Thursday, April 17, 2014

Two Views of Today's Cyber Risks

This week I've had the chance to view two reports that gave me -- and I expect others -- a powerful view of the cyber challenges we face.  One report was a global view of our reliance on the Web and the "...increasing danger of global shocks initiated and amplified by the interconnected nature of the internet."

The second article was a survey done by Control Engineering magazine on global views of cyber security in the industrial controls domain.  The survey revealed that almost 50% of the respondents perceive the control system threat in their organizations to be at a moderate level, but 25% cite a "high" or "severe" threat level in their systems.

So, rather than provide detailed reviews of each document, let me point you to the appropriate links with some summary notes added:

Risk Nexus - Beyond Data Breaches: Global Interconnections of Cyber Risk -- Zurich and Atlantic Council

This well-written report (30 pages) consistently raises awareness of the global risk that stems from our reliance on the Internet and ecommerce, in a manner similar to the annual World Economic Forum's Risk Reports.  Perhaps we are so closely connected to the Internet that we put ourselves in harm's way relative to our economic -- and maybe even mental -- well-being (?).

One quote that I find especially telling is:

"The internet of tomorrow will both initiate and amplify global shocks in ways for which risk managers, corporate executives, board directors, and government officials may not be adequately prepared."

Finally, take a look at Page 8 of the report, where they list 7 aggregations of cyber risk that certainly made me think:

  1. Internal IT enterprise (hardware, software, servers, and related people and processes)
  2. Counterparties and partners (relationship between competing/cooperating entities, etc.)
  3. Outsourced and contract (IT and cloud providers, contract manufacturing)
  4. Supply chain (exposure to a single country, counterfeit or tampered products, risks of a disrupted supply chain)
  5. Disruptive technologies (internet of things, smart grid, embedded medical devices, driverless cars...)
  6. Upstream infrastructure (submarine cables, internet governance and operation)
  7. External shocks (major international conflicts, malware pandemics)

At a minimum I'd suggest you pass this report to your Board of Directors and Executive Management so they get a sense of another view of risks that need to be addressed and mitigated.

Control Engineering Cyber Security Study - April 2014 (Registration Required)

Compliments to the Director of Research for Control Engineering, Ms. Amanda McLeman and her colleague Mark Hoske for this summary report.  The report is based on a survey of about 190 respondents from February 7 to March 2, 2014.  So the data is fairly contemporary.

This summary report is a collection of graphs showing the demographics of the respondents as well as the summary results of the questions.

A good summary graph of the Threats considered by the respondents is below:

If you cannot adequately read the graphic above, the top three system components the respondents are most concerned about are:

  1. Computer assets that are running commercial operating systems
  2. Connections to other internal systems
  3. Network devices

Finally, a summary of key "bullets" from the report includes:

  • 24% of respondents said they had NEVER performed a systems security vulnerability test
  • 25% of those surveyed indicated their computer emergency response team appears well trained and capable
  • 41% agreed having industry-required standards without government involvement would improve or enable their efforts to implement proper control system cybersecurity.  (So, maybe the NIST Cyber Security Framework has some hope?)

Thanks for taking the time to read my comments and have a good week!


Thursday, April 3, 2014

A Month-Long View of Industrial Controls Security Training

For the past four weeks I have been immersed in Industrial Control Systems (ICS) security training.  My journey began on March 12th, when I spent five days in the SANS ICS training in Orlando, followed by about 15 hours of web-based ICS training from ICS-CERT, then two days in Burbank, California attending the ISA training on the ANSI/ISA-62443 Standards.  (By the way, the 62443 standard used to be called the ISA99 standard.)

What I'd like to do is offer a view of these different training options to give you a sense of why some professionals will need this training and how the ICS-CERT training can be especially helpful for managers and supervisors overseeing work on ICS.  Also, I'll let you know about free training that does not require travel or substantial resources.

Why am I Taking These Classes?

Right now my employer -- Securicon -- is focusing on industrial control security, and the SANS certification program -- GICSP, discussed later -- may be a key cert to have in the company for future work at some select global energy/oil/gas companies.  Secondly, one vendor we work with has asked us to complete the ISA training on the ISA-62443 standards.  Therefore, I'm the designated player for the company and have been sent to these courses -- not that I'm complaining!  I love this stuff and I'm up for another security certification in this domain.

