nist s industrial control system ics security project
play

NISTs Industrial Control System (ICS) Security Project Presented at - PowerPoint PPT Presentation

Apr 08, 2024 •358 likes •767 views

NISTs Industrial Control System (ICS) Security Project Presented at the: Secure Manufacturing in the Age of Globalization Workshop November 28, 2007 Stuart Katzke and Keith Stouffer National Institute of Standards and Technology

  1. NIST’s Industrial Control System (ICS) Security Project Presented at the: Secure Manufacturing in the Age of Globalization Workshop November 28, 2007 Stuart Katzke and Keith Stouffer National Institute of Standards and Technology skatzke@nist.gov Keith.stouffer@nist.gov National Institute of Standards and Technology 1

  2. Presentation Contents • NIST’s FISMA Implementation Project – NIST Risk Management Framework – Draft Special Publication 800-39 – Special Publication 800-53, Revision 1 • NIST Industrial Control System Project – NIST Draft SP 800-53, Revision 2 for industrial control systems – NIST SP 800-82: Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security (2 nd Draft) National Institute of Standards and Technology 2

  3. NIST’s FISMA Implementation Project: Phase I (2003 – 2008) Phase II (2007 – 2010) National Institute of Standards and Technology 3

  4. Phase I § Mission: Develop and propagate core set of security standards and guidelines for federal agencies and support contractors. § Timeline: 2003-2008 § Status: On track to complete final publications in FY08. National Institute of Standards and Technology 4

  5. Phase II § Mission: Develop and implement a standards- based organizational credentialing program for public and private sector entities to demonstrate core competencies for offering security services to federal agencies. § Timeline: 2007-2010 § Status: Projected initiated; Draft NISTIR 7328. National Institute of Standards and Technology 5

  6. Phase I Publications § FIPS Publication 199 (Security Categorization) § FIPS Publication 200 (Minimum Security Requirements) § NIST Special Publication 800-18 (Security Planning) § NIST Special Publication 800-30 (Risk Assessment) * * § NIST Special Publication 800-39 (Risk Management) ** ** § NIST Special Publication 800-37 (Certification & Accreditation) * * § NIST Special Publication 800-53 (Recommended Security Controls) § NIST Special Publication 800-53A (Security Control Assessment) ** ** § NIST Special Publication 800-59 (National Security Systems) § NIST Special Publication 800-60 (Security Category Mapping) * * * Publications currently under revision. ** Publications currently under development. National Institute of Standards and Technology 6

  7. Risk Management Framework Starting Point FIPS 199 / SP 800-60 SP 800-37 / SP 800-53A FIPS 200 / SP 800-53 CATEGORIZE MONITOR SELECT Information System Security Controls Security Controls Define criticality /sensitivity of information system according to Continuously track changes to the information Select baseline (minimum) security controls to potential impact of loss system that may affect security controls and protect the information system; apply tailoring reassess control effectiveness guidance as appropriate SP 800-37 SP 800-53 / SP 800-30 Security ty L Life fe C Cycle AUTHORIZE SUPPLEMENT Information System Security Controls SP 800-39 Use risk assessment results to supplement the Determine risk to agency operations, agency tailored security control baseline as needed to assets, or individuals and, if acceptable, ensure adequate security and due diligence authorize information system operation SP 800-53A SP 800-18 SP 800-70 ASSESS DOCUMENT IMPLEMENT Security Controls Security Controls Security Controls Determine security control effectiveness (i.e., Document in the security plan, the security Implement security controls; apply controls implemented correctly, operating as requirements for the information system and security configuration settings intended, meeting security requirements) the security controls planned or in place National Institute of Standards and Technology 7

  8. A Unified Framework Civil, D , Defe fense, In , Inte telligence C Community ty C Collaborati tion Th The G Generalized M Model Unique Information Intelligence Department of Federal Civil Agencies Security Community Defense Requirements The “Delta” Foundational Set of Information Security Standards and Guidance Common Information • Standardized security categorization (criticality/sensitivity) Security • Standardized security controls and control enhancements Requirements • Standardized security control assessment procedures • Standardized security certification and accreditation process Nati tional s security ty a and n non n nati tional s security ty i info formati tion s syste tems National Institute of Standards and Technology 8

  9. Special Publication 800-39 Managing Risk from Information Systems An E Ente terprise P Perspecti tive § Extending the Risk Management Framework to enterprises. § Risk-based mission protection. § Common controls. § Trustworthiness of information systems. § Establishing trust relationships among enterprises. § Risk executive function. § Strategic planning considerations (defense-in-breadth). National Institute of Standards and Technology 9

