SANS Institute Information Security Reading Room
Road Map to a Secure, Smart Infrastructure
Barbara Filkins
Copyright SANS Institute 2020. Author Retains Full Rights.
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Road Map to a Secure, Smart Infrastructure
A SANS Whitepaper
Written by Barbara Filkins
August 2017
Sponsored by
Rapid7
©2017 SANS™ Institute

Introduction
In June 2016, New York Magazine depicted a fictional re-enactment1 of New York being
brought to its knees by a group of hackers. The events—such as cars driving themselves
into walls and snarling traffic, and hospital systems freezing as their ranks fill up with the
injured—are based on what could actually happen at the hands of attackers.
In the real world, tampering with European and U.S. election systems has already occurred,
and earlier this year the WannaCry ransomware took down hospital and transportation
systems in the U.S. and Europe.2 Industroyer, a recent variant of the malware that brought
down the Ukraine electric grid, is an order of magnitude easier to use than previous
malicious programs aimed at our infrastructures—Industroyer is almost “plug and play.”3
Malware is also getting more invasive and less visible to the end user, as evidenced by the
Zusy malware, which spreads via PowerPoint slides with no clicking required.4
The ease of new malware, coupled with the fact that much of our infrastructure runs on
older, legacy operating systems,5,6 has created the perfect storm of opportunity for attackers
to exploit the many risks in our infrastructure system. Infrastructure is critical to the
human existence, yet constraints on qualified IT and risk management resources continue
to limit our ability to protect and respond to attacks on these systems. According to SANS
surveys, those constraints are usually due to lack of budget, tools or skilled personnel.7
The industry sectors that comprise critical infrastructure are diverse: water/power and
energy, financial systems, transportation and more. Yet, there are similarities in the
threats to these various sectors, so we created a road map that addresses the needs of all
industry sectors, covering the most critical infrastructure risks and protections.
For example, security, dependability, safety, timeliness, availability/reliability, integrity
and confidentiality all join in the list of essentials that require some measure of
implementation regardless of infrastructure sector. This paper provides a multifaceted
security approach for securing infrastructure systems that are being targeted by
attackers and malware, keeping in mind that as technology and operational trends
continue to transform in the industry, so will the security trends and issues.
1. “The Big Hack,” http://nymag.com/daily/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html
2. “A Quarter of Orgs Worldwide Victims of WannaCry or Fireball,” www.infosecurity-magazine.com/news/quarter-orgs-worldwide-wannacry/
3. “Malware Discovered that Could Threaten Electrical Grid,” www.usatoday.com/story/tech/news/2017/06/12/malware-discovered-could-threaten-electrical-grid/102775998/ and “Industroyer: Biggest Threat to Industrial Control Systems Since Stuxnet,” www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
4. “Zusy Malware Spreading Via PPTs, No Clicking Required,” www.infosecurity-magazine.com/news/zusy-malware-spreading-via-ppts/
5. “Microsoft Issues Another Emergency Windows XP Patch,” www.bankinfosecurity.in/microsoft-issues-another-emergency-windows-xp-patch-a-9995
6. “Microsoft Resurrects Windows XP Patches for Second Month Straight,” www.computerworld.com/article/3200791/windows-pcs/microsoft-resurrects-windows-xp-patches-for-second-month-straight.html
7. “Network Security Infrastructure and Best Practices: A SANS Survey,” May 2017, www.sans.org/reading-room/whitepapers/analyst/network-security-infrastructure-practices-survey-37795
SANS ANALYST PROGRAM
Critical Infrastructure: The Challenges of an Automated World
Critical infrastructure provides the essential services and fundamental assets that underpin
a nation’s society and serve as the backbone of its economy, security and health.8
Industrial Sectors Associated with Critical Infrastructure
• Electricity generation, transmission and distribution
• Gas production, transport and distribution
• Oil and oil products production, transport and distribution
• Telecommunication
• Water supply (drinking water, waste water/sewage, stemming of surface water—e.g., dikes and sluices)
• Agriculture, food production and distribution
• Heating (e.g., natural gas, fuel oil, district heating)
• Public health (hospitals, ambulances)
• Transportation systems (fuel supply, railway network, airports, harbors, inland shipping)
• Financial services (banking, clearing)
• Security services (police, military)

Whereas a sector such as agriculture may not be heavily dependent on industrial automation, it relies on the sectors that are, such as telecommunications and electricity. However, the two worlds are converging, and the road map needs to address these differences.

Supporting the Human Need
The industrial sectors most commonly associated with the term critical infrastructure lie at the very heart of what is fundamental to the human existence—providing a global view, as opposed to a national view, of the challenges faced in securing their infrastructure. Maslow’s hierarchy of needs, a motivational theory in psychology, states that the most basic needs are for physical survival and that these needs must be fulfilled before we are motivated to achieve the next highest level.9
A Balance Between IT and ICS
Critical infrastructure is not just limited to information technology. It encompasses, to
varying degrees within each sector, industrial control systems (ICS), which consist of
different connected devices for different sectors.
8. Adapted from www.dhs.gov/what-critical-infrastructure
9. www.simplypsychology.org/maslow.html
Table 1, drawn from NIST guidelines, shows some of the key differences between IT and ICS that can influence how a sector may approach infrastructure design, deployment and security/response support of its infrastructure.

Table 1. Comparison of IT and ICS10

Performance requirements
  IT system: Response must be consistent. High throughput is demanded. High delay and jitter may be acceptable. Less critical emergency interaction. Tightly restricted access control can be implemented to the degree necessary for security.
  ICS: Response time is critical. Modest throughput is acceptable. High delay or jitter is not acceptable. Response to human and other emergency interaction is critical. Access to ICS should be controlled but not be stopped or interfere with human-machine interaction.

Availability (reliability) requirements
  IT system: Responses such as rebooting are acceptable. Availability deficiencies can often be tolerated, depending on the system’s operational requirements.
  ICS: Responses such as rebooting may not be acceptable because of process availability requirements. Availability may require redundant systems. Outages must be planned and scheduled days or weeks in advance. High availability requires exhaustive pre-deployment testing.

Risk management requirements
  IT system: Data confidentiality and integrity are paramount. Fault tolerance is less important—momentary downtime is not a major risk.
  ICS: Human safety is paramount, followed by protection of the process. Fault tolerance is essential; even momentary downtime may not be acceptable.

System operation
  IT system: Systems are designed for use with typical operating systems. Upgrades are straightforward with the availability of automated deployment tools.
  ICS: Operating systems differ and are possibly proprietary, often without security capabilities built in. Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved.

Resource constraints
  IT system: Systems are specified with enough resources to support the addition of third-party applications such as security solutions.
  ICS: Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support the addition of security capabilities.

Communications
  IT system: Communications protocols are standard. IT networking practices are typical.
  ICS: Communication protocols and media are standard and nonstandard. Networks are complex and sometimes require the expertise of control engineers.

Change management
  IT system: Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated.
  ICS: Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days or weeks in advance. ICS may use operating systems that are no longer supported.

Component lifetime
  IT system: Lifetime is on the order of three to five years.
  ICS: Lifetime is on the order of 10 to 15 years.

Component location
  IT system: Components are usually local and easy to access.
  ICS: Components can be isolated and remote, and require extensive physical effort to gain access to them.

10. Adapted from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf, p. 31.
As can be seen, there are inherent differences between how IT and ICS can affect an
overall operation. As an example, denial of service to an IT system may be extremely
significant to a business process, whereas in ICS, the manipulation of sensors or the
process is more disturbing because it could lead to the failure of safety systems designed
to protect human life or induce the process to injure personnel.
Profiling the Adversary
What are the “habits” of an effective attack on infrastructure systems? Common methods for exploitation, attack, and hiding and embedding are generally well known and documented in the IT community. An understanding of critical infrastructure needs to be built out to include the common patterns attackers use to achieve their objectives, as shown in Figure 1.

Definition: An attack pattern is an abstraction mechanism for describing how a type of observed attack is executed. In short, an attack pattern is a blueprint for an exploit but not a description of a specific exploit.11 An example of an attack pattern would be privilege abuse or fingerprinting.

Figure 1. Attack Objectives and Attacker Methods12
11. “Introduction to Attack Patterns,” www.us-cert.gov/bsi/articles/knowledge/attack-patterns/introduction-to-attack-patterns
12. Developed from “The Industrial Control System Cyber Kill Chain,” SANS, October 2015, www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

Cyber Dependencies: Factors to Consider
Overall, a sector will generally emphasize one leg of the confidentiality, integrity and availability (CIA) security triad13 over the other two in support of its business mission. For example, public health will emphasize confidentiality over availability and integrity, while finance (banking) will emphasize availability. This emphasis must be taken into account in establishing business continuity, an important factor for critical infrastructure and the essential services it delivers.
Mapping Cyber Dependencies
In critical infrastructure, the state of one asset usually influences or relies upon
the state of another. An asset can be considered to have a cyber dependency if its
“operation depends on information transmitted via electronic or informational
links.”14 Cyber dependencies can be broadly categorized as related to:
• Network performance
• Data use and processing
• Endpoint services
A cyber security strategy needs to consider all three of these dependencies as they
apply to each sector.
Network Performance
The Purdue Enterprise Reference Architecture provides a useful way to distinguish between
IT and ICS system components, and enables an understanding of how interfaces within the
infrastructure might be specified and designed. Figure 2 presents six broad levels in the
Purdue reference architecture, showing representative levels of speed and confidence.
Figure 2. Purdue Enterprise Reference Architecture15
13. http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
14. “Assessment of Critical Infrastructure Cyber Dependencies,” https://cip.gmu.edu/2015/10/23/assessment-of-critical-infrastructure-cyber-dependencies/
15. www.tandfonline.com/doi/figure/10.1080/23742917.2016.1252211?scroll=top&needAccess=true
Overall network performance needs to account for these disparate time frames with a
clear understanding of how parameters such as transfer rate, latency and speed affect
data flow and service quality.
Data Use and Processing
The actual quality of the data matters at all phases: at rest (physically stored), in motion
(being transferred), and in use (under change). Compromise of the data at any step
can have severe consequences, especially for control data between transmitting and
receiving assets. For example, data flow can affect infrastructure system confidentiality,
integrity and availability in the following ways:
• Interruption—when the data does not get to the receiver, whether a data
repository or control device. The interruption affects data availability.
• Interception—when the data is captured between the transmitter and the receiver,
such as a man-in-the-middle attack. The interception affects data confidentiality.
• Modification—when the data is processed (degraded or changed) before
reaching the receiver. Modification can result in false information or potentially a
loss of safety. The modification affects data integrity.
• Fabrication—when the data received by the receiver is not originating from the
good (or approved) transmitter. Again, this can result in false information being
trusted or a loss of safety. The fabrication thus affects data authenticity.
Classification schemes based on established sensitivity levels are used to establish
protective controls on the most available information on traditional IT systems.
On the other hand, ICS-level data typically lacks appropriate identification and
classification and should also be included in security and risk management to protect
infrastructure devices.
Endpoint Services
Endpoint security and risk management services are part of the CIS Critical Security Controls, which prioritize these activities as the top three needed to achieve cyber security hygiene. A misconfigured or rogue device can severely compromise infrastructure if the proper controls are not in place. The introduction of ICS into the security program further compounds this issue due to informal procedures, lack of knowledge about legacy systems, and lack of best practices around hardening assets that were never intended to be hardened. The gradual shift from proprietary platforms to modern IT-style computers running Windows or Unix-style operating systems will better enable automated asset management, but the discipline needed to make it a standard operating procedure still needs to be built up.
Protecting the Dependencies
The cyber dependencies show us what to protect. The CIS Critical Security Controls serve as a guide for how to protect. Table 2 addresses how the controls address the phases in the kill chain model, a model that applies equally to the mix of IT and ICS in critical infrastructure.

Table 2. CIS Critical Security Controls by Kill Chain Phase

Reconnaissance: Understand How Your Organization Appears to Outsiders, Harden Internal Resources, Decrease Attack Surfaces
• Inventory of Authorized and Unauthorized Devices (CSC 1)
• Inventory of Authorized and Unauthorized Software (CSC 2)
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations (CSC 3)
• Continuous Vulnerability Assessment and Remediation (CSC 4)
• Limitation and Control of Network Ports, Protocols, Services (CSC 9)
• Penetration Tests and Red Team Exercises (CSC 20)

Weaponization and Delivery: Identifying Attacker Presences with Physical and Technical Controls
• Security Skills Assessment and Appropriate Training to Fill Gaps (CSC 17)
• Application Software Security (CSC 18)
• Boundary Defense (CSC 12)
• Email and Web Browser Protection (CSC 7)

Exploitation and Installation: Prevent, Detect and Respond to Malware
• Continuous Vulnerability Assessment and Remediation (CSC 4)
• Malware Defenses (CSC 8)

Command and Control/Exploration: Detect Unauthorized Internal Activities and Lateral Movement, Reduce “Living Space” for Attackers
• Controlled Use of Administrative Privileges (CSC 5)
• Account Monitoring and Control (CSC 16)
• Maintenance, Monitoring, Analysis of Audit Logs (CSC 6)
• Secure Configuration for Devices Like Firewalls, Routers, Switches (CSC 11)

Act on Objectives: Detect and Disrupt Data Exfiltration and Other Actions Before Damage, Minimize Effects
• Data Protection (CSC 13)
• Controlled Access Based on Need to Know (CSC 14)
• Incident Response and Management (CSC 19)
Plan and Invest
But knowing what to protect and how to protect it is only part of constructing the road
map. We need to address the planning, the investment and the actions that will allow us
to actually follow the map toward our destination. Here are the steps:
• Design and maintain a secure infrastructure that minimizes both the exposure to
and the effects of an attack.
• Meet the key functions of identify, protect, detect, respond and recover, as stated
by the NIST Cybersecurity Framework (CSF).
• Account for both operational recovery and continuity in the delivery of critical
services to the population. Critical infrastructure demands planning for recovery,
business continuity and contingency planning.
NIST Cybersecurity Framework Key Functions
• Identify. Develop the organizational understanding to manage cybersecurity risk
to systems, assets, data and capabilities.
• Protect. Develop and implement the appropriate safeguards to ensure delivery of
critical infrastructure services.
• Detect. Develop and implement the appropriate activities to identify the
occurrence of a cybersecurity event.
• Respond. Develop and implement the appropriate activities to take action
regarding a detected cybersecurity event.
• Improve. Incorporate lessons learned from current and previous detection and
response activities into organizational response plans.
• Recover. Develop and implement the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a
cybersecurity event.
Keeping Things in Balance
Success is slowly coming. In the wake of the 2015 cyber attack on the Ukraine electrical
grid, the U.S. federal government, some states and the private sector are implementing
programs that focus on information sharing and improved collaboration, to keep
critical infrastructures such as the power grid safe from similar threats.16 We have
emerging and improving standards for cyber security, especially as ICS embraces some
of the technologies and techniques from IT. There is a growing emphasis on creating
an educated cyber security workforce that, hopefully in time, will resolve some of the
human resource limitations.
But we have a key failure: We are still not taking enough action. We tend to focus on
the breaches of information but fail to note the telltale signs that should be a call to
action and help shape that strategic direction. The events that comprise WannaCry
may fade into memory like so many other attacks, but the cause-and-effect pattern
that got us here needs to be considered. Future malware attacks, similar to what may
be possible with Industroyer, could ultimately cause our fixation on privacy breaches
to pale in comparison.
Aging Equipment
We also need to take a retrospective view of our infrastructure. Much of the critical
infrastructure is 15 to 20 years old with legacy operating systems baked into the design.
Even with slowly improving technology, we must realize that legacy assets and their
vulnerabilities must still be taken into consideration. Microsoft has realized it needs to
do so, with a second round of releases to patch Windows XP, three years after its official
end of life in 2014.
So what is preventing us from adequately protecting critical infrastructure? Common
threads, gleaned from multiple SANS surveys, include limited availability of skilled and
experienced staff in the market, lack of management buy-in for investments in security,
and the need for better automation that provides visibility into the state of cyber
dependencies in the infrastructure.
16. “Cyber Threats to the U.S. Electric Grid Are Real,” http://nationalinterest.org/blog/the-buzz/cyber-threats-the-us-electric-grid-are-real-19000
How do we achieve this balance between protection and resource outlay for critical
infrastructure? A first step is to build out a strategic approach to the investment. “The
Sliding Scale of Cyber Security,” shown in Table 3, defines five phases of investments an
organization can make to contribute to its cyber security strategy.
Table 3. The Sliding Scale of Cyber Security17

Architecture
  Understand the infrastructure, its strengths, and its inherent vulnerabilities that lead to risk.
  Determine trade-offs between infrastructure design and policy/procedure in achieving cyber security objectives within schedule and budget.
  Evaluate the design, including business functionality and security requirements (i.e., defense in depth). Factors to consider include:
  • Data—information flow, protections
  • Application—custom, COTS, hybrid
  • Infrastructure—cloud, on-prem, hybrid
  • Network—segmentation, perimeter

Passive Defense
  Establish and prioritize the defenses needed to defend critical assets such as the network or data.
  Infrastructure (network) protections, starting from outside to inside:
  • Policies, procedures, awareness
  • Physical security
  • Perimeter defense
  • Network segmentation
  • Asset hardening
  • Application hardening
  • Protocol and transport defense
  • Embedded device hardening

Active Defense
  Establish the procedures for active defense that are based on the consumption of threat intelligence. It is comprised of four phases, with each phase continually feeding into another in order to create an ongoing process:
  • Network security monitoring—collecting, detecting and analyzing data from the environment
  • Incident response
  • Threat and environment manipulation (e.g., malware analysis)
  • Threat intelligence consumption

Intelligence
  Closes gaps in defense through 1) collecting data, 2) converting data to information, 3) assessing information to gain knowledge, and 4) disseminating and integrating knowledge into enterprise defense practices.

Offense
  Action taken against the attacker. May not be the best course of action for critical infrastructure sectors.

How these phases map out is dependent on the organization, the phase in which it will begin its investment, and its current dependency on IT and ICS.

17. “The Sliding Scale of Cyber Security,” August 2015, www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240
Invest
Step two is taking the strategic investment phases into a set of plans that can shape a
cyber security strategy. With its close alignment to basic human needs, the protection
of critical infrastructure entails more than a set of properly configured technical
security controls.
Design
Consider secure infrastructure design. A reference architecture, such as the Purdue model shown in Figure 2, provides guidance on where protections should be in the infrastructure, given an enterprisewide view of risk management. A security architect can visualize how the technical aspects of applications, network devices and endpoint systems, including IoT and sensors, are integrated within the enterprise through well-designed interfaces and well-understood information flows.

But design needs to go one step further. The process of design needs to address the bigger picture. Networks and endpoints in the enterprise are not necessarily stand-alone for those sectors that are part of critical infrastructure. Understanding and modeling the dependency relationships among connected infrastructures, such as those presented in Figure 1, can help mitigate the devastating cascade unleashed by the hackers that brought the fictional city in the New York Magazine article to a standstill.

We need to consider an expanded definition of infrastructure that includes people and process—along with technology—as part of the definition of critical infrastructure.

Maintain
Keeping up with changes is another ongoing challenge. Change management requires investment, policy and planning. Automation for asset and configuration management is crucial. Otherwise, even for smaller networks, the initial baseline quickly becomes dated, resulting in essential activities such as continuous monitoring no longer being effective and potentially abandoned.
Unfortunately, many organizations do not have any handle on the current state of their
assets and thus cannot confidently understand risk exposure. Some make the mistake
of deferring these activities until late in the system design cycle, only to find that they
have underestimated the resources needed to automate and maintain management
of the approved baseline. Organizations attempting to place legacy networks under
configuration management face the limitations imposed by older infrastructures
whose assets may not be compatible with the use of automation to capture and
maintain an asset inventory. Workflows are needed to capture both the manual and
automated parts of the process.
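One way to keep the approved baseline from going stale, as an added example that is not part of the paper and not any product's code: the Python below compares a baseline inventory with the current inventory and reports added, removed and changed assets. Legacy assets that cannot be scanned automatically are carried with a constructed source="manual" field and a last-verified date, so the manual part of the workflow is flagged once it ages past a limit instead of silently dropping out of the picture. The inventories, field names, asset identifiers, addresses and dates are all constructed for the example.

```python
"""Baseline drift check for a mixed automated/manual asset inventory (added example).

Constructed data model (not from the SANS paper): an inventory is a dict keyed by
asset id, each entry holding 'ip', 'firmware' and 'config_hash'. Assets that cannot be
polled automatically carry source='manual' plus a 'verified' ISO date recording when a
person last confirmed the entry. Everything below is constructed sample data.
"""
from datetime import date
from typing import Dict, List

TRACKED_FIELDS = ("ip", "firmware", "config_hash")

# Constructed approved baseline, as captured when the network was last certified.
BASELINE: Dict[str, Dict[str, str]] = {
    "HMI-01": {"ip": "10.10.20.11", "firmware": "4.2.1", "config_hash": "c0ffee01",
               "source": "automated"},
    "HIST-01": {"ip": "10.10.20.50", "firmware": "7.0.3", "config_hash": "9a9a9a01",
                "source": "automated"},
    "PLC-07": {"ip": "10.10.30.7", "firmware": "2.8.0", "config_hash": "ab12cd34",
               "source": "manual", "verified": "2017-03-01"},
}

# Constructed current inventory: one changed config, one asset gone, one new, one manual
# entry that has not been re-verified.
CURRENT: Dict[str, Dict[str, str]] = {
    "HMI-01": {"ip": "10.10.20.11", "firmware": "4.2.1", "config_hash": "c0ffee02",
               "source": "automated"},
    "PLC-07": {"ip": "10.10.30.7", "firmware": "2.8.0", "config_hash": "ab12cd34",
               "source": "manual", "verified": "2017-03-01"},
    "ENG-WS-03": {"ip": "10.10.20.77", "firmware": "n/a", "config_hash": "11223344",
                  "source": "automated"},
}


def find_drift(baseline: Dict[str, Dict[str, str]],
               current: Dict[str, Dict[str, str]],
               today: date,
               max_manual_age_days: int = 90) -> Dict[str, List[str]]:
    """Compare two inventories and report every way the baseline has drifted."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": [], "stale_manual": []}
    # Assets present now but never approved: candidates for rogue or unmanaged devices.
    report["added"] = sorted(set(current) - set(baseline))
    # Approved assets that no longer answer: decommissioned, moved, or simply not seen.
    report["removed"] = sorted(set(baseline) - set(current))
    for asset_id in sorted(set(baseline) & set(current)):
        before, now = baseline[asset_id], current[asset_id]
        diffs = [f"{field}: {before.get(field)} -> {now.get(field)}"
                 for field in TRACKED_FIELDS if before.get(field) != now.get(field)]
        if diffs:
            report["changed"].append(f"{asset_id} ({'; '.join(diffs)})")
        # Manually tracked assets are only as current as their last human check.
        if now.get("source") == "manual" and now.get("verified"):
            age = (today - date.fromisoformat(now["verified"])).days
            if age > max_manual_age_days:
                report["stale_manual"].append(f"{asset_id} (last verified {now['verified']})")
    return report


def run_check() -> Dict[str, List[str]]:
    """Run the drift check on the constructed data with a fixed 'today'."""
    return find_drift(BASELINE, CURRENT, today=date(2017, 8, 1))


if __name__ == "__main__":
    for category, items in run_check().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Run against a real inventory, the "added" and "removed" lists feed CSC 1 (device inventory), the "changed" list is the continuous-monitoring trigger for a configuration review, and "stale_manual" is the reminder that a legacy asset entry exists only because someone walked out and checked it.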
Close the Gaps
Threats to critical infrastructure can be fast moving. While automation is key as a force
multiplier, decisions and acting on decisions remain the responsibility of the human
element. Gaps in workforce awareness, technical know-how and skills to prepare,
respond and defend against cyber assaults need to be resolved.
A key factor to consider is communication. There are significant differences between IT
systems and ICS with respect to cyber security. Failure to understand these differences
can lead to conflicts between IT and ICS administrators, resulting in less-than-optimal
security for the enterprise. Building trust across this potentially contentious boundary
between IT and ICS experts requires fostering understanding of these differences
and promoting communications to resolve and avoid conflict. Road maps need to
represent a solution that is people- and process-centric as well as technology-centric.
Taking Action: Shaping the Road Map
Planning should balance technology with engaging secure processes and enhancing
security capacity among the human stakeholders (the workforce, including employees,
contractors, managers and vendors). Therefore, the emphasis on our final road map is not
so much around the technical assets that are truly the bedrock of critical infrastructure
but the planning that integrates people and process into the cyber security strategy.
Our proposed road map has several different planning cycles, each one resulting in
artifacts to establish, maintain and expand the capability of the infrastructure. These cycles
are defined in Table 4 with samples of those planning artifacts belonging in each cycle.
Table 4. Critical Infrastructure Road Map Cycles and Associated Artifacts

Operational cycle
  Objective (< 12-month window): Maintain security across daily operations, gather lessons learned from experience to inform tactical and strategic planning.
  Emphasis:
  Operational Procedures
  • Perform processes to prevent and protect as well as respond and recover.
  • Maintain business continuity readiness.
  Monitor and Measure
  • Establish meaningful security metrics aligned with the dependency of the sector on its cyber dependencies.
  • Monitor these metrics frequently enough to minimize the impact of any incident.
  • Have a plan of action that is rapid, efficient and effective.
  Example artifacts: Cyber Security Standard Operation Procedures; Incident Response Plan/Processes; Continuous Monitoring Process; Business Continuity Readiness; Lessons Learned Review and Updates

Tactical cycle
  Short to Midrange Objective (12- to 24-month window): Short-term activities that shape the cyber security strategy, including plan, policy and procedure development; review; and update.
  Emphasis:
  Communication and Engagement
  • Resolve communication and conflict in the workforce (e.g., IT and ICS admins).
  • Engage stakeholders. Communicate with executive management to ensure that decision makers understand the appropriate actions regarding a possible incident and the need to invest in protective measures to avoid or mitigate damage.
  • Plan to communicate. Coordinate response activities with internal and appropriate external (e.g., law enforcement) stakeholders. Coordinate recovery and continuity activities with internal and external parties, such as coordinating centers, ISPs, owners of attacking systems, victims, other CSIRTs and vendors.
  Training and Awareness
  • Establish learning objectives for awareness and training programs.
  Governance
  • Establish key policies, procedures and processes for cyber security. Note: Much of what is needed may be done elsewhere. Build the plan to identify activities, responsible parties and objectives.
  • Manage and monitor regulatory, legal, risk, environmental and operational requirements that inform and measure cyber security risk.
  • Address information assurance issues, specifically around data classification and protection.
  Risk Management
  • Establish the organization’s priorities, constraints, risk tolerances and assumptions used to support operational risk decisions.
  • Develop a risk management plan that tells how to assess and manage risk as well as the safeguards and controls to be established.
  Contingency Planning
  • Plan immediate recovery activities that ensure timely restoration of systems or assets affected by cybersecurity events.
  • Address maintaining business continuity, including scenario-based risk and impact assessment.
  Example artifacts: Cyber Security Operation Plan; Incident Response Plan; Communication and Engagement Plan; Training and Awareness Plan; Cyber Security Governance Plan; Risk Management Plan; Business Contingency Plan and Recovery Plan

Strategic cycle
  Long-Range Objective (24 to 36 months): Stability and growth of cyber security activities in the long term with no event horizon longer than five years, planning to align with enterprise strategic plans and mission statement.
  Emphasis:
  Cyber Security Strategic Planning
  • Incorporate lessons learned from the tactical cycle to project needs for future activities.
  • Ensure a yearly planning cycle that updates the strategic outlook to meet the event horizon of three to five years.
  Technology Review and Refresh
  • Review current assets against evolving security requirements and factors such as asset end of life and ability to perform against evolving threats.
  • Determine architectural implications—new technology or revised process?
  • Perform cost-benefit analysis taking into account other factors, such as required training or implementation resources.
  Example artifacts: Cyber Security Strategic Plan; Budget
Conclusion
Different critical infrastructure industries have common cyber dependencies but will
vary in terms of technical controls, especially given each sector’s varying dependence on
IT and ICS as well as the core business systems that support that sector’s mission.
In expanding the definition of infrastructure to process and people, however, we can
identify areas where commonalities in approach have either emerged or can emerge:
• Information assurance. A generic data classification schema can be defined
across sectors, as shown below:

  Military IT     Commercial IT                  ICS
  Unclassified    Public releasable              DCS/SCADA acquisition and historian data
  Confidential    Business proprietary           ICS process logic and programming
  Secret          Trade secrets                  ICS process logic and programming
  Top secret      HR- and management-sensitive   Control systems and plan design
• Governance. Frameworks can support organizations as they actively work to
encourage a culture of compliance around cyber security. Interestingly, the culture
of safety in the aviation industry serves as an excellent model for a governance
framework in public health.
• Business continuity and disaster recovery. Most sectors follow the same steps,
despite regulatory differences.
• Incident handling. Most organizations embrace the six-step process that
originated in the late 1990s: 1) preparation, 2) identification, 3) containment, 4)
eradication, 5) recovery, and 6) lessons learned.18
• Communication planning and management. This includes techniques related
to stakeholder engagement with an emphasis on communication with decision
makers such as executive management or the board of directors.
• Metrics and reporting. Standardizing the meaning inferred from measurements
can ensure common understanding of key issues across sectors, especially
for those that share common dependencies and help in the effort to share
information.
Timely sharing of information is a vital effort that must become more prevalent and
effective across critical infrastructure sectors as our reliance on automation increases
along with the threats of disruption to services our lives depend upon. The areas listed
above are key to achieving this goal.
18 https://countuponsecurity.com/2012/12/21/computer-security-incident-handling-6-steps/
About the Author
Barbara Filkins, a senior SANS analyst who holds the CISSP and SANS GSEC (Gold), GCIH (Gold), GSLC
(Gold), GCCC (Gold), GCPM (Silver), GLEG (Gold) and GSNA (Silver) certifications, has done extensive
work in system procurement, vendor selection and vendor negotiations as a systems engineering
and infrastructure design consultant. She is deeply involved with HIPAA security issues in the health
and human services industry, with clients ranging from federal agencies (Department of Defense and
Department of Veterans Affairs) to municipalities and commercial businesses. Barbara focuses on
issues related to automation—privacy, identity theft and exposure to fraud, as well as the legal aspects
of enforcing information security in today’s mobile and cloud environments.
Sponsor
SANS would like to thank this paper’s sponsor:
Last Updated: October 31st, 2020