SANS ICS410 ICS/SCADA Security Essentials (~$4,395 + $599 for GICSP test)

This course is offered in a classroom (and now as an online option) by SANS.  I was privileged to be in a class in Orlando with about 57 other students from literally around the globe.  The instructor was Mr. Justin Searle who is by far one of the best IT security instructors I have ever experienced as either a student or co-instructor.

The course runs for five consecutive days with class beginning at 9 AM and ending at 5 PM with breaks and a lunch in between.  The days were broken down into the following:

  • Day 1 - Industrial Control Systems (ICS) Overview
  • Day 2 - ICS Attack Surface
  • Day 3 - Defending ICS Servers and Workstations
  • Day 4 - Defending ICS Networks and Devices
  • Day 5 - ICS Governance and Resources

Each day some hands-on exercises were included.

At the end of the training you receive a certificate of completion; however, the true goal for myself and many others is to pass the Global Industrial Controls Security Professional (GICSP) certification from SANS.

The GICSP certification involves a separate test which requires the student to pass with a minimum score of 69%.  I hope to take this test before the end of April.

For more details on the GICSP and the class please go to these links:  GICSP, ICS410, SANS ICS Security.

ISA - Using the ANSI/ISA-62443 Standards to Secure Your Control System (~$1,510)

I just finished this course on April 2nd in Burbank, CA.  The class is a two-day event and this recent course was taught by Mr. John Cusimano -- again, another very good and knowledgeable instructor.  The class size was very conducive to open dialogue with the instructor and other students.

The focus of these two days was on the following key topics:

Day 1:
  • Introduction to Control Systems Security and ISA/IEC62443 Standards
  • Terminology, Concepts, Models and Metrics
  • Networking Basics (Do you know your OSI Model??)
  • Network Security Basics

Day 2:
  • Creating an ICS Security Management Program
  • Designing/Validating Secure Systems
  • Developing Secure Products and Systems

And like the SANS course, some hands-on exercises were included using tools such as Wireshark and the command line (e.g., netstat -a).

Upon completion of this course you are eligible to take a proctored test called the ISA99 Exam.  Passing this test will give you the ISA99 certificate from ISA that demonstrates your knowledge and capabilities with the ISA standards used to secure industrial control systems.

For more information you can go to the ISA Cybersecurity site.

I hope to take this test before the end of April.

ICS-CERT Online Training -- Excellent Resource! (Free)

Finally, for my "spare time" between the SANS and ISA training I've been working on two courses offered at no charge by the US Department of Homeland Security ICS-CERT organization.

The two courses are both web-based and only require that you register with the Training Portal.

The first class I took was 100W - Operational Security (OPSEC) for Control Systems.  This is a one-hour online class that is focused on ways to protect your industrial control systems by being cautious about releasing network information outside the company or to those who don't have a need to know.  The course also addresses phishing attacks, etc.  You get a certificate "...suitable for framing..." at the end of the course.

The second course -- which I highly recommend to executives, managers, supervisors and engineers interested in learning more about ICS security -- was 210W - Cybersecurity for Industrial Control Systems.  This course was excellent and took about 15-20 hours to complete.

There are 10 separate modules that are listed below:
  • Differences in Deployments of ICS
  • Influence of Common IT Components on ICS
  • Common ICS Components
  • Cybersecurity within IT and ICS Domains
  • Cybersecurity Risk
  • Current Trends (Threats)
  • Current Trends (Vulnerabilities)
  • Determining the Impacts of a Cybersecurity Incident
  • Attack Methodologies in IT and ICS
  • Mapping IT Defense-in-Depth Security Solutions for ICS (longest but best module!)

Again, this training does not require any money but only requires your time to take the modules (which you can stagger over time).


ICS security continues to get focus from the industry and government.  That is why SANS, ISA and ICS-CERT are continuing to bring in training modules for a broad range of players, from journeymen electricians to utility executives.  Take advantage of the training -- at least the free classes -- so you better understand how to best defend your Industrial Control Systems.