Thursday, December 11, 2014

History of Industrial Controls Cybersecurity -- White Paper

Several months ago Mike Assante -- SANS project lead for Industrial Control
System (ICS) and Supervisory Control and Data Acquisition (SCADA) security -- and I were talking about some ideas for SANS Analyst white papers and an idea surfaced to prepare a white paper introducing the SANS reader to elementary industrial controls theory and to the chronology of ICS cybersecurity.

The paper has finally been posted at SANS and the link is: 

Overall it was a fun paper to research and write with some good stories about the first Programmable Logic Controllers (PLCs).  Also, the chronology built by Mike Assante and Tim Conway and included in the paper is a great way to get oriented to the challenges in this domain which are broader than Stuxnet.



Sunday, November 30, 2014

Hazards of Decommissioned Equipment

In my global travels while performing inspections of power plants, factories and other critical infrastructure I often see equipment that is "decommissioned."  It is understandable that such equipment is left in place, since removing large, heavy equipment is expensive; however, I have often wondered aloud why the factory managers do not tag or identify the equipment as decommissioned.

One idea I've proposed is to place a large hot orange/hot pink tag on the decommissioned equipment so that personnel will recognize its status.  Even the occasional auditor or inspector may declare it a "Good Practice."

In the November 2014 issue of Control Engineering magazine J. B. Titus wrote a short but useful article about the "12 hazards of unused machinery." (Page 24)

J. B. notes the following:

"Even though a machine may no longer be active in the production process, this does not mean that the machine has been rendered hazard free..."

J. B. continues to observe that a decommissioned machine may pose one or more of the following hazards:

  1. Live electrical connections
  2. Compressed gases or fluids
  3. Charged tie rods
  4. Compressed springs
  5. Gravity
  6. Hazardous materials
  7. Rust
  8. Flammable or combustible material
  9. Abandoned conduit as a route for hazardous vapors
  10. Leakage
  11. Blocking emergency access
  12. Other machine, application, or environmental considerations 

I heartily agree with J. B. and wish I had his article handy during my previous inspections where I've highlighted concerns about decommissioned equipment and the hazards posed. The plant or factory management needs to recognize the risks with these "turned off pieces of equipment" and take mitigation actions.

Thanks to J. B. Titus for the brief article and thanks for giving more support for my arguments that decommissioned equipment is not a trivial issue.

### END ###

Wednesday, September 10, 2014

Fundamental Skills for Any Security Practitioner

As a consultant, teacher and author I am often asked about the key knowledge, skills and certifications required to be a "successful" CISO or security professional.  The questions are usually around such issues as "Should I get my CISSP or CISM?" etc.

My usual response is often focused on having the "fundamentals" down pat such as understanding the business and having strong communication skills -- especially with upper management and the groups you are supporting.

This past quarter in my Masters of Infrastructure Planning and Management at the University of Washington one of our assigned readings was in my Comprehensive Emergency Planning course (IPM501).  The reading was entitled, "Report of the 2013 Disciplinary Purview Focus Group: Scholarship and Research to Ground the Emerging Discipline of Emergency Management."

Sounds dull, doesn't it?

The report was written by a group of scholars studying the field of emergency management.  Their focus "...was to identify the body of scholarship and research related to emergency management's purview that could ground the discipline, particularly as it relates to the education of students."

The report had some interesting perspectives on the subject; however, my key takeaway -- and worthy of me spending time on this blog -- is Appendix J: Skills Emergency Management Students Should be Able to Demonstrate upon Graduation.

This Appendix lists the following skills -- of which I think any security professional should also have competence:

  • Verbal Communication
  • Written Communication
  • Interpersonal Communication
  • Group Communication
  • Network Building and Stakeholder Engagement
  • Analytical Thinking
  • Application of Research in Practice
  • Problem Solving
  • Decision Making
  • Leadership

So, to my friends, students and colleagues who ask me "What skills do I need to possess to be successful in the security field?": the list to follow is above.  Then work on your technical skills and certifications such as the CISSP, etc.

Thanks to my professor, Robert Schneider, Ed.D., Director of Emergency Management for Grant County, Washington, for this reading requirement.  Appendix J made it worth the read.


Tuesday, July 29, 2014

Mr. Gisli Olafsson -- A True and Proven Crisis Leader

I am currently a student in the University of Washington Masters of Infrastructure Planning and Management (IPM) program.  This quarter I am taking IPM501, Comprehensive Emergency Management.  As part of this course one of our required readings is an excellent crisis leadership book by Mr. Gisli Olafsson entitled The Crisis Leader.

We were very fortunate to "virtually meet" Mr. Olafsson on an Adobe Connect lecture on July 29th where Mr. Olafsson took 90 minutes to highlight his experiences as an urban search and rescue leader including his experience as a team leader for Iceland's International Urban Search and Rescue team (ICE-SAR) immediately after the tragic earthquake hit Haiti in 2010.

Overall, Mr. Olafsson is a very compelling and experienced emergency response manager and leader with some excellent -- albeit tragic -- stories from his experiences responding to disasters around the world.  In his lecture he raised some excellent comments and ideas about the role of leadership during a crisis.  Some of the key ideas and comments he raised are captured below:

CL = Y + T + R

The equation above is one way Mr. Olafsson tried to explain what crisis leadership includes and entails.  The terms are first interpreted as:

CL = Crisis Leadership
Y = You
T = Team
R = Response

In summary he used this equation as a way to help capture some key aspects of personal leadership.

