OCR of the Document

View the Document >>

Department of Homeland Security, ICS-CERT Year in Review FY 2012, 2013

I 1'9 9 ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 1 i I I rlH1111 l m Fl ii i 2012 Homeland Security 5 What's Inside Welcome Organization 3 Outreach 4 Industrial Control Systems Joint Working Group s Advanced Analytical Laboratory 6 Cybersecurity Training 7 Cybersecurity Evaluations 8 Cybersecurity Evaluation Tool 9 Standards Support 9 Industrial Control Systems Consequence Effects and Analysis 10 Taking Action 11 ICS -CERT by the Numbers Calendar Years 12 ICS- CERT by the Numbers Fiscal Years 13 Sector Support by the Numbers Fiscal Years 14 Future 16 Homeland Security Welcome This year the Industrial Control Systems Cyher Emergency Response Team developed tools and capabilities to assist asset owners with incident handling and response efforts correlates emerging cyber incidents with previous events and tracks known threat actors based on their techniques and tactics The information these tools and capabilities yield is leveraged to provide situational awareness information for the greater industrial control system community Our team accomplished several key initiatives in 1011 including Developed incident handling and response guidancef training for asset owners including tools to assist in forensic data gathering and analysis Improved watch floor operational capabilities data fusion and data analysis capabilities to correlate events and disseminate data Developed a hands-on Control Systems Forensics for Law Enforcement course to train personnel in gathering handling and preserving forensic data Published relevant information products and cybersecurity guidance for protecting against merging threats mitigating common vulnerabilities and implementing best recommended practices ICS-CERT Year-in-Review 2012 Improved relationships with the critical infrastructure and key resources CIKR community to share critical information and raise awareness by leveraging knowledge of new vulnerabiliti to reduce risk across all sectors and Updated policy related to researcher attribution in alerts and advisories to support coordinated disclosures Cybersecnrity is a journey not a destination will continue to enhance our ability to identify wealcnasa and emerging vulnerabilities take the necessary steps to implement change and maintain adequate security measures to defend against the continuously evolving threats As we move into 2013 we are anxious to hear 'orn you Establishing a strong posture of continuous information exehange is essential to reduoing cybersecnrity incidents and improving the overall security posture of our Nation's critical infrastructure Regards War Marty wag Director industrial Control Systems Cyber Emergency Response Team Department of Homeland Security ICSIWG GCC Chair ICS-CERT Year-in-Review - 2012 Taking Action Providing Support Incident Reporting Advanced Analytical Laboratory Incident Response Cybersecurity Evaluation Tool VUinerabiiity Coordination and Reporting Information Products Onsite Evaluations Cybersecurity Training Industrial Control Systems Consequence Effects and Analysis Partners ffljemtional llence f _e ldership $Jlpport MisSion Resilience cross-sector COordination ICSJWG Critical Infrastructure Stakeholders Standards Organizations Law Enforcement Intelligence Community Information Sharing Analysis Centers Industry Agencies Other Government and Regulatory Agencies Cyber Research Community Vendors 2 ICS-CERT Year -in-Rev iew — 2012 Organization Recognizing the importance of control systems to our critical infrastructure the Department of Homeland Security DHS supported the Control System Security Program’s CSSP mission to reduce risk to the Nation’s critical infrastructure by strengthening control systems cybersecurity through public-private partnerships The ICS-CERT is aligning to facilitate the expansion of those essential capabilities in support of Cybersecurity Communications CS C CS C will provide guidance to promote operational efficiencies and transition of responsibilities and mission objectives to ICS-CERT ICS-CERT will continue to provide the same essential products services and support to critical infrastructure asset owners and operators vendors government agencies and others In 2012 ICS-CERT served as a primary component of the National Cybersecurity and Communication Integration Center NCCIC and contributed to the NCCIC’s growing mission and capabilities ICS-CERT continues to accomplish its mission to reduce cybersecurity risks to the Nation’s critical infrastructure by establishing and operating under its four core functional areas 1 Providing situational awareness through alerts and advisories to warn of cyber-based threats and vulnerabilities affecting critical infrastructure assets 2 Conducting technical analysis of malware digital media system vulnerabilities and emerging exploits 3 Performing incident response to support asset owners with discovery analysis and recovery efforts and 4 Coordinating and monitoring control system vulnerabilities in collaboration