  10. Risk-based Mission Protection (1) § A Risk-based protection strategy requires the information system owner to: § Determine the appropriate balance between the risks from and the benefits of using information systems in carrying out their organizational missions and business functions § Carefully select, tailor, and supplement the safeguards and countermeasures (i.e., security controls) for information systems necessary to achieve this balance National Institute of Standards and Technology 10

  11. Risk-based Mission Protection (2) § A Risk-based protection strategy requires the authorization official to: § Take responsibility for the information security solutions agreed upon and implemented within the information systems supporting the organization § Fully acknowledge and explicitly accept the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation that result from the operation and use of information systems to support the organization’s missions and business functions § Be accountable for the results of their information security-related decisions. National Institute of Standards and Technology 11

  12. Common Controls § Categorize all information systems first, enterprise-wide. § Select common controls for all similarly categorized information systems (low, moderate, high impact). § Be aggressive; when in doubt, assign a common control. § Assign responsibility for common control development, implementation, assessment, and tracking (including documentation of where employed). National Institute of Standards and Technology 12

  13. Common Controls § Ensure common control-related information (e.g., assessment results) is shared with all information system owners. § In a similar manner to information systems, common controls must be continuously monitored with results shared with all information system owners. § The more common controls an enterprise identifies, the greater the cost savings and consistency of security capability during implementation. National Institute of Standards and Technology 13

  14. Business Relationships Supply C Chain R Risks § Enterprises are becoming increasingly reliant on information system services and information provided by external providers to carry out important missions and business functions. § External service provider relationships are established in a variety of ways—joint ventures, business partnerships, outsourcing arrangements, licensing agreements, supply chain exchanges. § The growing dependence on external service providers and the relationships being forged with those providers present new challenges for enterprises, especially in the area of information security. National Institute of Standards and Technology 14

  15. Supply Chain Uncertainty Challenges with using external providers include: § Defining the types of services and information provided to the enterprise. § Describing how the services and information are protected in accordance with the security requirements of the enterprise. § Obtaining the necessary assurances that the risk to the enterprise resulting from the use of the services or information is at an acceptable level. National Institute of Standards and Technology 15

  16. Information System Trustworthiness § Trustworthiness is a characteristic or property of an information system that expresses the degree to which the system can be expected to preserve the confidentiality , integrity , and availability of the information being processed, stored, or transmitted by the system. § Trustworthiness defines the security state of the information system at a particular point in time and is measurable . National Institute of Standards and Technology 16

Recommend

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control

NIST Recommendations for ICS & IIoT Security Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection Mike Powell, Project Cybersecurity Engineer, NIST /NCCoE Jim McCarthy, Energy Sector Federal Lead NIST / NCCoE

616 views • 15 slides
Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor

Security Challenges and Requirements for Industrial Control Systems in the Semiconductor Manufacturing Sector Malek Ben Salem Accenture Technology Labs NIST Workshop on Cyber-Security for Cyber-physical Devices April 23 rd , 2012 Outline

837 views • 37 slides
Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What

Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What

Industrial Control System Security Overview Peter Maynard, PhD Researcher # ?? @CSIT_QUB What is ICS and SCADA Industrial Control Systems (ICS): Chemical, water, gas processing. Transportation, electricity, nuclear systems.

331 views • 7 slides
Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities . Joe Weiss, PE, CISM Executive Consultant Applied Control Solutions, LLC (408) 253-7934 joe.weiss@realtimeacs.com Stuart

947 views • 49 slides
Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and

Industrial Control System (ICS) Security: An Overview of Emerging Standards, Guidelines, and Implementation Activities . Joe Weiss, PE, CISM Executive Consultant KEMA, Inc. (408) 253-7934 joe.weiss@kema.com Stuart Katzke, Ph.D. Senior

764 views • 40 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control

Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control

A Resilient Algorithm for Power System Mode Estimation using Synchrophasors Arezoo Rajabi and Rakesh B. Bobba 2 nd Industrial Control System Security (ICSS) Workshop, December 6 th 2016 Outline Introduction Background and Problem

425 views • 30 slides
NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov

NIST Trustworthy Email Project High Assurance Domain Project Scott Rose, NIST scottr@nist.gov ICANN Meeting Oct. 15 th , 2014 Los Angeles CA First, A Bit of History 2011 USG DNSSEC Tiger Team has a 2 nd goal: authenticated email

308 views • 4 slides
Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2

Industrial Robots Industrial Robots Control Control Part 2 Control Control Part 2 Part 2 Part 2 Introduction to centralized control Independent joint decentralized control may prove inadequate when the user requires high task

673 views • 36 slides
NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST

NIST Gaithersburgs Approach to a Solar PV Array Project John.R.Bollinger@nist.gov 2 NIST had awarded larger ESPC ($45M) with 4 ECMs the previous year (June 2015) Non-selected ECM was fixed-tilt, ground-mounted solar array on federal