Y = You

You need to know yourself -- you need to know how you react under times of stress and crisis and how you deal with events -- including those events with substantial amounts of death and destruction.  You need to understand your emotions, fears and how to deal with these psychological arrows so you can be an effective leader.

Mr. Olafsson pointed out that key to the "You" aspect is to realize that you need to trust your team and their capabilities in order to control and even block your fear.  You need to be prepared for the task at hand by knowing your own strengths and weaknesses.  You also need to be physically and psychologically fit to endure the long hours and stressful conditions.

T = Team

Paramount elements for leadership success include being resilient (also referred to as "Semper Gumby," a reference to the very flexible cartoon character).  Secondly, you need to always be preparing through planning and exercising.

Mr. Olafsson noted, as a rule of thumb from the World Bank document Natural Hazards, Unnatural Disasters, that for every hour of preparation spent you can expect to save six hours of effort; similarly, for every dollar spent you can expect to save six dollars.

You want to build your team so that you are a "...leader of leaders..." where the team members are empowered to not only do their job but also to fill the role as a leader as required for the situation and based on their technical specialties/expertise.  Don't be a micromanager but lead your "leaders" so they are effective and the job gets done.

R = Response

Response to a crisis is a key reason why you are at the disaster.  But, you are surrounded by many challenges ranging from the disaster itself to the weather to the debris field to the emotional survivors and even to the smell.  First you need to focus -- block the external stimuli and do your task at hand.  Secondly, take advantage of the intelligence and help that can be provided by the local population affected by the disaster.  Apparently FEMA in the U.S. refers to this concept as "Survivor-centric Response."

Responding requires a team with solid morale.  As noted in Chapter 25, "Team Morale," Mr. Olafsson states, "No matter which way it starts out, one of your crucial roles as a leader is to ensure that you keep morale high, even during the most difficult times.  Your ability to do that depends on a number of things including:
  • Your rapport with team members...
  • Your ability to read others...
  • Your ability to understand how the situation is affecting people..."


If you are a leader of any sort -- but especially one placed -- or potentially placed -- into an emergency situation or worse yet a disaster, I would highly recommend you take time to read, digest and contemplate the excellent and field-proven advice offered in this book by Mr. Olafsson.  As a 40+ year leader myself, I found his advice to be "...right on..." and useful for my professional and personal leadership roles.

Mr. Olafsson's website is: and he can be followed on Twitter @gislio


Tuesday, July 22, 2014

FERC Requires Changes to NERC CIP-014 - Physical Security of Substations

On Thursday, July 17, 2014, the Federal Energy Regulatory Commission (FERC) published a Notice of Proposed Rulemaking (NOPR) that proposed to approve CIP-014-1, Physical Security (PDF), with two modifications.

The NOPR did find that the proposed CIP-014-1 standard "...largely satisfies the directives in the (March 7, 2014 FERC) order.  However, the Commission proposes to direct NERC to develop a modification that would specifically allow governmental authorities, including FERC or another appropriate federal or provincial authority, to add or subtract facilities from an entity's list of critical facilities."

FERC does note in its announcement that it expects the addition/subtraction of substations to be exercised only "rarely."

The second proposed modification from FERC directs NERC to "...revise wording that it believes could narrow the scope and number of identified critical facilities.  Specifically the NOPR seeks comment on the Commission's concern that NERC's use of the phrase 'widespread instability' rather than 'instability,' as stated in the March order, could create ambiguity since the term 'widespread' is not defined."

The NOPR also requests NERC submit two informational reports.  The first report would have NERC analyze whether CIP-014-1 should be applicable to additional types of facilities beyond substations.  The second report would have NERC provide analysis on grid resiliency exploring what can be done beyond CIP-014-1 to maintain reliable operation of the Bulk Power System when faced with the loss or degradation of critical facilities.

Crescendo of Activities Focused on Physical Security of Substations

In addition to the quick response by FERC after Pacific Gas & Electric's Metcalf substation was physically attacked in California on April 16, 2013, there have been several meetings and analyses produced examining how the industry should respond to physical attacks on critical substations.  For instance, at the National Association of Regulatory Utility Commissioners (NARUC) summer meeting in Dallas on July 16, 2014, NARUC passed a resolution on physical security of the electric grid (PDF).

Overall, an excellent summary of the current situation regarding physical security concerns for the electric grid is the June 17, 2014 Congressional Research Service (CRS) report Physical Security of the U.S. Power Grid: High-Voltage Transformer Substations (PDF).  This report is an encyclopedic review of the current state of physical security concerns and issues related to the larger transformers and substations.

A parenthetical observation from this report is on page 8 of the report regarding physical movement of the large transformers in an emergency.  The paragraph noted is cited below:

"Within the United States, transportation of HV transformers is difficult. Due to their size and weight, most HV transformers are transported on special railcars, each with up to 36 axles to distribute the load. There are fewer than 20 of these railcars in the United States rated to carry 500 tons or more, which can present a logistical problem if they are needed in a transformer emergency. Some specialized flatbed trucks can also carry heavy transformer loads over public roadways, but the few such trucks that exist have less carrying capacity and greater route restrictions than the railcars because HV transformers may exceed highway weight limits."

