[mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt
Alexey Melnikov <alexey.melnikov@isode.com> Fri, 25 April 2014 15:41 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: mile@ietfa.amsl.com
Delivered-To: mile@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CCC91A0342 for <mile@ietfa.amsl.com>; Fri, 25 Apr 2014 08:41:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.628
X-Spam-Level: *
X-Spam-Status: No, score=1.628 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, RP_MATCHES_RCVD=-0.272] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YxVgn9wVJGpf for <mile@ietfa.amsl.com>; Fri, 25 Apr 2014 08:41:19 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.3.217.251]) by ietfa.amsl.com (Postfix) with ESMTP id 281121A0572 for <mile@ietf.org>; Fri, 25 Apr 2014 08:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1398440472; d=isode.com; s=selector; i=@isode.com; bh=UqJVz0iMGjE4h6qTwwe18rikjYuOwqOIBqMQu75ieYo=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=qRAKWIKAjdEa0jSaP/0TB0a04ItcWxPErglbJR7OtVENFsqAkkDhGdaKPYpsEi7VZQAfpf ACEs43gpq8wydXhY2cK/zuotdsHzSOBBDJ4jF9YqE9u8gISteIGc0YxPJpiOYX+PQVXkuZ EFHFz/J+iSpBRWC+2L+nmT9TC+sIdC8=;
Received: from [172.17.128.46] (richard.isode.com [62.3.217.249]) by waldorf.isode.com (submission channel) via TCP with ESMTPA id <U1qCEABYHogv@waldorf.isode.com>; Fri, 25 Apr 2014 16:41:10 +0100
Message-ID: <535A8229.8000905@isode.com>
Date: Fri, 25 Apr 2014 16:41:29 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
To: mile@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/mile/KAygPOdBLdKm_iqaMNc5Gxo3AVM
Subject: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt
X-BeenThere: mile@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Managed Incident Lightweight Exchange, IODEF extensions and RID exchanges" <mile.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mile>, <mailto:mile-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mile/>
List-Post: <mailto:mile@ietf.org>
List-Help: <mailto:mile-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mile>, <mailto:mile-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 15:41:22 -0000
Takeshi has troubles posting to the mailing list, so he asked to forward his email. -------- Original Message -------- > -----Original Message----- > From: Takeshi Takahashi [mailto:takeshi_takahashi@nict.go.jp] > Sent: Wednesday, April 23, 2014 2:29 PM > To: murillo@ieee.org; 'mile@ietf.org' > Subject: RE: [mile] Fwd: New Version Notification for > draft-murillo-mile-cps-00.txt > > Hi Martin, > > I've read through the drafts. Thank you very much for sharing your expertise > here. > It was a new use case for me, and was really interesting. > > I am wondering if we can minimize the number of extension fields by using > the existing IODEF fields. > By minimizing the number of similar fields, I hope we can simplify the draft > and minimize the burden of implementations. > > From this viewpoint, let me ask several checking questions. > > 1. IncidentType element and IncdntType Attribute > What are the difference between them? I think your current draft has > them as place holders. I would like to hear a bit further. > > 2. The IncidentTitle element > Can we use the Description element inside the IODEF:Incident class for > this purpose, instead of having new field here? > It would be useful to have title or such information that can hint the > content of the IODEF document, but I feel like that it would be helpful > to have this type of information at the shallower level of IODEF document > rather than having it in the deeper level of IODEF document (inside > additionalData) > > 3. The ReportingParty element > Can we use the IODEF:contact class instead of having new field? We could > extend it further if needed. > > 4. The ReportReliability element > Can we use the IODEF:confidence class instead of having new field? We > could extend it further if needed. > > 5. The TargetSystems element > Can we extend the IODEF:system class instead of having new field? We > could extend it further if needed. > > 6. type attribute of the IODEF:Impact class > When we use this extension, what value should be set for the type > attribute of the IODEF:Impact class? > > By the way, here are small questions. > > 1. should [SFC] be [SFK], since the acronym seems to come from the initials > of the authors of the reference (Stouffer, K., Falco, J., and K. Scarfonw) ? > > I might have misunderstood your draft, so please correct me if I am wrong. > > Kind regards, > Take > > > > -----Original Message----- > > From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Martin Murillo > > Sent: Wednesday, January 29, 2014 10:11 AM > > To: Johnson, Blake; Jerome Athias > > Cc: mile@ietf.org > > Subject: Re: [mile] Fwd: New Version Notification for > > draft-murillo-mile-cps-00.txt > > > > Have read the links posted by Jerome and info on the Experience > > Sharing Tool (EST). It is my impression that a revision under the > > light of the EST would be very appropriate, and one of the first uses > > of the extension, given its report-based nature. Look forward to seeing > the reviews in this light. > > > > As Jerome mentioned, focusing on referencing