociological focus lends itself to the adoption of the processes required to establish and maintain situational awareness of cyber systems very directly, whereas in IT environments such processes often run counter to enterprise operations.

Technical Methods for Maintaining Situational Awareness

Where facility operators do not have the ability to know definitively what their cyber control systems are composed of and what these systems are doing they can possess no effective knowledge as to the security state of these systems. Where facilities lack the capability to have and maintain this knowledge they will remain unable to effectively apply knowledge shared with them by external parties, and also unable to have knowledge which can be shared with appropriate external parties. Where this remains the common state among facility operators, there can be no national awareness of the state of the cybersecurity of our aggregate infrastructure nor ability to take effective action in its defense.

There exist today multiple technical methods which can be employed to create and maintain appropriate situational awareness of cyber control systems. These methods exist in Open Source as well as commercial forms, providing facility owners and operators sufficient selection to identify and acquire appropriate tools to serve this purpose at their sites. The adoption and deployment of these technical tools and methods can provide the organizations achievable means around which to build operational processes.

There are two major components of situational awareness of cyber control systems:

Inventory:

A current and accurate inventory of all software and hardware components of the Industrial Control System.

Activity:

An accurate awareness of past and present cyber activity within and between the Industrial Control System components.

For a facility operator to maintain situational awareness it is necessary to have the capability to:

- establish an initial baseline of Inventory and Activity

- validate this baseline against the intended composition and behavior of the subject control system

- maintain a capability to determine when divergence from this baseline occurs

Technical methods of establishing and maintaining situational awareness must in all cases take into account the priorities of the subject facility. Availability, safety and reliability considerations dictate that the tools used to establish and maintain situational awareness are implemented in such ways that they have minimal-to-no actual or potential impact on the currently deployed infrastructure. This can include the deployment of such monitoring technologies on network segments separate from the operational control system and the “mirroring” of the activity of the deployed cyber control system to these separate segments.
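The three-step capability described above (establish a baseline of Inventory and Activity, validate it against design intent, then detect divergence), as an added Python illustration that is not code from the ICS-ISAC response. All device and flow records are constructed; the script assumes they were collected passively from a mirrored segment as the paragraph describes, so it never sends anything to the control system, and it treats authorised maintenance as a separately reported, controlled change rather than an alert.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    role: str       # e.g. "PLC", "HMI", "Historian"
    firmware: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # e.g. "modbus", "http"


@dataclass
class Baseline:
    inventory: dict  # ip -> Device   (the Inventory component)
    activity: set    # set of Flow    (the Activity component)


def establish_baseline(devices, flows):
    """Step 1: build an Inventory and Activity baseline from one passive capture window."""
    return Baseline(inventory={d.ip: d for d in devices}, activity=set(flows))


def validate_baseline(baseline, intended_devices, intended_flows):
    """Step 2: compare the observed baseline with the designers' intent.

    Returns (unexpected_devices, unexpected_flows). Empty results mean the
    observed baseline matches the intended composition and behaviour; anything
    else must be explained, and either accepted into the intent or removed,
    before the baseline is trusted for divergence detection."""
    intended_ips = {d.ip for d in intended_devices}
    unexpected_devices = sorted(
        (d for ip, d in baseline.inventory.items() if ip not in intended_ips),
        key=lambda d: d.ip)
    unexpected_flows = sorted(baseline.activity - set(intended_flows),
                              key=lambda f: (f.src, f.dst, f.dport))
    return unexpected_devices, unexpected_flows


def detect_divergence(baseline, devices, flows, approved_ips=frozenset()):
    """Step 3: report how a later observation window diverges from the baseline.

    approved_ips: devices under an authorised change window (the rare,
    controlled changes the text describes); differences on those are listed
    under approved_changes so they do not drown the genuine alerts."""
    report = {"new_devices": [], "changed_devices": [],
              "approved_changes": [], "new_flows": []}
    for ip, dev in sorted({d.ip: d for d in devices}.items()):
        base = baseline.inventory.get(ip)
        if base is None:
            report["new_devices"].append(dev)            # Inventory divergence
        elif dev != base:                                # MAC/role/firmware changed
            key = "approved_changes" if ip in approved_ips else "changed_devices"
            report[key].append((base, dev))
    report["new_flows"] = sorted(set(flows) - baseline.activity,   # Activity divergence
                                 key=lambda f: (f.src, f.dst, f.dport))
    return report


# --- constructed sample data; no real facility, addresses or firmware ---
PLC = Device("10.1.0.10", "00:11:22:33:44:10", "PLC", "2.1")
HMI = Device("10.1.0.20", "00:11:22:33:44:20", "HMI", "5.0")
HIST = Device("10.1.0.30", "00:11:22:33:44:30", "Historian", "9.3")
INTENDED_DEVICES = [PLC, HMI, HIST]
INTENDED_FLOWS = [
    Flow("10.1.0.20", "10.1.0.10", 502, "modbus"),   # HMI polls the PLC
    Flow("10.1.0.30", "10.1.0.10", 502, "modbus"),   # Historian polls the PLC
]
# First capture window: the designed flows plus an HTTP session to the PLC
# that nobody designed in (an engineering web interface left enabled).
FIRST_WINDOW_FLOWS = INTENDED_FLOWS + [Flow("10.1.0.20", "10.1.0.10", 80, "http")]
# Later window: an unknown host appears and talks Modbus to the PLC, the PLC
# reports different firmware, and the HMI was patched under an approved change.
LATER_DEVICES = [
    Device("10.1.0.10", "00:11:22:33:44:10", "PLC", "2.2"),
    Device("10.1.0.20", "00:11:22:33:44:20", "HMI", "5.1"),
    HIST,
    Device("10.1.0.99", "00:aa:bb:cc:dd:99", "unknown", "?"),
]
LATER_FLOWS = INTENDED_FLOWS + [Flow("10.1.0.99", "10.1.0.10", 502, "modbus")]


def run_example():
    """Walk the constructed data through all three steps and return the findings."""
    observed = establish_baseline(INTENDED_DEVICES, FIRST_WINDOW_FLOWS)
    bad_devs, bad_flows = validate_baseline(observed, INTENDED_DEVICES, INTENDED_FLOWS)
    # The operator removes the unintended HTTP flow instead of accepting it,
    # so the validated baseline equals the design intent.
    validated = establish_baseline(INTENDED_DEVICES, INTENDED_FLOWS)
    report = detect_divergence(validated, LATER_DEVICES, LATER_FLOWS,
                               approved_ips={"10.1.0.20"})
    return bad_devs, bad_flows, report
```

In the constructed run, validation flags only the stray HTTP flow, and the later window yields one new device, one unapproved PLC firmware change, one approved HMI change and one new Modbus flow from the unknown host.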

It is recommended that for the purpose of the NIST Framework specific technologies not be mandated or promoted, rather that methods be investigated to promote or as necessary mandate the adoption of technical and process mechanisms for maintaining appropriate situational awareness and detecting unauthorized inventory and/or activity alteration.

Knowledge Sharing

To achieve the goal of a survivable infrastructure it is mandatory that we develop the capability to create and maintain awareness of the ongoing aggregate state of national infrastructure. At present there is no adequate capability to determine whether the infrastructure of the United States is or is not under active attack by threat actors - either in a broad sense or with any specificity - at a given point in time or over a given span of time. While securing the individual facilities which together comprise national infrastructure is necessary, the national ability to determine the overall state of security across infrastructure remains a separate and distinct need. This need can be addressed through the development of appropriate Knowledge Sharing methods.

As with individual facilities, where the United States as a nation has no means of determining the Inventory or Activity of its infrastructure there is no capacity for having Knowledge of the risks or threats to national security. Unlike individual facilities, however, the nation does not require as precise and detailed a situational awareness of national infrastructure to achieve effective national situational awareness. Appropriately defining the mechanisms used and the content shared across the National Knowledge Sharing Network are the crucial factors in building an effective national defense.

Knowledge Sharing Mechanisms

Knowledge Sharing Mechanisms fall into two basic categories:

- Human-to-human knowledge sharing

- Machine-to-machine (automated) knowledge sharing

To achieve a secure and reliable national infrastructure our ability to share knowledge must increase exponentially in both areas. Strategic and tactical planning by human operators and policy makers must always be informed by then-current realities and best practices. Our trained workforce must expand exponentially from current levels to provide the capacity to apply and maintain any viable solutions, while continuously improving itself in a highly dynamic environment. Our infrastructure itself must become significantly more autonomous and connected, increasing its ability to detect and respond to threats at a speed and with a reliability that will rapidly become beyond human operators’ capability.

Fortunately, the groundwork for advancing human and automated knowledge sharing has already been laid. The forward-looking efforts necessary are largely the increased adoption and utilization of processes, technologies and techniques which have been developed and demonstrated.

Human Knowledge Sharing

Human-to-human knowledge sharing methods include communications among and between peer groups. There has been significant progress to date in developing human-to-human information sharing mechanisms. From in-person sessions to web-based and other virtual human information sharing mechanisms, to the creation of the ISAC structure to facilitate public-private collaboration in concert with US-CERT, a substantial foundation has been laid. In addition, a peer-to-peer network of those directly involved in Industrial Control System operation and function has developed organically.

The information dissemination mechanisms developed to date on average remain challenged to address issues of timeliness and scale, however. We must continue to broaden the demographic reach and expand mechanisms used. Direct sharing of critical information between members of confined circles of trust needs to continue, but sufficient knowledge to perform component tasks must be disseminated to students preparing to contribute to the workforce as well as millions of workers currently involved with operating infrastructure.

The existing human-to-human information sharing work being done by public and private sector parties should be analyzed for effectiveness and where successful increased in scale and reach. Untapped communities of interest across all infrastructure sectors should continue to be brought into these mechanisms and conversations through all means including industry trade organizations, publications and conferences. Educational institutions should be further involved in propagating skills and knowledge to the diverse workforce needed to securely design, build and operate the increasingly automated and interconnected infrastructure of today and tomorrow.

This is in no way to diminish the incredible importance of human-to-human information sharing as it will remain a key component moving forward. Continuing to expand and build upon these efforts is crucial to long term success and viability of the critical infrastructure system.

Automated Knowledge Sharing and the Self-Healing Infrastructure

While human-to-human knowledge sharing is a critical component to inform strategy and tactics among decision makers and perform workforce development, it cannot ultimately be performed at speeds adequate to facilitate national defenses against large scale sophisticated attacks alone. During periods of military conflict or other foreseeable conditions of lesser but still substantial conflict with well-resourced threat actors our interdependent national infrastructure will require “self-healing” capabilities only possible through automated knowledge sharing. It is within the reach of the United States to implement such automated knowledge sharing systems based on existing technical and organizational developments. NIST and the US federal public sector should work to enable and accelerate where possible advancements in and adoption of such automated knowledge sharing systems.

Machine-to-machine knowledge sharing provides the opportunity to build a responsive national infrastructure capable of maintaining stability during periods of active attack. Work in various areas in recent years has provided a rich technical and operational foundation from which such an automated national network can be implemented. Development of standards for this purpose has reached fairly robust maturity and examples of operable automated defensive networks have been deployed for a number of years. By supporting the further development and deployment of reference architectures utilizing these methods the public and private sectors together have the opportunity to demonstrate replicable structures which can be broadly adopted.

An example of effective automated knowledge sharing deployed today is the Collective Intelligence Framework (CIF) created by the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC). Where a CIF member detects, for example, an email address used in phishing attacks or an IP address performing denial of service attacks, this information is shared with all other members, whose systems may automatically block or watch for the traffic so indicated. The Structured Threat Information eXpression (STIX) standard for representing threat indicators and the Trusted Automated eXchange of Indicator Information (TAXII) standard for securely exchanging threat information build on years of industry experience with automating knowledge sharing. All of these and other existing, developing, open and proprietary standards for threat representation and transportation provide technical options for machine-to-machine knowledge sharing which can be used to develop and exercise reference architectures capable of providing active defenses.

It is well within our reach - using current technologies - to create an infrastructure where an attempt to compromise industrial facilities results in immunity to such an attack being propagated automatically to all other vulnerable facilities. Enabling situational awareness at industrial and infrastructure facilities and connecting these facilities appropriately with public and private sector knowledge sharing and analysis centers can provide this national defensive capability.

Building Repeatable Reference Architectures

As there exists a significant mass of technology and expertise in the nation today which can be used to achieve the goals of securing critical infrastructure, there is value in enabling vendors, practitioners and other subject matter experts in efforts to validate, demonstrate and disseminate repeatable reference architectures. Groups capable of building such reference architectures, and in some cases already in the process of building them, exist in both the public and private sectors. NIST and other public sector entities at the state and federal level should take whatever actions are reasonably achievable to support such exercises and to propagate demonstrated successes.

A great deal of progress on most, or perhaps even all, of the component challenges to infrastructure threat has been accomplished. Over the past two decades technical and procedural capabilities have consistently evolved in a positive direction and in recent years efforts have produced a plethora of applicable tools, structures and expertise. There exist individual organizations and consortia capable of performing both large as well as small-scale demonstration projects which can definitively prove or disprove methods for addressing aspects of the overall challenge. Existing groups of state, local and/or federal public sector authorities are currently engaged with pertinent private sector entities and capable of working together to perform demonstrations of local, regional and/or national defenses. NIST and the US federal public sector should as appropriate foster and enable such demonstrations of replicable reference models which can be adopted with a high degree of reliability.

Summary

NIST and the US federal public sector have a pivotal role to play in realizing the goal of a national infrastructure capable of remaining intact under coordinated and sophisticated cyber attack. Associated risks have a strong potential to continue to escalate from their current significant level to become clear and present dangers to the on-going stability of the nation, and to do so within the period of time necessary to enact adequate countermeasures and capabilities. The Framework to achieve this goal looking forward from the present must recognize existing progress made while executing on the opportunity to establish a system of national situational awareness and response.

Subject matter experts and private sector entities as well as local, state and regional public sector organizations are well prepared and poised to develop and deploy the human and automated knowledge sharing mechanisms necessary to achieve the national goal. Inasmuch as NIST and the US federal public sector are able to empower and harness these opportunities and abilities, it is very much within our national grasp to implement the systems and educate the workforce required to make the American infrastructure an open yet robust platform for societal and economic growth. The US has a unique opportunity at this point in history to create the national reference model of modern infrastructure and lead global development in a field which will define the century.

Response to Dale Peterson’s Article: “How DHS Can Best Help ICS Security”.

Dale Peterson at Digital Bond posted a thoughtful piece this Monday on his blog titled: “How DHS Can Best Help ICS Security”. As always, Dale’s commentary is well informed and provides voice to points many experts in industry share.

I have added the following comment to the conversation following Dale’s blog post. We encourage interested parties to share their thoughts here or on the Digital Bond blog.

——————————-

Hey Dale,

The solution is not an either/or choice of what information to share, how and with whom, but nonetheless your primary point is correct: the maximum value returned from information sharing at this point will be found where it moves C-Level actions.

In many ways the very act of issuing the Executive Order is just that. It is also the kind of Small Data information sharing that is appropriate for C-Level use. Executives don’t process information like “you need to develop a comprehensive identification and remediation strategy for vulnerable devices on your process control system” (much less anything deeper). Conversely, they are very good at processing information such as:

“The nation’s CEO is looking at you (and he’s pissed).”

The President and his bully-pulpit can perform that sort of single-packet information sharing very well. Much more effectively than those of us with more granular opinions and smaller megaphones. The purpose, though, is not to make those same C-Level executives then listen to the detailed solution - which they won’t do and wouldn’t understand - but rather to cause them to turn to their subordinates and share a similarly simple packet of information which junior executives are well versed in processing:

“The President of the United States is pissed off at me. Make it stop.”

This “Public Sector Executive to Private Sector Executive” information sharing needs to support the more detailed information sharing that folks like ourselves can accomplish by encouraging more of the right people to engage. We see this effect already both in the activity of the ICS-ISAC as well as other conversations we engage in. The increase in ICS-ISAC membership and attendance at the center’s public briefings since the Executive Order is mirrored in other groups’ briefings we have attended since.

Executive-to-Executive information sharing needs to support the more detailed information sharing that you mention above, though, not replace it. Inasmuch as the Executive-to-Executive information sharing is successful there need to be not fewer but rather more opportunities for sharing of the pointillistic information that will satisfy the simple mandates facility executives roll downhill to their staffs.

The details of that granular information sharing among operational peers are the subject of other conversations, but the fact that those conversations are now getting more involvement is an indication that the Executive-to-Executive efforts are having the desired impact. What folks like your team and our team and the various groups and individuals who have comprised the information sharing activity to date need to do is continue to escalate those efforts, leveraging the seismic shifts caused by the Administration.

Any lack of success to date is well-shared among all involved. The combined efforts of all involved have not been completely unsuccessful, though. In the twenty years since these issues first crossed my own bow there has been a consistent growth in understanding among all involved. It may have been a long, low slope for much of that time, but the curve has continued to steepen and is following a predictable path leading to a foreseeable future.

The work that you and others have done has created the environment that leads to the President of the United States taking his recent action, an accomplishment worthy of a measurable amount of praise. Laurels are not for resting on, though. The general shape of what we all need to do going forward is clear, and a large part of it will include sharing more information with more people with more precise aim and craftsmanship.

-best

-chris

Presidential Executive Order on Cybersecurity

On February 12, 2013 United States President Barack Obama issued an Executive Order (EO) titled “Improving Critical Infrastructure Cybersecurity”. This Executive Order provides national guidance for efforts to secure critical infrastructure.

It can be assumed that the content of this Executive Order is based on available knowledge and perspective of the combined United States Federal government. This Executive Order will certainly impact how public and private sector entities work independently and jointly to address the threats posed to cyber infrastructure. It is therefore valuable to examine the mechanisms and intention of the guidance spelled out in the document.

Below is initial analysis of and commentary on the Executive Order. Links have been added to referenced programs and laws. All emphasis is our own.

Summary of Analysis

This Executive Order is an inevitable result of the failure to date to enact legislation addressing cybersecurity threats to infrastructure. It has always been unlikely that the US federal government would take no significant action to increase pressure on itself and the private sector to address associated risks.

This Executive Order provides potentially positive structure to improving the sharing of related knowledge between the public and private sectors. It is important to note, however, that the vast majority of information which can be practically applied by private sector organizations is in the hands of other private sector organizations. Therefore, while public/private knowledge sharing is an important part of securing infrastructure it remains the incumbent responsibility of private organizations to improve knowledge sharing inside the private sector.

The NIST Cybersecurity Framework is a crucial component of the consequences of this Executive Order. The private sector will be very well served to be as actively engaged in the development of this Framework as possible. In the worst possible case the Framework will be developed with little private sector input or with highly-biased input from a small number of powerful private sector entities. All purposes are better served inasmuch as a very broad range of expertise and interest from the private sector is involved in the creation of the Framework.

Privacy concerns are relatively well represented in this Executive Order. Existing legal and operational structures are directly referenced and the Administration appears to be clearly signalling an understanding that excessive government intrusion into private sector information is one of the greatest impediments to success.

Information Sharing and the involvement of the Private Sector are foundational themes of this Executive Order. We take this as a positive indication on the part of the Administration that it understands the principles upon which the ICS-ISAC was founded.

Executive Order — Improving Critical Infrastructure Cybersecurity
EXECUTIVE ORDER
- - - - - - -
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity[1]. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront[2]. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties[3]. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards[4].

[1] This statement provides validation that - based on knowledge held within the US federal government - attacks against infrastructure are in fact happening and increasing. Much of this knowledge is in the public domain, however this statement could be read as a confirmation that any additional unshared knowledge the federal government may have supports this hypothesis.

[2] The Administration is stating the official belief that cyber threats to infrastructure “represents one of the most serious national security challenges”. Given the perspective possible from the position held by the President and his staff, this can be taken as a validation of the level and imminence of these threats, something that private sector entities may want to factor into their internal prioritization of resources.

[3] By this order it becomes the official policy of the United States federal government to “enhance the security and resilience” of infrastructure, and to do so in a way which “promot(es) business confidentiality, privacy, and civil liberties”. Public sector diligence in maintaining national security is therefore explicitly balanced against private sector concerns regarding excessive government intrusiveness.

[4] As is often stated, 85% or greater of the national infrastructure is owned and operated by the private sector. This statement can be taken as explicit understanding that the nation will only be able to address these threats with the involvement of and cooperation with the private sector.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The official designation of “Critical Infrastructure” as used by the Department of Homeland Security had been focused on 18 sectors based on Presidential Policy Directive 7 (PPD-7) from 2003. PPD-21, which supersedes PPD-7, now defines critical infrastructure as the following 16 sectors:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

PPD-1 was issued on February 13, 2009 and defines the structure of the National Security Council (NSC), the NSC Principals Committee (NSC/PC), NSC Deputies Committee (NSC/DC) and NSC Interagency Policy Committees (NSC/IPCs).

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities[5] so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order[6], the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

[5] “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities”. The National Infrastructure Advisory Council (NIAC) released a report in January 2012 calling for a change in US government information sharing policy from a Cold War “need to know” basis to a more active “need to share” premise. This statement of policy in this Executive Order formalizes that intent as US policy.

[6] June 13, 2013

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

This section mandates the creation of a process within the federal government that “rapidly disseminates” knowledge from the public to private sector. This formalized structure should in theory support the “need to share” nature of such information.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

6 U.S.C. 143 specifies the sharing of both information - “analysis and warnings” - and resources - “crisis management support” and “technical assistance” - from the federal government to the private sector as well as State, Local, Tribal and Territorial (SLTT) entities.

The Enhanced Cybersecurity Services (ECS) program is the mechanism the federal government uses to share such information with entities such as the ICS-ISAC. This system was originally created as a very limited program involving only a small number of private sector organizations from the Defense Industrial Base (DIB) sector. This Executive Order expands the ECS significantly.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

Certainly the ability of private sector entities to obtain security clearances which enable their representatives access to classified information could have a positive impact on information sharing. Most private entities are unlikely to have the resources or capacity to have employees go through this process, however, so the extent of the practical benefit will remain to be seen.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Again it is a positive sign to see intent on behalf of the Administration to gather input and expertise from the private sector. The availability of subject matter experts, their willingness to enter temporary Federal service, and the impact of budgetary constraints due to political conditions such as the ‘Sequester’ currently in place may limit the effectiveness of this effort.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

6 U.S.C. 133 allows such information shared with the government to be exempt from disclosure even under Freedom of Information Act (FOIA) requests, “including the identity of the submitting person or entity”. This should provide a level of protection from repercussions related to information sharing.

While the private sector is well served to continue to exercise diligence in protecting private information, it is generally positive that the Administration is placing explicit emphasis on privacy issues.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

Again, it is encouraging that this Executive Order continues to seek to enable involvement by private sector representatives.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.

The Cybersecurity Framework being formulated by NIST under direction of this Executive Order is perhaps the greatest source of concern among the private sector. Many have voiced concern that a possible result could be regulations which foster compliance rather than security.

NIST has issued a Request For Information to solicit input into the development of this framework. NIST is holding a workshop on April 3, 2013 on the Framework. ICS-ISAC leadership will be attending this workshop.

We encourage our membership to engage with the ICS-ISAC or other groups in responding to the Framework RFI, and/or to engage directly with NIST.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

A principal methodology ICS-ISAC leadership will be promoting for inclusion in the Framework is Situational Awareness capabilities. It is a fundamental principle of the ICS-ISAC that infrastructure facilities can utilize available tools and techniques to establish visibility into the normal behavior of their Industrial Control Systems and, with reasonable effort, detect alterations to this behavior indicative of compromise.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the “preliminary Framework”). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the “final Framework”).

The preliminary Framework is due October 10, 2013. The final version is to be in place by February 12, 2014.

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the “Program”).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

The “Voluntary Critical Infrastructure Cybersecurity Program” is certain to have some teeth to it, implicit or explicit. Section (c), for example, requires federal agencies to report whether notified organizations are participating.

Participation by private sector organizations in knowledge sharing systems such as vertical or horizontal ISACs may be one means of demonstrating voluntary involvement.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

This process is certain to have positive as well as negative implications. Business interests will drive some infrastructure owners to work to avoid designation as critical infrastructure and thereby limit associated costs and perceived risks.

It is important for infrastructure owners to recognize the practical risks of compromise to their systems regardless of official designation as critical infrastructure, however. Threat actors do not follow official guidelines created by others, and they must be expected to behave according to their own motivations.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

This section speaks pointedly to the concern many private sector entities have regarding mandatory regulations. Over the two-year period leading up to February 12, 2015 regulatory regimes will be reviewed for necessity and effectiveness. Where private sector entities and industries do not find means to address risks to their cyber infrastructures, they can assume that the public sector will impose regulations to force them to do so.

Sec. 11. Definitions. (a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

BARACK OBAMA
