Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt

"Johnson, Blake" <BlakeJohnson@alliantenergy.com> Fri, 24 January 2014 19:09 UTC

From: "Johnson, Blake" <BlakeJohnson@alliantenergy.com>
To: Jerome Athias <athiasjerome@gmail.com>, "murillo@ieee.org" <murillo@ieee.org>
Date: Fri, 24 Jan 2014 19:09:02 +0000
Cc: "mile@ietf.org" <mile@ietf.org>

This is an interesting application of IODEF that I had not considered. Most industry sharing that takes place in this space, from my perspective, is in the form of in-person and telephone threat briefings. These are facilitated by the FBI, DHS, and the ISACs.

At least a handful of the ISACs have started sharing structured threat indicator data, and the taxonomy for this extension could cover what the Electric Sector ISAC currently refers to as 'Experience Sharing.' I can review this proposal as it relates to information captured by the ES-ISAC's Experience Sharing tool, using IEC/ANSI 62443 (ISA99) as an informative reference.

Blake Johnson
Threat Intelligence Analyst
Alliant Energy | Infrastructure Security
Office: 608-458-6320 | Cell: 608-843-2790


-----Original Message-----
From: mile [mailto:mile-bounces@ietf.org] On Behalf Of Jerome Athias
Sent: Friday, January 24, 2014 3:18 AM
To: murillo@ieee.org
Cc: mile@ietf.org
Subject: Re: [mile] Fwd: New Version Notification for draft-murillo-mile-cps-00.txt

Hi,

From what I know (which is limited), and as you mention, this ICS area
is often also called Critical Infrastructures (CIs), or SCADA.

For a little bit of background, we could explore the Cybersecurity Framework.
Example references
http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx
http://www.ictqatar.qa/en/documents/download/National%20Industrial%20Control%20Systems%20Security%20Standard-English.pdf
ANSI/ISA-99.02.01-2009

I don't have enough knowledge about the status and adoption of the
different efforts in terms of XML representation/format/standards
http://xml.coverpages.org/emergencyManagement.html
and resilience

It would maybe be possible to obtain information from there
http://ics-cert.us-cert.gov
http://ics-isac.org/

My first feedback is that it looks like an interesting extension.

I would suggest focusing on the reuse of existing Taxonomies, or
references to them.

As such, for [Industry], maybe
http://www.census.gov/cgi-bin/sssd/naics/naicsrch?chart=2012
ISO 3166 (Country Codes)


[TargetSystems], I (personally) don't like the word "system" and prefer "asset"

[CompromisedPhysicalInfrastrucute] (with a typo ;p) seems to be a
category of "Infrastructure" (or group of assets)


[EntryPoint] could be ok since it could be a little bit different from
"endpoint"

[PerpetratingParty] seems to reference "Threat Actor" or "Threat
Agent" or "Attacker"

[RecurrencePreventionMeasures] is this Security Controls? (and
Mitigations/Remediations)
Reference: https://web.nvd.nist.gov/view/800-53/control?controlName=AC-3&type=1


Describing an [Exploit] is not so easy (depending on the level of
details wanted/needed)

Figure 1 (or "Diagram 1") is interesting, (of course it is different
from, i.e. CAESARS), it MAYBE could be more layered
http://www.isa.org/InTechTemplate.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=94401

(To follow: ENISA CDXI)


Some typos

Next step: more XML focused ;)


My 2 bitcents

2014/1/24 Martin Murillo <murillo@ieee.org>:
> Dear all,
>
> Please find below a link to a proposed draft for extending IODEF for the
> reporting of cyber-physical system incidents. These systems are often
> referred to as Operational Technology Systems, Industrial Control Systems,
> Automatic Control Systems, or simply Control Systems.
>
> Cyber-Physical systems have been around for decades. However, they are now
> at a higher risk to be the target of attacks by individual highly-skilled
> attackers, organized groups, nation-states, or simply suffer repercussions
> of mainstream IT cyber-attacks. While over 90% of critical control system
> infrastructure is currently owned by private enterprises, these can have
> direct repercussions on national security of world nations. Indeed, several
> of these systems are key parts of nuclear reactor facilities, transportation
> systems, electric power distribution, oil and natural gas distribution,
> health care, water and waste-water treatment, dam infrastructure, missile
> and defense systems, and others. The disruption of these control systems
> could have a significant impact on public health, safety, and lead to large
> economic losses.
>
> Among the issues that catalyze this higher risk are:
>
> i) these systems are gradually becoming more interconnected, ii) legacy
> systems do not have proper cybersecurity protection, iii) the existence of
> highly-skilled individuals and motivations, iv) some of these systems are
> generally considered critical, v) these are a natural extension of IT
> cyber-attacks, vi) the emergence of the Internet of Things (IOT), and vii)
> these attacks can be carried out remotely and quite inexpensively.
>
> While there might exist national approaches to deal with incidents, there's
> the need for a global international approach that will engulf governments,
> private organizations and other stakeholders. IETF, as a leading global
> Internet standards organization, seeks to satisfy this need through open
> standards that seek to encompass issues that are critical for the global
> community.
>
> Feedback at two levels is welcome:
>
> 1. On the existence and inclusion either by utilizing any already existing
> industry formats (XML-encoded) and/or by utilizing atomic data
> 2. Contributions on making the extension (and background information) more
> comprehensive, accurate and principally useful for the community
>
> Look forward to feedback and other input!
>
> Martin Murillo
>
> A new version of I-D, draft-murillo-mile-cps-00.txt
> has been successfully submitted by Martin Murillo and posted to the
> IETF repository.
>
> Name:           draft-murillo-mile-cps
> Revision:       00
> Title:          IODEF extension for Reporting Cyber-Physical System
> Incidents
> Document date:  2014-01-21
> Group:          Individual Submission
> Pages:          24
> URL:            http://www.ietf.org/internet-drafts/draft-murillo-mile-cps-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-murillo-mile-cps/
> Htmlized:       http://tools.ietf.org/html/draft-murillo-mile-cps-00
>
>
> Abstract:
>    This draft document will extend the Incident Object Description
>    Exchange Format (IODEF) defined in [RFC5070] to support the reporting
>    of incidents dealing with attacks to physical infrastructure through
>    the utilization of IT means as a vehicle or as a tool.  These systems
>    might also be referred to as Cyber-Physical Systems (CPS), Operational
>    Technology Systems, Industrial Control Systems, Automatic Control
>    Systems, or simply Control Systems.  These names are used
>    interchangeably in this document.  In this context, an incident is
>    generally the result of a cybersecurity issue whose main goal is to
>    affect the operation of a CPS.  It is considered that any
>    unauthorized alteration of the operation is always malign.  This
>    extension will provide the capability of embedding structured
>    information, such as identifier- and XML-based information.  In its
>    current state, this document provides important considerations for
>    further work in implementing Cyber-Physical System incident reports,
>    either by utilizing any already existing industry formats (XML-
>    encoded) and/or by utilizing atomic data.
>
>    In addition, this document should provide appropriate material for
>    helping make due considerations in making an appropriate decision
>    on how a CPS reporting is done: 1) through a data format extension to
>    the Incident Object Description Exchange Format [RFC5070], 2) forming
>    part of an already existing IODEF-extension for structured
>    cybersecurity information (currently draft
>    draft-ietf-mile-sci-11.txt), or others.  While the format and
>    contents of the present document fit the former option better, they
>    can also be incorporated into the latter.
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> mile mailing list
> mile@ietf.org
> https://www.ietf.org/mailman/listinfo/mile
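Jerome's suggestion above is to have the CPS extension reference existing taxonomies (NAICS for [Industry], ISO 3166 for countries) rather than define new vocabularies. The following is an added example, not code from the draft or the list: it carries a hypothetical extension payload inside an RFC 5070 IODEF `AdditionalData` element with `dtype="xml"` (the extension mechanism IODEF does provide), pulls out every element that names a taxonomy scheme, and checks each value against that scheme. The `urn:example:iodef-cps-extension` namespace, the `cps:` element names and the `scheme` attribute are assumptions; the NAICS and ISO 3166 tables are constructed subsets.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace
CPS_NS = "urn:example:iodef-cps-extension"      # hypothetical; not the draft's own

# Constructed subsets of the real taxonomies (NAICS 2012 sector codes, ISO 3166-1 alpha-2);
# a deployment would load the full published lists.
NAICS_2012_SECTORS = {"22": "Utilities", "31": "Manufacturing", "48": "Transportation"}
ISO_3166_ALPHA2 = {"US", "FR", "QA", "DE"}

# Constructed sample report: an RFC 5070 Incident whose AdditionalData (dtype="xml")
# wraps the hypothetical CPS payload; each taxonomy value names its scheme explicitly.
SAMPLE_REPORT = f"""<?xml version="1.0"?>
<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}" xmlns:cps="{CPS_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">CPS-2014-0001</IncidentID>
    <ReportTime>2014-01-24T19:09:02+00:00</ReportTime>
    <Assessment><Impact type="unknown"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example ES-ISAC</ContactName></Contact>
    <AdditionalData dtype="xml" meaning="cps-extension">
      <cps:CPSIncident>
        <cps:Industry scheme="NAICS-2012">22</cps:Industry>
        <cps:Country scheme="ISO3166-1-alpha2">US</cps:Country>
      </cps:CPSIncident>
    </AdditionalData>
  </Incident>
</IODEF-Document>"""

def extract_taxonomy_refs(xml_text):
    """Return {element_name: (scheme, value)} for each scheme-bearing element in the payload."""
    root = ET.fromstring(xml_text)
    refs = {}
    for ad in root.iter(f"{{{IODEF_NS}}}AdditionalData"):
        if ad.get("dtype") != "xml":          # only XML-typed extension payloads are inspected
            continue
        for elem in ad.iter():
            if elem.tag.startswith(f"{{{CPS_NS}}}") and elem.get("scheme"):
                refs[elem.tag.split("}")[1]] = (elem.get("scheme"), (elem.text or "").strip())
    return refs

def validate_refs(refs):
    """Return a list of problems; an empty list means every reference resolves in its scheme."""
    checks = {"NAICS-2012": lambda v: v in NAICS_2012_SECTORS,
              "ISO3166-1-alpha2": lambda v: v in ISO_3166_ALPHA2}
    problems = []
    for name, (scheme, value) in refs.items():
        if scheme not in checks:
            problems.append(f"{name}: unknown scheme {scheme}")
        elif not checks[scheme](value):
            problems.append(f"{name}: {value!r} is not a valid {scheme} code")
    return problems
```

Running `validate_refs(extract_taxonomy_refs(SAMPLE_REPORT))` on the sample returns an empty list; a receiver that rejects unknown schemes this way keeps reports interoperable without the extension having to define its own industry or country vocabulary.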