Expect More Discussion in the Future

With the recent announcement from FERC, the very recent resolutions from NARUC, and the tragic events associated with current wars in Europe and the Middle East, it would not surprise me if there are more conversations regarding the physical protection of the electric and gas grids.


Friday, June 20, 2014

Must Read for CyberWar Students and Spectators

I've just returned from an interesting and exhausting ICS security trip to Nigeria, Egypt and Dubai -- and as I was catching up on my reading I came across an excellent and well-written article regarding nation-state attacks on our critical infrastructure.  Kudos to Mike Riley and Jordan Robertson of Bloomberg!

The article in Bloomberg is UglyGorilla Hack of U.S. Utility Exposes Cyberwar Threat.

Rather than resummarize the article I'd strongly suggest you read it and think about the implications of the content.

It is pretty ugly.

Anyone who thinks we are ahead of the cyber attackers/criminals is sadly mistaken.

As noted by Representative Mike Rogers, R-Michigan: "This is as big a national security threat as I have ever seen in the history of this country that we are not prepared for."

Read and ponder....


Wednesday, June 11, 2014

OPINION: Does the NIPP Account for Infrastructure Neglect? Climate Change?

I am currently a candidate for a Masters in Infrastructure Planning and Management (IPM) at the University of Washington.  In my recent class on Transportation Infrastructure we prepared a response to a question regarding the Department of Homeland Security's (DHS) National Infrastructure Protection Plan (NIPP).

The question posed is in the box below; however, to answer the question a brief history of the NIPP and its development post 9/11 is summarized first.

I think you will find this an interesting read, and it may make you wonder about the true value of the NIPP in today's environment.

Assigned Question

Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect? Should it? Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change? Would our national resources be better spent on maintenance activities as opposed to protection or adaption?


The question posed above is one that requires some background history and assimilation prior to finally offering a view.  Therefore, this discussion first highlights the history of the National Infrastructure Protection Plan (NIPP) – its genesis and modification.  Then at the end of the discussion responses to the questions posed above for this assignment are provided.

Genesis of National Infrastructure Protection Plan

On December 17, 2003, Homeland Security Presidential Directive 7 (HSPD-7)[1] was issued by President George H. W. Bush.  The stated purpose of this Directive was:

1.  This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

Similarly in the Policy portion of HSPD-7 the emphasis again was on protecting critical assets from terrorist attack.  Paragraph 7 notes:

Later in HSPD-7, regarding implementation of the HSPD, Paragraph 27 notes that the Secretary of Homeland Security is to “…produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection…”  The remaining implementation requirements are shown below:

In summary, HSPD-7 was originally focused on protecting critical infrastructure from terrorist attacks, with assigned responsibilities to the Secretary of Homeland Security.  The implementation directive was not specific to terrorist threats; however, that focus was implied by the stated purpose of the HSPD and its ultimate implementation mandates.

In 2006 the first issue of the National Infrastructure Protection Plan (NIPP) was issued by Department of Homeland Security (DHS) Secretary Chertoff.  The specific goal of the NIPP is noted below from Page 1 of the document.  As the reader can observe, the focus is intended to prevent, deter, neutralize, or mitigate effects…by terrorists…  That is the key emphasis of this plan, in this writer’s opinion.  But it is agreed that there is some parenthetical response to “…natural disasters and other emergency.”

The theme of Secretary Chertoff’s Preface in the first NIPP was still primarily focused on terrorist threats, although there was some discussion about protection of CI/KR from natural disasters.  Overall, however, the term “Attacks” was used repeatedly throughout the document (I stopped counting at 20 instances) and not once was there a reference to climate or climate change – only “natural disasters.”  And upon a quick survey, the term “natural disasters” was almost always used in the same sentence as “terrorist.”

The conclusion regarding the 2006 NIPP is that it was issued in response to the terrorist threat, which was in keeping with HSPD-7, issued in 2003 following the terrorist events of 9/11.

2009 NIPP

A new version of the NIPP was promulgated in 2009.  The goal of the NIPP remained the same as the 2003 edition, except that it showed the evolution of the programs and processes first introduced in 2006 and was developed collaboratively with the CI/KR partners at all levels of government and the private sector.

Again the emphasis still appears to be focused on terrorist attacks, with minimal inclusion of references to natural disasters and no references to climate change.

On a statistical note, the term “Attack” is used 114 times; “terrorist” is used 157 times; “natural disaster” is used 37 times; and “climate change” is not used at all in the 2009 NIPP.

NIPP 2013 Partnering for Critical Infrastructure Security and Resilience

In February 2013, President Obama issued Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience[2], which explicitly calls for an update to the NIPP. As noted by the 2013 NIPP, this update is informed by significant evolution in the critical infrastructure risk, policy, and operating environments, as well as experience gained and lessons learned since the NIPP was last issued in 2009.  The revised NIPP expands the view of the threats to critical infrastructure as depicted in the graphic (Figure 2) from page 8 of the NIPP.