with the cyber research and vendor communities These four core functions are supported by a foundation of partnering with the control system stakeholder community to facilitate cyber risk mitigation activities 3 I C S -C E RT Yea r -i n - R e vi e w — 2 0 1 2 Outreach The ICS-CERT is organized to support the Strategy for Securing Control Systems which outlines a longterm common vision where effective risk management of control systems security can be realized through successful coordination efforts ICS-CERT recognizes that outreach plays an important role in those coordination efforts In 2012 ICS-CERT provided nearly 60 briefings to 500 industry partners across the 18 critical infrastructure sectors including multiple classified threat briefings to industry organizations that have developed programs for security-cleared personnel The following is a sampling of the sector briefings • Electrical Sector Information Sharing and Acquisition Centers ISAC 4 • Combined Chemical and Oil and Natural Gas ISACs • Water ISAC • Cyber Threat Intelligence Coordination Working Group CTICG • Transportation Security Sector Cyber Working Group TSSCWG and • Nuclear Sector Specific Agency NSSA In addition ICS-CERT attended over 200 events to promote awareness among critical infrastructure owners operators and vendors This level of engagement supports the continuous development of resources to help industry understand and prepare for ongoing and emerging control systems cybersecurity issues vulnerabilities and mitigation strategies Industrial Control Systems Joint Working Group ICS-CERT's outreach strategy has leveraged the Industrial Control Systems Joint Working Group ICSJWG to engage a broad range of partners including critical infrastructure sector specific agencies other federal state local and tribal government agencies national trans and subnational groups and councils fusion centers vendors researchers and academia infrastructure owners and operators and international partners including various CERTs In 2012 ICSJWG had one of the most successful years to date with membership expanding to more than 1 400 industrial control systems ICS professionals The increased coordination between various ICS professionals and cybersecurity organizations was mirrored at the Spring and Fall 2012 ICSJWG meetings Highlights include the following • The CS-CERT participated in panels fostering open dialog about control systems vulnerabilities and how the community can work together to mitigate these issues • The Introduction to Control Systems Cybersecurity training course was taught to more than 11 S meeting attendees at the Spring meeting and the Intermediate Cybersecurity Industrial Control Systems Training was taught to over 65 participants at the Fall meeting • CS-CERT hosted its first International Day featuring information sharing sessions goal discussions and conversations about a possible path forward for creating a new ICSJWG international subgroup • Marty Edwards provided an ICS threat brief and overview to meeting attendees at the Fall meeting • International attendees were invited to attend the world renowned hands-on Industrial Control Systems Cybersecurity Advanced Training held at the CS-CERT training facility in Idaho Falls Idaho Moving forward we will continue to promote growth and collaboration in the ICSJWG community through public­ private partnership • The subgroup meetings allowed participants to discuss in depth the current status ofsubgroup activities and report accomplishments to the community 5 I C S -C E RT Yea r -i n - R e vi e w — 2 0 1 2 Advanced Analytical Laboratory ICS-CERT provides expertise for response and analysis of cyber incidents affecting the ICS community through the Advanced Analytical Laboratory AAL One such example in 2012 was the spear-phishing campaign against the oil and natural gas sector AAL worked directly with a dozen energy and manufacturing companies affected by the campaign providing digital media and log file analyses to identify compromised hosts During the course of this response effort AAL analyzed over 50 malware samples and malicious files 20 emails and 38 hard drive images to determine the extent of the compromise and identify the techniques and tactics used by the threat actors By analyzing malicious emails and malware samples AAL was able to provide indicators of compromise through alerts and advisories to the ICS community to aid in detection efforts AAL provided onsite support to two affected companies helping determine the extent of the compromise and providing mitigation recommendations The chemical sector was also the victim of targeted spear-phishing attacks in 2012 AAL worked directly with companies affected by this campaign providing onsite support analyzing drive images and malware samples 6 and disseminating indicators back to the community AAL provided onsite support to one of the affected companies AAL also provides vulnerability verification and patch validation for ICS products AAL’s verification and validation reports assist ICS-CERT Vulnerability Handlers with developing product