1A - ICS
Reconstitution
(occurs after an event) -Involves actions taken to rebuild or restore a critical asset capability after it has been damaged or destroyed
Incident Response
(occurs after an event) -Comprises the plans and activities taken to eliminate the cause or source of an infrastructure event
Analysis and Assessment
(occurs before an event) -Most important phase of the CIP life cycle -Identifies the assets absolutely critical to mission success and determines the assets' vulnerabilities, as well as their interdependencies, configurations, and characteristics
Remediation
(occurs before an event) -Includes education and awareness, operational process or procedural changes, or system configuration and component changes
Indications and Warnings
(occurs before and/or during an event) -Involves daily sector monitoring to assess the mission assurance capabilities of critical infrastructure assets and to determine if there are event indications to report -Indications are actions that indicate whether an infrastructure event is likely to occur or is planned -Tactical, operational, and strategic levels --Tactical: input comes from asset owners --Operational: input comes from NDI --Regional assets: allied intelligence, North Atlantic Treaty Organization (NATO), command intelligence, allied governments, and coalition forces --Strategic: input comes from intelligence, law enforcement, and the private sector -Warning: the process of notifying asset owners
Mitigation
(occurs both before and during an event) -Comprises actions taken before or during an event in response to warnings or incidents
Communications
*protocols and media used by ICS environments for field device control and intra-processor communication are typically different from the generic IT environment -May be proprietary
Building Automation System (BAS)
-A computerized, intelligent network of electronic devices designed to monitor and control the mechanical and lighting systems in a building -An example of a DCS -Keeps the building climate within a specified range -Provides lighting based on an occupancy schedule -Monitors system performance, alarms and security, and device failures, and provides email and/or text notifications to building engineering staff -Often referred to as an intelligent building system
SCADA
-A system used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation
factors that currently contribute to the increasing risk to control systems
-Adoption of standardized protocols and technologies with known vulnerabilities -Connectivity of the control systems to other networks -Insecure and rogue connections -Widespread availability of technical information about control systems
Cellular
-Advantages --Infrastructure is already in place and maintained by the provider --Technicians can access services with personal devices (immediate alarm notifications) --Network maintained by the carrier -Disadvantages --Possible latency issues (call establishment delays) --At the mercy of the service provider in case of reduced connectivity or outages --Upfront cost of hardware --Recurring monthly costs --Limited coverage in certain areas --Call drop problems
Expected data Throughput
-The amount of data retrieved per poll cycle dictates which communications technologies can be used -Estimate the time needed to retrieve the data by dividing the number of bytes required by the speed of the communications link in bytes per second (link speeds are usually quoted in bits per second, so divide by 8 first) -Compare the result with the scan interval the process requires
The main objectives of this federal/civilian partnership
-Assess the vulnerabilities of the sector to cyber or physical attacks -Recommend a plan to eliminate significant vulnerabilities -Propose a system for identifying and preventing attempted major attacks -Develop a plan for alerting, containing and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstitute minimum essential capabilities in the aftermath of an attack
Control Loop Theory
-Based on a cause-and-effect relationship -Controlled variables are transmitted to the controller from the sensors -The controller interprets the input signals and, based on set-points, generates corresponding manipulated output variables, which it transmits to the outputs/actuators -Process changes from disturbances (e.g. opening an oven door) result in new sensor signals, identifying the state of the process, which are again transmitted to the controller -The controller performs its function by using an algorithm --The algorithm modifies the output in order to create a change in the input --This input-output relationship represents the cause-and-effect relationship of the process
Networked SCADA Systems
-Closely related to the 2nd generation --Primary difference is an open system architecture rather than a vendor-controlled, proprietary environment -Open system architecture; utilized open standards and protocols; made it possible to distribute SCADA functionality across a WAN and not just a LAN -Use of off-the-shelf systems made it easier for the user to connect third-party peripheral devices to the system and/or the network -Major improvement came from the use of WAN protocols such as the Internet Protocol (IP) for communication between the master station and communications equipment
Programmable Logic Controller (PLC)
-Computer-based, solid-state devices that control almost all industrial equipment and processes -Communications are usually performed using local area network (LAN) technologies --Typically more reliable and high speed compared to the long-distance communication challenges such as delays and data loss -Usually employ greater degrees of closed loop control -Has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode control (PID), communication, arithmetic, and data and file processing
Distributed Control System (DCS)
-Control is usually achieved by deploying feedback or feed-forward control loops whereby conditions are automatically maintained around a desired set point (normally through the use of PLCs with PID controllers)
Homeland Security Presidential Directive (HSPD-7)
-Designated the Secretary of Homeland Security as the "principal Federal official to lead agencies, State and Local governments and the private sector" -Issued in 2003 specifically for Critical Infrastructure Identification, Prioritization, and Protection (CIIPP) -Broadened the definition of infrastructure in accordance with the Patriot Act
Remote Terminal Unit (RTU)
-Field devices often equipped with wireless radio interfaces to support remote situations where wire-based communications are unavailable -Gathers data from field devices (pumps, valves, alarms, etc.) and holds it in memory until the MTU initiates a send command or request -RTUs are more suitable for wide geographical telemetry (SCADA) -PLCs are more suitable for local area control (LAN) -RTUs and PLCs are beginning to overlap in responsibilities, and many vendors sell RTUs with PLC-like features and vice versa
Monolithic SCADA Systems
-First developed with mainframe systems in mind -Networks generally non-existent -SCADA systems were standalone systems with virtually no connectivity to other systems -Protocols in use were developed by vendors of Remote Terminal Unit (RTU) equipment and were often proprietary
titled "Improving Critical Infrastructure Cybersecurity" (E.O. 13636)
-Focused on government agencies sharing both unclassified and classified "threat information" with private companies --Expanded current Joint Cybersecurity Services Program to include all U.S. Critical Infrastructure sectors ---Now known as the "Enhanced Cyber Security Services Program (ECS)" --Priority on privacy and civil liberties protections --Critical sectors have been reduced to 16
Energy Management and Control Systems (EMCS)
-Has an integrated central control and display panel that incorporates the building fire alarm system, controls for the building heating, ventilating, and air conditioning (HVAC) systems, and controls for the building lighting system -Typically in a campus/installation environment -Monitors the building's main utility meter and minimizes demand charges by shedding controllable loads for short time periods -Priorities are determined by building management
Landline
-Have the option of leasing, owning, or a combination thereof -Medium can be copper, coaxial or fiber -Can be used in conjunction with other media like radio, depending on the location of remote sites relative to actual landlines -Advantages --Large bandwidth capability --Accessible from anywhere the user has access to a landline -Disadvantages --Monthly costs --Service to remote areas may not be available --When service is down, you are waiting for someone else to repair it
How CIP applies to USAF
-IAW AFDD 3-12, The Air Force depends upon US critical infrastructure and key resources for many of its activities, including force deployment, training, transportation, and normal operations -The DoD is responsible for protecting its portion of the government's critical infrastructure -PDD-63/HSPD-7 identified the responsibilities the DoD had for critical infrastructure protection --The DoD categorized its own critical assets by sector, in a manner similar to the national CIP organization
Performance Requirements
-ICSs are generally time-critical -Delay and jitter dictated by the individual installation (nuclear power plant operations cannot tolerate any amount of delay or jitter; deterministic responses required) -High throughput typically not essential to ICSs
Distributed Control System (DCS)
-Integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process
SCADA Server or Master Terminal Unit (MTU)
-Master (or heart) of a SCADA system, located at the operator's central control facility -Initiates virtually all communication with remote sites and interfaces with an operator -Data from remote field devices is sent to the MTU to be processed, stored and/or sent to other systems
Resource Constraints
-May not have computing resources available on ICS components to retrofit systems with current security capabilities -Third-party security solutions are usually not allowed due to ICS vendor license and service agreements **Loss of service support can occur if third party applications are installed without vendor acknowledgement or approval
Cost
-Need to consider upfront cost (equipment and installation) -Operating costs (monthly fees, maintenance costs and future upgrades) -Communications media include licensed radio, spread spectrum radio, cellular, landline, microwave, and satellite
System Operation
-Operating systems (OS) and applications may not tolerate typical IT security practices -Legacy systems are especially vulnerable to resource unavailability and timing disruptions -Software and hardware are more difficult to upgrade in an operational control system network -Many systems may not have desired features like encryption capabilities, error logging, and password protection
Programmable Logic Controller (PLC)
-Output results are "high" and "low" signals to power lights, solenoids, contactors, small motors, and other devices lending themselves to on/off control -IEC 61131-3: standards-based programming languages --Function block diagram (FBD) --Ladder diagram (ladder logic) --Structured text (similar to Pascal) --Instruction list (similar to assembly language) --Sequential function chart Note*-list is not all inclusive; there are other programming languages in use, including proprietary languages created by manufacturers for use in their systems
Master
-Polls for data -Controls slave devices -Repository of data
Risk Management Requirements
-Primary concerns for an ICS *Human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence *Regulatory compliance *Loss of equipment *Loss of intellectual property *Lost or damaged products
Intelligent Electronic Device
-Receive data from sensors or power equipment and issue control commands, such as tripping circuit breakers if they sense voltage, current or frequency anomalies -Can also raise/lower voltage levels in order to maintain the desired level -Common types of IEDs include protective relaying devices, load tap changer controllers, circuit breaker controllers, capacitor bank switches, recloser controllers, and voltage regulators -Protection relays being manufactured today are primarily IEDs -Mainly used in the utility industry
Spread Spectrum radio
-Require no FCC licenses or fees -Maximum transmitter output power fed into the antenna is 30 dBm (1 watt) -Throughput is in the range of 115 Kbps -Distance a signal can travel is approx. 10-20 miles before some type of repeater is needed -Can use multiple repeaters -Repeater radios generally have built in error correction, encryption and other features ***No guarantee of data integrity or operating performance
Slave
-Responds to Master commands -Can have more than one master -Two types of transmission --Response to poll --Report by exception
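The master/slave exchange and the throughput rule on the cards above, as an added example that is not part of the course material: a toy master polls three RTU-style slaves, first by response to poll and then by report by exception, and the poll-cycle time is estimated as bytes required divided by link speed in bytes per second. The 8-byte poll request, the response frame layout, the deadband and the field readings are constructed assumptions; the 19.2 Kbps and 115 Kbps link rates are the figures the licensed radio and spread spectrum cards in this deck quote.

```python
"""Added example (not from the course material): a toy SCADA master/slave
exchange and a poll-cycle time estimate.

Shows the two slave transmission types (response to poll, report by
exception) and applies the throughput rule (bytes required / link speed in
bytes per second) to decide how many sites fit in a scan interval on a given
medium. Frame sizes, link rates and readings are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

POLL_REQUEST_BYTES = 8      # assumed size of one poll frame from the master
FRAME_HEADER_BYTES = 8      # assumed header on a slave response frame
BYTES_PER_VALUE = 4         # assumed encoding: one 32-bit value per point

# Link speeds (bits per second) as quoted in the radio cards of this deck
LINK_BPS = {"licensed_radio": 19_200, "spread_spectrum": 115_000}


@dataclass
class Slave:
    address: int
    readings: Dict[str, float]                  # constructed field values
    deadband: float = 0.5                       # change needed to report
    last_reported: Dict[str, float] = field(default_factory=dict)

    def respond_to_poll(self) -> Dict[str, float]:
        """Response to poll: every point is sent, whether it changed or not."""
        self.last_reported = dict(self.readings)
        return dict(self.readings)

    def report_by_exception(self) -> Dict[str, float]:
        """Report by exception: only points that moved past the deadband."""
        changed = {}
        for point, value in self.readings.items():
            previous = self.last_reported.get(point)
            if previous is None or abs(value - previous) > self.deadband:
                changed[point] = value
        self.last_reported.update(changed)
        return changed


def response_bytes(n_values: int) -> int:
    """Assumed wire size of a slave frame carrying n_values points."""
    return FRAME_HEADER_BYTES + BYTES_PER_VALUE * n_values


def poll_cycle_bytes(slaves: List[Slave]) -> int:
    """Bytes on the link for one full cycle (request + response per slave)."""
    return sum(POLL_REQUEST_BYTES + response_bytes(len(s.readings)) for s in slaves)


def cycle_seconds(total_bytes: int, link_bps: int) -> float:
    """Throughput rule from the deck: bytes required / link speed in bytes/s."""
    return total_bytes / (link_bps / 8)


def max_sites_per_scan(scan_interval_s: float, bytes_per_site: int, link_bps: int) -> int:
    """How many sites one master can poll within the scan interval on this link."""
    return int(scan_interval_s * (link_bps / 8) // bytes_per_site)


def demo() -> dict:
    """Constructed scenario: a master polls three RTUs, then one tank level moves."""
    slaves = [Slave(addr, {"level": 4.0, "pressure": 30.0, "flow": 12.0, "alarm": 0.0})
              for addr in (1, 2, 3)]
    poll_data = {s.address: s.respond_to_poll() for s in slaves}   # full poll
    slaves[1].readings["level"] = 5.2                             # only RTU 2 changes
    exceptions = {s.address: s.report_by_exception() for s in slaves}
    total = poll_cycle_bytes(slaves)
    per_site = POLL_REQUEST_BYTES + response_bytes(4)
    return {
        "poll_points": sum(len(d) for d in poll_data.values()),
        "exception_points": sum(len(d) for d in exceptions.values()),
        "cycle_bytes": total,
        "cycle_s_licensed": cycle_seconds(total, LINK_BPS["licensed_radio"]),
        "sites_in_2s_licensed": max_sites_per_scan(2.0, per_site, LINK_BPS["licensed_radio"]),
        "sites_in_2s_spread": max_sites_per_scan(2.0, per_site, LINK_BPS["spread_spectrum"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The full poll moves twelve points; the exception report moves one. The site count is the practical output of the throughput rule: at 19.2 Kbps roughly 150 of these sites fit in a two-second scan, at 115 Kbps roughly 900, before latency, retries and call set-up on the chosen medium are considered.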
Human-Machine Interface
-Software and hardware that allows human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency
Licensed radio
-Can transmit at up to five watts of power -VHF and UHF are less prone to attenuation by rain, fog, tree leaves, etc. -Can communicate 40-50 miles with line of sight -Speeds are limited to 19.2 Kbps --Some parts of the spectrum are bandwidth-limited (channels spaced every 6.25 kHz) -Limited to one repeater in a system
Distributed SCADA Systems
-Took advantage of Local Area Networking (LAN) technology to distribute the processing across multiple systems -Individual systems were generally based on LAN protocols and were not capable of reaching beyond the limits of the local environment --Some of the LAN protocols that were used were proprietary in nature --Limited (or effectively eliminated) the connection of other vendors' equipment to the SCADA LAN
Satellite
-Traditionally very expensive -With the evolution of the technology, costs have come down considerably --Dish installation at each remote site ($1200-$3000 each) -Data plans cost 1-2 cents per poll --Can add up very quickly depending on the number of sites polled daily -Consideration must also be given to latency and to signal loss or deterioration due to inclement weather
Time-Critical Responses
-Typical IT System *Access control can be implemented without significant regard for data flow -ICS *Automated response time or system response to human interaction is very critical *Information flow must not be interrupted or compromised *Access to these systems should be restricted by rigorous physical security controls
Physical Interaction
-Typical IT System *No physical interaction with the environment -ICS --Very complex interactions with physical processes *Could manifest into physical events --Security functions integrated into the ICS must be thoroughly tested *Cannot compromise normal ICS functionality
Architecture Security Focus
-Typical IT System *Protecting the operation of IT assets *Protection of information stored /transmitted among these assets -ICS --Edge clients (e.g., PLC, operator station, DCS controller) need to be carefully protected *Directly responsible for controlling the end processes --Protection of the central server is still important *Could adversely impact every edge device
Managed Support
-Typical IT Systems --Allows for diversified support styles, perhaps supporting disparate but interconnected technology architectures -ICS --Service support is usually via a single vendor ---May not have a diversified and interoperable support solution from another vendor
Component Lifetime
-Typical IT Systems --Lifetime on the order of 3 to 5 years -ICS --Lifetime of the deployed technology is often on the order of 15 to 20 years and sometimes longer
Change Management
-Typical IT Systems --Software updates and security patches typically applied in a timely fashion --Often automated using server-based tools -ICS --Patches/updates cannot always be implemented on a timely basis ---Updates need to be thoroughly tested by the vendor --Outages must often be planned and scheduled days/weeks in advance --ICS may also require revalidation as part of the update process --Older versions of operating systems that are no longer supported by the vendor ---Patches may not be applicable
Access to Components
-Typical IT Systems --Usually local and easy to access -ICS --Can be isolated, remote, and require extensive physical effort to gain access to them -Additionally --Available computing resources for ICS tend to be very limited
Availability Requirements
-Unexpected outages of systems *Not acceptable *Planned and scheduled days/weeks in advance -Pre-deployment testing is essential to ensure high availability for the ICS *Cannot be easily stopped and started without affecting production
Distributed Control System (DCS)
-Used to control production systems within the same geographic location, for industries such as oil refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants, and pharmaceutical processing facilities
Microwave
-Widely used for point-to-point communications --Small wavelength allows conveniently-sized antennas to direct them in narrow beams which can be pointed directly at the receiving antenna --Allows nearby microwave equipment to use the same frequencies (roughly 1 GHz to 30 GHz) without interfering with each other -High frequency of microwaves gives the microwave band a very large information-carrying capacity --The microwave band has a bandwidth 30 times that of all the rest of the radio spectrum below it -Disadvantages --Limited to line of sight propagation; cannot pass around hills or mountains --Cost to build infrastructure is high --Hardware costs are high and the tower space cost is also very high
Closed Loop Theory
-A control system that uses a measurement of the output and feeds it back to the input of the controller -The difference between the desired output (setpoint) and the actual output is the error, which the controller acts on -The output of the controller causes the actuator to modulate the process in order to reduce the error
Integral Control
-Will continuously increment or decrement the controller's output to reduce the error -Considers the history of past errors -Over time, will drive the controller's output far enough to reduce the error to zero -Accomplishes this by automatically shifting the proportional band over time -To reduce the time it takes to return the error to zero, derivative action can be added
Data Historian
A centralized database supporting data analysis using statistical process control technologies
Remote Access Points
Are distinct devices, areas and locations of a control network for remotely configuring control systems and accessing process data
SCADA
Can be broken down into three generations of systems -Monolithic -Distributed -Networked
Output/Actuators
Electric motors (standard, servo, variable speed), pumps, lights, valves, electromagnetic switches
Inputs/Sensors
Sense light, temperature, pressure, sound, humidity, direction, piezo (force/vibration), acidity, position
only to DOD-owned systems
DOD and Air Force directives and instructions pertaining to IA and DIACAP requirements apply
slave, master
Devices can only be either a ______ or _______ for each communication environment
Presidential Decision Directive (PDD-63)
Established a national program called "Critical Infrastructure Protection" (CIP)
Network Components
-Fieldbus network: links sensors and other devices to a PLC or other controller; eliminates the need for point-to-point wiring between the controller and each device -Control network: connects the supervisory control level to lower-level control modules -Layer 2/3 devices: communication devices that transfer messages between two networks (e.g. connecting MTUs to RTUs)
-ICS priorities: Availability VERY HIGH, Integrity MEDIUM and Confidentiality LOW -IT priorities: Confidentiality HIGH, Integrity HIGH-MEDIUM and Availability LOW
How does the CIA triad apply to ICS in comparison to traditional IT networks
PIT Systems
ICSs that do not have a direct connection to the AF-GIG are considered
PITI
If a connection to the AF-GIG exists, that connection is considered a
Terrain of area: hills, valleys, trees; urban or rural environment Distance between remote locations Dimensions of remote locations; width and length
Location of remote sites are dependent on various factors like
no security capabilities built-in
Many ICS protocols have few or
OPC UA
Many of these vulnerabilities have been eliminated with the introduction of
Modems
Often used in SCADA systems to enable long-distance serial communications between MTUs and remote field devices (being replaced by more secure means of communication such as VPNs)
They are logically or physically separated/isolated from the base common user infrastructure and systems
PIT point-to-point interconnections using the Air Force base installation's backbone infrastructure for the purpose of connecting to remote sensors or to another PIT capability are not considered PITIs as long as
AFCAP and DIACAP
PITIs are subject to the
Firewall
Protects devices on a network by monitoring and controlling communications packets using predefined filtering policies
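As an added example that is not from the course material: a minimal allow-list packet filter in Python, evaluating constructed packets against a predefined policy of the kind the firewall card describes, placed between the supervisory level (MTU, HMI, engineering workstation) and the control level (RTUs/PLCs). A poll from the MTU and a logic download from the engineering workstation are allowed; a poll from a corporate host (a rogue connection), the same download attempted from the HMI, and an outbound connection from an RTU are dropped. Addresses, ports and rule names are assumptions.

```python
"""Added example (not from the course material): an allow-list packet filter
for a control network, with first-match semantics and default deny.

Networks, hosts, ports and rule names are constructed assumptions:
  10.10.1.0/24  supervisory level (MTU 10.10.1.10, eng. workstation 10.10.1.20, HMI 10.10.1.30)
  10.10.2.0/24  control level (RTUs/PLCs)
  anything else (e.g. corporate 192.168.0.0/16) is outside the control network
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

POLL_PORT = 4000   # assumed TCP port of the master/slave polling protocol
PROG_PORT = 4001   # assumed TCP port used to download logic to controllers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and (self.dport is None or pkt.dport == self.dport))


# Only the master may poll, only the engineering workstation may program,
# and the field network gets an explicit (loggable) deny for any egress.
POLICY: List[Rule] = [
    Rule("mtu-polls-field", "10.10.1.10/32", "10.10.2.0/24", "tcp", POLL_PORT, "allow"),
    Rule("eng-ws-programs", "10.10.1.20/32", "10.10.2.0/24", "tcp", PROG_PORT, "allow"),
    Rule("field-no-egress", "10.10.2.0/24",  "0.0.0.0/0",    "tcp", None,      "deny"),
]


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; traffic matching nothing is dropped (default deny)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


def demo() -> dict:
    """Constructed packets covering the cases the policy is meant to separate."""
    samples = {
        "mtu_poll":     Packet("10.10.1.10", "10.10.2.5", "tcp", POLL_PORT),
        "rogue_poll":   Packet("192.168.50.7", "10.10.2.5", "tcp", POLL_PORT),
        "hmi_programs": Packet("10.10.1.30", "10.10.2.5", "tcp", PROG_PORT),
        "rtu_egress":   Packet("10.10.2.5", "192.168.50.7", "tcp", 443),
        "eng_programs": Packet("10.10.1.20", "10.10.2.9", "tcp", PROG_PORT),
    }
    return {name: evaluate(POLICY, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:13s} {action:5s} ({rule})")
```

The explicit egress deny is redundant with the default deny but gives field-device connection attempts their own rule name, which is what an operator wants to alert on. A real deployment would be stateful, so slave responses to an allowed poll ride the established session rather than needing their own allow rule.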
Mission Assurance Cat I
Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. Consequences of loss are unacceptable and could include the immediate and sustained loss of mission effectiveness; require the most stringent protection measures
Mission Assurance Cat II
Systems handling information that is important to the support of deployed and contingency forces. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness; require additional safeguards beyond best practices to ensure assurance
Mission Assurance Cat III
Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences could include the delay or degradation of services or commodities enabling routine activities; require protective measures, techniques, or procedures generally commensurate with commercial best practices
IAW AFDD 3-12
The Air Force depends upon US critical infrastructure and key resources for many of its activities, including force deployment, training, transportation, and normal operations
proportional control
The way we set proportional control is through gain (G) and the proportional band (PB); the two are reciprocal (PB in percent = 100/G)
provides economic and technical benefits, but also increases the susceptibility of ICS to cyber incidents
Transition to using open protocol standards .......
-Expanded the Critical Infrastructure and Key Resource (CIKR) sectors to 17 which were overseen by 9 Sector Specific Agencies (SSA) -Provided the unifying structure for the integration of existing and future CIKR protection efforts and resiliency strategies into a single national program to achieve a united goal
IAW HSPD-7, DHS created the NIPP (updated in 2009 and 2013); what did it do for critical infrastructure protection
PID Controller
When there is a "process upset", or when the process variable quickly changes, the __________ has to quickly change the output to get the process variable back to the setpoint
master, slave
a device can be a ______ in one environment but a ________ in another
OPC (Object Linking and Embedding (OLE) for Process Control)
a protocol that enables interaction between control systems and PC-based application programs
ISACs
are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators
Diagnostic and maintenance utilities
are used to prevent, identify and recover from abnormal operation or failures
DoD
categorized its own critical assets by sector, in a manner similar to the national CIP organization
Open Loop Theory
control system utilizes an actuating device to control the process directly without using feedback
PDD-63/HSPD-7
identified the responsibilities the DoD had for critical infrastructure protection
AC (Assured Channel)
is a network communication link protected by a security protocol providing authentication, confidentiality, and data integrity, and employs US government-approved cryptographic technologies whenever cryptographic means are used
ICS PIT Certification and Accreditation (C&A)
is required for any new or existing ICS
DoD
is responsible for protecting its portion of the government's critical infrastructure
Proportional Mode
is the main driving force behind a controller
PID Controller
job is to maintain the output at a predetermined level so that there is no difference (error) between the process variable (PV- output) and the setpoint (SP-desired setting)
Derivative Control
-Produces an output based on the rate of change of the error (predicts what is yet to happen by projecting the current rate of change into the future) -Rarely used in controlling processes -Very sensitive to measurement noise
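The PID behaviour described across the Proportional, Integral and Derivative cards, as an added example that is not part of the course material: a discrete PID controller closed around a constructed first-order process. Proportional-only control settles with a steady-state offset, adding integral action drives the error to zero, and derivative action turns a small measurement toggle into a large output swing. The plant model, gains, setpoint, sample time and noise pattern are assumptions chosen for illustration, not parameters of any real control system.

```python
"""Added example (not from the course material): a discrete-time PID loop
closed around a constructed first-order process, tau * dPV/dt = output - PV.

Gains, setpoint, sample time and the +/- noise toggle are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


def proportional_band(gain: float) -> float:
    """Proportional band (%) is the reciprocal of gain: PB = 100 / G."""
    return 100.0 / gain


@dataclass
class PID:
    kc: float                 # proportional gain G
    ki: float = 0.0           # integral gain (per second)
    kd: float = 0.0           # derivative gain (seconds)
    out_min: float = 0.0
    out_max: float = 100.0
    integral: float = 0.0
    prev_error: Optional[float] = None

    def update(self, setpoint: float, pv: float, dt: float) -> dict:
        """One controller scan: error = SP - PV, output = P + I + D, clamped."""
        error = setpoint - pv
        if self.prev_error is None:
            self.prev_error = error           # no rate of change on the first scan
        p = self.kc * error
        d = self.kd * (error - self.prev_error) / dt
        candidate = p + self.ki * self.integral + d
        # Simple anti-windup: accumulate history only while the output is unsaturated
        if self.out_min < candidate < self.out_max:
            self.integral += error * dt
        i = self.ki * self.integral
        out = min(max(p + i + d, self.out_min), self.out_max)
        self.prev_error = error
        return {"out": out, "p": p, "i": i, "d": d, "error": error}


def simulate(kc, ki=0.0, kd=0.0, setpoint=50.0, pv0=20.0, seconds=200.0,
             dt=0.1, tau=10.0, noise=0.0) -> dict:
    """Run the loop against the first-order plant and report the final true
    error and the largest |D| contribution over the last 100 scans.

    `noise` adds a deterministic +/-noise toggle to each measurement, a
    constructed stand-in for sensor noise.
    """
    ctl = PID(kc=kc, ki=ki, kd=kd)
    pv = pv0
    steps = int(seconds / dt)
    d_steady = 0.0
    for n in range(steps):
        measured = pv + (noise if n % 2 == 0 else -noise)
        r = ctl.update(setpoint, measured, dt)
        pv += dt * (r["out"] - pv) / tau      # Euler step of the plant
        if n >= steps - 100:
            d_steady = max(d_steady, abs(r["d"]))
    return {"error": setpoint - pv, "d_steady": d_steady}


if __name__ == "__main__":
    print("P only    :", simulate(kc=2.0))
    print("PI        :", simulate(kc=2.0, ki=0.5))
    print("PID clean :", simulate(kc=2.0, ki=0.5, kd=1.0))
    print("PID noisy :", simulate(kc=2.0, ki=0.5, kd=1.0, noise=0.1))
```

With gain 2 (proportional band 50%) the P-only loop settles where the proportional output exactly balances the plant, leaving an error of about 16.7 units; the integral term removes that offset. In the noisy run the derivative term alone swings by roughly two output units every scan in response to a 0.1-unit measurement toggle, which is the noise sensitivity the derivative card warns about.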
TCP/IP
to reduce costs and improve performance