Cybersecurity Curriculum Development Initiated by ... - IEEE Xplore

Session S2D

Work In Progress - Cybersecurity Curriculum Development Initiated by Public Interests

Benjamin Arazi¹ and Adel S. Elmaghraby
Department of Computer Engineering and Computer Science, The University of Louisville, Louisville, KY 40292
{ben.arazi,adel}@Louisville.edu

Abstract - The investigators are engaged in developing Cybersecurity curriculum and tutorial material that illuminate this essential issue from the public interest point of view. This concerns needs, priorities, and specific relevant technologies, based on sources published by the Federal government and public organizations. As a whole, the material will cover a complete 500-level (graduate, open to undergraduates) 3 credit-hours course, with a limited prerequisite in computer networks. The work mainly consists of compiling slides, to be downloaded by interested instructors from a dedicated website developed by the investigators. The material will be organized in a way that also facilitates the use of various parts of it as supplementary material to courses in business and management, computer science, electrical engineering and information systems. It is further intended to address a wide range of student populations and education institutes, including continuing education and institutes granting associate degrees.

Index Terms - Cybersecurity education, public references, Internet security

INTRODUCTION

The investigators are engaged in the development of a curriculum that illuminates Cybersecurity from the public interest point of view, regarding needs, priorities, and specific relevant technologies. Figure 1 depicts the backbone of the proposed curriculum.

[Figure 1 shows three modules: "Organizational aspects of Cybersecurity: the public perspective"; "Cybersecurity aspects of critical infrastructures"; and "Internet vulnerabilities and their mitigations" (prerequisite: a basic course in computer networks).]

FIGURE 1 THE THREE MODULES OF THE PROPOSED CURRICULUM.

The developed material will be disseminated by building a dedicated website that offers a comprehensive collection of slides to be downloaded by interested instructors. This will be accompanied by detailed specifications of the sources used in compiling the material, in case the instructor wishes to elaborate further on specific issues, or teach the material in a manner other than slide projection.

As a whole, the curriculum covers a 500-level (graduate, open to undergraduates) 3 credit hours course. A prerequisite is a basic course in computer networks. Alternatively, each of the three modules will be self-contained, to be used as supplementary material in various courses in business and management, computer science, electrical engineering and information systems. The first and second modules are intended to have no prerequisite.

ORGANIZATIONAL ASPECTS OF CYBERSECURITY: THE PUBLIC PERSPECTIVE

The National Strategy to Secure Cyberspace document, published by the White House in February 2003 [1], and subsequent published reviews and criticisms, will be treated in the introductory part of the curriculum. An additional main source for the curriculum development is a 47-page Broad Agency Announcement, published in September 2004 by the Department of Homeland Security (DHS) [2]. This document, which specifies "technologies [that] protect the nation's cyber infrastructure", is an excellent updated comprehensive source for studying in detail the DHS view on the meaning of Cybersecurity. It treats three topics:

• Tools and methodological advances needed for the creation of more secure systems;
• Technologies that protect the national critical information infrastructure, and that specifically address issues that may not be at the forefront for the commercial sector;
• Tools and methodological advances needed for technologies to assist industry and law enforcement communities in responding to hostile cyber threats.

Three comprehensive documents will form the main source for studying Cybersecurity Laws and Guidance:

• NIST (National Institute of Standards and Technology Information Technology) Security Practices & Checklists [3], developed under The Cyber Security Research and Development Act and last updated in July 2004;
• The NIST Network Infrastructure Security Technical Implementation Guide from October 2004 [4];
• The NSA (National Security Agency) Index of National Security Systems Issuances from September 2004 [5].

Additional issues to be included: The US Patriot Act (HR 3162); Presidential Decision Directive 63; MR-993OSD/NSA/DARPA; National Security Directive 42 (NSD-42); National Security Decision Directive 145 (NSDD-145); National Telecommunications and Information Systems Security Policy; National Information Assurance Acquisition Policy; Executive Order 13231; Government Information Security Reform Act (GISRA); Federal Information Security Management Act (FISMA); DoD Directive 8500.

¹ Benjamin Arazi is a Visiting Professor from Ben Gurion University, Israel

0-7803-9077-6/05/$20.00 © 2005 IEEE October 19 – 22, 2005, Indianapolis, IN 35th ASEE/IEEE Frontiers in Education Conference S2D-6

CYBERSECURITY ASPECTS OF CRITICAL INFRASTRUCTURES

A comprehensive federal source for updated documents that address the organizational and administrative aspects of Critical Infrastructure Cybersecurity is the US GAO (General Accounting Office). Documents to be covered in the curriculum include:

• "Cybersecurity for Critical Infrastructure Protection" [6], a 223-page document from May 2004;
• "Critical Infrastructure Protection: Challenges and efforts to Secure Control Systems" [7], from March 2004;
• "Critical Infrastructure Protection: Efforts of the Financial Services Sector" [8], from January 2003;
• "Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors" [9], from February 2003.