As the reader can observe, the focus on terrorist attacks has been substantially reduced to a more balanced perspective along with extreme weather, accidents, cyber-attacks, etc.

Also, as a comparison, the term “terrorist” is only used six times in the 2013 NIPP, thus demonstrating a more balanced approach to protection of critical infrastructure.

The 2013 NIPP also demonstrated a more balanced approach to critical infrastructure protection when it included the seven core tenets listed below:

  1. Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.
  2. Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.
  3. Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.
  4. The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.
  5. Regional and State, Local, Tribal and Territorial (SLTT) partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.
  6. Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance, and other cooperative agreements.
  7. Security and resilience should be considered during the design of assets, systems, and networks.

Overall, the NIPP from its inception in 2003 to the 2013 edition has evolved from one focused on terrorist attacks and defense to one of a more balanced, all-hazard approach.  The 2013 NIPP has also provided an updated approach to not only critical infrastructure security but also to resilience.

Responses to Discussion Questions

With the background history provided, my responses to the questions posed include the following:

  • Do you think that the infrastructure protection plan as proposed by the Department of Homeland Security accounts for infrastructure neglect?

    • Sadly, the NIPPs of 2003 and 2009 were both very focused on terrorist attack and defense, and as such infrastructure neglect was not even considered.  The 2013 NIPP does allude to a more holistic approach, especially in Tenet #7, which discusses “Security and resilience … considered during the design of assets, systems and networks.”

    • On page 18 of the 2013 NIPP there is a discussion focused on risk management that takes into consideration the following elements:

      • Identify, Deter, Detect, Disrupt, and Prepare for Threats and Hazards
      • Reduce Vulnerabilities
      • Mitigate Consequences

    Of interest, the “Reduce Vulnerabilities” element includes the statement “Employ siting considerations when locating new infrastructure, such as avoiding floodplains, seismic zones, and other risk-prone locations.”  This appears to at least try to address some elements of extreme weather (possibly due to climate change) for new designs, but again, I did not see any discussion specific to maintaining and upgrading current infrastructure.  That said, the “siting considerations” can be – and should be – included in current infrastructure maintenance and upgrades as well as for new critical infrastructure such as roads, etc.

    Under the discussion “Mitigate Consequences” there is a bullet that also could be related to current infrastructure: “Repair or replace damaged infrastructure with cost-effective designs that are more secure and resilient.”  Hence, there is a subtle element of support for improving infrastructure with “…designs that are more secure and resilient…” but only if it is damaged, not if it is currently usable but needs upgrades for increased resilience.

  • Should it?

    • Yes, it makes sense that emphasis on existing infrastructure should be sustained as well as improved via such approaches as corrective and preventive maintenance, design upgrades and improvements, etc.  As a suggestion for future editions of the NIPP, there needs to be particular emphasis and focus on current assets as well as future ones.  Also, future NIPP editions should allow for some means of assessment and prioritization of current assets for design upgrades and corrective/preventive maintenance regardless of whether the infrastructure has failed (yet) or not.

    • As I prepared this discussion I was reminded of Professor Jan Whittington’s research report Making Room for the Future: Rebuilding California’s Infrastructure, where her research along with David Dowall observed that “California has a deferred maintenance crisis in its hands…extensive deferred maintenance backlogs in…transportation facilities.”  Here was an example where there was no policy guidance in the state of California to perform maintenance on its key assets.  Hence, one could observe a parallel issue with the US NIPP and its failure to really emphasize performance of maintenance on critical assets such as roads and bridges.

  • Could this lack of maintenance of transportation infrastructure potentially be a much greater concern than terrorist attack or climate change?

    • As you look at this issue across the entire United States and across all transportation infrastructure, one could make a case that the concern should be greater than that of a terrorist attack or climate change, primarily because the probability of occurrence is high for most transportation infrastructure and the number of opportunities for failure is high – especially when considering the number of vehicles traveling on the roads, where each vehicle can offer a potential “event” and harm to the infrastructure.  Compare this to the number of hurricanes per season, where the frequency of events is lower but the impact is much, much higher.

    • For instance, when you do a risk analysis of likelihood vs. consequence, the terrorist consequence can be very high but the probability or likelihood of the event is low.  Hence we have the classic low probability – high consequence event.  The same applies to climate change when you look at such events as Katrina or Super Storm Sandy.  However, when you look at the probability of a transportation infrastructure failure anywhere across the US on a daily – or even hourly – basis, the probability is high but the consequences may be less (in most but not all cases) than those of a terrorist or major storm event.  So, in all, the integral of the equation, so to speak, may reveal that transportation failures occur so much more frequently than terrorist attacks/climate change effects that they lead to higher costs in dollars and human life over a one-year period than a year’s worth of terrorist attacks and climate change events such as storms.

    • The Federal Highway Administration includes an “integrated risk assessment” approach, as alluded to in the paragraph above, where they discuss climate change vulnerability assessment pilots.[3]

    • Optimally it would be useful to have a comparison of the number of terrorist attacks for a specific geographic area versus the number of transportation infrastructure failures (e.g., bridges) for the same period of time to get a sense of probabilities.  As part of this thought experiment the following graphics were located on the Internet to help give a sense of “direction” for this comparison.  However, it is agreed that they are not a true “apples to apples” comparison.

