3. Vulnerabilities
• Research and Find…
– LOTS!
– [insert vendor] [insert product] [insert vuln count]
• The Answer:
– Get vendors to fix all vulnerabilities
– Get asset owners to apply all patches
4. Architectures
• Flat Networks, Single Points of Failure
• The Answer:
– Get asset owners to re-architect all networks
5. Training
• Operators, Architects and Coders Lack Skills
• The Answer:
– Train all Users to Control Behavior
– Educate all System Designers
– Train all vendor engineers to build Secure-By-Design
7. Let’s Talk Scale…
• ~6,000 Electric Utilities
• 55,000 Substations
• 100,000 EHV Transformers
• 200,000 Miles of Transmission Lines
• 2.2 Million Miles of Distribution Lines
• 300,000 Electric Engineers
8. Let’s Talk Scale…
• ~50,000 Water Utilities
• 1 Million Miles of Water Pipes
• 400B Gallons Potable Water Per Day
• 80B Gallons of Wastewater Per Day
10. Let’s Talk Scale…
• 200 Natural Gas Utilities
• 300,000 Miles of Gas Transmission Pipelines
• 2.4 Million Miles of Distribution Pipes
• 2T Cubic Feet Annually
• 600,000 Gas Sector Employees
15. How Long Will All That Take?
• To Find All Vulnerabilities?
• To Apply All Patches?
• To Create All New Devices?
• To Re-Architect All Networks?
• To Train Everyone?
16. What Would We Gain?
• Infrastructure Vulnerable to Every Day Zero
• Network Segments That Still Fail
• Insider Threats that Succeed
17. What is Achievable?
• The Same Thing Operators Use Now: Visibility
• At the Facility
• Across Sectors
• Nationally
• Internationally
20. We Need to Know:
• Who We Are
• What We Have
• What it is Doing
• How To Share
21. Pieces Falling Into Place
• Tools and Process For Visibility
• Common Language for Sharing
• Compatible Plumbing
• Local, State, National and Global Structures
23. Automated Knowledge Sharing
TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries.
24. Project Avalanche
• Open Source Sharing Platform
• STIX Repository
• TAXII Server
• Pilot Operational
• Open Source Summer 2014
25. Situational Awareness Ref Arch (SARA)
• Identity
– “Who are we?”
• Inventory
– “What do we have?”
• Activity
– “What is it doing?”
• Sharing
– “How do we communicate with others?”
26. SARA Overview
• Reference Architecture for Shared Visibility
• Guide
• Network
• Open Source Toolset
• ICS-ISAC.org/sara
27. Identity
• Foundation for Rational Decisions
– What capabilities do we have?
– How do we make decisions?
– What is our structure?
• Existing Methodologies
– all.net/Arch/index.html
– CSET
28. Inventory
• Create and Maintain Inventory
– Control System Components
– Process Equipment
– System Topology
– Device Configurations
• Open Source Tools
– Snort, nmap, ossim
30. Sharing
• Inbound
– Receiving and Utilizing External Knowledge
• Outbound
– Deriving
– Anonymizing
• Communication
– Schemas and Transports (STIX, TAXII, IODef, CIF…)
– Policies and Practices
31. Information Types
• Data
– Atomic: syslog messages, device configurations…
• Information
– Aggregate: Lots of Data
• Knowledge
– Actionable, Sharable
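The outbound path on the Sharing slide (derive, anonymize, then hand off via STIX/TAXII) and the Data → Information → Knowledge ladder above, worked as a small added example. This is not code from the deck or from the ICS-ISAC SARA toolset: it uses constructed syslog lines with invented hostnames and addresses, assumes 10.20.0.0/16 as the plant's own address space, and emits STIX 2.1 JSON (the deck predates STIX 2; the 2014 pilot used STIX 1.x XML).

```python
import json
import re
import uuid
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (the "Data" layer). Hostnames, users and
# addresses are invented; 10.20.0.0/16 plays the role of the plant network.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 scada-srv-01 sshd[1201]: Failed password for root from 198.51.100.23 port 51122 ssh2
Mar  3 10:01:04 scada-srv-01 sshd[1201]: Failed password for root from 198.51.100.23 port 51123 ssh2
Mar  3 10:01:07 scada-srv-01 sshd[1203]: Failed password for admin from 198.51.100.23 port 51130 ssh2
Mar  3 10:02:11 hmi-plant-a sshd[880]: Failed password for operator from 10.20.0.5 port 40001 ssh2
Mar  3 10:03:15 scada-srv-01 sshd[1210]: Accepted password for operator from 10.20.0.7 port 40010 ssh2
"""
INTERNAL_NETS = [ip_network("10.20.0.0/16")]  # assumed plant address space
FAILED_RE = re.compile(r"Failed password for \S+ from (?P<src>[\d.]+) port")


def aggregate_failures(syslog_text, internal_nets=INTERNAL_NETS):
    """Data -> Information: failed-login count per external source address.
    Sources inside the plant's own ranges never enter the shareable set."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = FAILED_RE.search(line)
        if m and not any(ip_address(m["src"]) in net for net in internal_nets):
            counts[m["src"]] += 1
    return counts


def derive_indicators(counts, threshold=3):
    """Information -> Knowledge: repeated failures become STIX 2.1 indicators.
    Only the external address survives; hostnames, usernames and ports from
    the raw lines are deliberately dropped (the anonymizing step)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [{
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now, "modified": now, "valid_from": now,
        "name": f"Repeated SSH authentication failures ({n} attempts)",
        "pattern": f"[ipv4-addr:value = '{src}']",
        "pattern_type": "stix",
    } for src, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    # A STIX bundle is the unit a TAXII collection would carry.
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
              "objects": derive_indicators(aggregate_failures(SAMPLE_SYSLOG))}
    print(json.dumps(bundle, indent=2))
```

The internal failed login from 10.20.0.5 is kept for local analysis but never reaches the shared object, which is the point of the anonymizing step before anything crosses the organization boundary.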
32. SARA Pilot
[Diagram: Enernex LAB pilot. Process equipment, PLC, HMI and SCADA Server connect through a switch to a SARA Server; Firewall/VPN (Palo Alto) and Tripwire sit at the lab edge; a message bus using ActiveMQ with STIX and TAXII schemas and transports carries data over the Internet to ICS-ISAC, vendors (GE) and service providers.]