559 views • 17 slides
yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

yxwvutsrponmlkihgfedcbaUTSONCA Control systems are computer based facilities, systems, and

7/11/2011 Why this presentation? This is an emerging and important area of information assurance that of cyber physical systems. CPS instantiated in the industrial world can be view as control system security or sometimes called

130 views • 10 slides
Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity

Designing, Building and Managing a Cyber Security Program Based on the NIST Cybersecurity Framework (NIST CSF) A Business Case Agenda and Objectives The Digital Innovation Economy The Cyber Security Problem The Cyber Security Solution

260 views • 22 slides
Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST

Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST

Federal Computer Security Managers Forum Meeting September 10, 2018 NIST Gaithersburg NIST Heritage Room NIST Building 101 Ground Floor Map FCSM Quarterly Meeting Overview| 2 NIST Building 101 Ground Floor Map Stairs to Outside and

664 views • 11 slides
Personnel Demonstration Project 1 BACKGROUND Clone of the NIST Demonstration Project. DOC

Personnel Demonstration Project 1 BACKGROUND Clone of the NIST Demonstration Project. DOC

U. S. DEPARTMENT OF COMMERCE Personnel Demonstration Project 1 BACKGROUND Clone of the NIST Demonstration Project. DOC Demonstration Project tests NIST innovations in different environments Five year project began March 27, 1998

361 views • 24 slides
FEDERAL COMPUTER SECURITY MANAGERS FORUM MEETING FEBRUARY 6, 2020 NIST WEST SQUARE NIST

FEDERAL COMPUTER SECURITY MANAGERS FORUM MEETING FEBRUARY 6, 2020 NIST WEST SQUARE NIST

FEDERAL COMPUTER SECURITY MANAGERS FORUM MEETING FEBRUARY 6, 2020 NIST WEST SQUARE NIST GAITHERSBURG NIST Building 101 Ground Floor Map FCSM Quarterly Meeting Overview| 2 FCSM Quarterly Meeting Overview| 2 NIST-Guest Wireless Network

612 views • 14 slides
Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The

Cyber Security Research on Industrial Control Systems SM Yiu Department of Computer Science The University of Hong Kong Cyber-security for industry 4.0 conference 23 June, 2017 1 Will the followings only be seen in movies? Movies: Cyber

510 views • 28 slides
Style Guide for Voting System Documentation: Why User-Centered Documentation Matters to Voting

Style Guide for Voting System Documentation: Why User-Centered Documentation Matters to Voting

Style Guide for Voting System Documentation: Why User-Centered Documentation Matters to Voting Security Sharon Laskowski, NIST sharon.laskowski@nist.gov Dana Chisnell, UsabilityWorks Svetlana Lowry, NIST Susan Becker, Codewords Whats wrong

628 views • 35 slides
ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and

ROLE BASED ACCESS CONTROL (RBAC) John Barkley RBAC Project Leader Software Diagnostics and Conformance Testing National Institute of Standards and Technology (301) 975-3346 jbarkley@nist.gov http://hissa.nist.gov/rbac/ ACTIVE PARTICIPANTS

635 views • 27 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views • 13 slides
NIST Role-based Training Guideline: SP 800-16, Rev. 1 Mark Wilson, CISSP Computer Security

NIST Role-based Training Guideline: SP 800-16, Rev. 1 Mark Wilson, CISSP Computer Security

NIST Role-based Training Guideline: SP 800-16, Rev. 1 Mark Wilson, CISSP Computer Security Division National Institute of Standards and Technology - March 23, 2010 - mark.wilson@nist.gov (301) 975-3870 (voice) http://csrc.nist.gov/

92 views • 8 slides
Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control Systems Research Philipp Mieden & Rutger Beltman, 2020 Supervisor: Bartosz Czaszynski, Deloitte Industrial Network VS Corporate Network 2

379 views • 35 slides
Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H

Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H

Programming and Automation Ltd. www.proconingenieros.com Take Control Automated Control Industrial Engineering Industrial I.T. C/ Halcn n 20, 6H Granada. info@proconingenieros.com Automation and control Industrial I.T. - Industrial

304 views • 19 slides
Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019

Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019

3/8/2019 Industrial Control Systems The Other Network And Cyber Security Dated: March 7, 2019 Davenport GICSP 1848 What are ICS Networks? 1 3/8/2019 What are ICS Networks? ICS, or Industrial Controls Systems, is a generic

361 views • 20 slides
Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing

Combinatorial Testing Rick Kuhn NIST Computer Security Division NIST Combinatorial Testing Applying empirical results to reduce the cost of testing. Example: 2.5 year study ~ 20% lower test development cost and 20% - 50% better

479 views • 13 slides

More recommend