Here is a graphic showing bridge failures.

And here is a graphic showing terrorist attacks:

Unfortunately I could not locate any data for the same time period to do an honest comparison either by events per year or costs per year.

  • Would our national resources be better spent on maintenance activities as opposed to protection or adaption?

    • This is a balancing act that requires policies to help ensure the funds and resources are spent on the right things.  Again, as shown in Dr. Whittington’s study, the State of California is not tasked with anti-terrorism activities, yet it still did not spend money on infrastructure maintenance due to rapid population growth and a focus on new assets.  Also, with most infrastructure being covered by the states and local entities, you again have a conflict between anti-terrorism dollars (Federal), dollars for climate change remediation (unknown contributor – Federal or State), and dollars for infrastructure maintenance (State and local).  However, it is important to note that with the minimal amount of funds being used to pay for infrastructure maintenance today, any increase in resources to improve current asset integrity and safety would be better than the status quo.  This is especially true since replacing all the assets with new, safer and more secure facilities is not financially or fiscally reasonable.  And the added taxes for such efforts would not be accepted by the general population, because they don’t have ready visibility into how bad the current circumstances are, in spite of the studies from the American Society of Civil Engineers.


References

"Bridges 101 - What Causes a Bridge Failure." Because I Can. January 31, 2012. (accessed May 10, 2014).
Department of Homeland Security Science and Technology Center of Excellence, University of Maryland. "National Consortium for the Study of Terrorism and Responses to Terrorism: Annex of Statistical Information." US Department of State. April 2014. (accessed May 10, 2014).
Dowell, David E., and Jan Whittington. Making Room for the Future: Rebuilding California's Infrastructure. Research Publication, San Francisco: Public Policy Institute of California, 2003.
US Department of Homeland Security. "Homeland Security Presidential Directive - 7: Critical Infrastructure Identification, Prioritization, and Protection." US Department of Homeland Security. December 17, 2003. (accessed May 10, 2014).
US Department of Homeland Security. National Infrastructure Protection Plan (2006). Washington, D.C.: US Department of Homeland Security, 2006.
US Department of Homeland Security. National Infrastructure Protection Plan (2009). Washington, DC: US Department of Homeland Security, 2009.
US Department of Homeland Security. National Infrastructure Protection Plan 2013: Partnering for Critical Infrastructure Security and Resilience. Washington, D.C.: US Department of Homeland Security, 2013.
US Department of Transportation Federal Highway Administration. Climate Change Vulnerability Assessment Pilots. March 27, 2014. (accessed May 10, 2014).

Tuesday, May 20, 2014

NIST SP800-82 Rev 2 - Guide to ICS Security -- Comments Requested

Last week the National Institute of Standards and Technology (NIST) published the initial public draft of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security.  This particular revision to the highly popular 800-82 versions 0 and 1 is a positive step change in the volume of information contained in the document.

In summary -- and extracted from page iv of the 255-page report -- the updates to this revision include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management, recommended practices, and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines

The report has also added new tailoring guidance for the NIST SP800-53, Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations security controls, including the introduction of overlays.  Also, the report has added an ICS overlay for the NIST SP800-53, Rev 4, security controls that provides tailored security controls for Low, Moderate, and High impact ICS.

As a member of the Industrial Controls Security Joint Working Group (ICSJWG) Standards Committee I had the opportunity to review chapter 3, "ICS Risk Management and Assessment," which is a new expansion from the earlier versions.  This chapter alone provides some expanded views of the risks posed by ICS environments.

Appendix C, "Threat Sources, Vulnerabilities and Incidents," is a useful compilation of text and tables covering such topics as ICS Threat Sources, Vulnerabilities and Predisposing Conditions, System Vulnerabilities and a list of documented incidents.

Of note, Appendix F, "References," is an excellent list of 80 references that were not only used in developing the document but would also serve as an excellent resource for the ICS security student or practitioner.  However, I am a bit surprised and disappointed that Eric Knapp's Industrial Network Security book was not included, since it is one of the best resources published on this topic.

Call to Action

First, if you are interested in Industrial Controls Security, download this new version and put it on your reference shelf for your ICS projects.  It is free and provides even more insight into the ICS arena.

Secondly, if you are an IT Security instructor, be sure to show this to your students and perhaps include ICS security as part of your curriculum.  SP800-82 would be an excellent textbook and, again, it costs nothing beyond the cost to print.

Thirdly, SP800-82 R2 is out for public comment until July 18, 2014.  If you are so inclined, take some time to read the new document and offer your comments via email at or mail them to:

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD  20899-8930

Thanks again and happy reading!


Thursday, April 17, 2014

Two Views of Today's Cyber Risks

This week I've had the chance to view two reports that gave me -- and I expect will give others -- a powerful view of the cyber challenges we face.  One report was a global view of our reliance on the Web and the "...increasing danger of global shocks initiated and amplified by the interconnected nature of the internet."

The second was a survey done by Control Engineering magazine on global views of cyber security in the industrial controls domain.  The survey revealed that almost 50% of respondents perceive the control system threat in their organizations to be moderate, while 25% cite a "high" or "severe" threat level in their systems.

So, rather than provide detailed reviews of each document, let me point you to the appropriate links with some summary notes:

Risk Nexus - Beyond Data Breaches: Global Interconnections of Cyber Risk -- Zurich and Atlantic Council

This well-written report (30 pages) consistently raises the bar on the global risk arising from our reliance on the Internet and ecommerce, in a manner similar to the World Economic Forum's annual Global Risks Reports.  Perhaps we are so closely connected to the Internet that we put ourselves in harm's way relative to our economic -- and maybe even mental -- well-being (?).

One quote that I find especially telling is:

"The internet of tomorrow will both initiate and amplify global shocks in ways for which risk managers, corporate executives, board directors, and government officials may not be adequately prepared."

Finally, take a look at page 8 of the report, where they identify seven aggregations of cyber risk that certainly made me think:

  1. Internal IT enterprise (hardware, software, servers, and related people and processes)
  2. Counterparties and partners (relationship between competing/cooperating entities, etc.)
  3. Outsourced and contract (IT and cloud providers, contract manufacturing)
  4. Supply chain (Exposure to a single country, counterfeit or tampered products, risks of disrupted supply chain)
  5. Disruptive technologies (internet of things, smart grid, embedded medical devices, driverless cars...)
  6. Upstream infrastructure (submarine cables, internet governance and operation)
  7. External shocks (major international conflicts, malware pandemics)

At a minimum I'd suggest you pass this report to your Board of Directors and Executive Management so they get a sense of another view of risks that need to be addressed and mitigated.

Control Engineering Cyber Security Study - April 2014 (Registration Required)

Compliments to the Director of Research for Control Engineering, Ms. Amanda McLeman and her colleague Mark Hoske for this summary report.  The report is based on a survey of about 190 respondents from February 7 to March 2, 2014.  So the data is fairly contemporary.

This summary report is a collection of graphs showing the demographics of the respondents as well as the summary results of the questions.

The report includes a good summary graph of the threats the respondents consider most serious (the graphic is not reproduced here).  The top three system components the respondents are most concerned about are:

  1. Computer assets that are running commercial operating systems
  2. Connections to other internal systems
  3. Network devices
Finally, a summary of key "bullets" from the report includes:
  • 24% of respondents said they had NEVER performed a systems security vulnerability test
  • 25% of those surveyed indicated their computer emergency response team appears well trained and capable
  • 41% agreed having industry-required standards without government involvement would improve or enable their efforts to implement proper control system cybersecurity.  (So, maybe the NIST Cyber Security Framework has some hope?)
Thanks for taking the time to read my comments and have a good week!


Thursday, April 3, 2014

A Month-Long View of Industrial Controls Security Training

For the past four weeks I have been immersed in Industrial Control Systems (ICS) security training.  My journey began on March 12th, when I spent five days in the SANS ICS training in Orlando, followed by about 15 hours of web-based ICS training from ICS-CERT and then two days in Burbank, California, attending the ISA training on the ANSI/ISA-62443 standards.  (By the way, the 62443 standard used to be called the ISA99 standard.)

What I'd like to do is offer a view of these different training options to give you a sense of why some professionals will need this training and how the ICS-CERT training can be especially helpful for managers and supervisors overseeing work on ICS.  Also, I'll let you know about free training that does not require travel or substantial resources.

Why am I Taking These Classes?

Right now my employer -- Securicon -- is focusing on industrial control security, and the SANS/GIAC certification -- GICSP, discussed later -- may be a key cert to have in the company for future work at some select global energy/oil/gas companies.  Secondly, one vendor we work with has asked us to complete the ISA training on the ISA-62443 standards.  Therefore, I'm the designated player for the company and have been sent to these courses -- not that I'm complaining!  I love this stuff and I'm up for another security certification in this domain.

SANS ICS410 ICS/SCADA Security Essentials (~$4,395 + $599 for GICSP test)

This course is offered in a classroom (and now as an online option) by SANS.  I was privileged to be in a class in Orlando with about 57 other students from literally around the globe.  The instructor was Mr. Justin Searle, who is one of the best IT security instructors I have ever experienced as either a student or co-instructor.

The course runs for five consecutive days with class beginning at 9 AM and ending at 5 PM with breaks and a lunch in between.  The days were broken down into the following:

  • Day 1 - Industrial Control Systems (ICS) Overview
  • Day 2 - ICS Attack Surface
  • Day 3 - Defending ICS Servers and Workstations
  • Day 4 - Defending ICS Networks and Devices
  • Day 5 - ICS Governance and Resources 
Each day included some hands-on exercises.

At the end of the training you receive a certificate of completion; however, the true goal for myself and many others is to pass the Global Industrial Cyber Security Professional (GICSP) certification exam from GIAC, the SANS certification body.

The GICSP certification involves a separate exam with a minimum passing score of 69%.  I hope to take this test before the end of April.

For more details on the GICSP and the class please go to these links:  GICSP, ICS410, SANS ICS Security.

ISA - Using the ANSI/ISA-62443 Standards to Secure Your Control System (~$1,510)

I just finished this course on April 2nd in Burbank, CA.  The class is a two-day event and this recent course was taught by Mr. John Cusimano -- again, another very good and knowledgeable instructor.  The class size was very conducive to open dialogue with the instructor and other students.

The focus of these two days was on the following key topics:

Day 1:
  • Introduction to Control Systems Security and the ISA/IEC 62443 Standards
  • Terminology, Concepts, Models and Metrics
  • Networking Basics (Do you know your OSI Model??)
  • Network Security Basics
Day 2:
  • Creating an ICS Security Management Program
  • Designing/Validating Secure Systems
  • Developing Secure Products and Systems
And like the SANS course, some hands-on exercises were included using tools such as Wireshark and the command line (e.g., netstat -a).

Upon completion of this course you are eligible to take a proctored test called the ISA99 Exam.  Passing this test earns you the ISA99 certificate from ISA, which demonstrates your knowledge and capabilities with the ISA standards used to secure industrial control systems.

For more information you can go to the ISA Cybersecurity site.

I hope to take this test before the end of April.

ICS-CERT Online Training -- Excellent Resource! (Free)

Finally, for my "spare time" between the SANS and ISA training I've been working on two courses offered at no charge by the US Department of Homeland Security ICS-CERT organization.

The two courses are both web-based and only require that you register with the Training Portal.

The first class I took was 100W - Operational Security (OPSEC) for Control Systems.  This is a one-hour online class focused on ways to protect your industrial control systems by being cautious about releasing network information outside the company or to those who don't have a need to know.  The course also addresses phishing attacks, etc.  You get a certificate "...suitable for framing..." at the end of the course.

The second course -- which I highly recommend to executives, managers, supervisors and engineers interested in learning more about ICS security -- was 210W - Cybersecurity for Industrial Control Systems.  This course was excellent and took about 15-20 hours to complete.  

There are 10 separate modules that are listed below:
  • Differences in Deployments of ICS
  • Influence of Common IT Components on ICS
  • Common ICS Components
  • Cybersecurity within IT and ICS Domains
  • Cybersecurity Risk
  • Current Trends (Threats)
  • Current Trends (Vulnerabilities)
  • Determining the Impacts of a Cybersecurity Incident
  • Attack Methodologies in IT and ICS
  • Mapping IT Defense-in-Depth Security Solutions for ICS (longest but best module!)
Again, this training costs nothing; it only requires your time to take the modules (which you can stagger over time).


ICS security continues to get attention from industry and government.  That is why SANS, ISA and ICS-CERT continue to bring out training modules for a broad range of players, from journeymen electricians to utility executives.  Take advantage of the training -- at least the free classes -- so you better understand how to defend your industrial control systems.


Wednesday, March 26, 2014

Today's Cybercrime - The Market is "Growing Up"

I've been a student of cybercrime since my full-time entry into cybersecurity in 2001.  When I had some time on my hands recovering from an accident I actually spent a month reading every document I could find on the Internet covering the subject.

Well, I wouldn't recommend that you spend a month recuperating in front of the Internet, but you will find the RAND Corporation's recent report on today's cybercrime market fascinating and disturbing.  It will give you a sense of the maturity of the cybercrime market and its "workers and leaders."

The RAND report, Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar, is 83 pages of discussion about today's black market for such things as credit cards, passwords, identities, etc.  To quote the preface of the report...

"This report describes the fundamental characteristics of these markets and how they have grown into their current state in order to give insight into how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options that could minimize the potentially harmful influence these markets impart. This report assumes the reader has a basic understanding of the cyber, criminal, and economic domains, but includes a glossary to supplement any gaps."

The final take-away to offer is another quotable quote from the report:

"In certain respects, the black market can be more profitable than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible."

Action:  To my fellow security professionals, take a moment to give this to your boss and maybe the CEO and Board of Directors.  They need to see that the threat is real and that the opportunities for the miscreants are increasing.  Hence, you need more resources -- money, qualified staff, tools, techniques -- to do your job.


Thursday, March 6, 2014

New Policy Approaches to Address Cyber Threats Impacting the Electric Grid

In February the Bipartisan Policy Center released a report focused on cybersecurity and the North American electric grid.  At first I was worried that this report would be another collection of the same ol' ideas, leaning on the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards as the panacea.  Fortunately, this report is very good and really has some excellent ideas to help protect the electric grid from and during a cyber attack.

Simply put, I'd strongly suggest you skim this report if you are in any way, shape or form involved with electric grid cybersecurity defense, policy, funding or response.

The key areas of discussion in the report include:

  • The Existing Landscape for Electric Grid Cybersecurity Governance
  • Standards and Best Practices for Cybersecurity
  • Information Sharing
  • Responding to a Cyber Attack on the North American Electric Grid
  • Paying for Electric Grid Cybersecurity
The report is very refreshing and offers some new ideas on ways to defend the grid and respond to cyberattacks.  

One idea that has some merit is the concept of an "Institute" similar to the Institute of Nuclear Power Operations (INPO) that would focus on continuous improvement of electric grid cybersecurity.  I sent the following email to one of the Advisory Board members supporting this idea.  In my email I observed:

The Institute of Nuclear Power Operations (INPO) was used as a model agency for oversight of the security of the grid.  I worked at INPO from 1986 to 1992 and when I left I was the Secretary of the Corporation and an evaluation Team Manager.  

