Highlights

Program Announcements

DHS selected Industrial Defender as a licensed distributor of CS2SAT

The U.S. Department of Homeland Security (DHS) has selected Industrial Defender as a licensed distributor of the Control System Cyber Security Self-Assessment Tool (CS2SAT), a software application designed to assist critical infrastructure asset owners and operators with a comprehensive approach for assessing the cyber security posture of industrial control system and Supervisory Control and Data Acquisition (SCADA) networks.

View Industrial Defender's press release.

Recommended Practice for Patch Management of Control Systems

Patch management of industrial control systems is critical to resolve security vulnerabilities and functional issues. The objective of a patch management program is to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software. However, a single solution does not exist that adequately addresses the patch management processes of both traditional information technology (IT) data networks and industrial control systems (ICSs). While IT patching typically requires relatively frequent downtime to deploy critical patches, any sudden or unexpected downtime of ICSs can have serious operational consequences. As a result, there are more stringent requirements for patch validation prior to implementation in ICS networks. The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) recognizes that control systems owners/operators should have an integrated plan that identifies a separate approach to patch management for ICS. This document specifically identifies issues and recommends practices for ICS patch management in order to strengthen overall ICS security.

DHS Control Systems Self Assessment Tool (CS2SAT) Licensed for Distribution to the Water and Waste Water Sector

The Water Environment Research Foundation (WERF) and the American Water Works Association Research Foundation (AwwaRF) are new distributors of the Control System Cyber Security Self-Assessment Tool (CS2SAT) to the water and waste water sector. They are authorized to distribute the tool only for WERF subscribers and AwwaRF members.

Recommended Practice: Creating Cyber Forensics Plans for Control Systems

This document addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments. This recommended practice supports forensic practitioners in creating a control systems forensics plan, and assumes evidentiary data collection and preservation using forensic best practices. The goal of this recommended practice is not to reinvent proven methods, but to leverage them in the best possible way. As such, the material in this recommended practice provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.

Cyber Security Procurement Language for Control Systems

The Cyber Security Procurement Language for Control Systems summarizes security principles that should be considered when developing system specifications and procuring control systems products (software, systems, and networks) and provides example language to incorporate into procurement specifications. The guidance is offered as a resource for informative use; it is not intended as a policy or standard.
This document serves as a "tool kit" designed to reduce cyber security risks in control systems through the procurement cycle. It assists with the management of known vulnerabilities and weaknesses by delivering more secure systems, and enables asset owners to request security "built-in" rather than "bolted on."

NIST released Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides comprehensive assessment procedures for the security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans.

GAO Examined Tennessee Valley Authority Information Security Practices Protecting its Control Systems

The United States Government Accountability Office (GAO) was asked to determine whether the Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, has implemented appropriate information security practices to protect its control systems. The GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security.

What GAO found.

Critical Infrastructure and Control Systems Security Curriculum

The Critical Infrastructure and Control Systems Security Curriculum is designed as a tool to be employed by an instructor for use in creating a masters-level professional course on Critical Infrastructure and Control Systems Security. The objective of any course constructed with this tool will be to convey fundamental organizational and economic principles required to (1) effectively manage high-impact risk to infrastructure services, and (2) design and implement public policies and business strategies that mitigate such risks.
Even though many of the case examples are drawn from control systems, the principles will apply to other critical infrastructure situations.

A December 10, 2007 SANS Consensus Document details successful projects undertaken by US government agencies to implement the National Strategy to Secure Cyberspace

December 19, 2007

Three white papers, "Understanding OPC and How it is Deployed", "OPC Exposed", and "Hardening Guidelines for OPC Hosts", provide an overview of OPC technology and how it is actually deployed in industry, outline the risks and vulnerabilities incurred in deploying OPC in a control systems environment, and summarize current good practices for securing OPC applications running on Windows-based hosts.