advisories for the ICS community In 2012 AAL enhanced its analysis capabilities with a core information storage system This system maintains forensic information for all analysis activities and is integrated with the AAL automated analysis environment AAL also developed a tool to scan whole drives for malware using multiple antivirus engines This tool greatly reduced the time needed to scan multiple drive images with commercial antivirus products ICS-CERT will continue to support AAL’s development of tools and techniques available to ICS community members affected by cyber incidents ICS-CERT Year -in-Rev iew — 2012 Cybersecurity Training ICS-CERT offers cybersecurity training at no cost to ICS professionals and managers across all sectors of CIKR in order to support risk reduction efforts These training courses include Introduction to Control Systems Cybersecurity Intermediate Cybersecurity for Industrial Control Systems ICS Advanced Cybersecurity and ICS Security for Management In 2012 over 2 200 ICS professionals were trained 2012 Training Highlights included the following • Provided 12 Advanced Training sessions which are week-long events that provide intensive hands-on training and a 12-hour red team blue team exercise that simulates a corporate espionage scenario • Delivered 52 training sessions across the country including Introduction to Control Systems Cybersecurity 101 Intermediate Cybersecurity for Industrial Control Systems lecture 201 and Intermediate Cybersecurity for Industrial Control Systems with lab 202 • Provided demonstrations of how an ICS attack could progress for high ranking government officials and congressional staffers • Conducted our first regional training event in Atlanta Georgia This event was so successful that ICS-CERT will now conduct regional training on a regular basis • Developed a Control Systems Forensics for Law Enforcement course This course helps law enforcement agents to understand the differences in performing forensics on ICSs versus normal corporate enterprise network forensics 7 I C S -C E RT Yea r -i n - R e vi e w — 2 0 1 2 Cybersecurity Evaluations ICS-CERT provides cybersecurity evaluations to support the reliability and resiliency of the systems that comprise and interconnect critical infrastructures ICS-CERT develops and implements coordinated security measures in collaboration with partners from across public private and international communities In 2012 ICS-CERT conducted 89 onsite assessments across all CIKR The objective of the assessment is to establish a “baseline of performance” with regard to cybersecurity maturity as defined within a suite of cybersecurity standards and guidelines Although the results may differ from sector to sector many of the vulnerabilities and weaknesses within the networks are similar This year has seen considerable partnering with the Nuclear Industry Oil and Gas Industry and Department of Defense with regard to performing onsite cybersecurity assessments 8 Cybersecurity assessments are now tailored to each individual assessment depending on the level of complexity in the system s Asset owners can now request Cybersecurity Evaluation Tool CSET® evaluations and or Architecture Reviews which is a more in-depth comprehensive evaluation of specific control systems networks architectures and components Cybersecurity Evaluation Tool Standards Support The ICS-CERT foundation tool for onsite assessments is our CSE'I'® In 2012 over 5 500 CSETs®were distributed and downloaded Version 4 1 was released in January 2012 and incorporated integration with MicrosoftVisio This functionality allows users to develop a diagram inVisio and then map and export it to CSE'I'® where component questions are generated It also allows for a diagram created in csET® to be imported intoVisio with all the CSET® metadata preserved A new stencil of CSE'I'® components for Visio was also included as part of the installation package A broad range of standards exists to support the CSET® tool across CIKR ICS-CERT executes a comprehensive approach to standards by providing assistance to standards bodies promoting awareness of accepted standards and providing tools like CSET® to asset owners to evaluate compliance The ICS-CERT continues to engage with cross-sector industry partners to develop new cybersecurity standards and enhancement of existing standards The ICS-CERT provides key support to ICS-CERT released CSE'I'® 5 0 in January 2013 this version represents the most significant upgrade in the underlying technical architecture of the tool This upgrade involves conversion to the Microsoft NET framework environment as well as utilization of component pieces from Syncfusion In addition Section 5 08 of the Americans with Disabilities Act ADA was incorporated into the new version to allow those with disabilities a way to interact with and use the CSET® • the ISA-99 Working Groups • International Standard Organization ISO International Electrotechnical Committee IEC • the National Institute of Standards NIST • Technology Smart Grid Interoperability Panel SGIP • American Public