Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt

Jerome Athias <athiasjerome@gmail.com> Fri, 24 January 2014 09:17 UTC

In-Reply-To: <52E1CBB5.6000906@ieee.org>
References: <20140122155745.18162.21877.idtracker@ietfa.amsl.com> <52E1CBB5.6000906@ieee.org>
Date: Fri, 24 Jan 2014 12:17:40 +0300
Message-ID: <CAA=AuEeREPVE5XtbfcVDjdkS=YiQReUyu8t23VxLx6Ro9+1tVA@mail.gmail.com>
From: Jerome Athias <athiasjerome@gmail.com>
To: murillo@ieee.org
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "mile@ietf.org" <mile@ietf.org>
Subject: Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt

Hi,

from what I know (which is limited), and as you mention, this ICS area
is often also called Critical Infrastructures (CIs), or SCADA

for a little bit of background, we could explore the Cybersecurity Framework
Example references
http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
http://www.ictqatar.qa/en/documents/download/National%20Industrial%20Control%20Systems%20Security%20Standard-English.pdf
ANSI/ISA-99.02.01-2009

I don't have enough knowledge about the status and adoption of the
different efforts in terms of XML representation/format/standards
http://xml.coverpages.org/emergencyManagement.html
and resilience

It would maybe be possible to obtain information from there
http://ics-cert.us-cert.gov
http://ics-isac.org/

My first feedback is that it looks like an interesting extension.

I would suggest focusing on the reuse of existing Taxonomies, or
references to them.

As such, for [Industry], maybe
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012
ISO 3166 (Country Codes)


[TargetSystems], I (personally) don't like the word "system" and prefer "asset"

[CompromisedPhysicalInfrastrucute] (with a typo ;p) seems to be a
category of "Infrastructure" (or group of assets)


[EntryPoint] could be ok since it could be a little bit different from
"endpoint"

[PerpetratingParty] seems to reference "Threat Actor" or "Threat
Agent" or "Attacker"

[RecurrencePreventionMeasures] is this Security Controls? (and
Mitigations/Remediations)
Reference: https://web.nvd.nist.gov/view/800-53/control?controlName=AC-3&type=1


Describing an [Exploit] is not so easy (depending on the level of
details wanted/needed)

Figure 1 (or "Diagram 1") is interesting, (of course it is different
from, i.e. CAESARS), it MAYBE could be more layered
http://www.isa.org/InTechTemplate.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=94401

(To follow: ENISA CDXI)


Some typos



Next step: more XML focused ;)


My 2 bitcents

2014/1/24 Martin Murillo <murillo@ieee.org>:
> Dear all,
>
> Please find below a link to a proposed draft for extending IODEF for the
> reporting of cyber-physical system incidents. These systems are often
> referred to as Operational Technology Systems, Industrial Control Systems,
> Automatic Control Systems, or simply Control Systems.
>
> Cyber-Physical systems have been around for decades. However, they are now
> at a higher risk of being the target of attacks by individual highly-skilled
> attackers, organized groups, nation-states, or simply suffer repercussions
> of mainstream IT cyber-attacks. While over 90% of critical control system
> infrastructure is currently owned by private enterprises, these can have
> direct repercussions on national security of world nations. Indeed, various
> of these systems are key parts of nuclear reactor facilities, transportation
> systems, electric power distribution, oil and natural gas distribution,
> health care, water and waste-water treatment, dam infrastructure, missile
> and defense systems, and others. The disruption of these control systems
> could have a significant impact on public health, safety, and lead to large
> economic losses.
>
> Among the issues that catalyze this higher risk are:
>
> i) these systems are gradually becoming more interconnected, ii) legacy
> systems do not have proper cybersecurity protection, iii) the existence of
> highly-skilled individuals and motivations, iv) some of these systems are
> generally considered critical, v) these are a natural extension of IT
> cyber-attacks, vi) the emergence of the Internet of Things (IOT), and vii)
> these attacks can be carried out remotely and quite inexpensively.
>
> While there might exist national approaches to deal with incidents, there's
> the need for a global international approach that will engulf governments,
> private organizations and other stakeholders. IETF, as a leading global
> Internet standards organization, seeks to satisfy this need through open
> standards that seek to encompass issues that are critical for the global
> community.
>
> Feedback at two levels is welcome:
>
> 1. On the existence and inclusion either by utilizing any already existing
> industry formats (XML-encoded) and/or by utilizing atomic data
> 2. Contributions on making the extension (and background information) more
> comprehensive, accurate and principally useful for the community
>
> Look forward to feedback and other input!
>
> Martin Murillo
>
> A new version of I-D, draft-murillo-mile-cps-00.txt
> has been successfully submitted by Martin Murillo and posted to the
> IETF repository.
>
> Name:           draft-murillo-mile-cps
> Revision:       00
> Title:          IODEF extension for Reporting Cyber-Physical System
> Incidents
> Document date:  2014-01-21
> Group:          Individual Submission
> Pages:          24
> URL:            http://www.ietf.org/internet-drafts/draft-murillo-mile-cps-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-murillo-mile-cps/
> Htmlized:       http://tools.ietf.org/html/draft-murillo-mile-cps-00
>
>
> Abstract:
>    This draft document will extend the Incident Object Description
>    Exchange Format (IODEF) defined in [RFC5070] to support the reporting
>    of incidents dealing with attacks to physical infrastructure through
>    the utilization of IT means as a vehicle or as a tool.  These systems
>    might also be referred to as Cyber-Physical Systems (CPS), Operational
>    Technology Systems, Industrial Control Systems, Automatic Control
>    Systems, or simply Control Systems.  These names are used
>    interchangeably in this document.  In this context, an incident is
>    generally the result of a cybersecurity issue whose main goal is to
>    affect the operation of a CPS.  It is considered that any
>    unauthorized alteration of the operation is always malign.  This
>    extension will provide the capability of embedding structured
>    information, such as identifier- and XML-based information.  In its
>    current state, this document provides important considerations for
>    further work in implementing Cyber-Physical System incident reports,
>    either by utilizing any already existing industry formats
>    (XML-encoded) and/or by utilizing atomic data.
>
>    In addition, this document should provide appropriate material for
>    helping make due considerations in making an appropriate decision
>    on how a CPS reporting is done: 1) through a data format extension to
>    the Incident Object Description Exchange Format [RFC5070], 2) forming
>    part of an already existing IODEF-extension for structured
>    cybersecurity information (currently draft
>    draft-ietf-mile-sci-11.txt), or others.  While the format and
>    contents of the present document fit more the earlier option, these
>    can also be incorporated into the latter.
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
>
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
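The thread above makes two points a report format has to reconcile: the draft wants CPS-specific fields (Industry, TargetSystems, EntryPoint, PerpetratingParty, RecurrencePreventionMeasures), and the reply argues for reusing existing taxonomies (NAICS for industry, ISO 3166 for country, SP 800-53 control identifiers for preventive measures) rather than free text. The following Python is an added illustration written for this page; it is not code from the draft, from its author, or from the MILE working group. It embeds such fields in an RFC 5070 IODEF document via `AdditionalData dtype="xml"`, which is how IODEF 1.0 carries extension data, and then checks every coded field against its controlled vocabulary. The extension namespace, the XML shape of the elements and the taxonomy subsets are assumptions, marked in the comments.

```python
"""Build and check an IODEF (RFC 5070) incident report that carries
cyber-physical-system data inside AdditionalData.

Added illustration for this thread, not code from the draft or the working
group.  Assumptions, labelled as such:
  - the extension namespace URN is invented for this example;
  - the element names follow the field names discussed in the thread, but
    their XML shape (attributes, nesting) is assumed;
  - the taxonomies are small constructed subsets of NAICS 2012, ISO 3166-1
    alpha-2 and NIST SP 800-53 control identifiers, not the full lists.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # RFC 5070 namespace
CPS_NS = "urn:example:iodef-cps-extension"     # ASSUMED placeholder, not a registered URN

# Constructed subsets of real taxonomies, used here as controlled vocabularies.
NAICS_2012 = {
    "2211": "Electric Power Generation, Transmission and Distribution",
    "2213": "Water, Sewage and Other Systems",
    "4861": "Pipeline Transportation of Crude Oil",
}
ISO_3166_ALPHA2 = {"US", "QA", "FR", "DE"}
SP800_53_CONTROLS = {"AC-3", "AC-17", "SC-7", "SI-4"}

ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("cps", CPS_NS)


def _q(ns, name):
    """Clark-notation qualified tag, e.g. {urn:...}Incident."""
    return "{%s}%s" % (ns, name)


def build_report(incident_id, country, naics, controls, entry_point, actor):
    """Return an IODEF-Document whose Incident carries the CPS fields in AdditionalData."""
    doc = ET.Element(_q(IODEF_NS, "IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, _q(IODEF_NS, "Incident"), {"purpose": "reporting"})
    # RFC 5070 requires IncidentID, ReportTime, Assessment and Contact on every Incident.
    ET.SubElement(inc, _q(IODEF_NS, "IncidentID"), {"name": "csirt.example"}).text = incident_id
    ET.SubElement(inc, _q(IODEF_NS, "ReportTime")).text = "2014-01-24T09:17:40+00:00"
    assessment = ET.SubElement(inc, _q(IODEF_NS, "Assessment"))
    ET.SubElement(assessment, _q(IODEF_NS, "Impact"), {"type": "dos", "severity": "high"})
    contact = ET.SubElement(inc, _q(IODEF_NS, "Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, _q(IODEF_NS, "ContactName")).text = "Example CSIRT"
    # Extension payload: dtype="xml" is the IODEF 1.0 hook for foreign-namespace content.
    extra = ET.SubElement(inc, _q(IODEF_NS, "AdditionalData"), {"dtype": "xml"})
    cps = ET.SubElement(extra, _q(CPS_NS, "CPSIncident"))  # assumed element name
    # Coded fields reference an external taxonomy via a "scheme" attribute (assumed design).
    ET.SubElement(cps, _q(CPS_NS, "Industry"), {"scheme": "NAICS-2012"}).text = naics
    ET.SubElement(cps, _q(CPS_NS, "Country"), {"scheme": "ISO-3166-1-alpha-2"}).text = country
    ET.SubElement(cps, _q(CPS_NS, "EntryPoint")).text = entry_point
    ET.SubElement(cps, _q(CPS_NS, "PerpetratingParty")).text = actor
    for ctrl in controls:
        ET.SubElement(cps, _q(CPS_NS, "RecurrencePreventionMeasure"),
                      {"scheme": "NIST-SP800-53"}).text = ctrl
    return doc


def check_vocabularies(doc):
    """Return (element, value) pairs for coded fields that are not in their taxonomy."""
    allowed_by_tag = {
        _q(CPS_NS, "Industry"): NAICS_2012.keys(),
        _q(CPS_NS, "Country"): ISO_3166_ALPHA2,
        _q(CPS_NS, "RecurrencePreventionMeasure"): SP800_53_CONTROLS,
    }
    findings = []
    for el in doc.iter():  # document order
        allowed = allowed_by_tag.get(el.tag)
        if allowed is not None and el.text not in allowed:
            findings.append((el.tag.split("}")[1], el.text))
    return findings


def to_xml(doc):
    """Serialise with the registered iodef:/cps: prefixes."""
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    report = build_report("CPS-2014-0001", "US", "2211", ["AC-3", "SC-7"],
                          "remote-access VPN gateway", "unknown")
    print(to_xml(report))
    print("findings:", check_vocabularies(report))
```

The checker is the practical payoff of the taxonomy-reuse suggestion: because Industry, Country and the preventive measures are codes from published lists rather than prose, a receiving CSIRT can reject or flag a report mechanically, and two organisations describing the same utility sector will produce the same value.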