Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
36 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings the gaps in information about the status of cybersecurity collected by going through custom checklists. Vulnerability and Robustness Testing While testing systems that provide open services and nodes in the telecommunication backbone (Web servers, routers, etc.) for vulnerabilities has a long history in cybersecurity research, supervisory control and data acquisition control system networks are new arenas for testing, and the focus has only recently shifted to critical infrastructure protec- tion. Testing the communication networks serving human/ machine interface systems and control systems often requires novel and custom tools, due to proprietary and closed-source solutions in contrast to the more open archi- tectures such as the Internet. Although various solutions exist, targeting known commu- nication system vulnerabilities such as malware and virus scanners, vulnerability scanners, and intrusion-detection systems, they are severely dependent on updates or train- ing. Therefore, it is equally important to scan communica- tion systems for unknown vulnerabilities and to verify their robustness. A dynamic analysis method known as "fuzz- ing" can test communication protocol stacks in industrial control systems (ICSs) for unknown vulnerabilities. Fuzzing relies on "fuzzy" logic (a method that recognizes more than just "true" or "false" values) and seeks to trigger completely unexpected behavior in the software under test. example, a suffcient information security policy document is approximately 10 to 15 pages and covers topics, including: • security and safety policy defnition, scope, goal, and strategy; • scope and assets; • supporting infrastructure security and safety; • criticality assessment; • security and safety related to third parties; • information security organization, including roles and responsibility, operational procedures, security/safety training and awareness; • security and safety requirements; • critical system operational security; • incident handling and management; • disaster recovery plans. Cybersecurity Auditing To audit control system information security, we use an approach based on crisis intervention and operability anal- ysis, which evaluates the control center personnel's abil- ity to handle all modes of operation safely and effciently. The method uses checklists and step-diagrammed sce- narios to capture chains of events that will potentially lead to accidents or incidents and to identify critical mitigating actions. 11 Scenario walkthroughs can uncover critical decision mecha- nisms and verify personnel's ability to handle surprises and recover to normal operations. Moreover, the scenarios fll in Ops. disrupted Disrupted Start op. Install new Fails SERVER PLC net Repairman Driller Dissatisfed employee Connect from terminal In this scenario, a driller's chair backup human/machine interface server fails irreparably and personnel replace it with a new computer. However, the server is connected to the drilling programmable logic controller network and the supervisory control and data acquisition network. A dissatis- fed employee connects to the new backup server from an offce terminal via remote desktop and accesses the programmable logic controller network to disrupt operations. Step diagram of a possible breach of network segregation on a vessel.