Transportation Association APTA and • ICSJWG Roadmap Subgroup 9 Industrial Control Systems Consequence Effects and Analysis rCS-CERT supports the development of leading edge tools to foster an environment of collaboration and provide unique forensic capabilities to address cybersecurity challenges specific to res The Industrial Control Systems Consequence Effects and Analysis rCS-CEA framework is a collaboration tool rCS-CEA provides a critical infrastructure modeling and simulation capability The tool also provides a means for users to model analyze and share information related to potential consequences of naturally occurring or man-made threats on our Nation's critical infrastructure The rCS-CEA system provides the NCCrC a capability for daily use of modeling simulation analysis and information sharing related to potential cross-sector consequence effects to res and their related CrKR sectors 10 In 2012 rCS-CEA has been used for responding to multiple requests by the NCCrC regarding the identification of potentially affected CIKR because of natural and potential man-made threats These events have included analysis support for the Super Bowl national level exercises and others related on our Nation's energy water and transportation infrastructure rCS-CERT's suite of tools provides analysis to improve security posture as well as identify the appropriate cybersecurity mitigation measures res-CERT continues to cultivate capabilities in collaboration and forensics to span the gap between res information technology and the user interface to provide advanced industrial analysis to enhance cybersecurity ICS-CERT Year -in-Rev iew — 2012 Taking Action ICS-CERT works with critical infrastructure asset owners and operators to respond to cyber incidents that have the potential to impact ICS ICS-CERT works with the affected organizations to offer subject matter expertise for immediate actions to mitigate the compromise and develop strategies for recovery and future defenses The mitigation strategies are specific to the incident and individual needs of the organizations ICS-CERT is a component of the NCCIC bringing ICS security technical and response capabilities to the partnership The work is performed in conjunction with the NCCIC and furthers its overall mission to coordinate defense against and response to cyber attacks across the Nation In 2012 ICS-CERT responded to a steady stream of cyber incidents coordinated researcher-discovered ICS vulnerabilities with vendors and produced alerts and advisories to notify the ICS community These situational awareness products provide actionable information about mitigation and protection strategies for implementing sound security practices This year ICS-CERT received and responded to 138 incidents as reported by asset owners and industry partners In 2012 attacks against the energy sector represented over 40 percent of all incidents reported to ICS-CERT In roughly half of these incidents information pertaining to the ICS SCADA environment including data that could facilitate remote unauthorized operations was targeted in these incidents ICS-CERT also deployed on site incident response teams to assist various critical infrastructure operators with efforts to mitigate cyber intrusions The on site teams were able to help identify the extent of the intrusion and develop strategies for recovery and improving the operator’s defensive posture and future detection capabilities The AAL played a key role in the response providing support for analysis of hard drives log files and malware artifacts The AAL also developed the guidelines found in the paper on Cyber Intrusion Mitigation Strategies a Vulnerability analysis and coordination activities continued to increase with more researchers using ICS-CERT as a conduit for coordination with ICS vendors The ICS-CERT AAL also provided analytic support to vendors to perform proof-of-concept testing and patch validation Many of those vulnerabilities resulted in ICS-CERT alerts and advisories on the US-CERT secure portal and on the public Web site In 2012 ICS-CERT published 342 information products warning the ICS community about various vulnerabilities and threats that could potentially impact control systems ICS-CERT also published the Incident Summary Reportb to summarize cyber incidents onsite deployments and associated findings from 2009 through 2011 a http www us-cert gov control_systems pdf ICS-TIP-12-146-01 pdf b http www us-cert gov control_systems pdf ICS-CERT_Incident_Response_ Summary_Report_09_11 pdf 11 I C S -C E RT Yea r -i n - R e vi e w — 2 0 1 2 ICS-CERT by the Numbers “Calendar Years” Table 1 compares the overall incident vulnerability onsite event and information product statistics for calendar years 2010 2011 and 2012 indicating control system cyber events and activity Table 1 ICS-CERT activity trend by Calendar Year ICS-CERT Metrics ICS Incident Reported — tickets ICS Incident Response Onsite Deployments ICS Related Vulnerability Report — tickets ICS-CERT Information Products Distributed or Downloaded CSET® Onsite Assessments Professionals Trained