Of note, the recently published Cybersecurity Framework (CSF) has an approach very similar to INPO's.  That is, the CSF is "performance-based" rather than "compliance-based," which is an approach that INPO pursued.  INPO published a document entitled Performance Objectives and Criteria for Operating and Near-Term Operating Nuclear Plants that really focused on what would be viewed as optimal performance in particular areas (e.g., management, administration, operations, maintenance, etc.) with a collection of criteria that supported the performance objectives (similar to the CSF).  However, the process was not focused on compliance to the performance objectives but instead on how the plant truly performed.

An example to demonstrate this approach would be relative to CIP-008, incident response.  The NERC approach to reviewing CIP-008 is to actually sight the utility's incident response procedure; however, they do not check to see that it actually is a workable, accurate document (i.e., are the phone numbers/email addresses accurate, can it truly be used as written, is it practiced, etc.).  On the other hand the INPO approach would be to view the document but with emphasis on watching the utility perform the incident response process and observe strengths, weaknesses, etc. and highlight areas needing improvement.

In other words the assessment was based on the true performance of the utility; not a simple view of its paperwork -- a serious flaw with the NERC approach (in my opinion).

I am very pleased with the tone, content and ideas put forth in this report and I look forward to the "new" dialogue that surfaces in this domain different from the old, stale ideas that really don't solve the problem for the entire electric grid from generator to transmission line to distribution system to the toaster in your home.

Again, compliments to the authors and advisory group on this report!


Monday, March 3, 2014

Funding Terrorism via Poaching and Organized Crime

In early January 2014 Mr. Johan Bergenas of the Stimson Center prepared a report called Killing Animals, Buying Arms.  This brief 17-page report woke me up to the concerns of rhino and elephant poaching in East Africa and its eventual financial support for local and global terrorists.  It is a disconcerting state of affairs.

Some disturbing facts that are not well publicized include:

  • Wildlife has become the 4th largest illicitly traded product in the world.  It is a $19B USD industry.  Illegal wildlife trade is larger than the illicit trafficking of small arms, diamonds, gold and oil.
  • Transnational criminals and terrorist organizations such as Al-Shabaab and the Lord's Resistance Army make hundreds of thousands of dollars every month by partaking directly or indirectly in the killing and sale of animal parts.  Part of their proceeds go towards buying guns and bombs, paying their members, and planning and executing terrorist attacks.
  • The Elephant Action League -- an independent organization fighting elephant exploitation and poaching -- asserts that Al-Shabaab exports poached ivory via southern Somalia ports.  The tusks are cut into blocks and hidden in crates of charcoal.  Their income from this trade is reported to be $200,000 to $600,000 USD per month.  The ivory sells for $3,000 per kilogram (2.2 pounds) in China.
  • A rhino horn is worth $50,000 USD per pound on the black market -- more than gold or platinum.  A rhino is killed by a poacher every 11 hours.
The United Nations Office on Drugs and Crime (UNODC) has published several studies on organized crime and its global and regional impact.  In its seminal report issued in 2010, the UNODC depicted the geographic challenges of ivory export in a map (not reproduced here).

In its 2013 regional report on organized crime in Eastern Africa, UNODC continued the theme of money being made from ivory.  In the report they note "It is estimated that between 5,600 and 15,400 elephants are poached in Eastern Africa annually, producing between 56 and 154 metric tons of illicit ivory, of which two-thirds (37 tons) is destined for Asia, worth around US$30 million in 2011."  But the area is also a concentration of illegal -- and profitable -- activities such as human trafficking, heroin transportation, and piracy, besides ivory and rhino horn poaching.

At a US Senate hearing in May 2012, Mr. Tom Cardamone of Global Financial Integrity observed in his written testimony that, since the terrorist attacks of 9/11, actions taken by Congress and the Administration to target terrorist financing have nearly eliminated shell banks and decapitated Al Qaeda's central command.  As a result the terrorists are cash-starved and looking for new sources of funding.  Hence, illicit trafficking of wildlife is one way the Al Qaeda affiliates have chosen to raise money.  As an example, two Bangladesh-based Islamic terrorist groups affiliated with Al Qaeda are raising funds for their operations via illegal poaching of ivory, tiger pelts and rhino horns in the jungles of northeastern India.  And, during its years of war with Northern Sudan, the Sudan People's Liberation Army is alleged to have poached "...elephants with grenades and rocket-propelled guns."

And...when it comes to Al-Shabaab, the same 2013 report notes,  "Members of Al-Shabaab have been linked to ivory poaching in Kenya and to a Tanzanian Islamist group reportedly linked to heroin trafficking. They have also allegedly taxed pirates working from the ports they control..."

The Elephant Action League says it best, "If you buy ivory, you kill people."  But as noted in all three of the reports cited above, the task at hand is difficult and requires money and resources even to slow the poaching and, subsequently, the flow of money to the terrorists.  Border security needs to be stronger and enforced, and the markets for ivory and other illicit items need to be closed.  Also, oversight of cash transfers needs to be tightly regulated in the more "suspicious" parts of the world.

Sadly, this sounds daunting and challenging.  I hope this blog raises awareness and guides some action.