already existing > > taxonomies (and when necessary reusing them and referencing their xml > > implementations, if publicly available) would be the best approach; > > given the early stages in the field, I tend to think that atomic data > will need to be used. > > > > Regarding the term "Asset" vs "System", I believe system provides a > > more general connotation, while asset, seem to focus more on > > mainstream infrastructure; because the inclusion of IoT-related > > infrastructure (anywhere from centralized home control to self-driving > > cars), I wonder whether "Asset" is too an specific term. > > > > Martin > > > > Martin > > > > On 1/24/2014 2:09 PM, Johnson, Blake wrote: > > > This is an interesting application of IODEF that I had not considered. > > Most industry sharing that takes place in this space, from my > > perspective, is in the form of in person and telephone threat > > briefings. These are facilitated by the FBI, DHS, and the ISAC's. > > > > > > At least a handful of the ISAC's have started sharing structured > > > threat > > indicator data, and the taxonomy for this extension could cover what > > the Electric Sector ISAC currently refers to as 'Experience Sharing.' > > I can review this proposal as it relates to information captured by > > the ES-ISAC's Experience Sharing tool, using IEC/ANSI 62443 (ISA99) as > > an informative reference. > > > > > > Blake Johnson > > > Threat Intelligence Analyst > > > Alliant Energy | Infrastructure Secruity > > > Office: 608-458-6320 | Cell: 608-843-2790 > > > > > > > > > -----Original Message----- > > > From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Jerome Athias > > > Sent: Friday, January 24, 2014 3:18 AM > > > To: murillo@ieee.org > > > Cc: mile@ietf.org > > > Subject: Re: [mile] Fwd: New Version Notification for > > > draft-murillo-mile-cps-00.txt > > > > > > Hi, > > > > > > from what I know (which is limited), and as you mention, this ICS > > > area is often also called Critical Infrastructures (CIs), or SCADA > > > > > > for a little bit of background, we could explore the Cybersecurity > > > Framework Example references > > > http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx > > > > > > http://www.ictqatar.qa/en/documents/download/National%20Industrial%20C > > > ontrol%20Systems%20Security%20Standard-English.pdf > > > ANSI/ISA-99.02.01-2009 > > > > > > I don't have enough knowledge about the status and adoption of the > > > different efforts in term of XML representation/format/standards > > > http://xml.coverpages.org/emergencyManagement.html > > > and resilience > > > > > > It would maybe be possible to obtain information from there > > > http://ics-cert.us-cert.gov http://ics-isac.org/ > > > > > > My first feedback is that it looks like an interesting extension. > > > > > > I would suggest to focus on the reuse of existing Taxonomies, or > > > references to them. > > > > > > As such, for [Industry], maybe > > > http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012 > > > ISO 3166 (Country Codes) > > > > > > > > > [TargetSystems], I (personally) don't like the word "system" and > > > prefer > > "asset" > > > > > > [CompromisedPhysicalInfrastrucute] (with a typo ;p) seems to be a > > > category of "Infrastructure" (or group of assets) > > > > > > > > > [EntryPoint] could be ok since it could be a little bit different > > > from "endpoint" > > > > > > [PerpetratingParty] seems to reference "Threat Actor" or "Threat > > > Agent" or "Attacker" > > > > > > [RecurrencePreventionMeasures] is this Security Controls? (and > > > Mitigations/Remediations) > > > Reference: > > > > https://web.nvd.nist.gov/view/800-53/control?controlName=AC-3&type=1 > > > > > > > > > Describing an [Exploit] is not so easy (depending on the level of > > > details wanted/needed) > > > > > > Figure 1 (or "Diagram 1") is interesting, (of course it is different > > > from, i.e. CAESARS), it MAYBE could be more layered > > > > > > http://www.isa.org/InTechTemplate.cfm?template=/ContentManagement/Cont > > > entDisplay.cfm&ContentID=94401 > > > > > > (To follow: ENISA CDXI) > > > > > > > > > Some typos > > > > > > > > > > > > Next step: more XML focused ;) > > > > > > > > > My 2 bitcents > > > > > > 2014/1/24 Martin Murillo <murillo@ieee.org>: > > >> Dear all, > > >> > > >> Please find below a link to a proposed draft for extending IODEF > > >> for the reporting of cyber-physical system incidents. These systems > > >> are often referred as Operational Technology Systems, Industrial > > >> Control Systems, Automatic Control Systems, or simply Control > Systems. > > >> > > >> Cyber-Physical systems have been around for decades. However, they > > >> are now at a higher risk to be the target of attacks by individual > > >> highly-skilled attackers, organized groups, nation-states, or > > >> simply suffer repercussions of mainstream IT cyber-attacks. While > > >> over 90% of critical control system infrastructure is currently > > >> owned by private enterprises, these can have direct repercussions > > >> on national security of world nations. Indeed, various of these > > >> systems are key parts of nuclear reactor facilities, transportation > > >> systems, electric