NIST Recommendations for ICS & IIoT Security
Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection
Mike Powell, Project Cybersecurity Engineer, NIST / NCCoE
Jim McCarthy, Energy Sector Federal Lead, NIST / NCCoE
Timothy Zimmerman, Computer Engineer, NIST EL
nccoe.nist.gov | National Cybersecurity Center of Excellence
Agenda
• NIST / NCCoE Overview
• Cyber Risks to Manufacturing Organizations
• Why Stronger ICS Cybersecurity is Needed
• Benefits of Behavioral Anomaly Detection (BAD)
• NIST Testbeds: Process Control & Robotics
• NIST Cybersecurity Framework (CSF) Mapping
Foundations & Mission
Collaborative Hub: The NCCoE assembles experts from businesses, academia, and other government agencies to work on critical national problems in cybersecurity. This collaboration is essential to exploring the widest range of concepts.
As a part of the NIST cybersecurity portfolio, the NCCoE has access to a wealth of prodigious expertise, resources, relationships, and experience.
Mission: Accelerate adoption of secure technologies: collaborate with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs
Engagement & Business Model
• DEFINE. Outcome: Define a scope of work with industry to solve a pressing cybersecurity challenge
• ASSEMBLE. Outcome: Assemble teams of industry orgs, govt agencies, and academic institutions to address all aspects of the cybersecurity challenge
• BUILD. Outcome: Build a practical, usable, repeatable implementation to address the cybersecurity challenge
• ADVOCATE. Outcome: Advocate adoption of the example implementation using the practice guide
Manufacturing Sector Projects
• NISTIR 8219 Behavioral Anomaly Detection
• Protecting Information System Integrity in Manufacturing Environments Project Description
Overview
• A cyber attack directed at manufacturing infrastructure could result in detrimental consequences to both human life and property
• The goal is to provide a cybersecurity example solution that businesses can implement or use to strengthen cybersecurity in their manufacturing processes
• The NISTIR demonstrated how manufacturing companies can implement behavioral anomaly detection tools without negatively impacting the performance of their operational environments
Manufacturing Behavioral Anomaly Detection Use Case
NISTIR 8219: Securing Manufacturing Industrial Control Systems – Behavioral Anomaly Detection
• The NCCoE deployed commercially-available behavioral anomaly detection systems in two distinct but related manufacturing demo environments:
  • Collaborative robotics system
  • Simulated chemical process system
• Security characteristics were mapped to the NIST Cybersecurity Framework (CSF)
NISTIR 8219
• Project goal: demonstrate behavioral anomaly detection techniques that businesses can implement and use to strengthen the cybersecurity of their manufacturing processes.
• Three detection methods:
  • network-based
  • agent-based
  • operational historian/sensor-based
Cyber risks to manufacturing organizations
• Cybersecurity attacks directed at manufacturing infrastructure can be detrimental to both human life and property.
• BAD mechanisms support a multifaceted approach to detecting cybersecurity attacks against ICS devices on which manufacturing processes depend, in order to permit the mitigation of those attacks.
• Introducing anomalous data into a manufacturing process can disrupt operations, whether deliberately or inadvertently.
• More sophisticated hacking tools and techniques are readily available for downloading from the internet.
• Growing cyber-dependency makes critical infrastructure attacks harder to stop.
Benefits of Behavioral Anomaly Detection (BAD)
This NISTIR is intended to help organizations accomplish their goals by using anomaly detection tools for the following purposes:
• detect cyber incidents in time to permit effective response and recovery
• expand visibility and monitoring capabilities within manufacturing control systems, networks, and devices
• reduce opportunities for disruptive cyber incidents by providing real-time monitoring and anomaly-detection alerts
• support the oversight of resources (e.g., IT, personnel, data)
• enable faster incident-response times, fewer incidents, and shorter downtimes
Process Control System
Collaborative Robotics System
• Discrete process
• Four machining stations
• Two machine-tending robots
• Supervisory PLC
• Modbus TCP
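An added example, not taken from NISTIR 8219 or from any product used in the NCCoE testbeds, of what a network-based behavioral baseline can look like for Modbus TCP, the protocol listed above: learn which hosts use which function codes and what value range they write to each register, then flag frames that deviate. The host addresses, register numbers and the `ModbusBaseline` class are assumptions constructed for illustration.

```python
import struct

def adu(tid, unit, fc, data=b""):   # build MBAP header + PDU for the constructed samples
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, fc) + data

def parse_adu(frame):
    """Return (unit, function code, data); reject a bad MBAP header."""
    if len(frame) < 8:
        raise ValueError("short frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return unit, frame[7], frame[8:]

def single_write(fc, data):   # (address, value) for 0x06 Write Single Register, else None
    return struct.unpack(">HH", data) if fc == 0x06 and len(data) == 4 else None

class ModbusBaseline:
    def __init__(self):
        self.flows = set()   # (src, dst, unit, function code) seen in training
        self.ranges = {}     # (dst, unit, register) -> (min, max) value written

    def learn(self, src, dst, frame):
        unit, fc, data = parse_adu(frame)
        self.flows.add((src, dst, unit, fc))
        write = single_write(fc, data)
        if write:
            lo, hi = self.ranges.get((dst, unit, write[0]), (write[1], write[1]))
            self.ranges[(dst, unit, write[0])] = (min(lo, write[1]), max(hi, write[1]))

    def check(self, src, dst, frame):
        """Return alert strings; an empty list means the frame matches the baseline."""
        try:
            unit, fc, data = parse_adu(frame)
        except ValueError as exc:
            return [f"malformed frame: {exc}"]
        alerts = []
        if (src, dst, unit, fc) not in self.flows:
            alerts.append(f"new flow {src}->{dst} unit={unit} fc=0x{fc:02x}")
        write = single_write(fc, data)
        learned = write and self.ranges.get((dst, unit, write[0]))
        if write and not (learned and learned[0] <= write[1] <= learned[1]):
            alerts.append(f"register {write[0]} value {write[1]} outside learned {learned}")
        return alerts

# Constructed training traffic (documentation addresses): an HMI polling and tuning a PLC.
HMI, PLC = "192.0.2.20", "192.0.2.10"
baseline = ModbusBaseline()
for tid, (fc, args) in enumerate([(0x03, (0, 4)), (0x06, (10, 100)), (0x06, (10, 150))]):
    baseline.learn(HMI, PLC, adu(tid, 1, fc, struct.pack(">HH", *args)))
```

A baseline like this is only as good as its training window: traffic that is legitimate but rare (maintenance, recipe changes) has to be captured during learning or it will alert later.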
Mapping the security characteristics of BAD to the NIST CSF
Protecting Information System Integrity in Manufacturing Environments
Project Status: Project Description expected release date for public comments: March 2019
Overview
• Threats to organizational environments such as destructive malware, malicious insider activity, advanced persistent threats, and even honest mistakes create the imperative for organizations to be able to protect their assets from data integrity attacks
• This project explores methods one could deploy to help prevent/mitigate the threats identified above as they pertain to deploying cybersecurity capabilities in an ICS manufacturing environment
301-975-0200 | http://nccoe.nist.gov