Seán Paul McGurk National Cybersecurity and Communications

Presentation transcript:

1 Department of Homeland Security Incident response and vulnerability analysis
Seán Paul McGurk, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security

Security within the control systems community can be viewed as value added by increasing efficiency and safety. DHS/NCSD recognizes the importance of control systems and the role that the private sector plays in protecting our nation's infrastructure.

Outline for presentation:
Scope of the CSSP mission: control systems within critical infrastructure; cuts across all 18 sectors
What is the concern/risk: the intersection of IT and control systems
What DHS is doing to reduce the risk to control systems: ICS-CERT and on-site assessment efforts
Observations
Stuxnet: what we have been doing

2 Cyber Incident Response and Analysis
Today we will focus on the ICS-CERT efforts and our findings as we have worked with the control systems stakeholders in the critical infrastructure community. ICS-CERT has gained significant traction in recent months as the number of cyber incidents is increasing and as asset owners have called us in for support. We have deployed fly-away teams to assist with on-site forensics and recovery efforts, and our malware analysis lab has been extremely busy.

3 Situational Awareness
ICS-CERT provides operational support for critical infrastructure stakeholders to respond to and defend against emerging cyber threats.

Situational Awareness: observe, identify, acquire, or receive relevant ICS information
Incident Response: provide on-site assistance and off-site analysis to bridge the information gap
Technical Analysis: perform digital media analysis for malware and consequences
Partnering: provide disclosure through advisories, alerts, bulletins and information sharing

Benefits to the ICS and critical infrastructure community:
Awareness of emerging issues and threats
State-of-the-art analysis capabilities specific to ICS
Incident response support for recovery and future defense
Established partnership for immediate support and guidance
ICS-CERT collaboration with other agencies and partners

These four focus areas function to provide important benefits to the ICS community.

4 ICS-CERT: Products Alerts Advisories Website & Portal
These are the three main ways we communicate with our customers. Trusted partners may join the US-CERT Portal (Control Systems compartment) to receive updates on alerts and advisories. The website is updated weekly with news articles related to relevant critical infrastructure events via an RSS feed.

Advisories: provide advice and guidance on dealing with a specific situation, including mitigations.
Alerts: quick-release product (within hours); may not include mitigations, but we want to provide a heads-up on information we have.
Portal membership: need-to-know environment for trusted partners (for example, a zero-day with no known fix would be released through the portal but not to the public).

5 National Cybersecurity and Communications Integration Center
ICS-CERT and the NCCIC

The National Cybersecurity and Communications Integration Center is comprised of organizational components and operational liaisons. "Components" refers to DHS organizations that have a major presence on the NCCIC floor; "operational liaisons" refers to outside agencies such as ISACs, law enforcement and industry. The execution of NCCIC's mission relies on coordinated operations that contribute to all products and services.

The NCCIC provides a collaborative environment where the security agencies and divisions can share information and coordinate responses to national cyber events and incidents. ICS-CERT is one of the five main components that constitute the NCCIC.

6 Incident Response Support
Assist asset owners
Onsite "fly-away" teams: network architecture, data collection, mitigation
Offsite technical analysis teams: analysis of collected data, customer reporting
Bridge the threat awareness gap

Purpose of the incident response capability: assist asset owners with identification and elimination of threat actors affecting critical infrastructure. The effort is collaborative with US-CERT, with ICS-CERT focusing on control environments within critical infrastructure.

On-site: a fly-away team is available to deploy onsite, review the affected entity's network architecture, collect applicable forensic data, assist with immediate mitigation efforts when appropriate, and redeploy with the collected data to perform additional forensic analysis in a laboratory environment. Team members: a team lead with support from the ICS-CERT Technical Analysis Team (typically a control engineer and a cybersecurity analyst), and US-CERT technical teams as necessary/appropriate.

Off-site: after redeployment, analytical findings are conveyed to the customer on a weekly basis, or sooner if circumstances/findings dictate. Off-site analysis is also available without a fly-away team if appropriate data sets can be provided to the ICS-CERT Technical Analysis Team or the appropriate US-CERT analysis team.

On-site assistance attempts to bridge the gap between threat information held by the government and the needs of owner/operators when identifying and recovering from incidents, or when planning for the future security of their network. Access to important data sources enables ICS-CERT and US-CERT to add unique value as part of partnerships and collaborative initiatives with private sector stakeholders.

7 Incident Response Example
Pre-deployment (diagram labels: Information package; ICS-CERT Operations; Company-X request for assistance)

3. ICS-CERT notifies the appropriate authorities, delivers a pre-visit checklist and, based on the checklist inputs, determines the appropriate fly-away team composition. Prior to deployment, ICS-CERT analysts prepare a classified pre-deployment briefing for the fly-away team.

8 Incident Response Example
Onsite (diagram labels: Company-X; ICS-CERT Operations; Logs; Drive Images; ICS-CERT & US-CERT Technical Analysis)

4. The ICS-CERT team (sometimes joined by a US-CERT representative) conducts the investigation and provides on-scene assistance to UTILITY-X. In parallel, ICS-CERT analysts prepare all-source background briefings for DHS consumers.

9 Incident Response Example
Post-deployment (diagram labels: Company-X; ICS-CERT & US-CERT Technical Analysis; ICS-CERT Operations)

6. Based on the technical findings, ICS-CERT reports to all appropriate authorities/agencies and provides follow-up assistance to UTILITY-X.

10 Fly-Away Team Observations
Increase in control systems owner/operators' desire to understand the threats to their systems and how to mitigate risks
Increased security measures are needed not only to prevent cyber attacks, but to detect and respond to incidents and mitigate the overall risk
Trends in the usage of USB and other removable media have introduced and spread malware:
USB thumb or flash drives have found their way into many networks
USB drives offer malware authors an unprecedented ability to circumvent customary network access controls and protections
Control systems are susceptible to attacks via USB drives because they tend to be isolated from the internet and the business network and removable media are therefore used to push updates out to the system

Based on our recent involvement with industry, the following observations were noted. General observation: a lack of established security practices and adequate awareness among company employees has resulted in compromised networks.

11 Control System Vendor’s Response
Developing internal incident response teams or CERTs for triaging major issues
Notifying their customer base through increased advisories and communications
Collaborating with ICS-CERT on vulnerability-related issues, including testing of mitigations and workarounds
Participating in working groups such as the Industrial Control Systems Joint Working Group (ICSJWG) to collaborate with other vendors and solicit feedback from owner/operators
Overwhelming response to participate in the Program's week-long ICS advanced cybersecurity training

As the malware analysis team has worked with ICS vendors, we have seen positive results and willing participation to improve the security posture of their products and to provide security support to their customer base. The vendor community is stepping up as players in this fight and taking steps to improve security within their products. Siemens started a CERT team.

12 Cyber Security Evaluation Tool (CSET)
CSET features:
Assessment covers policy, plans, and procedures in 10 categories
Provides recommended solutions to improve security posture
Allows for standards-specific reports (e.g., NERC CIP, DOD, NIST SP 800-53)

Recent accomplishments:
Issued Version 2.0 of the tool
The embedded Global Assessment cross-references multiple standards
Version 3.0 in development; planned completion in September 2010
Distributed over 1,000 copies since October 2009 to asset owners in 15 different sectors

The evaluation tool helps owners and operators evaluate the security posture of their control system, and it provides recommendations on how the security can be improved.

13 Assessments: On-Site Support
CSSP used the CSET to assist critical infrastructure asset owners in conducting self-assessments
Completed 50 assessments in multiple sectors
Assessment teams assisted infrastructure asset owners in 17 states and territories, including several remote locations where the control systems represent "single-point failures" for the community
CSSP encourages asset owners to identify their security gaps and implement the recommended mitigation strategies

Another key focus area for the program has been our on-site assessment work.
Sectors: water, transportation, health, shipping, dams, energy, banking & finance, chemical, IT, defense
States and territories included: CA, NM, OK, WA, LA, AL, NH, ND, PA, NV, MN, American Samoa, Saipan, Guam

14 On-Site Assessment Observations
Weak or nonexistent cybersecurity policies and practices:
Lack of a formal documented program and procedures
Need for an established cybersecurity team
Need for incident response and disaster recovery policies and/or directives

Insufficient control of remote logging and access:
Weak enforcement of remote login policies
Weak port security

Network architecture not well understood and internal networks not segmented:
Flat networks; devices not properly configured

15 On-Site Assessment Observations continued
Media protection and control:
Weak control of incoming and outgoing media (use of USB drives)
Lack of encryption implementation

Audit/logging events:
Insufficient methods for monitoring and controlling network events
Lack of understanding of disaster recovery techniques

Weak testing environments:
Limited patch management abilities
Weak backup and restore abilities
Weak firewall rule sets

Patch management, good example: the Army Corps of Engineers has 9 dams on the Columbia River in Washington. They have a testing environment set up where they test patches for 1000 hours before pushing them out to their operational units.
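Slides 10 and 15 both point at the same gap: removable media moving between the business network and an isolated control network, with no audit logging to notice it. As an added example (not part of the presentation and not an ICS-CERT tool), the script below shows the kind of check a monitoring team could run over device-attachment audit records. The log format, host inventory, approved-media allowlist and every log line are constructed for this illustration; a real deployment would feed it from whatever removable-media auditing the host OS or endpoint agent provides.

```python
"""Added example (not from the presentation): flag removable-media events that
breach a simple media-control policy for control-system hosts.

Policy modelled here (a constructed illustration of the slides' observations):
  1. Mass-storage devices on control-zone hosts must be on an approved list.
  2. Approved media must not also be attached to hosts outside the control zone,
     since dual-use media is exactly how an "isolated" network gets malware.
"""
import re
from dataclasses import dataclass

# Constructed, syslog-style audit lines in a hypothetical format; not real vendor output.
SAMPLE_LOG = """\
2010-09-14T08:02:11Z hmi-01 usb: device attached vid=0781 pid=5567 serial=4C530001230 class=mass-storage
2010-09-14T08:02:15Z hmi-01 usb: device attached vid=046d pid=c31c serial=NONE class=hid
2010-09-14T09:41:02Z eng-ws-03 usb: device attached vid=0951 pid=1666 serial=0019E06B class=mass-storage
2010-09-14T10:05:44Z corp-lt-22 usb: device attached vid=0951 pid=1666 serial=0019E06B class=mass-storage
2010-09-14T11:12:09Z plc-gw-02 usb: device attached vid=1234 pid=0001 serial=X99 class=mass-storage
"""

# Constructed inventory: which hosts sit in the control-system zone.
CONTROL_ZONE_HOSTS = {"hmi-01", "eng-ws-03", "plc-gw-02"}
# Constructed allowlist: serial numbers of media vetted for pushing updates.
APPROVED_SERIALS = {"0019E06B"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) usb: device attached (?P<kv>.*)$")


@dataclass(frozen=True)
class UsbEvent:
    ts: str
    host: str
    serial: str
    dev_class: str


def parse_usb_events(text):
    """Parse the constructed audit format into UsbEvent records; skip unrelated lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(part.split("=", 1) for part in m.group("kv").split())
        events.append(UsbEvent(m.group("ts"), m.group("host"),
                               fields.get("serial", ""), fields.get("class", "")))
    return events


def find_violations(events, control_hosts=CONTROL_ZONE_HOSTS, approved=APPROVED_SERIALS):
    """Return (host, serial, reason) tuples for mass-storage attachments that breach policy."""
    # Serials of storage devices ever seen on a host outside the control zone.
    seen_outside = {e.serial for e in events
                    if e.dev_class == "mass-storage" and e.host not in control_hosts}
    violations = []
    for e in events:
        if e.dev_class != "mass-storage" or e.host not in control_hosts:
            continue  # keyboards/mice and non-control hosts are out of scope here
        if e.serial not in approved:
            violations.append((e.host, e.serial, "unapproved media on control host"))
        elif e.serial in seen_outside:
            violations.append((e.host, e.serial, "approved media also used outside control zone"))
    return violations


if __name__ == "__main__":
    for host, serial, reason in find_violations(parse_usb_events(SAMPLE_LOG)):
        print(f"{host}: serial {serial}: {reason}")
```

On the constructed log this reports three findings: two unapproved drives on control hosts, and the one approved update drive, which was also plugged into a corporate laptop later the same day. The second rule is the one worth keeping even if the allowlist is abandoned: it is the cross-zone reuse of a drive, not the drive itself, that defeats the isolation the slides describe.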

16 Industrial Control Systems Joint Working Group (ICSJWG)
Provides a vehicle for collaboration between government and private sector control systems stakeholders:
Government Coordinating Council
Sector Coordinating Council
Subject matter experts
International community

Fosters information sharing and coordination of activities and programs across government and private industry stakeholders involved in protecting CIKR.

Includes 6 subgroups (volunteers welcome):
Vendors
Research and Development
International
ICS Roadmap Development
Workforce Development
Information Sharing

17 Contact Information
Report control systems cyber incidents and vulnerabilities
Report general cyber incidents and vulnerabilities
Sign up for cyber alerts
Learn more about the Control Systems Security Program
