Internet Modernization Critical Infrastructure Impacts
SAND2017-8869C
Curtis Keliiaa
CISSP, IPv6 Forum Gold Certified Engineer
September 27, 2017
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-NA-0003525.

Learning Objectives
To understand:
• internet modernization impacts across the 16 DHS defined critical infrastructure sectors;
• how to address evolving operational and security needs;
• increased complexity of internet protocol modernization;
• how to address workforce development challenges;
• increased risk of internet modernization; and
• how risk mitigation can be managed

Introduction to Computing at Sandia National Laboratories

High Performance Computing
» Funding profiles for Scientific Computing at Sandia:
1. NNSA Advanced Simulation and Computing
2. Institutional Computing program
3. DOE Office of Science, Advanced Scientific Computing Research
» ASC Tri-Lab Networks/Systems at SNL, LANL and LLNL:
• Continuous Access to Large Compute Systems
• ~60 PF, ~10B Processor Hours/Year
» Operations:
• Scientific Computing Platforms – 14 clusters in 4 environments
• System Acquisition, Maintenance & Operations
• High Speed Parallel File Systems
• High Performance Parallel Networks
• Multi-Petabyte Data Archive Systems
• Facilities Improvements
• User Support Personnel
• Analysts & Code Development

Center for Computing Research
» Computing research focused on cross-cutting challenges and enabling capabilities:
• Streaming algorithms to process large data streams
• Algorithms to find patterns in large graphs
• Machine learning techniques to detect adversarial behavior (e.g. phishing emails)
• Quantum Information Systems
• Cognitive Science
• Neural Networks
• Cyber Emulytics
• Exascale Computing
• Remote sensing challenges
• Cybersecurity Engineering Research Institute

Collaboration with Industry and Academia

Internet Modernization
Information & Communication Technology Impacts:
Multi-Domain Integration
Unprecedented Growth
Increased Complexity
Increased Risk

Radio Frequency
RF is a fundamental enabler of mobility
Federal Communications Commission Spectrum Allocation
Expanding Cyber Ecosystem: 5G, LTE Mobility, Mobile Networks, Near Field Communications

Internet Protocol
ARIN exhausted its IPv4 free-pool September 24, 2015
Expanding Cyber Ecosystem: IPv6, Cloud, IoT, Mobile, Information & Operational Technology convergence
IP is a fundamental enabler of Connectivity

IP Dual Stack Latent Threat
Two pathways into Your Data
• IPv4 ingress/egress traffic
• IPv6 ingress/egress traffic
• Must manage both (dual-stack)
• All nodes – host and network
• IPv6 preferred by standard
• Dual-stack is IPv6 half done

| PROPERTY | IPv4 | IPv6 |
|---|---|---|
| Address size and network size | 32 bits, network size 8-30 bits | 128 bits, network size 64 bits |
| Packet header size | 20-60 bytes | 40 bytes |
| Header-level extension | Limited number of small IP options | Unlimited number of IPv6 extension headers |
| Fragmentation | Sender or any intermediate router allowed to fragment | Only sender may fragment |
| Control protocols | Mixture of non-IP (ARP), ICMP, and other protocols | All control protocols based on ICMPv6 |
| Minimum allowed MTU | 576 bytes | 1280 bytes |
| Path MTU discovery | Optional, not widely used | Strongly recommended |
| Address assignment | Usually one address per host | Usually multiple addresses per interface |
| Address types | Use of unicast, multicast, and broadcast address types | Broadcast addressing no longer used, use of unicast, multicast and anycast address types |
| Address configuration | Devices configured manually or with host configuration protocols like DHCP | Devices configure themselves independently using stateless address auto-configuration (SLAAC) or use DHCP |

Differences between IPv4 and IPv6
Source: National Institute of Standards and Technology (NIST)
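
An added example, not part of the original slides, of checking both pathways on a dual-stack host: it parses a constructed sample of `ss -H -tln` output and reports ports reachable over each address family that the matching policy never reviewed. The sample lines, the function names, and the reviewed-port sets are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 [::]:9100 [::]:*
LISTEN 0 4096 *:8443 *:*
"""

def parse_listener(line):
    """Return (families, address, port) for one LISTEN line."""
    local = line.split()[3]                    # Local Address:Port column
    host, _, port = local.rpartition(":")
    host = host.split("%")[0].strip("[]")      # drop any %zone suffix and brackets
    if host == "*":
        # Assumption: `*` is treated as a wildcard socket accepting both families.
        return {4, 6}, None, int(port)
    addr = ipaddress.ip_address(host)
    return {addr.version}, addr, int(port)

def reachable_ports(ss_text):
    """Map address family -> ports listening on a non-loopback address."""
    ports = {4: set(), 6: set()}
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        families, addr, port = parse_listener(line)
        if addr is not None and addr.is_loopback:
            continue                           # not reachable from the network
        for family in families:
            ports[family].add(port)
    return ports

def dual_stack_gaps(ss_text, reviewed_v4, reviewed_v6):
    """Ports exposed per family that the matching policy never reviewed."""
    ports = reachable_ports(ss_text)
    return {
        "ipv4_unreviewed": sorted(ports[4] - reviewed_v4),
        "ipv6_unreviewed": sorted(ports[6] - reviewed_v6),
        "ipv6_only_listeners": sorted(ports[6] - ports[4]),
    }

if __name__ == "__main__":
    # Hypothetical policy: ports reviewed in the IPv4 and IPv6 rule sets.
    print(dual_stack_gaps(SS_SAMPLE, reviewed_v4={22, 8443}, reviewed_v6={22}))
```

A non-empty `ipv6_unreviewed` list is the "IPv6 half done" condition from the slide: the service is reachable over the second pathway while only the IPv4 rule set has been managed.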

Reduced Threat Exposure
Dual Stack = increased threat surface
Cybersecurity as a design requirement
Divest old IT and remove legacy dependencies
IPv6 “only” reduces threat exposure
Source: Sandia National Laboratories: Cyber-e Infrastructure Assurance

Cyber Safeguards for IT
» Information Technology Cybersecurity:
• Confidentiality, Integrity, Availability
• Secure information and communication technologies (ICT)
• Information available to authorized users
Source: Sandia National Laboratories: Research Engineering Cyber Operations Intelligence Lab

Risks/Mitigations
Facts – Certainty
• IPv4 exhaustion
• IPv6 expansion
• ICT innovation
Risks – If this risk, then that consequence
• If technical relevance is lost, then organizational connectivity will be ineffectual
Concerns – What ifs
• What if the competition understands new technology first?
Opportunities – What could be
• ICT Cybersecurity ready for the foreseeable future
Challenges – Obstacles
• Workforce readiness is the #1 challenge
Risks/Mitigations
• Organizational
• Administrative
• Operational
• Technical
Source: DHS Cybersecurity Framework

Resilience
Level of Concern
• Life Safety
• Energy
• Communications
• Roles and Responsibilities
• Business Continuity Planning
• Emergency Management
• Continuity of Operations
• IT Disaster Recovery
• High Availability
• Redundancy
• Alternate Facilities
• Cyber-Physical Security
Level of Effort
• Multi-jurisdictional
• Supply Chain
• Inter-organizational
• Organizational
• Administrative
• Operational
• Technical
Is our cyber dog digging in for resilience or just burying her head in the sand?
External Threat Vectors
• Natural Disaster
• Physical Disruption
• Cyber Disruption
• Resource Disruption

Critical Infrastructure Sectors
IT & Communications Sector Impacts:
Multi-Domain Integration
Unprecedented Growth
Increased Complexity
Increased Risk

Critical Infrastructure Sectors
» Department of Homeland Security defined critical infrastructure sectors
» Innovations in the IT & Communications sectors are applicable across all other sectors
Source: Sandia National Laboratories: Resilient Infrastructure Systems

Cyber Safeguards for OT
» Operational Technology Cybersecurity:
• Availability, Integrity, Confidentiality
• Secure industrial control systems (ICS), supervisory control and data acquisition (SCADA)
• Service available to authorized customers

Cyber and Infrastructure Security
Source: Sandia National Laboratories: Cyber and Infrastructure Security

IT; Communications; Government Facilities; Financial Services; Commercial Facilities
Information Assurance

Information Assurance
» Data Governance
» Crosscutting ICT Dependencies
» IT Cybersecurity
» Multi-Domain Integration
» Emergent Cyber Ecosystem Technologies
Source IPv6 Forum: http://www.ipv6forum.org (accessed 8-9-2017)

Emergency Services; Healthcare and Public Health; Transportation; Defense Industrial Base; Critical Manufacturing
Communications

Emergency Communications
» Emergency Services
• 911
» Enhanced 911 (E911)
• Geo-Location, automated number & location information
» Next Generation 911 (ng911)
• Voice, Video, Data
» FirstNet
• Emergent - National broadband public safety network
» APCO Project 25
• Emergent: 700-800 MHz Digital Narrow Banding
• IT Backend Radio Management Systems
• Legacy: Land Mobile Radio
Source: Sandia National Laboratories: Resilient Infrastructure Systems

Mobile Communications
» Space
• Satellite broadband
» Air
• Manned/Unmanned aerial vehicle fleets
» Land
• Manned/Unmanned terrestrial vehicle fleets
» Sea
• Oceanic shipping fleets
» Tracking
• Distributed sensor networks
• Personnel
• Materials
• Provenance
[Diagram labels: Space (Satellite); Aerial (Aircraft/UAV); Terrestrial (Fleets/Automated Self-Driving); Oceanic (Shipping/Tracking); Distributed Sensor Networks (Materials, Personnel, & Provenance); IPv6 Internet]

Energy; Dams; Water, Waste Water Systems; Nuclear Reactors, Materials, & Waste; Food & Agriculture; Chemical
Industrial Control Systems, Supervisory Control and Data Acquisition

Industrial Control Systems, Supervisory Control and Data Acquisition
» OT/IT
» Cyber/Physical
» Grid Modernization
» Smart Grid Technology
» Smart Meters
» Distributed Sensor Networks

Multi-Domain Innovation
» Mesh Networks
• Constrained compute, communications, power devices
» Mobile Networks
• Space, air, land, sea
» High Performance Computing
• Machine Learning
• Peta to exascale
» Distributed Sensor Networks
• Internet of Things
• Machine-to-machine communications
» Information Centric Networks
• Named data networks/named based routing
» Quantum Computing
• Quantum-scale phenomena for computational data
• Encryption
[Diagram labels: Mesh Networks; Mobile Networks; High Performance Computing; Distributed Sensor Networks; Information Centric Networks; Quantum Computing; IPv6 Internet]

Legacy Dependency Risk
» Legacy Technology Dependence
• If an organization relies too heavily on legacy technologies, then the:
- business continuity risk of insufficient connectivity is increased
- risk of insufficient information assurance through lack of new technology protection mechanisms is increased
- risk of reduced life-safety response is increased in emergency communications
- risk of insufficient OT/IT integration is increased
- risk of insufficient operational technology security is increased
- risk of insufficient critical infrastructure service availability, diversification, and security is increased
• Mitigations
- IT/Communications/OT/ICS/SCADA modernization with cyber security, physical security, and resilience as design requirements

Emergent Tech and Automation Risk
» Emergent Technology
• If an organization does not appropriately secure emerging IT, communications, OT, and ICS/SCADA, then a risk of insufficient cyber visibility, protection, and incident response capability is increased
• Mitigations
- executive championship for a skilled cyber workforce with cybersecurity, physical security, and resilience as design requirements
» Automation
• If an organization does not appropriately secure automated computational, networked, and virtualized information services, then a risk of unseen information asset compromise is increased
• Mitigation
- execution of standards-based & industry best practices with cybersecurity, physical security, and resilience as design requirements

Reduce Risk Exposure or “CPR for Information Systems”
CPR “Baked-in” Design Requirements
• Cybersecurity
• Physical Security
• Resilience
Science-based Cyber Research and Development
• Obfuscation, Emulytics, Provenance, Correlation
Four phase automated defense concept
• Behavior, Situational, Rapid Response
• Cyber/Physical
• Homeland Security Advisory System
• Low, Guarded, Elevated, High, Severe
Source: Sandia National Laboratories: Cyber-e: National Cyber Defense High Performance Computing & Analysis: Concepts, Planning and Roadmap

So… What could go wrong?
» Natural Disaster
• Super Storm Sandy (2012), Hurricane Harvey
» Human Error
• Under pressure, fatigue, lack of training or skills
» Malicious Intent
• Sniper takes substation San Jose California (2013)
» Misconfiguration
• Manual or automated when technology changes
» Unintended Consequences
• Due to lack of knowledge with embedded/new technology
» Local Causality to Wide Area Disruption
• Trees take out Northeast grid (2003)
» Cyber Causality to Physical Disruption
• Cyber disruption with ICS consequences, i.e. smart grid
» Physical Causality to Cyber Disruption
• Physical disruption with cyber consequences, i.e. facilities or communications failure
NYC After Tropical Storm Sandy - Local microgrids provided energy reliability, security, and mission assurance
Source: Sandia National Laboratories: Energy Storage

Grid Modernization
Source: Quadrennial Energy Review / Second Installment | Department of Energy

Cyber Workforce Call to Action
Training, Education, and Awareness
• Who - Everyone with cyber or physical access
• What - recognize and report unusual content and activity
• Why - importance of policies and procedures
• How - Training, certification, and higher education
New Skilled Cyber Workforce Fundamentals
• IPv6: “basics to expert” to meet roles and responsibilities
• Cybersecurity big picture: Human element, information, services, applications, systems, network, operations
• Secure App Development: programming + security
Source: Sandia National Laboratories: Cyber Engineering Research Laboratory, Research Engineering Cyber Operations Intelligence Lab

Practices, Standards, & Teaming
Best Practices
• (ISC)2 Certifications
• Center for Internet Security: 20 Critical controls
Standards-based IT/OT Integration
• Internet Engineering Task Force
• Institute of Electrical and Electronics Engineers
• National Institute of Standards and Technology
Interdisciplinary Teaming
• IT Cybersecurity
• OT Cybersecurity
• Physical Security
• Resilience
• Critical Infrastructure Stakeholders
Source: International Information Systems Security Certification Consortium: www.isc2.org/certifications

Return on Investment
» Internet modernization offers a favorable return on investment as vast as the new cyber ecosystem itself
» Procurement since 2010 has IPv6 in all modern operating systems
» Training is a short-term investment with long-term gain
» Executive championship to promote the workforce skill development relevant to the needs of the future
» OT/IT/Communications/ICS/SCADA ready for the future
» Critical infrastructure modernized, secure, protected, and resilient

Cusp of a New Cyber Ecosystem
» A professionally qualified cyber workforce is required to seize opportunities in advanced infrastructure services and deliver sufficient protection in an expanding cyber ecosystem
» Reduce threat exposure and complexity by moving away from old technologies to new technologies
» Reduce risk in new technology deployment with cyber and physical security and resilience as design requirements from the start

References
» APCO Project-25 Document Suite: Reference P25 SDR, January 14, 2010
» APCO Project 25 Statement of Requirements (P25 SoR), March 3 2010
» National Public Safety Telecommunications Council, Public Safety Broadband High-Level Launch Requirements: Statement of Requirements for FirstNet Consideration, December 7, 2012
» Cisco White Paper: A Standardized and Flexible IPv6 Architecture for Field Area Networks: Smart Grid Last-Mile Infrastructure, Referencing BC Hydro IPv6 deployment, January 2014
» IoT – IPv6 integration handbook for SMEs: M. R. Palattella, L. Ladid, S Ziegler, W Kastner, M. Jung, M. Kofler, D. D. Drajic, S Krco, G. Nam, R. M. Perez, May 19, 2014
» United States Government Accountability Office, Testimony Before the Committee on Commerce, Science, and Transportation, U.S. Senate: Preliminary Information on FirstNet’s Efforts to Establish a Nationwide Broadband Network, March 11, 2015
» Named Data Networking Next Phase (NDP-NP) Project, May 2015 – April 2016 Annual Report, Principal Investigators – V. Jacobson, J. Burke, L. Zhang, T. Abdelzaher, B. Zhang, kc claffy, P. Crowley, J. A. Halderman, C. Papadopolis, L. Wang
» iCenS: An Information-Centric Smart Grid Network Architecture, R. Tourani, S. Misra, T. Mick, S. Brama, M. Biswal, D. Ameme, Department of Computer Science and Electrical Engineering, New Mexico State University, Received April 4, 2017
» U.S. Department of Energy, Quadrennial Energy Review - Transforming the Nation’s Electricity System: The Second Installment of the QER, January 2017: https://energy.gov/epsa/quadrennial-energy-review-second-installment
» International Information Systems Security Certification Consortium (ISC)2, Booz | Allen | Hamilton, Center for Cyber Safety and Education: 2017 Global Information Security Workforce Study: U.S. Government Results, Educating The Workforce in Cyber
» IPv6 Security by Scott Hogg and Eric Vyncke: ISBN-13 978-1-58705-594-2, ciscopress.com ©2009 Cisco Systems Inc.
» Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, and Patrick Grossetete: ISBN: 15870552105, Sixth Printing July 2011 ©2006 Cisco Systems Inc.
» Scientific American, The 2003 Northeast Blackout—Five Years Later: https://www.scientificamerican.com/article/2003-blackout-five-years-later/
» IPv6 Forum: http://www.ipv6forum.org
» American Registry for Internet Numbers: https://www.arin.net/vault/announcements/2015/20150924.html, https://www.arin.net/knowledge/preparing_apps_for_v6.pdf
» Institute of Electrical and Electronics Engineers (IEEE): https://www.ieee.org/index.html
» Internet Engineering Task Force (IETF): https://www.ieee.org/index.html

Mahalo Nui Loa, Thank you!
» Questions please
CISSP IPv6 Gold Certified Engineer
Sandia National Laboratories
Comp Sys Security Analysis R&D
The opinions expressed are my own and not necessarily those of my employer