power distribution, oil and natural gas > > >> distribution, health care, water > > and waste-water treatment, dam infrastructure, missile > > >> and defense systems, and others. The disruption of these control > > systems > > >> could have a significant impact on public health, safety, and lead > > >> to large economic losses. > > >> > > >> Among the issues that catalyze this higher risk are: > > >> > > >> i) these systems are gradually becoming more interconnected, ii) > > >> legacy systems do not have proper cybersecurity protection, iii) > > >> the existence of highly-skilled individuals and motivations, iv) > > >> some these systems are generally considered critical, v) these are > > >> a natural extension of IT cyber-attacks, vi) the emergence of the > > >> Internet of Things (IOT), and vi) these attacks can be carried out > > remotely and quite inexpensively. > > >> > > >> While there might exist national approaches to deal with incidents, > > >> there's the need of a global international approach that will > > >> engulf governments, private organizations and other stakeholders. > > >> IETF, as a leading global Internet standards organization, seeks to > > >> satisfy this need through open standards that seek to encompass > > >> issues that are critical for the global community. > > >> > > >> Feedback at two levels are welcome: > > >> > > >> 1. On the existence and inclusion either by utilizing any already > existing > > >> industry formats (XML- encoded) and/or by utilizing atomic data > > >> 2. Contributions on making the extension (and background > > >> information) more comprehensive, accurate and principally useful > > >> for the community > > >> > > >> Look forward to feedback and other input! > > >> > > >> Martin Murillo > > >> > > >> A new version of I-D, draft-murillo-mile-cps-00.txt has been > > >> successfully submitted by Martin Murillo and posted to the IETF > > >> repository. > > >> > > >> Name: draft-murillo-mile-cps > > >> Revision: 00 > > >> Title: IODEF extension for Reporting Cyber-Physical System > > >> Incidents > > >> Document date: 2014-01-21 > > >> Group: Individual Submission > > >> Pages: 24 > > >> URL: > > >> http://www.ietf.org/internet-drafts/draft-murillo-mile-cps-00.txt > > >> Status: > > https://datatracker.ietf.org/doc/draft-murillo-mile-cps/ > > >> Htmlized: > http://tools.ietf.org/html/draft-murillo-mile-cps-00 > > >> > > >> > > >> Abstract: > > >> This draft document will extend the Incident Object Description > > >> Exchange Format (IODEF) defined in [RFC5070] to support the > > reporting > > >> of incidents dealing with attacks to physical infrastructure > through > > >> the utilization of IT means as a vehicle or as a tool. These > systems > > >> might also be referred as Cyber-Physical Systems (CPS), > Operational > > >> Technology Systems, Industrial Control Systems, Automatic Control > > >> Systems, or simply Control Systems. These names are used > > >> interchangeably in this document. In this context, an incident > is > > >> generally the result of a cybersecurity issue whose main goal > > >> is > > to > > >> affect the operation of a CPS. It is considered that any > > >> unauthorized alteration of the operation is always malign. This > > >> extension will provide the capability of embedding structured > > >> information, such as identifier- and XML-based information. In > its > > >> current state, this document provides important considerations > for > > >> further work in implementing Cyber-Physical System incident > > reports, > > >> either by utilizing any already existing industry formats (XML- > > >> encoded) and/or by utilizing atomic data. > > >> > > >> In addition, this document should provide appropriate material > for > > >> helping making due considerations in making an appropriate > decision > > >> on how a CPS reporting is done: 1) through a data format > > >> extension > > to > > >> the Incident Object Description Exchange Format [RFC5070], 2) > > forming > > >> part of an already existing IODEF-extension for structured > > >> cybersecurity information (currently draft > > >> draft-ietf-mile-sci-11.txt), or others. While the format and > > >> contents of the present document fit more the earlier option, these > > >> can also be incorporated to the later. > > >> > > >> > > >> > > >> Please note that it may take a couple of minutes from the time of > > >> submission until the htmlized version and diff are available at > > tools.ietf.org. > > >> > > >> The IETF Secretariat
- [mile] Fwd: New Version Notification for draft-mu… Martin Murillo
- Re: [mile] Fwd: New Version Notification for draf… Jerome Athias
- Re: [mile] Fwd: New Version Notification for draf… Johnson, Blake
- Re: [mile] Fwd: New Version Notification for draf… Martin Murillo
- [mile] Fwd: New Version Notification for draft-mu… Alexey Melnikov
- Re: [mile] Fwd: New Version Notification for draf… Takeshi Takahashi
- Re: [mile] New Version Notification for draft-mur… Eric Burger
- Re: [mile] New Version Notification for draft-mur… Takeshi Takahashi
- Re: [mile] New Version Notification for draft-mur… Kathleen Moriarty
- Re: [mile] New Version Notification for draft-mur… Martin J. Murillo