This whitepaper assesses how modern security assessments fail as a means to assess Information Technology
(IT)/Industrial Control Systems (ICS), how cyber ranges work, and how the future of ICS cybersecurity depends on
the use of cyber ranges as a means of assessment.
SECURING OUR FUTURE
WHY TODAY’S SOLUTIONS CANNOT SOLVE
TOMORROW’S PROBLEMS
INTRODUCTION
INDUSTRIAL CONTROL SYSTEMS (ICS) are control systems, including supervisory
control and data acquisition (SCADA) systems, distributed control systems (DCS), and
other configurations using programmable logic controllers (PLC), that provide a desired
function, often in unauthenticated network environments. ICS are a critical component
of important national infrastructure, yet they are often forgotten in an organization’s
security plan and are one of the biggest cyber threats. ICS have a history of making the
news when compromised, and there are real-world consequences when they are penetrated and
exploited by a perpetrator. Examples such as the Ukrainian power utility hack, which left
225,000 people without power in March of 2015, prove the threat ICS hacks pose[1]. At
the Risk Management Summit, Applied Control Systems surmised that, of the 750 ICS hacks
reported, the financial cost has been $30 billion[2]. ICS-CERT responded to 295
ICS incidents across a wide variety of industries in 2015, as indicated in Figure 1. A
IT/ICS. A cyber range includes hardware and software simulating and emulating a
system for operation and security testing and training. An IT/ICS cyber range for testing
is crucial to ensure information assurance, safety, and correct functionality. As the Centre
for the Protection of National Infrastructure stated, “Another significant advantage of a
laboratory assessment is the ICS will be separate from the
production version. This fact means the team will have a green
light to non-destructively test any and all parts of the ICS
without the possibility of causing a real-world impact.”[4] Cyber
ranges allow for a more thorough and accurate assessment of
ICS without the fear of compromising the ICS. An IT/ICS cyber
range will allow cyber analysts to test devices beyond what
they were designed for and determine what functions they are
capable of performing.
KEY POINTS
Industrial Control Systems (ICS) impact almost every aspect of life in America and
it is one of the Department of Homeland Security’s leading initiatives. Every
effort must be taken to ensure its security. Cyber Ranges represent the next
step in securing our nation’s critical infrastructure for tomorrow’s threats.
FIGURE 1 INCIDENTS RESPONDED TO BY ICS-CERT IN 2015 (pie chart: Critical Infrastructure 44%, Critical Manufacturing 35%, Unknown 10%, Government Facilities 6%, Communications 5%)
AUDITS ARE NOT ENOUGH
An IT/ICS cyber range should be part of information security
programs because audits are inadequate to ensure that
systems are secure. Audits indicate whether a security mechanism
is in place and configured according to industry standards
without specifying whether the mechanism is effective. A router
SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG)
may tell a tester whether administrators locked a router according to
Defense Information Systems Agency (DISA) standards. The
STIG neglects to tell the tester whether the lock improves the security
posture of the system, resulting in systems locked to an arbitrary standard but no more secure as a result. STIGs and audits
such as the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Risk Management Framework
(RMF) fail to account for traffic and integration. CPNI states, “A secure ICS does not exist, which means that hidden
vulnerabilities are still possible in an ICS, even after a clean report from a cybersecurity assessment”[4]. For example, a
penetration test exploits the vulnerabilities in a system as it exists, rather than assuming an all-purpose approach such as
DIACAP and RMF. Pairing a penetration test of your ICS equipment with a cyber range gives you a more accurate assessment
of how secure your system is than an audit, which seeks to determine the status of security settings. Using a cyber range for
security assessments addresses these issues and allows additional testing, including penetration tests, without fear of
compromising the system, and can save millions by preventing significant loss of data or personally identifiable information (PII).
Auditors use tools that test components of a system in isolation, but the tools fail to test how the system works when the system
is running. Auditors conducting an assessment use tools such as the ASSURED COMPLIANCE ASSESSMENT SOLUTION
(ACAS), which tests security settings but disregards the effectiveness of those settings. This is an accepted but flawed security
testing approach, because it lacks empirical evidence to support the assertion that the system is secure. Imagine you went to a
mechanic with an error code appearing on the console in your car and, for some reason, the car is smoking when you accelerate.
You tell the mechanic your issue and show him the error code. He tells you to come back in 2 days. When you return, he tells
you he has resolved the error code; you pay your bill and leave. You get 2 miles away to find the error code returns and the car
continues to smoke. When you return to the mechanic, he tells you he resolved the error code but failed to crank the car to see
if the actual issue was resolved. Doesn’t make sense, does it? Only by testing the car while it runs can you have an
accurate idea of its performance. Modern tools are limited in their assessment of security because they fail to account for the
system operating. By using a cyber range and simulating the traffic a system will experience, your testing tools will give you a
more accurate assessment of the system. Testing the system using an IT/ICS cyber range allows integrated assessment,
reflecting how the system will function when operational, where other methods ensure settings are implemented without addressing
how the system works when it is operating.
FIGURE 2 SECURITY GOALS OF TRADITIONAL IT VS ICS (diagram ordering confidentiality, integrity and availability by increasing importance for traditional IT and for ICS)
Audits fail to address the effect traffic will have on the system, such as bottlenecks or capacity issues. Winter states, “A good
example of such tests is investigating shifts in traffic workload patterns. Adding new components such as workstations in an
office or new sensors or reporting thresholds in an industrial control system can cause unexpected critical traffic flow changes
in parts of the system quite remote from the location where the new components were added. This, in turn, can make a single
router in yet another part of the system a critical component.”[6] While security has been the focus of cyber ranges, ranges also
have tremendous implications for engineers in observing traffic in an operational system. While engineers can plan and design
for capacity, unless a system is operational the engineer cannot be sure the design has addressed the actual system bandwidth
requirement. Cyber ranges would allow engineers to model and test systems using realistic traffic while identifying where
potential issues may occur once a system is running.
ICS TOO CRITICAL TO SECURE
As ICS adopt Internet Protocol (IP) or similar protocols, the risk of hacking increases. Dell reported, “Dell SonicWALL saw
global SCADA attacks increase against its customer base from 91,676 in January 2012 to 163,228 in January 2013, and 675,186
in January 2014.”[7] This warrants security reviews, which may themselves pose a risk to the system because an auditor may
break the system during testing. As NIST reported, “The nature of ICS means that when an organization does a risk
assessment, there may be additional considerations that do not exist when doing a risk assessment of a traditional IT system.
Because the impact of a cyber incident in an ICS may include both physical and digital effects, risk assessments need to
incorporate those potential effects.”[8] A security auditor may break a system by accident in various ways. Tools have
design flaws with unintended operational consequences. One now-defunct security testing application had a “Mitigate All”
button, which fixed identified security issues. The unintended consequence of locking these features was a computer
which would no longer function. Breaking certain ICS for a security test has the potential to cause serious injury. Mimicking
an ICS using a cyber range and testing it mitigates the risk of perilous harm.
ICS attacks have seen a sharp increase over the last few years due to the ease
of conducting ICS cyber attacks and the growing number of attackers with
access to the tools and internet access to conduct the attacks.
FIGURE 3 GLOBAL SCADA ATTACKS (bar chart of global SCADA attacks for 2012, 2013 and 2014)
Testers cannot test many ICS implementations because ICS functions are essential and testing risks shutting down the system.
As the Centre for the Protection of National Infrastructure states, “For example, several tools employed in such a test could have
a serious impact on the ICS itself. Various ICS’ will malfunction or halt completely when security tools, such as scanners, are
run on the network. Therefore, the asset owner and assessment team must understand the potential implications of testing on
a production system. Whenever possible, cyber security tests should be performed on a backup or offline ICS.”[4] At a scientific
research station in the Arctic, testing would be life threatening if it broke the HVAC. However, this poses a security risk like the
2013 breach of Target’s payment system, which was initiated through the HVAC system, as seen in the diagram below. Auditors’ inability to
test ICS with traditional tools leaves few options to ensure security is maintained. Creating a virtualized version and testing
security issues through a cyber range delivers higher assurance of system resilience to hacking.
When loss of human life, as in the Arctic example above, is not the determining factor in testing an ICS, a company’s bottom line may be
the issue preventing accurate security assessment. As Ashford reports, “This means almost 100% availability is required, which
in turn means it is difficult and expensive to interrupt these systems for things like security updates.”[9] Ashford maintains that when
malware is detected, there is little that can be done because of the fear of breaking a system. “It is not uncommon for organisations
responsible for critical infrastructure to continue running control systems even though a malware infection has been detected.”[9]
In one example, an engineer shut down a bottling plant’s systems because they changed a timer for a maintenance controller,
resulting in a $100,000 loss for the company. Using a cyber range to test the strength of ICS security avoids the cost of a
shutdown associated with a hack and reduces the risk of a shutdown because of testing.
FIGURE 4 CAPTION TO BE ADDED
FIGURE 5 2013 TARGET POS BREACH
BUT DOES IT WORK?
Cyber ranges are for security purposes but have tremendous potential for other forms of testing. OS updates, configuration
changes and patching in ICS remain an issue because of the difficulty of determining how patches or upgrades may affect a
particular ICS. The Department of Homeland Security states, “As mentioned earlier, patch testing is of special importance in
control systems because of the requirement for very high uptime. The following recommendations should be included in patch
testing: Test bed/simulation hardware should be dedicated for
testing purposes”[10]. Again, if we apply a little common sense to
the idea of testing, we have all been the recipient of a patch or
upgrade to the operating system on our computer which had
unforeseen consequences. Cyber ranges address this issue
by allowing developers to determine how changes affect
functionality without applying the patch to production systems.
Developers could also test new security devices, determining if
they will damage system functionality without risking system
shutdown. This would include tests of new hardware and software
against a system, assessing how they would function in
a specific ICS environment. One important illustration
regarding a cyber range’s use to test new security hardware
can be found in Winter’s work (Figure 5), where he notes, “A
recent example of such testing in the FCR found an intrusion
prevention device deployed in a system model that could be
made to fail open when subjected to the right kind of
overloading. It would simply give up and pass all traffic through,
good or bad. This is not something you would want to find out
in a real system under attack.”[5] This illustrates the
requirement to perform additional levels of scrutiny on products
before adding them to an ICS. In this case, a simple flood
attack resulted in a complete breach of the ICS although the
anti-intrusion device was intended to prevent intrusion into the
network. Security testing could also include unintended use of
ICS devices. Consider the Nest Thermostat, which has an application programming interface (API) allowing third-party developers
to create new applications with the thermostat. What would happen if malicious manipulation occurred through the API?
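An added illustration of the fail-open finding quoted above, not code from the whitepaper, from Winter's paper, or from any vendor: a toy Python model of an inline inspection device replayed against constructed traffic. The inspection capacity, buffer size and `fail_open` switch are hypothetical parameters; the settings audit passes for both configurations, and only the replay under load shows how they differ.

```python
"""Toy range model of an inline inspection device under load (constructed data)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Outcome:
    delivered_clean: int = 0  # legitimate packets that reached the control network
    stopped_bad: int = 0      # malicious packets that never reached it
    leaked_bad: int = 0       # malicious packets forwarded without inspection
    dropped_clean: int = 0    # legitimate packets lost because the device was full


def audit_check(config):
    """What a settings audit sees: the device is in line and configured."""
    return config["inline"] and config["signatures_enabled"]


def run_device(trace, config):
    """Replay `trace` (one list of 'good'/'bad' packets per tick) through the model.

    Hypothetical parameters: `inspect_per_tick` is how many packets the engine
    inspects per tick, `queue_limit` is its buffer, and `fail_open` selects what
    happens to packets that arrive while the buffer is full.
    """
    queue = deque()
    out = Outcome()

    def inspect(pkt):
        if pkt == "bad":
            out.stopped_bad += 1
        else:
            out.delivered_clean += 1

    for arrivals in trace:
        for pkt in arrivals:
            if len(queue) < config["queue_limit"]:
                queue.append(pkt)
            elif config["fail_open"]:
                # Overloaded: forward without inspection.
                if pkt == "bad":
                    out.leaked_bad += 1
                else:
                    out.delivered_clean += 1
            else:
                # Overloaded: drop everything that does not fit in the buffer.
                if pkt == "bad":
                    out.stopped_bad += 1
                else:
                    out.dropped_clean += 1
        for _ in range(min(config["inspect_per_tick"], len(queue))):
            inspect(queue.popleft())
    while queue:  # drain what is still buffered after the trace ends
        inspect(queue.popleft())
    return out


def make_trace(ticks, good_per_tick, bad_per_tick):
    """Constructed traffic: each tick carries good packets followed by bad ones."""
    return [["good"] * good_per_tick + ["bad"] * bad_per_tick for _ in range(ticks)]


BASE = {"inline": True, "signatures_enabled": True,
        "inspect_per_tick": 10, "queue_limit": 20}
FAIL_OPEN = dict(BASE, fail_open=True)
FAIL_CLOSED = dict(BASE, fail_open=False)

NORMAL = make_trace(ticks=20, good_per_tick=8, bad_per_tick=1)     # within capacity
OVERLOAD = make_trace(ticks=20, good_per_tick=50, bad_per_tick=1)  # about 5x capacity


def range_report():
    """Run both policies against both traces and return the outcomes."""
    return {
        (name, load): run_device(trace, cfg)
        for name, cfg in (("fail_open", FAIL_OPEN), ("fail_closed", FAIL_CLOSED))
        for load, trace in (("normal", NORMAL), ("overload", OVERLOAD))
    }


if __name__ == "__main__":
    for key, outcome in range_report().items():
        print(key, outcome)
```

Under normal load the two policies are indistinguishable. Under overload the fail-open device keeps every legitimate packet flowing but forwards the malicious ones uninspected, while the fail-closed device stops them at the cost of dropping most legitimate traffic, a trade-off an availability-driven ICS owner needs to see before deployment.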
Without simulating traffic, functional testing offers a limited
assessment of a system and fails to identify unknown
traffic-created issues. Cyber ranges allow new hardware to be tested
and integrated for specific environments and identify unknown
hardware issues pre-installation. Functional testing follows a
script, as indicated in the diagram to the right. These scripts
list the steps and procedures to verify the system functions as
expected, and can be automated or manual. The problem with
testing this way is it fails to account for traffic and therefore
how the system will function when operational. For example,
what if 100 users on a network attempt to access the same
resource at the same time, but the system is integrated in a
way that allows only 1 user access at any given moment? Here we
can see where a cyber range is the only way to discover this type of bottleneck.
FIGURE 6 FAILED IPS DEVICE
FIGURE 7 RANGE BASED FUNCTIONAL TESTING
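The 100-user example above, worked through as an added sketch that is not part of the original whitepaper: a small Python replay comparing a scripted functional test with a simultaneous burst against a resource that admits one user at a time. The 500 ms service time and 5 s client timeout are assumed values, and `slots_needed` goes one step beyond the text by sizing the resource for that burst.

```python
"""Scripted functional test vs. range traffic against a one-at-a-time resource."""
import heapq


def replay(arrivals_ms, slots, service_ms, timeout_ms):
    """Replay request arrival times against a resource with `slots` concurrent users.

    Returns (served, timed_out, worst_wait_ms). A request is abandoned if it
    would have to wait longer than `timeout_ms` for a free slot. All numbers
    are hypothetical model parameters, not measurements.
    """
    free_at = [0] * slots          # min-heap: when each slot next becomes free
    heapq.heapify(free_at)
    served = timed_out = worst_wait = 0
    for arrival in sorted(arrivals_ms):
        start = max(arrival, free_at[0])
        wait = start - arrival
        if wait > timeout_ms:
            timed_out += 1         # the client gives up; no slot is consumed
            continue
        heapq.heapreplace(free_at, start + service_ms)
        served += 1
        worst_wait = max(worst_wait, wait)
    return served, timed_out, worst_wait


def slots_needed(arrivals_ms, service_ms, timeout_ms, limit=64):
    """Smallest number of concurrent slots that serves the trace with no timeouts."""
    for slots in range(1, limit + 1):
        if replay(arrivals_ms, slots, service_ms, timeout_ms)[1] == 0:
            return slots
    return None


# Constructed inputs: a functional script exercises the resource one step at a
# time, while the range replays 100 users arriving at the same moment.
SCRIPTED = [0, 1000, 2000, 3000, 4000]
BURST = [0] * 100
SERVICE_MS, TIMEOUT_MS = 500, 5000   # assumed values

if __name__ == "__main__":
    print("functional script:", replay(SCRIPTED, 1, SERVICE_MS, TIMEOUT_MS))
    print("100-user burst   :", replay(BURST, 1, SERVICE_MS, TIMEOUT_MS))
    print("slots needed     :", slots_needed(BURST, SERVICE_MS, TIMEOUT_MS))
```

The scripted test passes with no waiting at all, which is why it cannot reveal the bottleneck; the burst serves 11 of the 100 users before the rest time out.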
MAKING IT ALL WORK
Cyber ranges go through five phases of development. In the first phase, the system goes through documentation so that the
cyber range can approximate the actual network. Details included during this phase would resemble the documentation included
in system accreditation packages, such as the number of laptops and printers and the versions of software and hardware. One important
aspect of the system captured during the enumeration phase is traffic analysis. This is accomplished with a mix of passive and
active network traffic analysis tools, striking a balance between collecting detailed traffic patterns and operational network
performance. Network SMEs make assumptions during the enumeration phase if the system is in development and traffic
patterns are unavailable. In the next phase of cyber range development, we reconstruct the system in a virtual environment.
We replicate the details gathered during the enumeration phase through virtual machines (VMs) of the target system. If
replicating a non-operational system, VMs can be produced which mirror the clients you intend to integrate. Once created,
settings are verified through a functional test in the 3rd phase, Testing. The testing phase resembles a functional test and
ensures the virtualized system functions. In the 4th phase, we model the target system by adding traffic to the virtualized network.
We do this by configuring traffic emulators with the data gathered during the enumeration phase. The fifth and final phase is
where the real value of the cyber range comes in. Sample uses of a cyber range include:
Red/Blue Exercises
Testing Hardware
Testing Software
Modeling and Simulation
Independent Validation and Verification
Research and Development
Tabletop Exercises
Comparative Solution Analysis
Integration Environment
Patch Testing
Load Testing
Configuration Testing
Functional Testing
Penetration Testing
Certification
Training
Hypotheses Testing
Team Assessment
FIGURE 8 CYBER RANGE DEVELOPMENT PHASES
At Honeywell’s Cyber Solutions Lab, we have developed a cyber range for traditional systems and ICS solutions. With
Honeywell’s background in various markets and deep engineering experience, we are able to provide a cyber range meeting
the challenges of today’s cyber threats and the threats of tomorrow. With minimal time from enumeration to emulation,
Honeywell’s cyber range allows system owners to stop making assumptions regarding security and secure their systems with a higher
level of confidence than ever before.
CONCLUSION
ICS are important to the nation’s infrastructure, and yet ICS are some of the most neglected systems due to availability
requirements. These systems have become essential to our way of life, and examining them to ensure their
stability and security presents too much risk to the system. IT/ICS cyber ranges offer an affordable risk-based approach to
securing IT/ICS, enhancing the overall security posture of the system in a way that is impossible with other testing methodologies.
Honeywell’s Cyber Range meets the demands of today’s customers and addresses tomorrow’s challenges.
Courtney “Brock” Rabon is Honeywell Technology Solutions Inc. (HTSI)’s Cyber Evangelist and has 11
years of experience helping Commercial and Federal clients meet their cyber security goals. He manages
their Cyber Security Technologies Lab in Charleston, SC and can be reached at
courtney.rabon@honeywell.com.
HTSI is a diverse professional and technical services leader offering world-class managed solutions to federal, commercial and
international clients. HTSI’s core capabilities include engineering and space operations, physical and cyber security, engineering
and development services, logistics, facility and equipment planning, and testing and calibration.
BIBLIOGRAPHY
[1] “iTWire - Darkness in the Ukraine – hackers turn the lights off.” [Online]. Available: http://www.itwire.com/business-it-news/security/72709-darkness-in-the-ukraine-%E2%80%93-hackers-turn-the-lights-off.html. [Accessed: 10-Jun-2016].
[2] “Industrial_Control_Systems_at_Risk1.pdf.”
[3] “Year_in_Review_FY2015_Final_S508C.pdf.”
[4] “2011020-cyber_security_assessments_of_ics_gpg.pdf.”
[5] “IEEE Xplore Full Text PDF.”
[6] “Attacks Against SCADA Systems Doubled in 2014: Dell | SecurityWeek.Com.” [Online]. Available: http://www.securityweek.com/attacks-against-scada-systems-doubled-2014-dell. [Accessed: 10-Jun-2016].
[7] “NIST.SP.800-82r2.pdf.”
[8] “Industrial control systems: What are the security challenges?,” ComputerWeekly. [Online]. Available: http://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges. [Accessed: 13-Jun-2016].
[9] “RP_Patch_Management_S508C.pdf.”
[10] H. Winter, “System security assessment using a cyber range,” in 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012, 2012, pp. 1–5.

SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
Intrusion Detection System using Data Mining
Intrusion Detection System using Data MiningIntrusion Detection System using Data Mining
Intrusion Detection System using Data Mining
 
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONS
 
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...
 
Augment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 DatasetAugment Method for Intrusion Detection around KDD Cup 99 Dataset
Augment Method for Intrusion Detection around KDD Cup 99 Dataset
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdf
 
IRJET- Cross Platform Penetration Testing Suite
IRJET-  	  Cross Platform Penetration Testing SuiteIRJET-  	  Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
Assessment and Mitigation of Risks Involved in Electronics Payment Systems
Assessment and Mitigation of Risks Involved in Electronics Payment Systems Assessment and Mitigation of Risks Involved in Electronics Payment Systems
Assessment and Mitigation of Risks Involved in Electronics Payment Systems
 
Information security management guidance for discrete automation
Information security management guidance for discrete automationInformation security management guidance for discrete automation
Information security management guidance for discrete automation
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
 
Comparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment ToolsComparative study of Cyber Security Assessment Tools
Comparative study of Cyber Security Assessment Tools
 
Vulnerability Management System
Vulnerability Management SystemVulnerability Management System
Vulnerability Management System
 
IRJET-Managing Security of Systems by Data Collection
IRJET-Managing Security of Systems by Data CollectionIRJET-Managing Security of Systems by Data Collection
IRJET-Managing Security of Systems by Data Collection
 
Standards based security for energy utilities
Standards based security for energy utilitiesStandards based security for energy utilities
Standards based security for energy utilities
 
Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up Secure Your Medical Devices From the Ground Up
Secure Your Medical Devices From the Ground Up
 
David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016David Blanco ISHM 8280-2016
David Blanco ISHM 8280-2016
 
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresGeneric Security Framework for Multiple Heterogeneous Virtual Infrastructures
Generic Security Framework for Multiple Heterogeneous Virtual Infrastructures
 
Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327Secure architecture-industrial-control-systems-36327
Secure architecture-industrial-control-systems-36327
 
Best of Positive Research 2013
Best of Positive Research 2013Best of Positive Research 2013
Best of Positive Research 2013
 

Cyber_range_whitepaper_cbr_070716_FINAL_DRAFT

  • 1. This whitepaper assesses how modern security assessments fail as a means to assess Information Technology (IT)/Industrial Control Systems (ICS), how cyber ranges work, and how the future of ICS cybersecurity depends on the use of Cyber Ranges as a means of assessment.
SECURING OUR FUTURE
WHY TODAY’S SOLUTIONS CANNOT SOLVE TOMORROWS PROBLEMS
  • 2. INTRODUCTION
Industrial control systems (ICSs) are control systems including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other configurations using programmable logic controllers (PLC) to provide a desired function, often in unauthenticated network environments. ICSs are a critical component of important national infrastructure, yet they are often forgotten in an organization’s security plan and are one of the biggest cyber threats. ICS have a history of making the news when compromised and have real-world consequences when penetrated and exploited by a perpetrator. Examples such as the Ukrainian power utility hack, which left 225,000 people without power in March of 2015, prove the threat ICS hacks pose [1]. At the Risk Management Summit, Applied Control Systems surmised that, of the 750 ICS hacks reported, the financial cost has been $30 billion [2]. ICS-CERT responded to 295 ICS incidents across a wide variety of industries in 2015, as indicated in Figure 1. A IT/ICS. A cyber range includes hardware and software simulating and emulating a system for operation and security testing and training. An IT/ICS cyber range for testing is crucial to ensure information assurance, safety, and correct functionality. As the Centre for the Protection Of National Infrastructure stated, “Another significant advantage of a
KEY POINTS
Industrial Control Systems (ICS) impact almost every aspect of life in America and it is one of the Department of Homeland Security’s leading initiatives. Every effort must be taken to ensure its security. Cyber Ranges represent the next step in securing our nation’s critical infrastructure for tomorrow’s threats.
FIGURE 1 INCIDENTS RESPONDED TO BY ICS-CERT IN 2015: Critical Infrastructure 44%, Critical Manufacturing 35%, Unknown 10%, Government Facilities 6%, Communications 5%
  • 3. laboratory assessment is the ICS will be separate from the production version. This fact means the team will have a green light to non-destructively test any and all parts of the ICS without the possibility of causing a real-world impact.”[4] Cyber ranges allow for a more thorough and accurate assessment of ICS without the fear of compromising the ICS. An IT/ICS cyber range will allow cyber analysts to test devices beyond what they were designed for and determine what functions they are capable of performing.
AUDITS ARE NOT ENOUGH
An IT/ICS cyber range should be part of information security programs because audits are inadequate to ensure the systems are secure. Audits indicate whether a security mechanism is in place and configured according to industry standards, without specifying whether the mechanism is effective. A router Security Technical Implementation Guide (STIG) may tell a tester whether administrators locked a router according to Defense Information Systems Agency (DISA) standards. The STIG neglects to tell the tester whether the lock improves the security posture of the system, resulting in systems locked to an arbitrary standard but no more secure as a result. STIGs and audits such as the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Risk Management Framework (RMF) fail to account for traffic and integration. CPNI states, “A secure ICS does not exist, which means that hidden vulnerabilities are still possible in an ICS, even after a clean report from a cybersecurity assessment”[4]. For example, a penetration test exploits the vulnerabilities in a system as it exists, rather than assuming an all-purpose approach such as DIACAP and RMF.
Pairing a penetration test of your ICS equipment with a cyber range gives you a more accurate assessment of how secure your system is than an audit, which seeks to determine the status of security settings. Using a cyber range for security assessments addresses these issues and allows additional testing, including penetration tests, without fear of compromising the system, and saves millions by preventing significant loss of data or personally identifiable information (PII). Auditors use tools that test components of a system in isolation, but the tools fail to test how the system works when the system is running. Auditors conducting an assessment use tools such as the Assured Compliance Assessment Solution (ACAS), which test security settings but disregard the effectiveness of those settings. This is a flawed but accepted security testing approach, because it lacks empirical evidence to support the assertion that the system is secure.
Imagine you went to a mechanic with an error code appearing on the console in your car, and for some reason the car is smoking when you accelerate. You tell the mechanic your issue and show him the error code. He tells you to come back in 2 days. When you return he tells you he has resolved the error code; you pay your bill and leave. You get 2 miles away to find the error code returns and the car continues to smoke. When you return to the mechanic, he tells you he resolved the error code but failed to crank the car to see if the actual issue was resolved. Doesn’t make sense, does it? Only by testing the performance of the car can you have an accurate idea of the performance. Modern tools are limited in their assessment of security because they fail to account for the system operating. By using a cyber range and simulating the traffic a system will experience, your testing tools will give you a more accurate assessment of the system.
Testing the system using an IT/ICS cyber range allows integrated assessment,
FIGURE 2 SECURITY GOALS OF TRADITIONAL IT VS ICS (confidentiality, integrity and availability ordered by increasing importance)
  • 4. reflecting how the system will function when operational, whereas other methods verify implemented settings without addressing how the system works when it is operating. Audits fail to address the effect traffic will have on the system, such as bottlenecks or capacity issues. Winters states, “A good example of such tests is investigating shifts in traffic workload patterns. Adding new components such as workstations in an office or new sensors or reporting thresholds in an industrial control system can cause unexpected critical traffic flow changes in parts of the system quite remote from the location where the new components were added. This, in turn, can make a single router in yet another part of the system a critical component.”[6] While security has been the focus of cyber ranges, ranges also have tremendous implications for engineers in observing traffic in an operational system. Engineers can plan and design for capacity, but unless a system is operational the engineer cannot be sure the design has addressed the actual system bandwidth requirement. Cyber ranges would allow engineers to model and test systems using realistic traffic while identifying where potential issues may occur once a system is running.
ICS TOO CRITICAL TO SECURE
As ICSs adopt Internet Protocol (IP) or similar protocols, the risk of hacking increases. Dell reported, “Dell SonicWALL saw global SCADA attacks increase against its customer base from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014.”[7] This warrants security reviews, which may themselves pose a risk to the system because an auditor may break the system during testing. As NIST reported, “The nature of ICS means that when an organization does a risk assessment, there may be additional considerations that do not exist when doing a risk assessment of a traditional IT system.
Because the impact of a cyber incident in an ICS may include both physical and digital effects, risk assessments need to incorporate those potential effects.”[8] A security auditor may break a system by accident in various ways. Tools have design flaws with unintended operational consequences. One now-defunct security testing application had a “Mitigate All” button, which fixed identified security issues. The unintended consequence of locking these features resulted in a computer,
ICS attacks have seen a sharp increase over the last few years due to the ease of conducting ICS cyber attacks and the growing number of attackers with access to the tools and internet access to conduct the attacks.
FIGURE 3 GLOBAL SCADA ATTACKS (2012, 2013, 2014)
  • 5. which would no longer function. Breaking certain ICSs during a security test has the potential to cause serious injury. Mimicking an ICS using a cyber range and testing it mitigates the risk of perilous harm. Testers cannot test many ICS implementations because ICS functions are essential and testing risks shutting down the system. As the Centre for the Protection of National Infrastructure states, “For example, several tools employed in such a test could have a serious impact on the ICS itself. Various ICS’ will malfunction or halt completely when security tools, such as scanners, are run on the network. Therefore, the asset owner and assessment team must understand the potential implications of testing on a production system. Whenever possible, cyber security tests should be performed on a backup or offline ICS.”[4] At a scientific research station in the Arctic, testing would be life threatening if it broke the HVAC. However, this poses a security risk like the 2013 breach of Target’s payment system, which was initiated through the HVAC system, as seen in the diagram below. Auditors’ inability to test ICS with traditional tools leaves few options to ensure maintenance of security. Creating a virtualized version and testing security issues through a cyber range delivers higher assurance of system resilience to hacking.
When loss of human life is not the determining factor for testing an ICS, as it was in the Arctic example above, a company’s bottom line may be the issue preventing accurate security assessment. As Ashford reports, “This means almost 100% availability is required, which in turn means it is difficult and expensive to interrupt these systems for things like security updates.”[9] Ashford maintains that when malware is detected there is little that can be done because of the fear of breaking a system.
“It is not uncommon for organisations responsible for critical infrastructure to continue running control systems even though a malware infection has been detected.”[9] In one example, an engineer shut down a bottling plant’s systems because they changed a timer for a maintenance controller, resulting in a $100,000 loss for the company. Using a cyber range to test the strength of an ICS’s security avoids the cost of a shutdown associated with a hack and reduces the risk of a shutdown because of testing.
BUT DOES IT WORK?
Cyber ranges are for security purposes but have tremendous potential for other forms of testing. OS updates, configuration changes and patching in ICS remain an issue because of the difficulty of determining how patches or upgrades may affect a particular ICS. The Department of Homeland Security states, “As mentioned earlier, patch testing is of special importance in control systems because of the requirement for very high uptime. The following recommendations should be included in patch
FIGURE 4 CAPTION TO BE ADDED
FIGURE 5 2013 TARGET POS BREACH
  • 6. testing: Test bed/simulation hardware should be dedicated for testing purposes”[10]. Again, a little common sense applies to the idea of testing: we have all been the recipient of a patch or upgrade to the operating system on our computer which had unforeseen consequences. Cyber ranges address this issue by allowing developers to determine how changes affect functionality without applying the patch to production systems. Developers could also test new security devices, determining whether they will damage system functionality without risking system shutdown. This would include testing new hardware and software against a system, assessing how it would function in a specific ICS environment. One important illustration of a cyber range’s use to test new security hardware can be found in Winter’s work (Figure 5), where he notes, “A recent example of such testing in the FCR found an intrusion prevention device deployed in a system model that could be made to fail open when subjected to the right kind of overloading. It would simply give up and pass all traffic through, good or bad. This is not something you would want to find out in a real system under attack.”[5] This illustrates the requirement to perform additional levels of scrutiny on products before adding them to an ICS. In this case, a simple flood attack resulted in a complete breach of the ICS although the anti-intrusion device was intended to prevent intrusion into the network. Security testing could also include unintended use of ICS devices. Consider the Nest Thermostat, which has an application programming interface (API) allowing third-party developers to create new applications with the thermostat. What would happen if malicious manipulation occurred through the API? Without simulating traffic, functional testing offers a limited assessment of a system and does not identify unknown traffic-created issues.
Cyber ranges allow new hardware to be tested and integrated for specific environments and identify unknown hardware issues pre-installation. Functional testing follows a script, as indicated in the diagram to the right. These scripts list the steps and procedures to verify the system functions as expected, and can be automated or manual. The problem with testing this way is that it fails to account for traffic and therefore for how the system will function when operational. For example, what if 100 users on a network attempt to access the same resource at the same time, but the system is integrated in a way that allows 1 user access at any given moment? Here we can see where a cyber range is the only way to discover this type of bottleneck.
FIGURE 6 FAILED IPS DEVICE
FIGURE 7 RANGE BASED FUNCTIONAL TESTING
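The gap between scripted functional testing and testing under traffic, including the fail-open intrusion prevention device quoted above, can be reproduced in a small range-style experiment. The following is an added example, not code from the whitepaper or from any product: the `InlineInspector` model, its capacities and the packet mixes are constructed assumptions.

```python
"""Toy range experiment: scripted functional test vs. traffic load on an inline inspector.

Constructed model, not a real product: capacities, packet mixes and names are assumptions.
"""
from collections import Counter, deque


class InlineInspector:
    """Inline device that inspects packets taken from a bounded queue.

    fail_open=True  -> packets that do not fit in the queue are forwarded uninspected.
    fail_open=False -> packets that do not fit in the queue are dropped (fail closed).
    """

    def __init__(self, capacity_per_tick, queue_limit, fail_open):
        self.capacity_per_tick = capacity_per_tick
        self.queue_limit = queue_limit
        self.fail_open = fail_open
        self.queue = deque()
        self.stats = Counter()

    def tick(self, arrivals):
        """Advance one time step. Each arrival is a bool: True means malicious."""
        for malicious in arrivals:
            if len(self.queue) < self.queue_limit:
                self.queue.append(malicious)
            elif self.fail_open:
                # Overloaded and failing open: traffic bypasses inspection entirely.
                self.stats["malicious_forwarded" if malicious else "benign_forwarded"] += 1
            else:
                # Overloaded and failing closed: availability suffers, nothing slips by.
                self.stats["malicious_blocked" if malicious else "benign_dropped"] += 1
        # Inspect as many queued packets as the device can handle in this step.
        for _ in range(min(self.capacity_per_tick, len(self.queue))):
            malicious = self.queue.popleft()
            self.stats["malicious_blocked" if malicious else "benign_forwarded"] += 1


def run(device, schedule):
    """Feed every step of the schedule to the device, then drain its queue."""
    for arrivals in schedule:
        device.tick(arrivals)
    while device.queue:
        device.tick([])
    return device.stats


def functional_script():
    """Scripted functional test: one packet per step, alternating benign/malicious."""
    return [[i % 2 == 1] for i in range(20)]


def load_profile():
    """Emulated traffic: 100 packets per step for 10 steps, every tenth one malicious."""
    return [[i % 10 == 9 for i in range(100)] for _ in range(10)]


def assess(fail_open, capacity_per_tick=10, queue_limit=20):
    """Run both test styles against a fresh device and return their statistics."""
    results = {}
    for name, schedule in (("functional", functional_script()), ("load", load_profile())):
        device = InlineInspector(capacity_per_tick, queue_limit, fail_open)
        results[name] = run(device, schedule)
    return results


if __name__ == "__main__":
    for policy, fail_open in (("fail-open", True), ("fail-closed", False)):
        for test, stats in assess(fail_open).items():
            print(f"{policy:11} {test:10} {dict(stats)}")
```

Both policies produce identical results under the functional script, so only the load profile separates the device that forwards malicious traffic from the one that trades availability for blocking.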
  • 7. MAKING IT ALL WORK
Cyber ranges go through five phases of development. In the first phase, the system goes through documentation so that the cyber range can approximate the actual network. Details included during this phase would resemble the documentation included in system accreditation packages, such as the number of laptops and printers and the versions of software and hardware. One important aspect of the system captured during the enumeration phase is traffic analysis. This is accomplished with a mix of passive and active network traffic analysis tools, striking a balance between collecting detailed traffic patterns and operational network performance. Network SMEs make assumptions during the enumeration phase if the system is in development and traffic patterns are unavailable.
In the next phase of cyber range development, we reconstruct the system in a virtual environment. We replicate the details gathered during the enumeration phase through virtual machines (VMs) of the target system. If replicating a non-operational system, VMs can be produced which mirror the clients you intend to integrate. Once created, settings are verified through a functional test in the 3rd phase, Testing. The testing phase resembles a functional test and ensures the virtualized system functions. In the 4th phase, we model the target system by adding traffic to the virtualized network. We do this by configuring traffic emulators with the data gathered during the enumeration phase. The fifth and final stage is where the real value of the cyber range comes in.
Sample uses of a cyber range include: Red/Blue Exercises; Testing Hardware; Testing Software; Modeling and Simulation; Independent Validation and Verification; Research and Development; Tabletop Exercises; Comparative Solution Analysis; Integration Environment; Patch Testing; Load Testing; Configuration Testing; Functional Testing; Penetration Testing; Certification Training; Hypotheses Testing; Team Assessment.
FIGURE 8 CYBER RANGE DEVELOPMENT PHASES
  • 8. At Honeywell’s Cyber Solutions Lab, we have developed a cyber range for traditional systems and ICS solutions. With Honeywell’s background in various markets and deep engineering experience, we are able to provide a cyber range meeting the challenges of today’s cyber threats, and the threats of tomorrow. With minimal time from enumeration to emulation, Honeywell’s cyber range allows system owners to stop making assumptions regarding security and secure their systems with a higher level of confidence than ever before.
CONCLUSION
ICS are important to the nation’s infrastructure, and yet ICS are some of the most neglected systems due to availability requirements. These systems have become essential to our way of life, and examining a system to ensure its stability and security presents too much risk to the system. IT/ICS cyber ranges offer an affordable risk-based approach to securing IT/ICS, enhancing the overall security posture of the system in a way that is impossible with other testing methodologies. Honeywell’s Cyber Range meets the demands of today’s customers and addresses tomorrow’s challenges.
Courtney “Brock” Rabon is Honeywell Technology Solutions Inc. (HTSI)’s Cyber Evangelist and has 11 years of experience helping Commercial and Federal clients meet their cyber security goals. He manages their Cyber Security Technologies Lab in Charleston, SC and can be reached at courtney.rabon@honeywell.com.
HTSI is a diverse professional and technical services leader offering world-class managed solutions to federal, commercial and international clients. HTSI’s core capabilities include engineering and space operations, physical and cyber security, engineering and development services, logistics, facility and equipment planning, and testing and calibration.
  • 9. BIBLIOGRAPHY
[1] “iTWire - Darkness in the Ukraine – hackers turn the lights off.” [Online]. Available: http://www.itwire.com/business-it-news/security/72709-darkness-in-the-ukraine-%E2%80%93-hackers-turn-the-lights-off.html. [Accessed: 10-Jun-2016].
[2] “Industrial_Control_Systems_at_Risk1.pdf.”
[3] “Year_in_Review_FY2015_Final_S508C.pdf.”
[4] “2011020-cyber_security_assessments_of_ics_gpg.pdf.”
[5] “IEEE Xplore Full Text PDF.”
[6] “Attacks Against SCADA Systems Doubled in 2014: Dell | SecurityWeek.Com.” [Online]. Available: http://www.securityweek.com/attacks-against-scada-systems-doubled-2014-dell. [Accessed: 10-Jun-2016].
[7] “NIST.SP.800-82r2.pdf.”
[8] “Industrial control systems: What are the security challenges?,” ComputerWeekly. [Online]. Available: http://www.computerweekly.com/news/2240232680/Industrial-control-systems-What-are-the-security-challenges. [Accessed: 13-Jun-2016].
[9] “RP_Patch_Management_S508C.pdf.”
[10] H. Winter, “System security assessment using a cyber range,” in 7th IET International Conference on System Safety, incorporating the Cyber Security Conference 2012, 2012, pp. 1–5.