Monthly Archives: November 2010

Cyber Security Baseline – Who is Responsible?

Hello. Last week we were in Colombia at a cyber security conference and we had some very interesting discussions, one of which spawned a number of subjects for me that I had promised to write about here when I next had the chance. And one of those subjects was the debate about who is responsible for security controls on systems—especially for new systems.

The discussion was between myself (a consultant) and an end user who has to manage all the systems on his plant floor. His problem is that whenever he has an upgrade or application added to his environment, the systems being installed are not locked down or secure. I agree that this is a problem and is not acceptable. However, his assertion is that it is up to the supplying party to lock the systems down and that he should simply be delivered a secure system. This is where we started to disagree. While I agree in principle that a supplier (like we often are) needs to at least stay in line with existing security standards, and if possible improve them (within our scope at least), I disagree that the “responsibility” for security standards on that system is up to me to establish. My premise is that I can lock down a system so far that it may not function in your environment with other systems you may have. Additionally, my security expectations around password refresh, complexity, shares, drives, etc. may actually be more stringent than your corporate expectations or other systems you have installed. Managing the various levels of security controls on different systems then becomes a burden to the facility.

What I think has to happen is that all operational facilities should have a minimum security profile which all new and existing systems have to live up to—a profile that the facility is able to support and manage over time. That standard becomes an absolute requirement for potential suppliers to live up to and the expectation needs to be written right into the procurement language and project contracts. Many organizations already do this and I support it fully.
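To make the “minimum security profile” idea concrete, here is an added example (written for this post, not code from the blog or any supplier) of how a facility could encode its baseline and check a delivered system against it. The baseline line items, the two observed configurations and all their values are constructed for illustration; a real facility would write its own profile into the procurement language. The check reports three things separately: settings below the baseline (unacceptable for delivery), settings missing from the handover, and settings stricter than the baseline, which pass the contract but are exactly the divergent configurations that become a management burden on the floor.

```python
"""Compare a delivered system's security settings with a facility's minimum profile.

Added example for illustration only. The baseline controls and both observed
configurations below are constructed sample data, not real facility settings.
"""
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass(frozen=True)
class Control:
    """One line item in the facility's minimum security profile."""
    name: str
    minimum: Any               # the value every system on the floor must at least meet
    higher_is_stricter: bool   # True: larger values are stricter (e.g. minimum password length)
                               # False: smaller values are stricter (e.g. maximum password age)


# Constructed baseline. Booleans compare naturally: True > False.
FACILITY_BASELINE: List[Control] = [
    Control("password_min_length", 12, True),
    Control("password_max_age_days", 90, False),
    Control("password_complexity_required", True, True),
    Control("failed_logon_lockout_threshold", 10, False),   # fewer attempts before lockout = stricter
    Control("anonymous_share_access", False, False),        # disabled (False) is stricter than enabled
    Control("removable_drives_allowed", False, False),
    Control("unneeded_services_disabled", True, True),
]

# Constructed handover 1: a system delivered with factory defaults.
VENDOR_DEFAULT_DELIVERY: Dict[str, Any] = {
    "password_min_length": 8,
    "password_max_age_days": 365,
    "password_complexity_required": False,
    "failed_logon_lockout_threshold": 50,
    "anonymous_share_access": True,
    "removable_drives_allowed": True,
    # "unneeded_services_disabled" was never reported by the supplier
}

# Constructed handover 2: a supplier who hardened beyond the facility's profile.
OVER_HARDENED_DELIVERY: Dict[str, Any] = {
    "password_min_length": 20,
    "password_max_age_days": 30,
    "password_complexity_required": True,
    "failed_logon_lockout_threshold": 3,
    "anonymous_share_access": False,
    "removable_drives_allowed": False,
    "unneeded_services_disabled": True,
}


def evaluate(observed: Dict[str, Any],
             baseline: List[Control] = FACILITY_BASELINE) -> Dict[str, List[str]]:
    """Bucket every baseline control as missing, below, meets or stricter."""
    report: Dict[str, List[str]] = {"missing": [], "below": [], "meets": [], "stricter": []}
    for control in baseline:
        if control.name not in observed:
            report["missing"].append(control.name)
            continue
        value = observed[control.name]
        if value == control.minimum:
            report["meets"].append(control.name)
            continue
        stricter = value > control.minimum if control.higher_is_stricter else value < control.minimum
        report["stricter" if stricter else "below"].append(control.name)
    return report


def acceptable_for_delivery(report: Dict[str, List[str]]) -> bool:
    """Contractually acceptable only when nothing is missing or below the baseline."""
    return not report["missing"] and not report["below"]


def divergence_count(report: Dict[str, List[str]]) -> int:
    """Stricter-than-baseline settings are not failures, but each is a
    configuration the facility must now track separately from its profile."""
    return len(report["stricter"])


def print_report(label: str, observed: Dict[str, Any]) -> None:
    report = evaluate(observed)
    print(f"== {label} ==")
    for bucket, names in report.items():
        print(f"  {bucket:8s}: {', '.join(names) or '-'}")
    print(f"  acceptable for delivery: {acceptable_for_delivery(report)}")
    print(f"  settings diverging above baseline: {divergence_count(report)}")


if __name__ == "__main__":
    print_report("vendor default delivery", VENDOR_DEFAULT_DELIVERY)
    print_report("over-hardened delivery", OVER_HARDENED_DELIVERY)
```

The direction flag on each control matters: a lockout threshold of 3 is stricter than 10, while a password length of 20 is stricter than 12, and a checker that only tests “greater than or equal” would misjudge one of them. The second handover passes the contract, yet the three stricter settings are precisely what the post describes as a burden when several systems each arrive with their own notion of hardening.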

Now the one point I think my operational friend had that I have not yet addressed is the fact that he had neither the time nor necessarily the skill set to establish a security standard—so I gave him one. Problem solved!

In summary, I think it is a combined effort for secure systems on the plant floor. Operators need to establish the minimum security profile they are willing to install and support and suppliers need to be able and willing to work to that standard. In other words, we are ALL responsible for security baselines. What do you think?

Posted in General.

Culture and climate (Cultura y clima) – NERC CIP and all things cyber related

Howdy folks.  I am sitting here in Colombia after an entire day of presentations, round tables and general discussion about cyber security and standards, and I have to say I see a common theme, regardless of the industry.  Case in point—I was asked more than once what amounts to “why should we bother?” with respect to implementing and following standards.  Now I have a multitude of ideas as to how this should be answered but to properly deal with them would take more space here than I think you want to read, so how about this:  I am going to list all my objections to that statement, and then each of those subjects will be my next few blog entries so that we can do the subjects proper justice.

The issues that are spawned for me by that statement (and the subsequent discussion points it created) are as follows:

  • “Why bother?” totally misses the point of a security program—a program that I think is a victim of its own name.  Really, security is about the safe, reliable and expected operation of your facility.
  • Documentation (or paper pushing for compliance) is a waste of time.  Sure—if you see it as simply a paper exercise.  But I ask, why is there paper?  Is this a cover-your-behind practice, or is the intent of expecting documentation in fact a mechanism to force participation and verification?
  • Who is responsible for specific security controls/standards on new technology: the vendor supplying technology or the user purchasing it?  This one is a hot topic.  There is the obvious divide of chronology—the vendor has to walk away from the project at some point and leave it with the purchaser—but what about prior to implementation? 
  • Evolution of purchasing.  I suggested to an operator today that if I were to very securely configure a system and build that security as well as hand over the security controls to an operator, that my price would invariably be higher than my competition who does not include robust security controls and training.  So who budges first?  Very few organizations (the leaders do) have a basic security standard that is required of all proposed applications.  So when you are comparing the technology of an application against its peers, is there a line item in the procurement decision tree for robustness and completeness of security controls?  Or is the secure one simply more expensive?

Anyways, I will try to get these all fired out in the near term so that we can all chew on them and have some fun debating too.  In the meantime, our friends over at Control Global put out a great discussion with similar themes as it applies to NERC CIP.  You should check it out.  Until then, happy trails my friends.

Posted in General, Power – NERC CIP.

The “Tragedy” of CIP 002 v4

Howdy folks.  Sitting here thinking about the amount of effort that has gone into NERC CIP 002-009 thus far and an interesting thought struck me.  Bear with me for a moment as I set the scene.  As it stands today, we have quite the storied path from inception to where we currently sit.  In essence, the first version of 002-009 was not well received, and since its inception subsequent iterations have been drafted, offered, edited and ultimately put into place.  As of this writing we are on the precipice of the 4th version (6th if you include Urgent Action 1200 and 1300) of the standard, with a significant number of hours and effort poured into the body of work to date.

Here is the interesting part.  The SDT, which has labored over many details, comments, complaints, politics, etc etc, has put significant personal and professional investment into this.  And as of their last meeting they, in essence, realized they have not quite got it right yet and actually encouraged the voting public to REJECT their work!  Not so interesting you say?  Fair enough.  How about adding the notion that many people believe that regardless of what the vote is, FERC is either going to adopt it anyway or impose their own version of 002 to hike up participation.  The result is the fact that, to the pessimist, all the effort, blood, sweat and tears shed thus far by the SDT is for naught.  The SDT sets out a standard, tells everyone not to vote for it and in the end it will not matter anyway?

The situation seems absurd, and if this is how CIP 002-009 plays out then it is also tragic.  Just my two cents.

Until next time, happy trails my friends.

Posted in General, Power – NERC CIP.

Convergence of Safety and Security

Howdy folks!  A while back I wrote to you from the ISA show in Houston.  For a while now they have been working on the concept of safety and security merging.  And I know that I get on my soap box (whenever the good folks at ISA let me!) and talk about how one day security programs will be treated like safety programs are.  After all, the parallels are numerous.  In both disciplines, the goal is to provide safe, reliable, expected operation/behavior of people and equipment.  In both cases, the end goal is to have the users and employees adopt the ideas and concepts into their daily work culture.  Now I have stated on more than one occasion that the day I drive up to a facility and see a security sign next to the safety sign boasting of the number of days since an incident, I will believe we have arrived at an appropriate level of awareness and adoption of security concepts.

What is interesting is that the day I look forward to seems to be inching closer.  This week NIST released the SAL Vector paper which basically uses the safety world concept of “Safety Integrity Levels” (SILs) in applying rankings of risk and consequences to security.  Ergo: Security Assurance Levels (SALs).  The number of people who are starting to see the parallels and the opportunity to remove overlap and redundancy between safety and security programs seems to be exploding.  Now maybe I am a little too optimistic here, but if this level of dialogue and support continues into action then maybe, just maybe, I will get to see my security sign next to a safety sign next time I head to site.

I guess time will tell.  Until next time my friends, happy trails.

Posted in General, ISA.

Stuxnet Rant Part 2

Howdy folks. A couple weeks ago I got on my soapbox about vendors who claim that their product would stop Stuxnet and I pointed out a couple of things. First I was trying to point out the irresponsibility of that claim, a message that seemed to resonate with a number of fellow bloggers such as Eric Byres at Tofino and our friends at Control Global. My problem is that the bigger picture I was trying to highlight and get people to focus on was the stance that security issues are going to happen.

The natural follow-on from accepting that point should result in a host of efforts in the area of containment and recovery. If I could draw one common lament out of the complaints directed at the control system vendor involved in this, it was the area of communication.  Now I know a couple of outfits are working on getting their house in order so that they’re better prepared for if/when an incident like Stuxnet happens to them, but so far these have been internally focused.

I would posit that for a proper fire drill, you would need to have a scenario in which a control vendor participated fully and was a part of the response/communication plan. I know the government sponsors Cyber Storm exercises which involve government labs and control facilities and that the major vendors are participants, but how about getting a scenario started where the vulnerability is specific to a particular flavor of control system?  Just like we saw with Stuxnet.  What do you all think?

Happy trails, friends.

Posted in General.