Automated Assessment Of Compliance With Security Best Practices
Several standards and best practices have been proposed for critical infrastructure protection. However, the scale and complexity of critical infrastructure assets renders manual compliance checking difficult, if not impossible. This paper focuses on the automated assessment of security compliance of electrical power grid assets. A security model based on predicate calculus is used to express infrastructure elements (e.g., devices, services, protocols, access control implementations) as “facts” and security standards and best practices as “rules” that specify constraints on the facts. A tool chain is applied to automatically generate the security model from specifications and to check compliance with standards and best practices. The tool chain also supports the visualization of network topology and security assessment results to reveal possible points of attack.
Keywords: security best practices, compliance assessment, first-order logic
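To make the facts-and-rules idea concrete, here is an added example in the spirit of the abstract; it is not the paper's tool chain or its actual rule base. A real implementation of this approach would typically sit on a logic engine such as Prolog or Datalog; the Python below stands in for one with ground facts as tuples and rules as functions over a derived closure. The predicate names (`device`, `in_zone`, `service`, `allowed_flow`, `cleartext`, `remote_admin`, `auth_mechanism`, `reachable`), the rule names, and the sample inventory are all constructed assumptions for illustration. The rules paraphrase common control-network guidance (no direct corporate-to-control flows, no cleartext remote administration on control devices, authentication on every control device) rather than quoting any particular standard.

```python
"""Constructed illustration: infrastructure elements as facts, best practices as rules.

Facts are ground tuples ("predicate", arg1, arg2, ...).  None in a query pattern
acts as a wildcard, i.e. a crude stand-in for Prolog-style matching.
"""

# Sample inventory (constructed, not from the paper).
FACTS = {
    ("device", "plc1", "plc"),
    ("device", "hmi1", "hmi"),
    ("device", "ws1", "workstation"),
    ("in_zone", "plc1", "control"),
    ("in_zone", "hmi1", "control"),
    ("in_zone", "ws1", "corporate"),
    ("service", "plc1", "telnet", 23),
    ("service", "plc1", "modbus", 502),
    ("service", "hmi1", "ssh", 22),
    ("cleartext", "telnet"),
    ("cleartext", "modbus"),          # Modbus/TCP has no authentication or encryption
    ("remote_admin", "telnet"),
    ("remote_admin", "ssh"),
    ("allowed_flow", "corporate", "control", 502),   # firewall permits corporate -> control:502
    ("allowed_flow", "dmz", "control", 502),
    ("auth_mechanism", "hmi1", "password"),
}


def match(facts, *pattern):
    """Return every fact whose arity equals the pattern's and whose fields agree (None = wildcard)."""
    return [f for f in facts
            if len(f) == len(pattern) and all(p is None or p == v for p, v in zip(pattern, f))]


def derive_reachable(facts):
    """reachable(Src, Dev, Proto, Port) :- in_zone(Dev, Z), service(Dev, Proto, Port), allowed_flow(Src, Z, Port)."""
    derived = set()
    for _, dev, zone in match(facts, "in_zone", None, None):
        for _, _, proto, port in match(facts, "service", dev, None, None):
            for _, src, _, _ in match(facts, "allowed_flow", None, zone, port):
                derived.add(("reachable", src, dev, proto, port))
    return derived


# Each rule yields a violation tuple for every binding that breaks the constraint.
def rule_no_direct_corporate_to_control(facts):
    for _, src, dst, port in match(facts, "allowed_flow", "corporate", "control", None):
        yield ("direct_corporate_to_control", src, dst, port)


def rule_no_cleartext_admin_in_control(facts):
    cleartext = {p for _, p in match(facts, "cleartext", None)}
    admin = {p for _, p in match(facts, "remote_admin", None)}
    for _, dev, _ in match(facts, "in_zone", None, "control"):
        for _, _, proto, port in match(facts, "service", dev, None, None):
            if proto in cleartext and proto in admin:
                yield ("cleartext_admin_in_control", dev, proto, port)


def rule_no_cleartext_reachable_from_corporate(facts):
    cleartext = {p for _, p in match(facts, "cleartext", None)}
    for _, _, dev, proto, port in match(facts, "reachable", "corporate", None, None, None):
        if proto in cleartext:
            yield ("cleartext_reachable_from_corporate", dev, proto, port)


def rule_control_device_requires_auth(facts):
    for _, dev, _ in match(facts, "in_zone", None, "control"):
        if not match(facts, "auth_mechanism", dev, None):
            yield ("missing_auth_mechanism", dev)


RULES = [
    rule_no_direct_corporate_to_control,
    rule_no_cleartext_admin_in_control,
    rule_no_cleartext_reachable_from_corporate,
    rule_control_device_requires_auth,
]


def check_compliance(facts):
    """Compute the closure (base facts + derived reachability) and collect all rule violations."""
    closure = set(facts) | derive_reachable(facts)
    violations = set()
    for rule in RULES:
        violations.update(rule(closure))
    return sorted(violations)


# The same inventory after remediation: flow moved to the DMZ, telnet replaced by ssh, auth added.
HARDENED_FACTS = (FACTS - {("allowed_flow", "corporate", "control", 502),
                           ("service", "plc1", "telnet", 23)}) | {
    ("allowed_flow", "corporate", "dmz", 502),
    ("service", "plc1", "ssh", 22),
    ("auth_mechanism", "plc1", "password"),
}

if __name__ == "__main__":
    for v in check_compliance(FACTS):
        print("VIOLATION", v)
    print("after remediation:", check_compliance(HARDENED_FACTS))
```

The derived `reachable` predicate is what makes the check more than a lookup: a cleartext service is flagged only when a firewall rule actually exposes it to the corporate zone, which is the kind of cross-fact constraint that is tedious to verify by hand across a large asset inventory.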