Lofty Perch to License DHS Control Systems Self Assessment Tool (CS2SAT)

Lofty Perch, Inc. recently announced that it has been selected by the Department of Homeland Security to be a licensed distributor of the DHS Control Systems Cyber Security Self-Assessment Tool (CS2SAT). This application, created at the Idaho National Laboratory for the DHS National Cyber Security Division, was developed specifically to assist SCADA and Process Control System users in improving the cyber security posture of their control systems. The CS2SAT application is a security assessment support tool based on industry standards, best practices, and

ISA Automation Standards Compliance Institute to distribute DHS NCSD Control Systems Self Assessment Tool (CS2SAT)

The ISA Automation Standards Compliance Institute (ASCI) recently completed an agreement with the Idaho National Laboratory to distribute CS2SAT on behalf of the United States Department of Homeland Security. The tool is distributed with a training video, online documentation, and 2 hours of phone support from control systems cyber security specialists to help licensees structure their self assessment approach. The CS2SAT was developed by the Control Systems Security Program of the Department of Homeland Security's National Cyber Security Division. The purpose of the CS2SAT is to provide organizations that use SCADA

Online training - OPSEC for Control Systems

This innovative, web-based course introduces control systems employees to the basic concepts of operations security (OPSEC) and applies these concepts to the control system environment. Course lessons let you check

Catalog of Control Systems Security: Recommendations for Standards Developers

This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. It is not limited to use by a specific industry sector but can be used by all sectors to develop a framework needed to produce a sound cyber security program. It should be viewed as a collection of recommendations to be considered and judiciously employed, as appropriate, when reviewing and developing cyber security standards for control systems. The recommendations in this catalog are intended to be broad enough to provide any industry using control systems the flexibility needed to develop sound cyber security standards specific to their individual security needs.

Cyber Security Response to Physical Security Breaches

Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. However, the current trend of using computer networks to remotely monitor and control unmanned facilities has also increased the possibility that these physical property crimes could be used to conceal less discernible cyber crimes. A topical paper has been prepared and posted on the US-CERT website that provides discussion and guidance for the security managers of these facilities. This paper, "Cyber Security Response to Physical Security Breaches", utilizes an electrical substation break-in scenario to illustrate steps that can be taken to assist security managers in determining whether a cyber security intrusion may have occurred. It offers a process for escalation of the investigation to determine the extent of the intrusion and steps to initiate a recovery to a known state. Feedback is welcome and can be sent to cssp@hq.dhs.gov.

The Chemical Sector Cyber Security Program has announced the release of a guidance document outlining the Department of Homeland Security's Protected Critical Infrastructure Information Program.

Recommended Practices Guide Securing ZigBee Wireless Networks in Process Control System Environments (Draft) released

ZigBee is a protocol specification and industry standard for a type of wireless communications technology generically known as Low-Rate Wireless Personal Area Networks (LR-WPAN). LR-WPAN technology is characterized by low-cost, low-power wireless devices that self-organize into a short-range wireless communication network to support relatively low throughput applications such as distributed sensing and monitoring. The document begins with a conceptual overview of LR-WPAN technology and the role that the ZigBee protocol plays in the development and standardization process. A section on the IEEE 802.15.4 specification upon which ZigBee is based is then presented, followed by a description of the ZigBee standard and its various components. A following section describes the ZigBee security architecture, services, and features. Next, a section on secure LR-WPAN network design principles is presented, followed by a list of specific recommended security best practices that can be used as a guideline for organizations considering the deployment of ZigBee networks. Finally, a section on technical issues and special considerations for installations of LR-WPAN networks in industrial environments is presented. A concluding section summarizes key points and is followed by a list of technical references related to the topics presented in this document.

New recommended practices and supporting document

Web-based cyber security training

To connect to the training:

NIAC makes public report

Potential Vulnerabilities in Municipal Communications Networks

DHS recognizes that the upgrading of network technologies in municipalities to improve the efficiency of operations by connecting previously independent systems and to provide new sources of revenue is a prevalent practice. The maintenance of adequate cyber security to protect both the information and physical infrastructure is a significant issue when municipal managers take advantage of these technologies.