Tuesday, August 11, 2015

Self-Development for Cyber Warriors

Because of my 15+ years in cyber security and my roles in cyber security management, I am often asked about career development and ways to advance to CISO-level positions.  I usually suggest certifications and experience as the best starting points; however, I recently came across a really useful document from the Small Wars Journal written by Gregory Conti, James Caroland, Thomas Cook and Howard Taylor.



In 2011, Conti et al. wrote Self-Development for Cyber Warriors.  You can download the full article at http://smallwarsjournal.com/sites/default/files/893-conti.pdf .

Although this is intended for military personnel advancing within US Cyber Command, there are many good -- no, EXCELLENT -- ideas written down here to guide someone toward becoming a smarter and more valuable cyber security professional.

Some key elements of this 34-page document include:

  • Key Categories of Cyber Expertise
  • Professional Reading (Books, Sci-fi)
  • Technology News, Magazines and Blogs
  • Cyber Warfare Journal and Magazine Articles
  • Doctrine and Policy
  • Professional Societies and Local Gatherings
  • Academic, Military, Government and Hacker Conferences
  • Videos and Podcasts
  • Movies
  • Training, Education, Certification and Self-Study
Starting on page 26, the authors provide five different "Self-Development Roadmaps" for military officers and NCOs at different stages of their cyber careers.  Despite the focus on military career elements, the Roadmaps offer great ideas for everyone from the new cyber student to the seasoned cyber expert.  Look over the Roadmaps for ideas and then build your own.

Lastly, Table 12 offers a "heat map," if you will, of various topics: based on which Cyber Workforce you are in (or want to be in), you can gauge the importance of the various sectors and areas of specialization.  An excerpt of the table is included below:


Overall, I wish I had had this resource when I was just starting out in the field.  And even though it was written in 2011, the guidance is timeless and can provide a super foundation for your own and your cyber co-workers' career growth.

Well done to Messrs. Conti, Caroland, Cook and Taylor!  Thanks for the contribution to the cyber society!

###

Monday, August 10, 2015

Pervasive Sensing and Risk Implications

For the past four years I have been taking one class a quarter toward a Master's in Infrastructure Planning and Management, offered by the College of Built Environments at the University of Washington in Seattle.

This program is unique: the classes are entirely online, and I've not seen one like it in my global travels.  It is a fantastic program covering a broad range of critical infrastructure issues (e.g., transportation, water systems, emergency management, etc.) and also offers supporting training in areas such as capital budgeting/finance for government.  Overall I was very impressed with the faculty and the level of education.

Well, the end is in sight!  The final assignment due this week is to submit the final Capstone and to prepare a 10-minute summary presentation of its contents for YouTube.

The title of my Capstone is: Pervasive Sensing and Industrial Control System Risk Implications.



The YouTube link for the 10-minute narrated PowerPoint is at:  https://www.youtube.com/watch?v=yyQbUBIVWIo

I hope you will find this presentation informative and thought-provoking.

Lastly, apologies to those of you who were already made aware of this presentation via a separate Twitter and LinkedIn announcement a few days ago.

Cheers!

###

Thursday, July 9, 2015

Insurance and a US Electric Grid Blackout - A Compelling Read

On July 8, 2015, Lloyd's of London published an excellent report Business Blackout - The insurance implications of a cyber attack on the US power grid.  

(The same day as the United Airlines, Wall Street Journal and New York Stock Exchange cyber events...hmmm, any coincidence?)



This 65-page report is an excellent analysis of the insurance and economic impact on the US following a theoretical cyber attack on the Northeastern corridor, affecting Boston to Washington, DC.  The report is a compelling read for anyone in the cyber security or critical infrastructure domains -- at a minimum, the analysis by Lloyd's and the Cambridge Centre for Risk Studies team (University of Cambridge Judge Business School) gives you pause and prompts you to a) better understand the interdependency of infrastructures and b) learn ways to consider the economic impacts of such events.

Key sections of the report include:

  • Executive Summary
  • Introduction to the Scenario
  • The Erebos Cyber Blackout Scenario
  • Direct Impacts to the Economy**
  • Macroeconomic Analysis**
  • Cyber as an Emerging Insurance Risk**
  • Insurance Industry Loss Estimation
  • Annex A:  Cyber Attacks Against Industrial Control Systems since 1999
  • Annex B:  The US Electricity Grid and Cyber Risk to Critical Infrastructure
  • Annex C:  Constructing the Scenario - Threats and Vulnerabilities
** = Focus your reading here...

For some key "bullets" on the report and the scenario, the following were extracted from the Lloyd's web page:


  1. The attackers are able to inflict physical damage on 50 electric generators which supply electrical power in the Northeastern USA, including New York City and Washington, DC.
  2. While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region), it triggers wider blackouts that leave 93 million people without power.
  3. The total impact to the US economy is estimated at $243B, rising to more than $1T in the most extreme version of the scenario.
  4. Insurance claims arise in over 30 lines of insurance.  The total insured losses are estimated at $21.4B, rising to $71.1B in the most extreme version of the scenario.
  5. A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  6. The sharing of cyber attack data is a complex issue, but could be an important element for enabling the insurance solutions required for this key emerging risk.


Hat tip to Eireann Leverett, Senior Risk Researcher and member of the ENISA ICS Security Stakeholders Group for passing along this analysis.

CONCLUSION

If you are involved with critical infrastructure -- especially the electric grid -- take time to read this report cover-to-cover.  If you are worried about the economic impacts of cyber on your business -- read this report to understand the interdependencies.

###




Tuesday, June 30, 2015

Control Engineering 2015 Cyber Security Study

Yesterday I posted a review of the recent SANS State of Industrial Control Systems Survey.  You can find that posting here.

Today I'd like to tell you about another interesting and equally disconcerting survey about the status of today's industrial control system security posture.

Each year Control Engineering Magazine conducts a survey of its readers to evaluate cyber security implementation, resources and training for industrial control systems.  Their 2015 Cyber Security report was issued this June.  A summary of the study posted by Control Engineering is located here.


The Control Engineering report is essentially in presentation format: a collection of graphs of the data collected.  It is a pretty easy and quick read and offers data similar to the SANS Survey.

Statistics and Findings

The Control Engineering analysis included data collected from 284 respondents in the first quarter of 2015.  The report includes the following summary findings:

1.  Threat Levels:  47% of respondents perceive their control systems to be "moderately" threatened by cyber attacks.  25% say theirs is "highly" threatened and 8% are at the "severe" threat level.

2.  Most Concerning Threat:  Responses included:

  • 35% consider malware from a random source the most concerning threat
  • 18% are worried about loss of intellectual property
  • 8% fear attacks from "hacktivists" with political or environmental agendas.
3.  Most Vulnerable System Components:  The components of most concern include:
  • Connections to other internal systems (SANS is similar)
  • Computer assets running commercial operating systems (Same as SANS)
  • Network devices
  • Wireless communication devices and protocols
  • Connections to the field SCADA networks
4.  Vulnerability Assessments:  39% of those surveyed said their last vulnerability assessment was performed within the last six months (Good!); while 16% have never executed one (Not So Good).

5.  Publicly Reporting Incidents:  66% of those surveyed say publicly reporting cyber-related incidents would benefit the industry.  36% agree that the biggest problem with public reporting is the fear of losing consumer confidence.

6.  Resources Used to Monitor Control System Cyber Security Events:
  • Anti-virus software (99%)
  • Network logs (89%)
  • Firewall logs (89%)
  • Intrusion Detection/Prevention (84%)
  • Whitelisting (76%)
Overall....

Overall, this is a useful survey to examine.  As I noted for the SANS ICS Security Survey, these reports should be reviewed and digested by security professionals responsible for ICS security and shared with their executive management to show them that security is a concern that should be theirs, too.

###










Monday, June 29, 2015

State of Industrial Control Systems Security - A SANS Survey

This month the SANS Institute published its annual survey, The State of Security in Control Systems Today.  The results were prepared by Messrs. Derek Harp (SANS) and Bengt Gregory-Brown (Sable Lion Ventures LLC).



You can download the report from the SANS Reading Room at:  https://www.sans.org/reading-room/whitepapers/analyst/state-security-control-systems-today-36042 

Some Thoughts...

The report is a quick and useful read.  I'd highly recommend that not only ICS Security Professionals read and digest this report but also it be shown to the skeptical executives in their organization.

So, here are some key bullets gleaned from my read:

  • Top four concerns by those surveyed include:
    • Ensuring reliability and availability (68%)
    • Lowering risk/improving security (40%)
    • Preventing damage (28%)
    • Ensuring health and safety (27%)
  • Rapid detection of security incidents on ICS is key because the longer the breaches remain unknown, the greater the potential impact.
  • The integration of IT into control system networks was chosen by 19% of respondents as the single greatest threat vector.  The top three threat vectors were a) External Threat, b) Internal Threat, and c) Integration of IT into the Control System Networks.
  • 74% of respondents believe that their external connections are not fully documented.  (Ugh!)  Simply identifying and detailing connections and attached devices in a network is a key step to securing it.
  • Another challenge highlighted in the survey is a lack of visibility into control system equipment and network activity.  This inhibits progress in securing assets and reduces the accuracy of self-evaluations.
Read the Margin Notes!

One editorial and formatting aspect of the report I liked was the inclusion of marginal notes called TAKEAWAYs.  These notes are practical ideas for the ICS security person to implement -- or at least consider -- when protecting their ICS systems.  A few examples of the TAKEAWAYs are:
  • Know what is normal.  Lack of visibility into control system networks is one of the greatest barriers to securing these resources.  Without awareness of normal communications and activity, it's impossible to properly evaluate or improve security of assets.  Operations and security staff must be able to visualize and verify normal network operations to detect and assess possible abnormalities and respond to potential breaches.
  • Gain visibility into control system networks.  Map all devices, physical interconnections, logical data channels and implemented ICS protocols among devices, including read coils, write registers, scans and time stamps.  Establish a fingerprint of normal control network activity and communication, including communication patterns, schedules and protocols.  Then, establish device logging, strict change management and automated log analysis based on your baseline data.
  • Integrate security into procurement and decommissioning processes.  Establishing security of software or devices is cheaper, easier and more effective prior to deployment.  The burden of maintaining security is lighter when you start from a secure state.  And, security should be included in the decommissioning and removal of devices to avoid opening serious vulnerabilities.
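The "know what is normal" and "gain visibility" takeaways describe a baseline-then-detect approach: record which hosts talk to which devices, with which function codes and at what cadence, then alert on anything that departs from that fingerprint.  Below is an added example of that idea in Python; it is not code from the SANS report or from this post's author.  The flow records are constructed for illustration (hypothetical addresses 10.1.0.x, a Modbus-style unit id and function code per record) and would in practice come from a passive tap or switch SPAN port feeding a protocol-aware parser.

```python
"""Baseline-then-detect for a control network (added example, constructed data).

Each record is (src, dst, unit_id, function_code, timestamp_seconds).
Phase 1 learns the set of normal (src, dst, unit, fc) conversations and the
median interval between messages for each.  Phase 2 flags three deviations
the SANS takeaways call out: an unseen conversation, a write from a host
that only ever read, and a poll rate far faster than the baseline.
"""
from collections import defaultdict
from statistics import median

# Modbus function codes: reads vs. writes (the common subset, for illustration)
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Constructed "learning window": an HMI (10.1.0.5) polls PLC 10.1.0.20 unit 1
# with FC3 every 2 s, and an engineering workstation (10.1.0.7) writes
# registers (FC16) about once a minute.  Hypothetical addresses.
BASELINE_RECORDS = [("10.1.0.5", "10.1.0.20", 1, 3, float(t)) for t in range(0, 21, 2)]
BASELINE_RECORDS += [("10.1.0.7", "10.1.0.20", 1, 16, 5.0),
                     ("10.1.0.7", "10.1.0.20", 1, 16, 65.0)]

# Constructed "observation window" containing normal polls plus three anomalies.
OBSERVED_RECORDS = [
    ("10.1.0.5", "10.1.0.20", 1, 3, 100.0),   # normal poll
    ("10.1.0.5", "10.1.0.20", 1, 3, 102.0),   # normal poll, 2 s later
    ("10.1.0.99", "10.1.0.20", 1, 3, 102.5),  # host never seen before
    ("10.1.0.5", "10.1.0.20", 1, 16, 103.0),  # HMI writes; it only ever read
    ("10.1.0.5", "10.1.0.20", 1, 3, 104.0),   # normal poll
    ("10.1.0.5", "10.1.0.20", 1, 3, 104.1),   # 0.1 s later: 20x the baseline rate
]


def build_baseline(records):
    """Return (allowed conversations, median interval per conversation)."""
    allowed = set()
    times = defaultdict(list)
    for src, dst, unit, fc, ts in records:
        key = (src, dst, unit, fc)
        allowed.add(key)
        times[key].append(ts)
    intervals = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        intervals[key] = median(gaps) if gaps else None  # None: seen only once
    return allowed, intervals


def detect(records, allowed, intervals, speedup=5.0):
    """Return [(record, reason)] for records that deviate from the baseline.

    speedup is how many times faster than the median interval a poll must be
    before it is flagged; 5x tolerates jitter but catches scans and floods.
    """
    writers = {(s, d, u) for (s, d, u, fc) in allowed if fc in WRITE_FCS}
    last_seen = {}
    alerts = []
    for rec in records:
        src, dst, unit, fc, ts = rec
        key = (src, dst, unit, fc)
        if key not in allowed:
            if fc in WRITE_FCS and (src, dst, unit) not in writers:
                alerts.append((rec, "write from host with no write baseline"))
            else:
                alerts.append((rec, "unseen conversation"))
        else:
            base = intervals.get(key)
            prev = last_seen.get(key)
            if base and prev is not None:
                gap = ts - prev
                if gap * speedup < base:
                    alerts.append((rec, f"interval {gap:.1f}s vs baseline {base:.1f}s"))
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    allowed, intervals = build_baseline(BASELINE_RECORDS)
    for rec, reason in detect(OBSERVED_RECORDS, allowed, intervals):
        print(f"ALERT {rec[0]} -> {rec[1]} unit {rec[2]} fc {rec[3]} @ {rec[4]}: {reason}")
```

The baseline here is deliberately simple (a set of tuples and a median interval); in a real network you would also fingerprint register ranges read and written per device, and re-learn the baseline only through your change-management process so that an attacker's traffic cannot quietly become "normal".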
Again, a great job by SANS, Derek and Bengt!  Take the time to download and read this report and take advantage of the ideas to improve the security of your ICS networks.

###

Friday, June 5, 2015

NIST Publishes Updated ICS Security Guide (Rev 2)

Just a quick note...

NIST announced today that it has published Rev 2 of the Guide to Industrial Control Systems (ICS) Security, SP 800-82!

Great news!  This is a super document to use as a daily reference for ICS security and general knowledge and a great starting point for those who want to learn more about ICS.


You can read more about this release at:  http://www.nist.gov/el/isd/201506_ics_security.cfm

You can download the document (for Free) at:  http://dx.doi.org/10.6028/NIST.SP.800-82r2

CONGRATULATIONS TO KEITH STOUFFER AND HIS TEAM!  WELL DONE!

###





Sunday, May 31, 2015

Useful CIKR Resources

This post offers the reader two very useful resources focused on Critical Infrastructure and Key Resources (CIKR).  The second, a European-centric CIKR resource that students and professionals may find interesting, came to my attention through the George Mason Monthly CIP Report.

GEORGE MASON UNIVERSITY - MONTHLY CIP REPORT


Each month the George Mason University School of Law, Center for Infrastructure Protection and Homeland Security, publishes a newsletter focused on a different sector of CIKR.  This past month was on International Issues.  (BTW: The Center is moving to the School of Business in the next few months.)

You can subscribe to The CIP Report at no charge by going to this LINK.

You can visit the George Mason team at:  http://cip.gmu.edu/the-cip-report/   (The page view is below:)


Each month I look forward to this newsletter, which is really more like a journal focused on Critical Infrastructure Protection issues facing the US as well as the rest of the world.  As a CIKR professional you should benefit from the contemporary commentary in these monthly analyses.

(PS: The format is changing from a PDF to more of a web-based approach; however, the publication will still be sent out monthly.)

CIPEDIA (C): A CRITICAL INFRASTRUCTURE PROTECTION AND RESILIENCE RESOURCE

This month the immediate benefit from The CIP Report is an article prepared by three very notable European experts in the field of critical infrastructure and resilience.  The article is built around the CIPedia (www.cipedia.eu) web site, which is a "...Wiki-based body of common knowledge for the wide international community of critical infrastructure (CI) protection and resilience stakeholders such as policy makers, researchers, governmental agencies, emergency management organizations, CI operators and even the public."

CIPedia Home Page www.cipedia.eu

According to the article in The CIP Report, CIPedia is developed within the European Critical Infrastructure Preparedness and Resilience Research Network (CIPRNet) project.

Essentially, CIPedia is an international glossary on CIKR information.  CIPedia went public in mid-2014.

Of note, CIPedia is more than just a glossary -- as a CIKR portal it provides access to a list of CIP-related conferences, a table with web pointers to CIKR sector-specific glossaries and a pointer to the CIP bibliography.

Below is a screen shot of the CIPedia user links (left hand column).  You can see the links offer some more depth into other CIP-related areas:


CONCLUSION

If you are involved with Critical Infrastructure as a student or policy professional, you will probably find the George Mason monthly report very useful and timely.  Secondly, access to CIPedia and CIPRNet will increase your access to new documents and papers on CIKR from a European perspective.  For myself, just wandering around the sites for a few minutes surprised me with some of the work being done in Europe on cascading-events studies, as one example.

Take the time to subscribe to The CIP Report and be sure to save the links to the CIPedia and CIPRNet.

###