Friday, December 27, 2013

Job Opportunity - Industrial Control System Security Lead

My good friend Dave Tyson -- CISO at SC Johnson -- has asked me to pass along his current opening for someone to help with his industrial control systems (ICS) security.  The job posting is below.

If you are interested or you are aware of another qualified candidate, feel free to contact Dave with a resume at

### - ###

Industrial Control System Security Lead 

Global Information Security Team

Reporting to the Leader, Global Information Security Business Advisory (GISBA), the lead for the Global Product Supply (GPS) Information Security program is responsible for developing and managing the GPS Information Security program.

This leader will own and drive the global rollout of a more robust and formal approach to managing information security risk in the GPS environment. The structure of the program will be based on the goals, principles and strategy of the overall Global Information Security Enterprise Security Strategy at SCJ. At its core, this program will ensure appropriate security management while driving breakthrough performance in governing business-appropriate risk to data and systems. The GPS security lead will optimize team processes to ensure efficient and effective delivery of services in a 24x7 ‘follow the sun’ operating model.
Position Overview:

We are seeking a professional with a deep background in Industrial Control Systems Cyber Security Engineering and Architecture. The candidate is expected to be a visionary technologist and to demonstrate a combination of leadership, technical and program management skills. The successful candidate will lead both current security enhancement programs and the development of a sustainability effort to build a globally sustainable information security program.
· Identify new technologies, processes and programs to enhance security, reliability and customer experience.
· Identify operational issues and define design alternatives to address these issues.
· Act as a technical advisor and subject matter expert to internal stakeholders and partners.
· Coordinate with the Global Information Security Operations team for malware analysis and testing of remediation processes.
· Perform detailed and technical analysis of ICS and help integrate cyber security solutions worldwide.
· Maintain a superior knowledge of the cyber security capabilities of operating systems, networking devices, control systems, and vendor offerings.
· Maintain a working knowledge of applicable cyber security standards involving critical infrastructure, including those relating to process networks.
· Understand technical issues and their implications for the business, and be able to communicate them to management and other business leaders.
· Ability to effectively work in a matrix management environment
· Strong communication and presentation skills
· The ability to lead large groups and be a primary facilitator
· Strong written skills
· Comfortable working in a project-based / client-serving model
· Ability to lead and shape client expectations
· Help drive pursuits and engage in complex deals, matching outcomes to expectations
· Ability to work easily with diverse and dynamic teams
· Ability to work in a matrix management model
· Readiness to travel 25-50% initially
· Experience working in international organization roles
· 7-10+ years recent experience in a large enterprise environment
· Demonstrated experience with implementing and maintaining security in large, complex Industrial Control System environments
· Experience with securing SCADA, PLC, and HMI systems, etc.
· Strong networking background with a minimum of 3 years of networking experience in routing, switching, network security and packet analysis
· Experience in the capabilities and/or configuration of cyber security controls, specifically those relating to firewalls, access control, authentication, anti-virus/anti-malware, patching and hotfix, logging and SIEM
· Ability to train, manage and assist co-workers on all aspects of security awareness, controls and compliance
· Superior written, presentation, and verbal communication skills
· Exceptional organizational, interpersonal and team skills
· Ownership orientation to solving problems
· Information security and data protection skills are desired
· Experience managing and leading
· Ability to pass a detailed security background screening
· Education – Bachelor’s degree or equivalent education and experience
· Professional Certification – CISSP, CPP or equivalent will be considered advantageous

Tuesday, December 17, 2013

Neuroscience, Risk and Security

For years I have been a student and practitioner of security – both cyber and physical.  My initial years focused on the “Security 101” elements with a “castle and moat” approach for both physical assets and cyber (i.e., the “walls” were “firewalls”).  Over time, however, I’ve realized that there is more to security than wondering about the bits and bytes or the size of chain-link fence mesh.  Instead, I’ve begun to recognize more and more that the human element – that is, the attacker and the defender – needs to be studied and recognized as a key element.

(Artwork from Microsoft Open Source)

I’ve realized – with some considerable influence from Bruce Schneier in his seminal essay “The Psychology of Security,” and from other thought leaders in the security space such as Kirk Bailey at the University of Washington or Robert Coles at GlaxoSmithKline -- that you need to understand what motivates the attacker and what helps the defender recognize new ways and means of defending against the wily aggressor.

In other words, I came to realize that neuroscience should play a key role in helping security professionals understand the attacker’s “brain” so to speak and thus their motivations.

Samad Aidane PMP

Last night I had a fascinating discussion on this very subject with my friend and colleague Mr. Samad Aidane.  Samad and I first met in 2004 or so when I was the information security manager/CISO at the Port of Seattle.  Samad was a newly hired project manager.  Since then we have both expanded our horizons and Samad has evolved his expertise in the realm of neuroscience and project management as well as risk.

Anyway, our conversation last night revolved around Samad’s new research and focus on the neuroscience behind effective project management and risk.  In fact, Samad has even begun a blog at to expand his and his readers’ awareness of neuroscience and leadership.  I’d like to suggest you take a look at his blog and get a sense of his perspectives on this new science.

