Tuesday, February 17, 2015

Executive Order Promoting Private Sector Cyber Info Sharing

On February 13, 2015 -- a year plus one day after the President's Executive Order directing NIST to build the new Cybersecurity Framework -- President Obama issued an Executive Order entitled Promoting Private Sector Cybersecurity Information Sharing.

There are seven sections in the four-page Order:

  1. Policy
  2. Information Sharing and Analysis Organizations (ISAO)
  3. ISAO Standards Organization
  4. Critical Infrastructure Protection Program
  5. Privacy and Civil Liberties Protections
  6. National Industrial Security Program
  7. Definitions

The fundamental aspect of the EO is to emphasize that "...entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible."

The EO also notes that information sharing must:
  • ...be conducted in a manner that protects the privacy and civil liberties of individuals
  • ...preserves business confidentiality
  • ...safeguards the information being shared, and
  • ...protects the ability of the Government to detect, investigate, prevent and respond to cyber threats...
Certainly commendable policy and something the industry has needed/wanted for years.

Information Sharing and Analysis Organizations (ISAOs)

The Order directs the Secretary of the Department of Homeland Security to "...strongly encourage the development and formation of..." ISAOs.

The Order offers some details on how the ISAOs should be organized and how their membership can draw on public or private sectors, and offers the option for the ISAOs to be formed as for-profit or nonprofit entities.

The National Cybersecurity and Communications Integration Center (NCCIC) is ordered to engage in "...continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information..."

ISAO Standards Organization

The Secretary of DHS is ordered to "...enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order."

Observations and Questions

It is commendable that President Obama has stepped forward -- again -- to help raise awareness and take action on the issue of cyberthreats to our country, its economy, its businesses and its citizens.  However, one question keeps coming up with this Executive Order: "Aren't we already doing this with Information Sharing and Analysis Centers (ISACs)?"

ISACs have been around since May 1998 and were established under the auspices of Presidential Decision Directive 63 (PDD-63) signed by President Clinton.  If you look at the National Council of ISACs website you will note that the definition of an ISAC is:

ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors and with the government. ... Services provided by ISACs include risk mitigation, incident response, alert and information sharing.  The goal is to provide users with accurate, actionable, and relevant information.

And in another white paper on the subject, a description of an ISAC includes the following:

By definition, an ISAC is a trusted, sector-specific entity which performs the following functions: 
  • provides to its constituency a 24/7 secure operating capability that establishes the sector’s specific information sharing/intelligence requirements for incidents, threats and vulnerabilities; 
  • collects, analyzes, and disseminates alerts and incident reports to its membership based on its sector-focused subject matter analytical expertise; 
  • helps the government understand impacts for its sector; 
  • provides an electronic, trusted capability for its membership to exchange and share information on cyber, physical and all threats in order to defend the critical infrastructure; and 
  • shares and provides analytical support to government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions, whether caused by intentional, accidental or natural events. 

Isn't an ISAC filling part of the role of the ISAO discussed in the Executive Order?  Can't ISACs continue with their current roles and capture the essence and elements of the Executive Order?

The idea of establishing a new bureaucracy and hierarchy of ISAOs that essentially parallel the current ISAC structure and functions does not appear to be very efficient and could lead to more confusion, increased bickering and "turf wars" and finally not help or encourage effective information sharing to better protect our country, economy, businesses or citizens.  At a minimum it is highly recommended that the Department of Homeland Security take time to compare the efforts of the ISACs to the Executive Order and build upon current efforts and not try to push through a distracting, parallel effort.


Tuesday, February 10, 2015

CIP-014 Implementation Update from NERC

On February 9, 2015, NERC posted an email regarding implementation of CIP-014-1, Physical Security.

In its email NERC offered three links to items of interest.  They included:
And, for the reader's reference, here is the link to CIP-014-1.  Also, I wrote a blog about CIP-014 back on July 22, 2014.

CIP-014 Memo to Industry

The memo to the industry is from the NERC Compliance Assurance organization.  The specific focus of the memo is on CIP-014 Risk Assessment and Third-Party Verifications.  Notably, the memo's purpose is to highlight acceptable approaches when implementing Requirements 1 and 2 of CIP-014.

Requirements 1 and 2 require Transmission Owners to perform a risk assessment and a third-party verification process to identify Transmission stations and Transmission substations that will ultimately be subject to a physical security assessment (Requirement 4) and the implementation of subsequent physical security plan(s) (Requirement 5).

Per the CIP-014 implementation plans, each applicable Transmission Owner must perform its Requirement 1 risk assessment by October 1, 2015.

Then, within 90 days of completing the R1 risk assessment (i.e., by December 30, 2015), the Transmission Owner must ensure that the third-party verifier completes the verification.

Within 60 days of completing the verification, the Transmission Owner must either 1) modify its risk assessment to be consistent with the recommendations of the verifier, if any, or 2) document the technical basis for not modifying its risk assessment in accordance with any recommendations.

The memo should be read in its entirety; however, the most useful comment comes at the end, where applicable Transmission Owners "...are expected to demonstrate effective application for NERC and the Regional Entities to be able to fully understand, for example:

  • Why certain stations or substations are identified to meet the criteria in Requirement 1
  • Similarly, why certain stations or substations were not identified by Requirement 1
  • What are the defining characteristics of stations and substations identified by Requirement 1
  • How the third party verifying the risk assessment meets the qualifications in Requirement 2 and the means the third party used to ensure effective verification."

This document was prepared by the North American Transmission Forum (NATF) and issued on January 19, 2015.  The NATF is headquartered in Charlotte, NC and its members include investor-owned, state-authorized, municipal, cooperative, US federal, and Canadian provincial utilities.  The NATF "...promotes the highest levels of reliability in the operation of the electric transmission systems."

The intent of the document issued by NATF is to provide a general guideline for the risk assessment identified in R1 of CIP-014.  

The guideline offers five suggested steps for the Transmission Owner to follow to accomplish Requirement 1.  A high-level summary of the steps includes:
  • Step 1:  The Transmission Owner identifies stations to be analyzed based on criteria in CIP-014-1, Section 4.1.1
  • Step 2:  The Transmission Owner identifies cases/system conditions to be analyzed.  Some cases could include -- summer vs winter peak load levels, shoulder peak load levels with system transfers, alternative generation dispatch assumptions or alternative load models.
  • Step 3:  The Transmission Owner defines the nature of the initiating event and how it will be modeled in the transmission assessment
  • Step 4:  The Transmission Owner is responsible for development of criteria/proxies for instability, uncontrolled separation or Cascading.
  • Step 5:  The Transmission Owner performs appropriate steady-state power flow and/or stability analysis.
There are substantially more details provided under each step in the Guideline.

NERC Physical Security Web Page

A third link in the NERC announcement is for their Physical Security web page (a screenshot is shown below).

This page appears to be an excellent resource for those focused on CIP-014 implementation and compliance.


This blog does not offer adequate details on the contents of the referenced documents; therefore, taking time -- and having your power engineers take time -- to read the CIP-014 requirements and the guidance from NERC and NATF will be worthwhile.


NIST SP800-82 R2 (2nd Draft) Out for Comment

NIST SP800-82, Guide to Industrial Control Systems (ICS) Security, has been a key, seminal guide for those of us working in ICS security.  The original guide was published as a "final" version in June 2011.  Revision 1 to the 800-82 series went final in May 2013.  In May 2014 the Initial Public Draft of Revision 2 was promulgated for comment.  I wrote a blog about this initial public draft on May 20, 2014 and encouraged interested parties to submit their comments.

Brief History of SP800-82

A few months ago I wrote an article for SearchSecurity on the Evolution of SP 800-82.  As part of this article I researched the history of this document and its development and ultimately prepared the Visio timeline shown below.  One thing I was sure to do was to obtain Keith Stouffer's (principal author of SP800-82 series) approval on the timeline accuracy.

(Apologies for the overlay with the right margin; however, if the chart goes too small then it is hard to read.  Thanks for understanding.)

What are the Revisions?

The new document out for comment is the second revision to NIST SP800-82.  From the NIST Website, updates in this new revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management recommended practices and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines
  • New tailoring guidance for NIST SP800-53, Revision 4 security controls including the introduction of overlays, and
  • An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High Impact ICS.

When are Comments Due?

The public comment period is from February 9th to March 9th, 2015 (one month).  You can email your comments to nist800-82rev2comments@nist.gov.  You are encouraged to use the comment template form (Excel file) to collect your feedback for submission.

Your comments are requested to make this a better, more thorough document for the industry.  Thank you!



Monday, February 2, 2015

ENISA - Identifying Critical Information Infrastructure (CII)

The European Union Agency for Network and Information Security (ENISA) has published a new and interesting document entitled Methodologies for the Identification of Critical Information Infrastructure Assets and Services.  The report documents a study performed by ENISA staff to tackle the problem of identification of Critical Information Infrastructures (aka CII) in communications networks.  However, because of the broad scope of the critical infrastructure inspected for this report, there are ideas herein to help countries and large enterprises identify their critical assets.

The study of 23 Member States revealed that a "...significant number of Member States present a low level of maturity and lack a structured approach regarding identification of Critical Information Infrastructure..."  However, this report does offer an overview of methodologies for the identification of CII assets and services which may be useful to other geographic regions, nation states and even large multinational corporations.  Some key aspects of the methodologies are summarized below.

Identification of Critical Sectors

One of the first steps listed in Section 4.3 is the identification of critical sectors.  On pages 22-24 the report identifies 14 critical sectors including critical subsectors and critical services to be considered when identifying critical assets.  The table showing this useful list is below:

Identification of Critical Services

Section 5.2 offers a suggested process of using criticality criteria in order to identify critical assets.  The report notes that criticality is the (1) level of contribution of an infrastructure to society in maintaining a minimum level of national and international law and order, public safety, economy, public health and environment, or (2) impact level to citizens or to the government from the loss or disruption of the infrastructure.

Again, ENISA offers a table (below) showing eight different criteria with an explanation:

Assessment of Dependencies

The next step in this process is to examine the critical infrastructure (system) for the following types of dependencies:

  • Interdependencies within a critical sector (intra-sector)
  • Interdependencies between critical sectors (cross-sector), and, especially for CII
  • Interdependencies among communication network assets (both physical and logical connectivity)

In the United States we have some guidance when identifying critical infrastructure for the electric grid -- this guidance is mainly in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.  Even the US Department of Homeland Security (DHS) has identified a list of critical national sectors.  However, the ENISA document would be an excellent resource for a large regional organization, a nation state or even a large, transnational corporation to identify the critical sectors of concern and the critical assets to be protected.

My compliments to ENISA for this document and the guidelines offered.


Saturday, January 31, 2015

World Economic Forum - Global Risks 2015

Each January the World Economic Forum (WEF) has a grand meeting in Davos, Switzerland.  This meeting brings together the major decision makers and influencers in the world to review the current state of the world and its risks.

As part of this annual event the WEF compiles and publishes its Global Risks assessment.  The 10th Edition was published this year to assess the global risks for 2015.  A picture of the report's cover is below.  The report can be downloaded at: http://www3.weforum.org/docs/WEF_Global_Risks_2015_Report.pdf

As a student of infrastructure and security I find this report to offer tremendous insight into the challenges faced by society today.  Also, the report includes some excellent graphics to help the reader get a better sense of the interplay between the various risks and what they refer to as "risk constellations."

The authors first established five categories of risk: economic, environmental, geopolitical, societal and technological.  Then, for each category, there is a collection of different risks that are graded and assessed.  The individual risks are then evaluated on a quadrant (below) assessing each risk's Impact and Likelihood.

