Friday, November 28, 2008

RBPS Guidance – Cyber Security Measures

This is another in a series of blog posts that looks at the recently released draft DHS guidance document for implementing the Risk-Based Performance Standards (RBPS) in site security plans (SSP) for high-risk chemical facilities. The RBPS are a key component of the Chemical Facility Anti-Terrorism Standards (CFATS). This post deals with the discussion of cyber security procedures in RBPS #8. Earlier blogs in this series include:

RBPS Guidance – Introduction
RBPS Guidance Shortcomings
RBPS Guidance – 18 Risk Based Performance Standards
RBPS Guidance – RBPS Metrics
RBPS Guidance – Physical Security Measures
RBPS Guidance – Security Procedures, Policies and Plans

A wide variety of cyber systems are used throughout the modern chemical facility. They may be used to control critical processes, provide access to critical areas or enable business systems to control shipments of chemicals of interest. The introduction to RBPS #8 maintains that protecting “against cyber sabotage of these systems is an essential component in managing overall risk for a facility” (page 74).

Security Measures

This performance standard identifies nine categories of policies and practices that may help a facility address the cyber security issue. Additional details about these security measures can be found in Appendix C to the Guidance. These categories are:
Security policy, Access control, Personnel security, Awareness and training, Monitoring and incident response, Disaster recovery and business continuity, System development and acquisition, Configuration management, and Audits

Security Policy

This security measure includes policies, plans and procedures that address how the facility will address cyber security concerns. It will include high-level corporate policy statements outlining the importance of cyber security. Plans and processes that lay out how the facility will achieve those policy goals form the intermediate level of documents in this area. It also encompasses those step-by-step procedures that employees will use in implementing those policy goals. Finally, it includes the designation of a ‘cyber security officer’ who will have responsibility for implementing the cyber security program for the facility.

A change management process for cyber systems is one of the most important parts of computer security. This process will outline “the steps an organization will take to request, evaluate, plan, implement, and measure the impact of a change to a system” (page 146). This will include a testing process that ensures that a change to one of the many components of the system does not adversely impact other components.

Access Control

This section of the RBPS leads security managers through the most complicated part of cyber security: controlling access to the critical cyber systems. This section discusses:
Defining System Boundaries, Managing External Connections, Controlling Remote Access and Rules of Behavior, Limiting Access via Least Privilege Rule, and Password Management

The discussions of external connections in both RBPS #8 (pages 76-7) and Appendix C (page 147) are very important. They point out that these connections include obvious connections like those to corporate cyber systems and the Internet. They also note that many systems are designed to automatically connect with outside servers for maintenance or system updates. Finally, they look at temporary physical connections to portable devices as well as wireless connections with cameras, sensors and controllers.

The discussion of Remote Access is limited to connections to outside systems initiated by users within the facility, such as accessing a wide variety of internet sites. While this is important, the discussion totally ignores the remote access situation where communication is initiated from outside of the facility boundaries. Many facilities allow managers and technical personnel to access the cyber system via laptop or other internet-connected device. Additionally, many vendors include remote access in their systems to allow updates to be fed to the system or to allow remote maintenance. This portion of the remote access problem is completely ignored.

Personnel Security

Since personnel are a key component of any cyber system, managing personnel access to that system is an important part of cyber security. While this was briefly discussed in Access Control, there is a much more detailed discussion provided under this heading in both RBPS #8 and Appendix C. These discussions include:
Separating Role Based Access Rights, Providing Individual User Accounts, Managing Changing Roles, Managing External Service Providers, Maintaining Access Control Lists, and Managing Physical Access

Managing ‘Changing Roles’ refers to changing the access controls for individuals undergoing adverse personnel actions. The discussion in Appendix C (pages 149-50) notes that for “all employees who have departed under adverse circumstances, however, it is recommended that all access rights (both physical and electronic) be revoked by close of business the same day”. Just as important is reviewing and adjusting the access rights for employees who have undergone adverse personnel actions short of dismissal. These personnel may harbor grudges just as strong as those being dismissed, but they still retain physical access to critical systems. This requires close coordination between Human Resources, IT security and all supervisory personnel.

Monitoring and incident response

This section includes a brief discussion of cyber intrusion detection systems as a tool for monitoring networks. Since these are automated systems, it is important that the cyber security plan includes a requirement for review of the logged events. There is a brief discussion of the need for reporting ‘security events’ to management and the DHS United States Computer Emergency Readiness Team (US-CERT), though there is no discussion of what constitutes a security event.

There is a brief discussion, both in RBPS #3 (page 79) and in Appendix C (page 151), about watchdog systems or Safety Instrumented Systems. They both note that these systems had been mostly stand-alone systems with no connections to other cyber systems; this made them relatively safe from cyber attack. The Guidance document notes that there has been a move lately in the control system community to link these systems with the facility control system. When this is done, a special effort must be made to protect these safety-critical systems.

Configuration management

The discussion of configuration management in RBPS #8 (pg 80) is rather light. The discussion in Appendix C (pages 152-3) is more detailed. It covers the need for maintaining an inventory of cyber assets and requiring a business justification for each of the assets and applications. There is also a brief discussion of the need for maintaining the system with regular patches and updates. This is also recommended in the earlier section dealing with anti-virus software.

There is, unfortunately, only a single sentence of discussion of how the updates to one system might interfere with other systems on the network. Appendix C (page 153) notes that the “complex nature of systems and networks occasionally introduces secondary vulnerabilities in an attempt to remedy another”. There is no accompanying discussion of testing updates and patches before implementing them on the system.

Remaining Areas

None of the remaining discussions of security measures are likely to provide useful information to a cyber security novice or provide much guidance to a professional. The resources listing provided at the end of the discussion in Appendix C (pages 155-6) provides a number of interesting sources, but none of them deal specifically with control systems. At the very least, the North American Electric Reliability Corp (NERC) Critical Infrastructure Protection (CIP) standards for cyber systems (CIP-002-1 thru CIP-009-1) should be included in this reference section.