Number of Training Sessions ICSJWG Membership Speaking Engagements Conference Exhibitions 2010 Totals 39 8 41 138 2 394 57 2 499 55 N A 47 11 2011 Totals 204 7 141 283 7 448 70 1 658 47 1 040 164 20 Calendar Year accounts for the time period between Jan 1 of a given year and Dec 31 of the same year 12 2012 Totals 138 6 147 343 5 584 89 2 241 52 1 416 200 19 ICS-CERT Year -in-Rev iew — 2012 ICS-CERT by the Numbers “Fiscal Years” Table 2 compares the overall incident vulnerability onsite event and information product statistics for fiscal years 2010 2011 and 2012 indicating control system cyber events and activity Table 2 ICS-CERT activity trend by Fiscal Year ICS-CERT FY Metrics ICS Incident Reported — tickets ICS Incident Response Onsite Deployments ICS Related Vulnerability Report — tickets ICS-CERT Information Products Distributed or Downloaded CSET® Onsite Assessments Professionals Trained Number of Training Sessions ICSJWG Membership Speaking Engagements Conference Exhibitions 2010 Totals 39 6 18 110 2 400 57 2 463 54 600 26 11 2011 Totals 140 7 139 243 5 100 81 1 686 47 1 012 137 20 2012 Totals 197 6 137 347 6 631 89 2 327 56 1 423 205 22 Fiscal Year 2010 represents the time period of October 1 2009–September 30 2010 2011 represents the time period of October 1 2010–September 30 2011 and 2012 represents the time period of October 1 2011–September 30 2012 13 I C S -C E RT Yea r -i n - R e vi e w — 2 0 1 2 Sector Support by the Numbers “Fiscal Years” Table 3 compares number of onsite assessments provided to the control systems community in each of the 18 critical infrastructure sectors in fiscal years 2010 2011 and 2012 The last row on the table compares the number of sector requesting support in each fiscal year with the total number of critical infrastructure sectors Table 3 Fiscal Year onsite assessments by Sector Sector FY-10 FY-11 FY-12 Agriculture Food Banking Finance Chemical Commercial Facilities Dams Defense Industrial Base Emergency Services Energy Government Facilities Information Technology National Monuments Icons Nuclear Reactors Materials Waste Postal Shipping Public Health Healthcare Telecommunication Transportation Water Critical Manufacturing Totals Number of Sectors Assessed 0 2 0 3 1 1 0 13 6 0 0 0 0 5 0 5 19 2 57 11 18 5 1 0 10 0 0 2 11 5 3 5 2 0 6 1 7 21 2 81 14 18 0 6 4 2 0 12 3 7 3 5 1 8 1 1 0 10 25 1 89 15 18 Cumulative Assessments 5 9 4 15 1 13 5 31 14 8 6 10 1 12 1 22 65 5 227 N A Fiscal Year 2010 represents the time period of October 1 2009–September 30 2010 2011 represents the time period of October 1 2010–September 30 2011 and 2012 represents the time period of October 1 2011–September 30 2012 14 ICS-CERT Year -in-Rev iew — 2012 Future ICS-CERT will continue to actively engage the public and private sectors as well as international partners to prepare for prevent and respond to cybersecurity incidents that could impair strategic assets The ICS-CERT provides resources to enhance the security resiliency and reliability of the Nation’s cyber and communications infrastructure The ICS-CERT will continue to pursue five strategic goals In order to provide integrated capabilities ICS-CERT enhances response capabilities based on the specific needs and requirements of the requesting customer This tailored approach provides scalable response to cybersecurity challenges across critical infrastructures ICS-CERT works to prevent or minimize disruptions to our critical information infrastructure in order to protect the public economy government services and the overall security of the United States This is accomplished through a series of continuous efforts designed to further safeguard systems by reducing potential vulnerabilities protecting against cybersecurity and communications intrusions or disruptions and anticipating future threats • Goal 3 Support robust preparedness planning and facilitate effective incident response capabilities • Goal 1 Foster public-private partnerships to plan coordinate and support ICS cybersecurity initiatives • Goal 2 Serve as a global clearinghouse for information associated with the security of ICS • Goal 4 Support increased awareness of control systems security issues and improved technical expertise for stakeholders • Goal 5 Ensure that ICS-CERT is an adaptive and prepared organization that effectively plans for anticipates and manages future risks and disruptions In 2012 ICS-CERT served as a primary component of the NCCIC and contributed to the NCCIC’s growing mission and capabilities Under ICS-CERT AAL’s future development plans include automated tools for registry analysis timelining and pdf analysis 15 Assistance from CS-CERT is only a phone call away The CS-CERT encourages you to report suspicious cyber activity and vulnerabilities affecting critical infrastructure control systems To report control systems cyber incidents and vulnerabilities contact the CS-CERT ics-cert@dhs gov 877 776-7585 www us-cert gov control_systems ics-cert For more information on the CS-CERT Program visit http I www us-cert govI control_systems 16 ICS-CERT Year-in-Review 2012 17 Securi 0 5