This part of the curriculum can also be integrated in the first module (organizational aspects of Cybersecurity from the public perspective), forming, if so desired, an extended self-contained module.

The curriculum also addresses reports of a technical nature. A main source here is the PCSRF - Process Control Security Requirements Forum, founded by NIST and intended "to improve the IT security of the computer control systems...with an emphasis on industries considered to be part of the Nation's Critical Infrastructure." A leading document is the PCSRF System Protection Profile - Industrial Control Systems [10].
Other reports of a technical nature to be covered in the curriculum include:

• NERC/CIPC - North American Electric Reliability Council/Critical Infrastructure Protection Committee - Security Guidelines for the Electricity Sector [11];
• NERC Cybersecurity Standard 1300 [12];
• EA/DOE - Energy Assurance/Department of Energy - "Vulnerabilities in Critical Infrastructure Control Systems" [13];
• ISA SP99: Cyber security technologies for control systems [14].

Another major aspect of critical infrastructures is SCADA - Supervisory Control and Data Acquisition, used in controlling the operation of utilities like electricity, water and gas. A SCADA system receives information from the field and sends control signals over communication networks. The American Gas Association (AGA) SCADA Encryption Committee is working to identify appropriate means to secure SCADA communications for the utilities industries. Their reports are compiled "through the collaborative efforts of organizations including the Gas Technology Institute (GTI), the Institute of Electrical and Electronics Engineers (IEEE), NIST, gas and electric utilities operators, SCADA and cryptographic vendors and security industry experts." A main source for the proposed curriculum will be the comprehensive 110-page AGA report from November 2004 [15].

Additional SCADA sources to be used include: A comprehensive NIST paper; SCADA Systems in water security; Cyber Security in SCADA Networks, published by The President's Critical Infrastructure Board and the Department of Energy; Report of the IEEE Power Engineering Society; Reports of EPRI/EIS; A report of the DHS on electric infrastructure vulnerability assessment methodology and presentations made in a joint DOE/DHS SCADA meeting.

INTERNET VULNERABILITIES AND THEIR MITIGATIONS

The Internet is the backbone of cyber communication. The main source for the study of Internet vulnerabilities and their mitigations will be the SANS Top 20 Internet list [16]. This list is "a consensus list of vulnerabilities that require immediate remediation". A few years ago, the SANS security efforts were conducted jointly with the FBI. The participants in the compilation of the current list include, among others: The Department of Homeland Security, National Infrastructure Security Coordination Centre, Communication Electronic Security Group, Department of Defence, Department of Transportation and the Department of Energy.

The Top 20 list actually consists of two separate Top 10 lists, relating to Windows and UNIX vulnerabilities. Each described vulnerability is followed by several subsections, such as "How to Determine if You are Vulnerable" and "How to Protect Against It". For each vulnerability there is an "Additional Information" section. This list forms an objective, professional and comprehensive source for coverage of the entire issue of Internet security from the public interest perspective. SANS have announced that as of their first publication for 2005 they will further include a list of Cisco product vulnerabilities and their mitigation.

REFERENCES

[1] http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf
[2] http://www.homelandsecurity.az.gov/documents/cyberBAA_FINAL.pdf
[3] http://csrc.nist.gov/pcig/cig.html
[4] http://csrc.nist.gov/pcig/STIGs/network_stig_v6r0.pdf
[5] http://www.nstissc.gov/Assets/pdf/cnss_index_sep_04.pdf
[6] http://www.gao.gov/new.items/d04321.pdf
[7] http://www.mipt.org/pdf/gao04354.pdf
[8] http://www.gao.gov/new.items/d03173.pdf
[9] http://www.gao.gov/new.items/d03173.pdf
[10] http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.doc
[11] ftp://www.nerc.com/pub/sys/all_updl/cip/CIPC-0904a.pdf
[12] ftp://www.nerc.com/pub/sys/all_updl/standards/sar/Draft_Version_1_Cyber_Security_Standard_1300_091504.pdf
[13] http://www.ea.doe.gov/pdfs/vulnerabilities.pdf November 2003
[14] http://www.isa.org/Template.cfm?Section=Shop_ISA&Template=/Ecommerce/ProductDisplay.cfm&ProductID=7372
[15] http://www.gtiservices.org/security/AGA12Draft4r1.pdf
[16] http://www.sans.org/top20/
