Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt
Jerome Athias <athiasjerome@gmail.com> Fri, 24 January 2014 09:17 UTC
In-Reply-To: <52E1CBB5.6000906@ieee.org>
References: <20140122155745.18162.21877.idtracker@ietfa.amsl.com> <52E1CBB5.6000906@ieee.org>
Date: Fri, 24 Jan 2014 12:17:40 +0300
Message-ID: <CAA=AuEeREPVE5XtbfcVDjdkS=YiQReUyu8t23VxLx6Ro9+1tVA@mail.gmail.com>
From: Jerome Athias <athiasjerome@gmail.com>
To: murillo@ieee.org
Cc: "mile@ietf.org" <mile@ietf.org>
Subject: Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt
Hi,

from what I know (which is limited), and as you mention, this ICS area is often also called Critical Infrastructures (CIs), or SCADA.

For a little bit of background, we could explore the Cybersecurity Framework example references:
http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
http://www.ictqatar.qa/en/documents/download/National%20Industrial%20Control%20Systems%20Security%20Standard-English.pdf
ANSI/ISA-99.02.01-2009

I don't have enough knowledge about the status and adoption of the different efforts in terms of XML representation/format/standards
http://xml.coverpages.org/emergencyManagement.html
and resilience.

It would maybe be possible to obtain information from there:
http://ics-cert.us-cert.gov
http://ics-isac.org/

My first feedback is that it looks like an interesting extension.
I would suggest focusing on the reuse of existing taxonomies, or references to them. As such:

for [Industry], maybe http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012
and ISO 3166 (Country Codes)

[TargetSystems]: I (personally) don't like the word "system" and prefer "asset"

[CompromisedPhysicalInfrastrucute] (with a typo ;p) seems to be a category of "Infrastructure" (or group of assets)

[EntryPoint] could be ok since it could be a little bit different from "endpoint"

[PerpetratingParty] seems to reference "Threat Actor" or "Threat Agent" or "Attacker"

[RecurrencePreventionMeasures]: is this Security Controls? (and Mitigations/Remediations)
Reference: https://web.nvd.nist.gov/view/800-53/control?controlName=AC-3&type=1

Describing an [Exploit] is not so easy (depending on the level of detail wanted/needed)

Figure 1 (or "Diagram 1") is interesting (of course it is different from, i.e., CAESARS); it MAYBE could be more layered
http://www.isa.org/InTechTemplate.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=94401
(To follow: ENISA CDXI)

Some typos

Next step: more XML focused ;)

My 2 bitcents

2014/1/24 Martin Murillo <murillo@ieee.org>:
> Dear all,
>
> Please find below a link to a proposed draft for extending IODEF for the
> reporting of cyber-physical system incidents. These systems are often
> referred to as Operational Technology Systems, Industrial Control Systems,
> Automatic Control Systems, or simply Control Systems.
>
> Cyber-Physical systems have been around for decades. However, they are now
> at a higher risk to be the target of attacks by individual highly-skilled
> attackers, organized groups, nation-states, or simply suffer repercussions
> of mainstream IT cyber-attacks. While over 90% of critical control system
> infrastructure is currently owned by private enterprises, these can have
> direct repercussions on the national security of world nations. Indeed, various
> of these systems are key parts of nuclear reactor facilities, transportation
> systems, electric power distribution, oil and natural gas distribution,
> health care, water and waste-water treatment, dam infrastructure, missile
> and defense systems, and others. The disruption of these control systems
> could have a significant impact on public health and safety, and lead to large
> economic losses.
>
> Among the issues that catalyze this higher risk are:
>
> i) these systems are gradually becoming more interconnected, ii) legacy
> systems do not have proper cybersecurity protection, iii) the existence of
> highly-skilled individuals and motivations, iv) some of these systems are
> generally considered critical, v) these are a natural extension of IT
> cyber-attacks, vi) the emergence of the Internet of Things (IoT), and vii)
> these attacks can be carried out remotely and quite inexpensively.
>
> While there might exist national approaches to deal with incidents, there's
> a need for a global international approach that will engulf governments,
> private organizations and other stakeholders. IETF, as a leading global
> Internet standards organization, seeks to satisfy this need through open
> standards that seek to encompass issues that are critical for the global
> community.
>
> Feedback at two levels is welcome:
>
> 1. On the existence and inclusion either by utilizing any already existing
> industry formats (XML-encoded) and/or by utilizing atomic data
> 2. Contributions on making the extension (and background information) more
> comprehensive, accurate and principally useful for the community
>
> Look forward to feedback and other input!
>
> Martin Murillo
>
> A new version of I-D, draft-murillo-mile-cps-00.txt
> has been successfully submitted by Martin Murillo and posted to the
> IETF repository.
>
> Name: draft-murillo-mile-cps
> Revision: 00
> Title: IODEF extension for Reporting Cyber-Physical System Incidents
> Document date: 2014-01-21
> Group: Individual Submission
> Pages: 24
> URL: http://www.ietf.org/internet-drafts/draft-murillo-mile-cps-00.txt
> Status: https://datatracker.ietf.org/doc/draft-murillo-mile-cps/
> Htmlized: http://tools.ietf.org/html/draft-murillo-mile-cps-00
>
> Abstract:
> This draft document will extend the Incident Object Description
> Exchange Format (IODEF) defined in [RFC5070] to support the reporting
> of incidents dealing with attacks to physical infrastructure through
> the utilization of IT means as a vehicle or as a tool. These systems
> might also be referred to as Cyber-Physical Systems (CPS), Operational
> Technology Systems, Industrial Control Systems, Automatic Control
> Systems, or simply Control Systems. These names are used
> interchangeably in this document. In this context, an incident is
> generally the result of a cybersecurity issue whose main goal is to
> affect the operation of a CPS. It is considered that any
> unauthorized alteration of the operation is always malign. This
> extension will provide the capability of embedding structured
> information, such as identifier- and XML-based information. In its
> current state, this document provides important considerations for
> further work in implementing Cyber-Physical System incident reports,
> either by utilizing any already existing industry formats (XML-
> encoded) and/or by utilizing atomic data.
>
> In addition, this document should provide appropriate material for
> helping to make due considerations in making an appropriate decision
> on how CPS reporting is done: 1) through a data format extension to
> the Incident Object Description Exchange Format [RFC5070], 2) forming
> part of an already existing IODEF extension for structured
> cybersecurity information (currently draft
> draft-ietf-mile-sci-11.txt), or others. While the format and
> contents of the present document fit the former option better, these
> can also be incorporated into the latter.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
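The suggestion above, to carry references to existing taxonomies (NAICS for the sector, ISO 3166 for the country, SP 800-53 control identifiers for RecurrencePreventionMeasures) rather than free text, can be made concrete with a small script. The following is an added example and is neither the draft's schema nor code from anyone in this thread: it builds an RFC 5070 IODEF-Document with the CPS material embedded in AdditionalData dtype="xml", then checks that every taxonomy reference has the shape its taxonomy prescribes. The IODEF 1.0 namespace URI is the real one from RFC 5070; the cps: namespace URI, the taxonomy/code/id attribute names and all sample values (incident ID, asset name, NAICS code) are assumptions constructed for this example.

```python
"""Build and sanity-check an IODEF 1.0 (RFC 5070) report carrying a CPS extension.

Element names (Industry, TargetSystems, EntryPoint, PerpetratingParty,
RecurrencePreventionMeasures) follow the names discussed in the thread. The
CPS namespace URI, the taxonomy/code/id attributes and the sample values are
assumptions made for this example, not the draft's schema.
"""
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace (real)
CPS_NS = "urn:example:iodef-cps-extension"      # assumed for this example only

ET.register_namespace("iodef", IODEF_NS)
ET.register_namespace("cps", CPS_NS)

# Shape of a valid reference for each taxonomy we accept (assumed conventions).
TAXONOMY_PATTERNS = {
    "NAICS-2012": re.compile(r"^\d{2,6}$"),              # 2- to 6-digit NAICS code
    "ISO3166-1": re.compile(r"^[A-Z]{2}$"),              # alpha-2 country code
    "NIST-SP800-53": re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$"),  # e.g. AC-3, AC-3(4)
}


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def build_report():
    """Construct a minimal IODEF incident with the CPS extension (sample data)."""
    doc = ET.Element(q(IODEF_NS, "IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q(IODEF_NS, "Incident"), {"purpose": "mitigation"})
    ET.SubElement(inc, q(IODEF_NS, "IncidentID"), {"name": "csirt.example.net"}).text = "CPS-2014-0001"
    ET.SubElement(inc, q(IODEF_NS, "ReportTime")).text = "2014-01-24T09:17:40+00:00"
    assessment = ET.SubElement(inc, q(IODEF_NS, "Assessment"))
    ET.SubElement(assessment, q(IODEF_NS, "Impact"),
                  {"severity": "high", "completion": "succeeded", "type": "dos"})
    contact = ET.SubElement(inc, q(IODEF_NS, "Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q(IODEF_NS, "ContactName")).text = "Example Utility CSIRT"

    # The extension rides inside AdditionalData with dtype="xml", as RFC 5070 allows.
    add = ET.SubElement(inc, q(IODEF_NS, "AdditionalData"), {"dtype": "xml"})
    cps = ET.SubElement(add, q(CPS_NS, "CPSIncident"))
    # Taxonomy references instead of free text (sample values).
    ET.SubElement(cps, q(CPS_NS, "Industry"), {"taxonomy": "NAICS-2012", "code": "221122"})
    ET.SubElement(cps, q(CPS_NS, "Country"), {"taxonomy": "ISO3166-1", "code": "US"})
    targets = ET.SubElement(cps, q(CPS_NS, "TargetSystems"))
    ET.SubElement(targets, q(CPS_NS, "Asset"), {"kind": "PLC"}).text = "substation-plc-07"
    ET.SubElement(cps, q(CPS_NS, "EntryPoint")).text = "vendor remote-maintenance VPN"
    ET.SubElement(cps, q(CPS_NS, "PerpetratingParty"), {"category": "threat-actor"}).text = "unknown"
    measures = ET.SubElement(cps, q(CPS_NS, "RecurrencePreventionMeasures"))
    ET.SubElement(measures, q(CPS_NS, "Control"), {"taxonomy": "NIST-SP800-53", "id": "AC-3"})
    return doc


def check_report(doc):
    """Return a list of problems; an empty list means the report passed every check."""
    problems = []
    inc = doc.find(q(IODEF_NS, "Incident"))
    if inc is None or inc.get("purpose") is None:
        return ["Incident/@purpose missing"]
    for tag in ("IncidentID", "ReportTime", "Assessment", "Contact"):
        if inc.find(q(IODEF_NS, tag)) is None:
            problems.append("Incident/%s missing" % tag)
    iid = inc.find(q(IODEF_NS, "IncidentID"))
    if iid is not None and not iid.get("name"):
        problems.append("IncidentID/@name missing")
    for add in inc.findall(q(IODEF_NS, "AdditionalData")):
        if add.get("dtype") != "xml":
            problems.append("AdditionalData/@dtype must be 'xml' to carry the extension")
        for el in add.iter():
            taxonomy = el.get("taxonomy")
            if taxonomy is None:
                continue
            value = el.get("code") or el.get("id") or ""
            pattern = TAXONOMY_PATTERNS.get(taxonomy)
            if pattern is None:
                problems.append("%s: unknown taxonomy %r" % (el.tag, taxonomy))
            elif not pattern.match(value):
                problems.append("%s: %r is not a valid %s reference" % (el.tag, value, taxonomy))
    return problems


def to_xml(doc):
    """Serialise the document to a unicode string."""
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    report = build_report()
    print(to_xml(report))
    print("problems:", check_report(report))
```

Run it and the serialised document shows the cps: elements nested inside AdditionalData; replace the NAICS code with a free-text sector name and check_report reports it, which is the point of referencing a taxonomy rather than describing the industry in prose.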