This is the third in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline; I’ll try to fill in what information I can from other sources or my best guesses.
In this post I’ll look at two presentations that were made concerning cybersecurity. The first (not necessarily in order of presentation at the CSSS) was presented by Lisa Kaiser from ICS-CERT and the second was made by a consultant, Edward J Liebig of CTO Commercial Security Consulting. Neither specifically addresses the cybersecurity requirements of the CFATS program (RBPS #8).
For readers of this blog there is very little new information in Lisa’s presentation. The first statement on her first real slide (#2) sets the tone for the presentation:
• Internet facing control system devices are a BAD idea
The rest of that slide presents the standard ICS-CERT view of Internet-facing devices. The next slide (#3) explains one of the reasons for that view: it describes the SHODAN search engine. The slide doesn’t explicitly state that attackers can use SHODAN to find control systems that face the Internet, but I expect that her explanation covered that. The next slide is the standard ICS-CERT pie chart about 2011 incidents, pointing out that 5% of the 2011 incidents were chemical related, though I doubt that she mentioned that there were no actual ICS attacks included in that 5%.
The most valuable slide in the presentation, in my opinion, is slide #5, Key Control Systems Contacts. It includes email contacts for:
• Joining the Industrial Control System Joint Working Group (ICSJWG; firstname.lastname@example.org);
• Joining the ICS-CERT Portal (email@example.com);
• Reporting ICS-CERT Incidents (firstname.lastname@example.org); and
• Reporting other cyber-incidents (email@example.com)
It also includes links for the ICS-CERT web site and the Cybersecurity Evaluation Tool (CSET). I hope that Lisa spent some time explaining the CSET and how useful it would be to have an ICS-CERT team on site when running the tool.
A Cybersecurity Consultant’s View
Liebig’s presentation looks at cybersecurity from a consultant’s view of the process of evaluating and improving the security of cyber systems, both enterprise and control systems. He starts with an overview of the ICS threat environment, concentrating on the big threats: Stuxnet, Flame and Shodan (#3). Then he goes on to look at CFATS as a ‘call to action’ for addressing cybersecurity, making two important points (#5):
• The requirement for a “combined domain expertise in IT Security, ICS and Manufacturing Operations, with consistent cyber policy from the Enterprise Data Center to the Plant Control Room.”
• “Compliance is not enough – we must go “Beyond CFATS” to meet today’s cyber threats to manufacturing operations.”
He makes the point (#6) that cybersecurity evaluations are not unique to CFATS, noting that MTSA and industry standards such as Responsible Care® also require cybersecurity assessments. Next he looks at (#7) building an ‘ICS Cyber Security Roadmap’ that covers risk assessment, gap analysis, remediation & mitigation, and prioritization/roadmap.
The remaining slides in the presentation provide a great deal of high-level information about ‘Critical Success Factors’ (#8) and ‘Key Learnings’ (#9). Both pages have a large number of interesting bullet points, each of which could have had its own page. All of the points made are valuable, but the most interesting from my point of view are:
• “Understand that cyber security gaps will be a combination of people, process, and technology and actively engage all three aspects to assess and close gaps (including ICS suppliers).”
• “The engagement and awareness better aligns IT, Security and Operations stakeholders in understanding of how cyber risk is measured and managed.”
• “Assessments should be done at the ICS device level.”
• “Consider the impact on Safety/Health/Environment, Operations/Cost, and Company Image/Brand.”
The last page looks at how the previous slides were applied in an actual, unnamed client operation. This is again a bullet-point-dense slide that would be best understood with the presenter providing the necessary supporting details (yet another plug for future webcasts). The key bullet point here is the last, which addresses the ‘Client Value delivered’ with three important points:
• Complete Risk Assessment & Remediation Plans to meet Security Policy and CFATS requirements.
• Clear understanding of risk to Manufacturing Operations across key plants.
• Comprehensive approach to rolling out Plant Cyber Security Standards globally.
This certainly sounds like what you pay a good cybersecurity consultant to provide. Now the facility just needs to make it work.