Ncma saguaro cyber security 2016 law & regulations asis phoenix dely final 05182016
1. Cyber Security 2016 Law & Regulatory Environmental Trends
A) Presidential Executive Orders 13636 and 13691 Critical Infrastructure Cyber Security
B) Legal Authority: Key Federal Laws, DOD Guidance (161 Directives), FAR/DFARS
C) System Cyber Defense Resilience Architecture
Alex Dely, Contracts Manager, Innovation & Cyber Directorates, Raytheon Missile Systems
ASIS Phoenix Chapter 18 May 2016
Alex_Dely@Raytheon.com
2. Cyber Tidbits
• Typical Dwell Time in Public Infrastructure Networks before Penetration Detection: 128 Days.
• Every minute 1,080 hacks occur; 27 Days to Resolve; $7.4M/Incident.
• Software Code: 4.9 Flaws/1000 Lines of Code, of which 1 to 5% represent serious vulnerabilities
• Typical Penetration Detector: External Vulnerability Assessment Part
• 1.5 Million Cyber Security Jobs Unfilled (Unfillable?)
• Attacker only needs 0.0001 Success Rate
• Most Asset Owners do not know about their Outbound Traffic: # Connections, Length of Connection, Amount of Data, % Encrypted, Destination IP
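The outbound-traffic visibility the last bullet calls for can be produced from ordinary flow records. The following is an added example (not from the presentation) that reduces a constructed, Zeek conn.log-like set of flows to exactly those metrics per external destination: connection count, total connection length, bytes out and share encrypted; the system names, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed outbound flow records in a Zeek conn.log-like layout (not real traffic):
# ts src dst dport duration_s bytes_out service
CONSTRUCTED_FLOWS = """\
1463580000.1 10.20.1.15 192.0.2.44 443 12.5 48213 ssl
1463580003.7 10.20.1.15 192.0.2.44 443 0.9 1024 ssl
1463580010.0 10.20.1.23 198.51.100.9 80 300.0 2048 http
1463580012.4 10.20.1.23 198.51.100.9 8080 4200.0 9500000 -
1463580020.2 10.20.1.40 10.20.5.2 502 60.0 512 modbus
"""

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENCRYPTED_SERVICES = {"ssl", "ssh"}  # services Zeek labels as encrypted transports


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def summarise_outbound(text):
    """Per external destination: # connections, total seconds, bytes out, % encrypted."""
    stats = defaultdict(lambda: {"connections": 0, "total_seconds": 0.0,
                                 "bytes_out": 0, "encrypted": 0})
    for line in text.splitlines():
        _ts, _src, dst, _dport, dur, nbytes, service = line.split()
        if is_internal(dst):
            continue  # plant-internal traffic (e.g. Modbus to a PLC) is not outbound
        s = stats[dst]
        s["connections"] += 1
        s["total_seconds"] += float(dur)
        s["bytes_out"] += int(nbytes)
        s["encrypted"] += service in ENCRYPTED_SERVICES
    for s in stats.values():
        s["pct_encrypted"] = round(100.0 * s.pop("encrypted") / s["connections"], 1)
    return dict(stats)


def flag_for_review(summary, max_seconds=3600, max_bytes=1_000_000):
    """Destinations with long-lived sessions or large volumes the asset owner should be able to explain."""
    return sorted(dst for dst, s in summary.items()
                  if s["total_seconds"] > max_seconds or s["bytes_out"] > max_bytes)


if __name__ == "__main__":
    summary = summarise_outbound(CONSTRUCTED_FLOWS)
    for dst, s in summary.items():
        print(dst, s)
    print("review:", flag_for_review(summary))
```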
4. POTUS Executive Order 13636
EO 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
* technology-neutral cybersecurity framework and practices
* increase volume, timeliness and quality of threat information sharing
* incorporate strong privacy and civil liberties protections
* evaluate regulatory adequacy
POTUS Policy Directive-21 Critical Infrastructure Security and Resilience directs the Executive Branch, led by DHS, in coordination with NIST, NSA and sector Agencies, to:
* develop near-real time physical and cyber situational awareness capability
* understand cascading consequences of infrastructure failures
* mature public-private partnerships
* update the National Infrastructure Protection Plan
* develop comprehensive research and development plan
5. NIPP 16 Critical Infrastructure Sectors
1) Defense Industrial Base
2) Critical Manufacturing
3) Emergency Services
4) Government Facilities
5) Financial Services
6) Information Technology
7) Transportation
8) Nuclear Reactors & Materials
9) Energy
10) Communications
11) Chemical
12) Dams
13) Water & Wastewater
14) Food & Agriculture
15) Public Health Facilities
16) Commercial Facilities
COMPLEX INTERLINKAGES WITH LIMITED CORRESPONDING GOVERNMENT-INDUSTRY EXPERTISE & ACCOUNTABILITY
6. POTUS EXECUTIVE ORDER 13691
EO 13691 Private Sector Cybersecurity Information Sharing (Feb 2015):
- establishes Information Sharing & Analysis Organizations (ISAO) standards and protocols to coordinate with US Government Information Sharing & Analysis Centers (ISAC)
- strengthens DHS National Cybersecurity & Communications Integration Center (NCCIC) ability to approve access to classified information
Categories:
1) Cyber-Physical (nano-scale to large-scale wide-area systems of systems; dependably, safely, securely, efficiently and in real-time; convergence of computation, communication, and control)
2) Cyber-Cyber (Network Cyber)
3) Physical-Cyber
4) Physical-Physical
8. Integrated SCADA/ICS
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
9. Control System is NOT an IT Network!!
Industrial Control Systems (ICS):
* Distributed Control Systems (IoT)
* Supervisory Control and Data Acquisition Systems (SCADA)
* Process Control Systems
* Manufacturing Execution Systems
Vulnerability Categories:
* Millions of Remote Access Points, many in Legacy systems with limited Access Control, open Communications Protocols, Default Passwords, Limited/No Firewalls
* Complex Systems Dynamically Reconfiguring in Space/Time
* Reliance on mostly Offshore Suppliers
* Technical Documentation freely available on Internet
* Hierarchical Wireless Sensor Networks allow an attacker to determine where the root node is placed
11. DHS Cross Sector Roadmap of Cyber Security Control Systems
Homeland Security Presidential Directive-7: Robustness, Survivability & Resilience Systems-of-Systems Principles:
1) Operational Independence of Elements
2) Managerial Independence of Elements
3) Geographical Distribution of Elements
4) Evolutionary Development
5) Emergent behavior
6) Heterogeneous Network of Systems
7) Automated Intrusion Audit Trails
8) Real Time Incident Response
9) Acquisition Strategy & Contracting
10) Training
12. Where We Want to Go
“Defense-in-Depth Architecture”
Graphic courtesy of DHS Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies October 2009
14. Key Federal Laws
1) Title 44 Federal Information Security Management Act (3541 et seq)
2) Title 18 Computer Fraud & Abuse Act (1030)
3) Title 18 Stored Communications Act (2701 et seq)
4) Title 18 Federal Wiretap Act (2510 et seq)
5) Title 18 Pen Registers and Trap and Trace Devices (3121 et seq)
6) Many Presidential Executive Orders
15. DOD Guidance Documents (161!)
Build & Operate a Trusted DoDIN handout (CIO Cyber):
1) Lead & Govern (18)
2) Design for the Fight (26)
3) Develop the Workforce (12)
4) Partner for Strength (9)
5) Secure Data in Transit (22)
6) Manage Access (16)
7) Assure Information Sharing (7)
8) Understand the Battlespace (7)
9) Prevent & Delay Attackers/Prevent Attackers from Staying (15)
10) Develop and maintain Trust (9)
11) Strengthen Cyber Readiness (8)
12) Sustain Missions (12)
16. DoDI 5000.02 & 5200.39 Program Protection Planning
PPP is an iterative System Security risk management process:
1) Critical Program Information Identification/Criticality
2) Mission Critical Functions & Components Trusted Systems & Networks Analysis
3) Identification of Horizontal Protection Requirements
4) Identification of Foreign Involvement (Trusted Supply Chain)
5) Threat Analysis
6) Vulnerability Assessment
7) Risk Assessment
8) Trade-off Analyses
9) Countermeasures Implementation (Defensive Cyber Resilience, Anti Tamper, OpSec, InfoSec/Information Assurance, Software Assurance)
10) Verification & Validation and Residual Risk
17. DFARS 252.204-7012 (Sept 2015)
“Safeguarding Covered Defense Information and Cyber Incident Reporting”: INTERIM RULE:
1) 72 Hr Network Penetration Reporting
2) Contracting for Cloud Services
Four Recommended Contractor Actions:
1) Register with DOD to obtain a mandatory Medium Assurance certificate
2) Identify & Mark all Attributional/Proprietary Information
3) SCM Flowdown to Subcontractors (including Commercial Item and Small Business Subcontracts, Teaming Agreements etc). Sub must report to Prime and DOD within 72 hrs (no Tier limitation).
4) Monitor Existing Contract Mods
18. DFARS 252.204-7012 Cont 2
“Covered Defense Information”:
- unclassified information provided to contractor by or on behalf of DOD in connection with performance of a contract
- information collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of contract performance
CDI includes:
- Controlled Technical Information
- Critical Information
- ITAR Export Control Information
- Other Restricted Information
Covered Contractor Information Systems: any system owned or operated by or for the contractor that processes, stores or transmits CDI.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. REPLACES NIST SP 800-53
19. DFARS 252.204-7012 Cont 3
72 HR CYBER INCIDENT REPORTING:
- Any action that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein
- Required “Review for Compromise”:
* disclosure of information to unauthorized persons
* violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction or loss of an object, or copying to unauthorized media may have occurred
90 DAY IMAGE PROTECTION OF INFORMATION SYSTEMS FOR FORENSIC ANALYSIS AND DAMAGE ASSESSMENT
20. DFARS 252.204-7012 Cont 4
COMPANION DFARS 252.204-7009 Limitations on the Use and Disclosure of Third Party Contractor Reported Incident Information
Cyber Incident Info may be shared with:
1) US and other entities affected
2) Entities that may assist in diagnosis, detection, or mitigation (need additional PIA/NDA!)
3) Law enforcement and counterintelligence
4) Defense Industrial Base participants
5) Support services contractors
22. Cyber Resiliency Defined (MITRE)
1) The ability of a nation, organization, mission, process or weapon system to anticipate, withstand, recover from, and evolve to improve capabilities in the face of adverse conditions, stresses, or attacks on the supporting cyber resources it needs to function
2) The sub-discipline of Mission Assurance Engineering which considers: a) the ways an evolving set of resilience practices can be applied, and b) the tradeoffs associated with the different strategies for applying those practices
24. Cyber Resiliency 3 Pillars
1) NATIONAL INSTITUTE FOR STANDARDS & TECHNOLOGY (NIST):
A) Cybersecurity Framework
B) Risk Management Framework
C) Trustworthy Resilient Systems
D) Supply Chain Risk Management
SP 800 Series of Documents: SP 800-160 System Security Engineering, SP 800-115 Information Security Testing, SP 800-161 Supply Chain Risk Management
2) DOD ENGINEERED RESILIENT SYSTEMS INITIATIVE (ERS TOGAF)
3) DOD PROGRAM PROTECTION PLANNING (PPP)
25. 18 Cyber Resiliency Architecture Principles
1) Separate
2) Manual Operation
3) “Stateless” Services (no record of previous interaction)
4) Common vs Redundant Services
5) Any Function/Console
6) Location Independent Services
7) Degraded Modes
8) Saturation Alleviation
9) Disconnected Modes
10) Least Privilege
11) Provenance
12) Reconfigurability
13) Layers
14) Vulnerability Containment
15) Isolation
16) Boundaries
17) Audit
18) Recovery
27. 14 Cyber Attack Mechanisms
1) Gather Information
2) Deplete Resources
3) Injection
4) Deceptive Interactions
5) Abuse of Functionality
6) Probabilistic Techniques
7) Exploitation of Authentication
8) Exploitation of Authorization
9) Manipulate Data Structures
10) Analyze Target
11) Gain Physical Access
12) Malicious Code Execution
13) Alter System Components
14) Manipulate System Users
28. Measuring Cyber Resilience
• DOD Universal Joint Task List Enclosure B
• MITRE Cyber Resiliency Metrics (272)
29. SUMMARY:
1) Critical Infrastructure Cyber Security goes WELL beyond IT networks
2) Cyber Security Law & Regulation is in its infancy, and DOD Guidance will likely drive significant expansion in scope & quantity of new laws and FAR/DFARS regulations
3) Most of the 16 Critical Infrastructure Industry Sectors have BARELY begun Cyber Resilience Architecting & Engineering of Critical Systems
31. SCADA Cyber Security Needs
Operational Needs
• Certifiable, attribute-based access control (only authenticated AND authorized users)
• Low cost, small form factor information assurance appliances (SW and HW)
• Tailorable levels of assurance to changing operational requirements
• Real-time data delivery between stations
• Interfaces with multiple communications protocols
• Rapid reconfiguration of security policies to meet dynamic needs of smart grids
• Scalable for all levels of service (e.g. generating stations, substations, primary & secondary customers)
Operational Benefits
• Enhanced operational effectiveness and efficiency (e.g. lower cost per kWh)
• Streamlined certification & accreditation to meet emerging policy mandates
32. DHS Cyber Cryptography
• Aging Cryptographic Algorithms
– Legacy 80-bit algorithms (DES, MD5, SHA-1, RSA-1024, two-key 3DES, SKIPJACK, KEA, and DSA) are threatened. NIST SP 800-78 requires Government users to replace RSA-1024/SHA-1 with higher security algorithms
• Suite B Algorithms for the Next Generation
– NSA-endorsed algorithms that are approved for classified use and deliver the information assurance required for the next 30-50 years
– ECC in GF(p) (P-256, P-384, P-521*)
– Equivalent to 3,072, 7,680, and 15,360-bit RSA
– ECMQV and EC Diffie-Hellman key establishment
– ECDSA digital signatures
– AES-128/192*/256, SHA-224*/256/384/512*
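The practical point of the slide is that a system's strength is set by its weakest algorithm, so a Suite B curve signed with SHA-1 is still an 80-bit system. The following is an added example (not NSA, NIST or DHS tooling) that audits a constructed inventory of key, signature, cipher and hash components against the slide's legacy list and Suite B strengths; the system names, the 128-bit requirement and the treatment of unlisted algorithms as "review" are assumptions.

```python
# Legacy ~80-bit-security algorithms from the slide that NIST SP 800-78 says to replace.
LEGACY_80_BIT = {"DES", "MD5", "SHA-1", "RSA-1024", "3DES-2KEY", "SKIPJACK", "KEA", "DSA"}

# Suite B components with security strength in bits. The curve strengths follow the
# slide's RSA equivalents (P-256 ~ RSA-3072, P-384 ~ RSA-7680, P-521 ~ RSA-15360);
# hash strength is collision resistance, which is what a signature relies on.
SUITE_B_BITS = {
    "P-256": 128, "P-384": 192, "P-521": 256,
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "SHA-256": 128, "SHA-384": 192, "SHA-512": 256,
}


def strength_bits(component):
    """Security strength of one algorithm, or None if it is on neither list."""
    if component in LEGACY_80_BIT:
        return 80
    return SUITE_B_BITS.get(component)


def effective_strength(components):
    """A connection or certificate chain is only as strong as its weakest component."""
    bits = [strength_bits(c) for c in components]
    return None if None in bits else min(bits)


def audit(inventory, required_bits=128):
    """inventory: {system: [key/signature/cipher/hash]} -> {system: (effective bits, weak components)}.
    Unlisted algorithms count as weak so they are surfaced for manual review."""
    report = {}
    for system, comps in inventory.items():
        weak = sorted(c for c in comps if (strength_bits(c) or 0) < required_bits)
        report[system] = (effective_strength(comps), weak)
    return report


# Constructed inventory (hypothetical system names, not real assets).
CONSTRUCTED_INVENTORY = {
    "ami-headend-tls": ["P-256", "SHA-256", "AES-128"],  # pure Suite B, 128-bit
    "substation-vpn": ["P-384", "SHA-1", "AES-256"],     # strong curve undone by a SHA-1 signature
    "legacy-hmi": ["RSA-1024", "MD5", "DES"],            # everything on the replace list
}

if __name__ == "__main__":
    for system, (bits, weak) in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{system}: effective {bits}-bit, replace {weak or 'nothing'}")
```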
33. DHS Control System AMI Security Requirements
2.8 System Communication Protection
* Policy/Management
* Port Partitioning/Security Function Isolation/Information Remnants/Denial of Service Protection
* Communication Integrity/Trusted Path
* Validated Cryptographic Key Establishment/Public Key Infrastructure Certificates
* Message Authenticity/Secure Name–Address Resolution
34. DHS Control System AMI Security Requirements Cont
2.9 Information System Management
2.10 System Development & Maintenance (Legacy)
2.12 Incident Response (Continuity of Operations/Alternate Control Centers)
2.14 System & Information Integrity (Malicious Code/Accuracy/Completeness/Validity/Authenticity)
2.15 Access Control (Authenticator Management, Remote Access, Wireless Access)
2.16 Audit & Accountability (Time Stamps)
35. NIST Control System Security Cont
15 Categories of Logical Interfaces
1) SCADA Control Systems
2) WAN Control Systems
3) DMS/LMS Control Systems
4-5) Back Office Systems
6) B2B Connections
7) Control to NC Systems
8) Sensor Networks
9) Sensor to Control Sys
10) AMI Network Interfaces
11) HAN/BAN Customer
12) Interface to Customer
13) Mobile Field Crews
14) Metering Interfaces
15) Decision WAMS/ISO