Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
101 views17 pages

Control System Security: A Case Study in Collaboration

This document summarizes a collaboration between an electric utility (TVA), control system vendor (AREVA), consultant (Digital Bond), cybersecurity standards organization (NERC), and configuration standards group (CIS) to improve industrial control system security. Through this collaboration, AREVA customized the CIS security benchmarks and Digital Bond's Bandolier templates to their control system products. Bandolier templates were tested on AREVA systems to validate secure configurations. This improved security of AREVA systems, helped TVA with compliance, and established best practices for asset owners through secure system delivery and guidance documents. The collaboration benefited all parties by bringing together expertise to develop sound security practices.

Uploaded by

augur886
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
101 views17 pages

Control System Security: A Case Study in Collaboration

This document summarizes a collaboration between an electric utility (TVA), control system vendor (AREVA), consultant (Digital Bond), cybersecurity standards organization (NERC), and configuration standards group (CIS) to improve industrial control system security. Through this collaboration, AREVA customized the CIS security benchmarks and Digital Bond's Bandolier templates to their control system products. Bandolier templates were tested on AREVA systems to validate secure configurations. This improved security of AREVA systems, helped TVA with compliance, and established best practices for asset owners through secure system delivery and guidance documents. The collaboration benefited all parties by bringing together expertise to develop sound security practices.

Uploaded by

augur886
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Control System Security: A Case Study in Collaboration

Stephen Hilt TVA Sharon Xia AREVA Mike Assante - NERC Dale Peterson Digital Bond Clint Kreitner Center for Internet Security (CIS)

The collaborators
The asset owner/operator TVA The control system vendor AREVA

The consultant (with DOE funding) Digital Bond


The configuration standards CIS The cybersecurity standards NERC

ICSJWG 2010 Spring Conference

The Asset Owner/Operator View


The motivation to improve Control System security
NERC CIP compliance NIST/FISMA compliance Risk Management

Security Configuration standard


The use of COTS software platforms Change Management Industry standard settings over in-house developed standards.

ICSJWG 2010 Spring Conference

Goal of the NERC CIP Program


Encourage voluntary collaboration to develop benchmarks to be used by BPS entities Motivate the supply chain via the procurement process Encourage collaborations among asset owners, security researchers, and vendors Mandatory reliability standards are necessary, but are not sufficient as they tell you what to do and not how to do it & standards are more static in nature Compliance does not necessarily achieve a significantly improved security posture, unless entities adhere to proven and expert developed practices
ICSJWG 2010 Spring Conference

Building on the Standards


Advanced collaborations can take the best knowledge from the right people/organizations and apply it in a time sensitive manner
Keeps up with technology (new system versions/upgrades) Keeps up with the ever changing threatscape Harnesses expertise and interest of:
Cyber security researchers Security professionals and facilitators Security administrators

ICSJWG 2010 Spring Conference

Electric Infrastructure Protection


A real community effort!
Provides a channel to apply information developed from government funded research efforts Develops sound practices in the form of configurations that brings security value to CIP compliance Gives asset owners the ability to proactively integrate and verify security of critical cyber assets before deploying them Helps the vendors support their customers, design winning products, and improve their product development process

ICSJWG 2010 Spring Conference

The CIS Benchmarks


Produced via expert consensus (>1,500 SMEs) Current portfolio of 50 IT benchmarks
Recommended values for configurable settings
Desktop Mobile Network OS Printers Servers

Multiple hardening levels

CIS-CAT - CIS Configuration Audit Tool


Scores a system against the benchmark values
ICSJWG 2010 Spring Conference

Digital Bonds Bandolier


Dept. of Energy Research Contract Identify Optimal Security Config Settings
Start with industry guidelines on OS, IT apps Test with vendor to insure they dont break it Identify SCADA/DCS specific security settings

Create Bandolier Security Audit File


Automate testing of thousands of parameters Works with Nessus Compliance Plugin / Low Impact Available from Digital Bond or ICS Vendor

ICSJWG 2010 Spring Conference

AREVA e-terra Numbers


Linux System: 1337 Security Settings
Client, App Server and Web Server 110 e-terra application checks

Windows System: 676 Security Settings


Client, App Server and Web Server 63 e-terra application checks

Application Check Example


Are trace files configured to record operator actions?

ICSJWG 2010 Spring Conference

Bandolier Security Audit Files


ABB 800xA [dev] ABB Ranger AREVA e-terra Emerson Ovation Matrikon OPC OSIsoft PI Server Siemens Spectrum Power TG SISCO ICCP [dev] SNC GENe Telvent OASyS DNA Toshiba TOSMAP [dev]

More to come

ICSJWG 2010 Spring Conference

Meet Customers Needs


Security baked into the products
Provided security guides for the AREVA products
e-terraplatform Network Security Guides e-terraplatform System Security Guide Windows e-terraplatform System Security Guide Linux

Cost effective ongoing monitoring by asset owners


The 10 AREVA Bandolier templates

Auditable reports for compliance


NERC CIP-002 through CIP-009 NIST/FISMA

ICSJWG 2010 Spring Conference

Adopt Industry Best Practices


The AREVA System Security Guides and Bandolier templates
Based on the CIS Benchmarks Customized to fit the AREVA Systems

Collaboration with Digital Bond


Provided automated audit tool Customized Bandolier OS templates for AREVA systems Produced templates for application checks Tested the AREVA Bandolier templates in the R&D lab

ICSJWG 2010 Spring Conference

Deliver Secured Systems


Harden the systems in FAT Customize the AREVA Bandolier Templates to conform to customers security policies Audit the systems using Nessus and the Bandolier templates in FAT and SAT Deliver the customized templates with the systems to customers Provide trainings

ICSJWG 2010 Spring Conference

Benefits to the Owner/Operator


Deployment of new systems
Documented and audited secure configurations
Assure only necessary services are enabled
Disable FTP, telnet, etc..

Set appropriate file and registry permissions

Maintaining secure configurations over time


Use of industry recognized configuration standards
Reduction in configuration errors Vendor product updates

ICSJWG 2010 Spring Conference

Benefits to the Owner/Operator


Scan results provide documented evidence for compliance audits
NIST/FISMA NERC

ICSJWG 2010 Spring Conference

16

Ongoing
Generic CS benchmarks for W7, Server 2008
Benchmark teams now forming
Call for participation

Vendor application product specific benchmarks


Collaboration
The power of many working toward a common goal
TVA, NERC, AREVA, Digital Bond, DOE, CIS

ICSJWG 2010 Spring Conference

You might also like