Network Reliability and Interoperability Council
Focus Group 1B Cybersecurity
Dr. Bill Hancock, CISSP, CISM
Cable & Wireless
FG1B Chair
972-740-7347
Purpose of Today’s Brief
• Brief discussion of work completed for NRIC by FG1B
• Brief discussion on blended attacks
• Request for approval of seven additional BPs since March, 2003
• Preparation for survey in 2004
• Recommendations for NRIC VII
Charter of FG1B
• Generate Best Practices for cybersecurity
– Telecommunications sector
– Internet services
• Propose New Actions (if needed)
• Deliverables
– December 2002 – prevention (105 BPs)
– March 2003 – recovery (48 BPs)
– December 2003 – blended attack (7 BPs)
• Have made all deliverables, complete and on-time
FG1B Members
FG1B Outreach
• Extensive outreach in the last 12 months
– Most major telecommunications events
– Standards organizations
– Industry groups
– Congressional testimony
– Webinars
– Industry trade publications
– Writing (books, papers)
– Email and phone support to implementers
[Slide diagram (Aberdeen Group): security landscape around e-business information flow, grouped as Policy, Audit and Security Management; Fraud & Risk Management; Application and Commerce Security; Network Security; Security Technologies. Labels shown: identification, authentication, authorization, content filtering, pattern matching, forensics, access controls, e-directories, audit, digital signatures, avoidance, compliance, reliance, privacy, assurance, intrusion detection, VPNs, PKI, risk assessment, cryptography, firewalls, smart cards, biometrics, tokens, monitoring and reporting, RAS; threats: viruses, worms, applets, spam; parties: employees, customers, suppliers, partners, Internet services, e-mail/web servers, applications, data.]
BPs and Implementation Guidance
Number: 6-6-8008
Title: Network Architecture Isolation/Partitioning
Type: Preventative Best Practice
Description: Compartmentalization of technical assets is a basic isolation principle of security where contamination or damage to one part of an overall asset chain does not disrupt or destroy other parts of the asset chain. Network Operators and Service Providers should give deliberate thought to and document an architecture plan that partitions and isolates network communities and information through the use of firewalls, DMZs or (virtual) private networks. In particular, where feasible, it is suggested that the user traffic networks, the network management infrastructure network, the customer transaction system networks and the enterprise communication/business operations networks be separated and partitioned from one another. Special care must be taken to assess OS, protocol and application vulnerabilities, and subsequently to harden and secure systems and applications which are located in DMZs or exposed to the open Internet.
Reference: ISF SB52, www.sans.org
Dependency:
Implementor: NO (Network Operator), SP (Service Provider)
Overall: 1300+ pages, 160 BPs
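The partitioning principle of BP 6-6-8008 can be checked mechanically against a firewall rule set. The following is an added example, not code from the NRIC deck or from FG1B: the zone names, the documented allowed flows and the sample rules are all constructed here as assumptions, and the audit flags any allow rule that crosses communities the plan keeps separate.

```python
# Added example (not from the NRIC FG1B deck): audit a firewall rule set
# against the isolation principle of BP 6-6-8008. Zone names, the
# documented inter-zone flows and the sample rules are constructed here.
from dataclasses import dataclass

# The four communities the BP says to separate, plus the DMZ and the
# open Internet that the BP says need special hardening.
ZONES = {"user", "mgmt", "txn", "enterprise", "dmz", "internet"}

# Assumed architecture plan: communities are isolated by default and
# only these documented flows may be allowed (hypothetical choices).
ALLOWED_FLOWS = {
    ("user", "internet"),      # subscribers reach the Internet
    ("internet", "dmz"),       # public services live only in the DMZ
    ("dmz", "txn"),            # DMZ front ends reach transaction back ends
    ("enterprise", "dmz"),     # staff use the public services too
    ("enterprise", "mgmt"),    # admins reach the management plane here only
    ("mgmt", "user"),          # management plane polls user-facing gear
    ("mgmt", "txn"),
    ("mgmt", "dmz"),
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str  # "allow" or "deny"

def violations(rules):
    """Return allow rules whose (src, dst) pair is not in the documented
    plan, i.e. rules that breach the partitioning the BP calls for."""
    bad = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            raise ValueError(f"unknown zone in rule {r}")
        crosses = r.src != r.dst
        if r.action == "allow" and crosses and (r.src, r.dst) not in ALLOWED_FLOWS:
            bad.append(r)
    return bad

# Constructed rule set: two rules expose the management and transaction
# networks to communities that should never reach them directly.
SAMPLE_RULES = [
    Rule("user", "internet", "allow"),
    Rule("internet", "dmz", "allow"),
    Rule("dmz", "txn", "allow"),
    Rule("user", "mgmt", "allow"),      # breach: user traffic reaches mgmt
    Rule("internet", "txn", "allow"),   # breach: Internet reaches transactions
    Rule("internet", "mgmt", "deny"),   # explicit deny is fine
]

if __name__ == "__main__":
    for v in violations(SAMPLE_RULES):
        print(f"partition breach: {v.src} -> {v.dst}")
```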
Blended Attack BPs
• Working with FG1A
• Base definition: physical attack combined with a cyber attack to disable infrastructure in a meaningful and intense manner
• Highly complex
• Many potential combinations
• Range from simple-to-do attacks to sophisticated variants
Type A: Specific Targeting Against a Technology Type
• Definition: A coordinated attack against the physical and cyber attributes of a specific product or technology type
• Examples:
– Physical attack against an HVAC control system monitoring facility with a cyber attack against SNMP-managed HVAC entities at specific locations
– Certificate authority server farm physical locations are attacked to access consoles and then used to “poison” root keys via cyber attack to disable all PKI and crypto-sharing entities
Type B: Specific Blended Attack Against Single Infrastructure Entity
• Definition: Blended attack against a specific infrastructure entity by attacking the physical management control locations and simultaneously attacking management or control “plane” cyber entities
• Examples:
– Power grid – grid management locations are physically disabled with munitions and grid management network disabled via cyberattack (router table attack, autonomous malicious logic, etc.)
– Telco NOC – NOC primary and backups attacked by physical attack and NOC management network and entities attacked by cyber attack
– Airport – multi-spectrum wireless jamming of emergency voice/data wireless communications while physically attacking airport communications blockhouse facilities or fiber junctions
– Manufacturing or process facility – main SCADA control facilities physically attacked and SCADA networks and interconnects suffer cyberattack to disable process control facilities throughout the network
Type C: Multi-phased Sequenced Blended Attack Against Multiple Infrastructures
• Definition: A coordinated physical and cyber attack against two or more different infrastructure constructs causing dependency outages/disruption that are difficult to manage or recover, causing grievous harm and economic disruption on a wide scale
• Examples:
– Power and Telco: physical attacks (phase 1) to cut 345KVA power lines coordinated with a cyber attack (phase 2) using an ASN.1 vulnerability “worm” attack against Telco voice infrastructure
– Telco voice and Internet: physical attacks against main NOC and hosting locations combined with ASN.1 or similar cyberattacks against routers, switches and other interconnects to disrupt/disable separate voice and data networks simultaneously
Stopping Blended Attacks is Like…
Today’s Request: 7 New BPs
• Mostly geared towards attack situations
• Four for prevention
– 6-6-8107 Pre-establish working relationships between cyber and physical security teams
– 6-6-8108 Authentication System Failure
– 6-6-8109 Automated patching systems may be unauthenticated
– 6-6-8110 News Disinformation
• Three for recovery
– 6-6-8564 Authentication System Failure
– 6-6-8565 Automated patching systems may be unauthenticated
– 6-6-8566 News Disinformation
2004 Survey Preparation
• FG1B or its equivalent in NRIC VII will need to work extensively with the survey creation team
• Do not expect quick adoption of some cybersecurity BPs due to complexity and technology issues
• Security is a process with many solutions along the path…
FG1B Recommendations for NRIC VII
• Most of these were provided in our March 2003 documentation
– Work for NRIC VII will need to include these items, some of which are long-term issues
• Establish a working relationship with DHS cybersecurity teams due to the long-term “heavy lift” of some popular and extensively used technologies that require a lot of R&D and engineering work over the next few years
• New recommendations:
– “Clean and scrub” of all BPs from NRIC I-VII to consolidate BPs and repair conflicts
– Identify specific action plans for “heavy lift” efforts
– Work on evangelism of use of FG1B BPs throughout all areas of US Government and all network environments (many apply to any organization which uses network technologies)
– Accelerate efforts on blended attack BPs
Ultimately, Security is All About…