Audit of Industrial Control System Security at Select DOE Locations

Audit of Industrial Control System Security at Select DOE Locations Karen S. White 10/6/19 Control System Cyber Security Workshop 2019 ORNL is managed by UT-Battelle, LLC for the US Department of Energy

Security of Industrial Control Systems US Government focus on cyber security has increased due to the costs and impact of successful attacks Each government agency required to identify and protect government systems, including industrial control systems US Department of Energy (DOE) uses industrial control systems to supports missions related to energy, scientific research, environmental cleanup and national security Can include systems used for “physical security, heating, ventilation, cooling, electrical, and water systems, as well as supervisory control and data acquisition systems”. Words in green mean this applies to control systems used to 2 controls accelerators at national laboratories Open slide master to edit

Audit DOE Inspector General conducted audit of “Security over Industrial Control Systems (ICS) at Select DOE Locations” and released their report in June 2019 Audited 8 ICS’ at 4 undisclosed selected locations Previous audits focus on enterprise type IT systems Report summary and report available: https://www.energy.gov/ig/downloads/audit-report-doe-oig-19-34 https://www.energy.gov/sites/prod/files/2019/06/f63/DOE-OIG-19-34 1.p df 3 Open slide master to edit

Findings (from the report) DOE sites reviewed had not always implemented security controls over selected systems as in accordance with requirements Some facilities did not have complete inventories of their ICS’ Some facilities did not properly categorize the impact of their ICS’ on external systems Some had weaknesses in: – documentation of security controls – vulnerability management (e.g. systems not patched) – physical or logical access control 4 Open slide master to edit

Standards DOE Chief Information Officer requires DOE and DOE facility management contractors to comply with National Institute of Standards and Technology (NIST) requirements detailed in : – NIST SP 800-53 Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations – NIST SP 800-82 Rev2 Guide to Industrial Controls (ICS) Security Audit was conducted against these standards 5 Open slide master to edit

Areas of Interest (realistic?) Asset management – consistent identification of high values assets, proper classification and accurate inventory Documentation of security plan - ICS should have own controls rather than rely on enterprise controls Vulnerability Management – be sure patches are up to date, software is not obsolete, is supported Physical Security – should have badge access by role, keep list up to date Access privileges – periodic password changes Tension between need for security and operational demands 6 Open slide master to edit

Recommendations For DOE CIO Determine what types of operational technology and IT systems should be defined as an information system to ensure consistency with Federal requirements and codify the decision within the Department’s cybersecurity order. For Administrator for the National Nuclear Security Administration, Under Secretary of Energy, Under Secretary for Science, and Assistant Secretary for Electricity: Identify, inventory, and assess the allocation of resources for the protection of industrial control systems, including high value assets, and ensure sites exercise appropriate security authorization processes for industrial control system assets. 7 Open slide master to edit

Recommendations For Management of audited sites Resolve or mitigate specific weaknesses identified within this report and during technical vulnerability scanning and penetration testing performed at selected locations; and Ensure the appropriate risk management processes are implemented, including developing adequate documentation to support security processes, implementing effective continuous monitoring processes, and developing/evaluating risk tolerance levels related to system operations. We also recommend that the Management of Site 4, direct the Contracting Officer to ensure current Federal cybersecurity requirements are included in site-level contracts in a timely manner. 8 Open slide master to edit

Be prepared – self assessment Evaluate you system using NIST Cyber Security Evaluation Tool (CSET) NIST Cybersecurity Framework (CSF) to Cyber Resilience Review (CRR) Crosswalk NIST has on-line training 9 Open slide master to edit