Then, based on the above mapping/assessment the top 10 risks are determined by Likelihood and Impact as shown in the next graphic.

Finally, an aspect I normally consider with these lists is those risks listed in both columns.  These include:

  • Water Crises
  • Unemployment or Underemployment
  • Failure of Climate Change Adaptation
Even though this is a short list, please consider how these risks are interrelated: water crises are aggravated by failure of climate change adaptation, which can result in job loss and thus unemployment.

Overall, I would highly recommend that you review the report and especially get a sense of the risk themes raised and how they impact your profession and personal life.



Tuesday, January 27, 2015

ENISA Publishes Cyber Threat Analysis of 2014

Our friends at the European Union Agency for Network and Information Security (ENISA) have published the ENISA Threat Landscape 2014 on 27 January 2015.  The report includes some details on developments made in 2014 relative to the top cyber threats and emerging threat trends - mainly in the cyber arena.

You can download a copy of the report (Free) at:  http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

From the Executive Summary of the report, below are some of the "positives and negatives" of today's cyber threat landscape from ENISA's point of view.

Many of the changes in the top threats can be attributed to successful law enforcement operations and mobilisation of the cyber-security community (bolding by Ernie Hayden):

  • The takedown of the GameOver Zeus botnet almost immediately stopped infection campaigns and Command and Control communication with infected machines.
  • Last year’s arrest of the developers of Blackhole has shown its effect in 2014 when use of the exploit kit has been massively reduced.
  • NTP-based reflection within DDoS attacks is declining as a result of a reduction of infected servers. This in turn was due to awareness-raising efforts within the security community.
  • SQL injection, one of the main tools used to compromise web sites, is on the decline due to a broader understanding of the issue in the web development community.
  • Taking offline Silk Road 2 and another 400 hidden services in the dark net has created a shock in the TOR community, at both the attackers' and TOR users' ends.

But there is a dark side of the threat landscape of 2014:

  • SSL and TLS, the core security protocols of the internet, have been under massive stress after a number of incidents unveiled significant flaws in their implementation.
  • 2014 can be called the year of data breach. The massive data breaches that have been identified demonstrate how effectively cyber threat agents abuse security weaknesses of businesses and governments.
  • A vulnerability found in the BASH shell may have a long term impact on a large number of components using older versions, often implemented as embedded software.
  • Privacy violations, revealed through media reports on surveillance practices have weakened the trust of users in the internet and e-services in general.
  • Increased sophistication and advances in targeted campaigns have demonstrated new qualities of attacks, thus increasing efficiency and evasion through security defences.
The report does include a summary table of trends (Page 4) that the reader may find useful.  A copy of the table is shown below with some highlights on the areas declining and a note about ransomware.

Lastly, one area the report raises as a new focus is "Cyber-Physical Systems."  These are engineered systems that interact with computing equipment and are integrated to control, manage and optimize physical processes.  The areas of concern they mention are power supply, medical systems/healthcare, industrial systems and manufacturing, transportation, telecommunication, etc.  The report includes a table (below) of the Top Emerging (Preliminary) Threats to CPS (Page 67):

Overall, the report is of excellent quality and is a useful summary of the cyber issues of 2014.


Thursday, December 11, 2014

History of Industrial Controls Cybersecurity -- White Paper

Several months ago Mike Assante -- SANS project lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security -- and I were talking about some ideas for SANS Analyst white papers, and an idea surfaced to prepare a white paper introducing the SANS reader to elementary industrial controls theory and to the chronology of ICS cybersecurity.

The paper has finally been posted at SANS and the link is:  http://ics.sans.org/media/An-Abbreviated-History-of-Automation-and-ICS-Cybersecurity.pdf 

Overall it was a fun paper to research and write with some good stories about the first Programmable Logic Controllers (PLCs).  Also, the chronology built by Mike Assante and Tim Conway and included in the paper is a great way to get oriented to the challenges in this domain which are broader than Stuxnet.