Monday, February 24, 2014

Useful Industrial Control Security References from ENISA

ENISA, the European Union Agency for Network and Information Security, has been quietly building a collection of useful references for industrial control system (ICS) security.  Since their 2011 publication of Protecting Industrial Control Systems. Recommendations for Europe and Member States, Dr. Konstantinos Moulianos and his staff have done a nice job facilitating development of useful publications for those of us in this domain.

What I'd like to do is to continue to tell you of the other ICS-security-related products that have been published that may be useful references for students and practitioners of ICS security.

In 2011 as ENISA was publishing the referenced document above (and shown in the photo) they also produced five separate Annexes as part of the Recommendations document.  These documents were certainly foundational to the continued expansion of the ENISA ICS Security "product line."  One document I found to be a useful introductory discussion of ICS security was the ENISA document Protecting Industrial Control Systems, Annex I: Desktop Research Results.  Similar to NIST 800-82, Guide to Industrial Control System (ICS) Security, this document is a helpful background "textbook" on the basic issues associated with ICS security, emerging issues, the challenges with securing ICS systems, and known good practices as of 2011.

Later in 2013, ENISA was very busy publishing several useful documents to aid in improving cybersecurity in Europe, while of course also helping the rest of the world with its guidance and studies.  In particular, ENISA facilitated and funded a study on identifying ways to improve ICS component and system testing in the EU. (I was honored to have been included in the interview process for this study.)  The result was the ENISA document Good Practices for an EU ICS Testing Coordination Capability.  This document certainly raised some awareness on how to proceed in Europe with development of an ICS testing capability, but it can also be used in other nations just beginning to examine their ICS security reviews.

One very useful desk reference that came out of the EU ICS Testing Coordination project was the publication of ICS Security Related Working Groups, Standards and Initiatives (2013).  This particular document is an excellent collection of the various global standards, guidelines and studies that focus on ICS security issues.  This one is a "keeper!"

Finally, in late 2013 the ENISA team was very busy with some white papers and briefings on ICS security issues we are all facing.  The documents and their links are listed below:

I trust you found this an enlightening review of the ENISA ICS Security work since 2011, and I'd suggest you keep them in mind when looking for ICS security resources and references to help improve and harden your security programs.

Friday, February 14, 2014

Focus on Information Sharing for Cybersecurity

At the end of 2013 I was invited by the NATO Energy Security Centre of Excellence to submit an article regarding the barriers to information sharing and their impact on critical energy infrastructure protection.

The actual e-zine was posted today and contains seven well-written articles by some global thought-leaders relative to information sharing, cooperation and security of the energy supply.  The e-zine can be downloaded at: this LINK.  A picture of the Table of Contents is shown below.

This is probably one of the first publications exclusively focused on the subject of information sharing for critical infrastructure protection. I'm very honored to have been invited to participate.  Of note, the conversations in this publication will be especially germane to the dialogue raised by the new release of the NIST Cybersecurity Framework this week -- especially since one of President Obama's objectives in his Executive Order was to improve and increase two-way information exchange to better protect critical assets.

Thanks for reading!


Thursday, February 6, 2014

Industrial Control Security -- More Awareness Needed

I am an active reader of various blogs, e-magazines, websites, etc. regarding industrial control system (ICS) security.  This week I came across a rather disturbing survey that indicates more work is needed in the ICS security domain to raise awareness of the availability of useful ICS security resources.

This week I was looking at Control Engineering e-magazine and noted that they had a survey on ICS security.  The question posed was:

Do you follow cyber security resources to check for security vulnerabilities in the devices in your industrial networks, such as PLCs, RTUs, Ethernet switches, HMIs, DCSs, etc.?

The poll result is shown in the graphic below and you can add your own vote at Link.

What disturbs me about the poll results is that the majority of those responding to this unscientific survey have "no idea such a resource was available."  This tells me that the ICS security community needs to do more work publicizing its resources in order to help the field engineers make their ICS systems more secure.

So, to help in this regard, here are some resources you will find extremely useful in helping to better understand the current ICS security vulnerabilities and how to better defend your ICS networks:

Excellent "Textbooks" and Desk References:

Excellent Resources on ICS Security Vulnerabilities, Protective Actions

** ICS-CERT encourages U.S. asset owners and operators to join the Control Systems compartment of the US-CERT secure portal. Send your name, e-mail address, and company affiliation to

What Else?

There are many other resources that include vendor notifications and alerts as well as other resources from standards organizations such as ISA but the above list of links is an excellent starting point for you to gather references and subscribe to data feeds from ICS-CERT.

Overall, though, it is our job in the Security Community to help everyone realize what resources exist in the world to provide guidance on securing critical infrastructure and industrial control systems.