A key take-away from my conversation with Samad was that how the brain functions when analyzing risk may be excellent knowledge for security and risk professionals to leverage when dealing with risk analysis decisions.  Similarly, understanding how the brain functions when establishing attack and defense concepts may be very useful to the cyber and physical security defender.  And, of course, if you lean on the concept of “Assumption of Breach”[1] for your enterprise cyber and physical defense, perhaps knowing how the brain functions and reacts could be very useful.

I am excited about the new ideas raised by Samad last evening and I look forward to our next meeting and discussions.  In the meantime, take a moment to look at Samad’s website and review some of his ideas.  You may see a sliver of some new concepts for the security profession to lean on as we try to stop the bad guys!

[1] For my past articles on this subject please go to my article in Asian Power at or my article in SearchSecurity at

Saturday, December 7, 2013


A few weeks ago I prepared a blog for Tofino Security summarizing the key aspects of the DRAFT NIST Cybersecurity Framework.  I guess I hit the target because the blog has been posted on a few other sites and referred to in some Tweets.

(From Cover of National Infrastructure Protection Plan -

Anyway, for my readers, my original submittal for the Tofino blog is posted below.

But, don't forget, NIST has requested comments on the Cybersecurity Framework by Friday, December 13th.

Take care, have a great and safe week, and here is the blog.................Ernie


You may have heard a bit of buzz in the US national and even international press about the release of the Cybersecurity Framework Draft from the US National Institute of Standards and Technology (NIST).  However, you may not know about its background or what it may mean to you as a control systems manager.  As such, this is intended to give you a high level overview of the genesis of this document and give you some points of reference.

As we realize more and more every day, our national infrastructure – in Canada, the US or any country for that matter – is very important to our economies as well as our own national defense.  Because of concerns over continued cyber attacks on US national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing, etc. – President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. 
This document is fondly referred to as the “EO.”

The EO also called for development of a voluntary Cybersecurity Framework to provide a “…prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to thus manage cybersecurity risk.

Critical infrastructure is defined in the EO as “…systems and assets – whether physical or virtual – so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  Example industry sectors – and the corresponding Federal oversight agency -- considered as “critical infrastructure” include[1]

As a follow-up to the EO and Presidential Policy Directive 21 (PPD-21), NIST was assigned responsibility for development of the Framework in collaboration with industry.  The Framework is intended to provide guidance to an organization on managing cybersecurity risk.  A key objective of the Framework is to encourage organizations to treat cybersecurity risk as a priority on par with financial, safety and operational risk, while factoring in the larger systemic risks inherent to critical infrastructure.

In other words, cybersecurity risk and considerations need to be included in the day-to-day discussions at your company or organization as you expand your business, build new facilities, install new equipment and hire new people.

Let’s Talk About the Framework
First, the EO instructed NIST to be the lead in developing the Framework.  As such you can find the Framework DRAFT document and supporting information at

And, what does the Framework contain?  The Cybersecurity Framework shall:
  • include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
  • incorporate voluntary consensus standards and industry best practices to the fullest extent possible; and
  • be consistent with voluntary international standards when such international standards will advance the objectives of this order.

And, what is the Framework supposed to do?  The Framework:
  • shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk;
  • shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure;
  • will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations;
  • should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks; and
  • shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

So, with the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:

  • Describe their current cybersecurity posture (and a semblance of maturity level)
  • Describe their target state for cybersecurity
  • Identify and prioritize opportunities for cybersecurity improvement within the context of risk management
  • Assess progress toward the target state, and
  • Foster communications among internal and external stakeholders.

A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cybersecurity risk management process and cybersecurity program.  Instead, the organization can keep its current processes and use the Framework to identify areas where its cybersecurity risk management should improve.  The Framework can also help a company that does not yet have a cybersecurity program, by giving it the key elements to build one around.

So, What Should You Do with the Framework?
First of all, take a look at the list of the critical infrastructures listed above.  Does your company fall into any of those categories?  If not, is your company substantially reliant on any of those key infrastructures for your success and even existence?  If the answer to either is YES then I’d suggest you take time to read the Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.

Secondly, acquaint your Executive Management and Board Members with the Framework.  Give them a sense of how your company stands today relative to the Framework Implementation Tiers listed.  Use this as a means of highlighting your organization’s “…cybersecurity maturity level…” and if you aren’t at the top, use it to highlight the resources (i.e., people, time and money) you need to raise your game.

Thirdly, take a hard look at the Framework and even “test drive” it as it stands.  Be sure to provide comments back to NIST as described at their page “Request for Comments on the Preliminary Cybersecurity Framework.”  Comments are requested before December 13, 2013.

Final Thoughts
When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled.  Instead it provides a set of performance objectives for your cybersecurity risk program to achieve for your prioritized list of key assets.  But also, it is not a “how-to” on building a security program.

So, even for our Canadian friends, be sure to take time to look the Framework over. 

[1] From the corresponding Presidential Policy Directive (PPD) 21, “Critical Infrastructure Security and Resilience,” which was issued at the same time as the EO. Link: