Saturday, February 5, 2011

DHS Control System Security Program Page Update

The DHS Control System Security Program web page was updated yesterday to include links to news about the upcoming Industrial Control System Joint Working Group (ICSJWG) 2011 Spring Meeting in Dallas, TX and a new ICS-CERT recommended practices document.

ICSJWG Spring Meeting

The 2011 Spring Meeting will be held on May 2nd through 5th at the Dallas/Addison Marriott Quorum hotel. According to the meeting web page:

“The ICSJWG Conference will consist of panel discussions, presentations, training, and working group meetings on various topics such as emerging technologies, standards development, threat and incident reporting, analysis tools and techniques, roadmap development initiatives, workforce development and certification, vulnerability management, research and development, information sharing, and international coordination.”
The page also includes a Call for Papers for this meeting. It provides a non-exclusive list of potential topics, a link to an electronic submission form for sending an abstract for a proposed presentation and a submission deadline of February 18th.

The last day of the Spring Meeting will be the typical ICSJWG all-day training course. For this meeting it will be the Intermediate Industrial Control Systems Cybersecurity training. Prior control system security experience or attendance at the basic-level course is the recommended prerequisite for this class. The training will include:

• The importance of protecting control systems from cyber attacks and why they are susceptible

• Understanding the risks and potential consequences of attacks

• Understanding common vulnerabilities in industrial control systems

• Discussion of system exposures to attacks, various attack scenarios, and associated mitigation strategies

• Control Systems Security Program products and services that are available to asset owners.
Both the Spring Meeting and the all-day training are free. Well, that’s not completely true; no charge for attending, but you do have to pay for travel and accommodations. As I expect that most travel budgets remain tight (I know mine is) I will make my standard recommendation that the organizers of this conference consider providing on-line access to at least some of the presentations. It would certainly expand the potential audience for this valuable information.

Remote Access for ICS

The DHS Control System Security Program and the Center for the Protection of Critical Infrastructure have produced a new best practices document: Configuring and Managing Remote Access for Industrial Control Systems. In a modern industrial setting there are many legitimate reasons to provide remote access to control systems; this lengthy and dense document provides a detailed look at how that access can be provided in a secure manner.

This is not a how-to manual, but more of a policy discussion. As is typical for many policy discussion documents, this means that the writing can get fairly intense. For example, here is the opening paragraph in the discussion of ‘password policy’:

“In an ideal deployment, authentication mechanisms should be chosen based on the criticality of the system being accessed and should include not only passwords, but other mechanisms as well (see the section on ‘Two form factor authentication’). When using passwords, a secure remote access system should enforce complex passwords of 8 to 25 characters that are a mixture of upper and lower case letters, numbers and symbols.k In addition, corporate policy should demand that these passwords be changed at a rate that is commensurate with the value of the system being protected and regular audits of the strength of these passwords should be done as part of the organisational [sic] cyber security program. The corporate cyber security policy should dictate that these passwords are never shared and that each user ID is unique across the entire system.”
This seems fairly straightforward until you get down to the footnote referred to in the middle of the paragraph. That footnote (k) reminds the reader that:

“This guideline is a recommended best practice for general ICT security and the authors recognise [sic] that the creation and use of a 25-character complex password (although ideal) for day-to-day human machine interface operations may be inappropriate. The recollection and usage of such a password under duress may create circumstances that are unacceptable from a safety perspective.”
I think that this is a valuable manual to have and review, but I do have one major complaint about the mechanics of the document. There are a large number of high-density graphics included that make navigation through the 66-page document difficult and time consuming if you are using an older system. I had page load times of almost two minutes using my old Windows 2000 based laptop.
