Saturday, November 11, 2017

Report from SecureWorld Seattle - Being an Effective CISO Speech

This past week I attended the Seattle edition of SecureWorld.  The first keynote speaker was Mr. Demetrios Lazarikos (aka Laz) (laz@blue-lava.net) and his talk really hit home to me as a security practitioner and former CISO.  He offered some excellent advice regarding the characteristics of a cybersecurity leader, where they should report in the organizational structure, and offered some succinct recommendations to be considered.

So, this is a trip report of sorts but I also thought his comments were "dead on" and I heartily endorse his opinions.

Characteristics of Today's Cyber Leader

His key points about today's successful cybersecurity leader included:

  • Curious and a life-learner
  • Critical thinker
  • Patient and able to influence
  • Understand the value of the cybersecurity  program
  • Understand and can articulate the risks to revenue and sales enablement (It's the Money!)
  • Works closely with IT audit and regulators
  • Is in it for the PASSION
  • Never lets a cybersecurity opportunity go to waste -- EVER!
  • Tries to remain vendor agnostic

Organizational Reporting

Laz explicitly said the "CISO NEEDS TO REPORT TO THE CEO!"

I heartily agree!  The CISO is a very, very key cog in the gears of the organization and without an unencumbered communication to the chief decision-maker, the CISO's hands are tied (which I know from experience).

Talking to the Board of Directors

Laz again offered some terrific advice on ways to report and communicate to the Board of Directors.  Because you usually only have 10-15 minutes for your discussion, his suggestions included:

  • Ensure the reports are in terms THEY understand.  Not technical gobbly-gook.
  • Be streamlined
  • Quantify risk and loss exposure in dollars - not bits/bytes
  • Provide specific recommendations for moving ahead and protecting the enterprise
  • Emphasize the risk to revenue and risk to the brand -- not what the best firewall is

Recommendations

In closing, Laz offered some terrific recommendations for consideration by current and future CISOs:

  • Incorporate cybersecurity in all areas of your business -- from the individual employee to the CEO; from the mundane janitorial services to the strategic planning
  • Be an enabler -- always consider risk to revenue and sales enablement
  • Meet and know the CEO --- don't meet them for the first time during a data breach
  • Understand and report to the business in "business terminology"
  • Collaborate, Collaborate, Collaborate!
Overall, Laz's speech was one I could understand and equate to due to my time in the trenches and my own experience.  Thanks to SecureWorld for inviting Laz to speak! 

### ###

Tuesday, November 7, 2017

Resources to Learn About ICS Security

I had an interesting conversation with a colleague yesterday.  He called to ask for some advice on ways to advance his career in the industrial controls security space.  He held a Certified Information Systems Security Professional (CISSP) certificate and a Masters in Information Security.  However, he was frustrated on determining ways to move ahead in ICS security.

As I considered his questions I realized that a person who can advance in the areas of industrial controls security is someone with factory or process plant experience, and understanding of basic controls theory, and a solid understanding of factory/process plant operations and maintenance.  These are very fundamental to one understanding the causes and effects of ICS security.

CLASSROOM / ONLINE TRAINING

Besides the “floor” experience, an individual interested in ICS security probably needs some formal training on the key aspects of ICS security you don’t learn when studying for your CISSP.  My recommendations include:

ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 to 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.

·         ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 to 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.




·    SANS ICS 410: ICS/SCADA Security Essentials: If you take the course, you’ll essentially have the necessary training to pass the SANS GICSP – Global Industrial Cyber Security Professional certification.  The details on the 5-day class are located here.  Of note, you don’t need to take the course but can instead pay to take the test.

·    ISA Cybersecurity TrainingThe International Society for Automation (ISA) offers a series of four different classes covering ICS security.  These class titles include:
o    Industrial Networking and Security (TS12)
o    Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C)
o    Using the ANSI/ISA99 Standard to Secure Your Control System (IC32)
o    Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
o    IACS Cybersecurity Design & Implementation (IC34), and
o    IACS Cybersecurity Operations & Maintenance (IC37)
As I understand, each course has an associated certificate (not certification) with each class which you can receive after you satisfactorily pass a written test.
Overall, the ISA training has come a long way and should help with understanding practical ICS security.
You can find out more information regarding the ISA classes here.

READING RECOMMENDATIONS

In regards to reading, I’d highly recommend the following documents to read and establish your baseline knowledge of ICS security. 
  • Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 R2:  Even though this is issued by the National Institute of Standards and Technology (NIST) it is a decent “textbook” prepared to give the reader a comprehensive view of ICS and the security issues associated with “operational technology (OT).”  I’d recommend the student read this document before moving ahead to any of the training above.  By the way, this is free.
  • An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity, SANS:  This document is a high-level introduction to industrial controls, control theory, the history of industrial controls and a history of the security issues affecting ICS – including the infamous Stuxnet.  This information will be very helpful to the reader as they progress through the courses above and in their work.  Again, another resource available at no charge.
  • Industrial Network Security, by Eric D. Knapp and Joel Thomas Langill, Syngress Press:  Although a $40 investment, this book offers excellent information on ICS and ICS security you will not normally see in the resources above or in other books written on SCADA security.  Messrs. Knapp and Langill provide excellent, real-world perspective on ICS security.  So, if you’re serious about your ICS security training, I strongly recommend you get this book and read/study it.


I’ve been lucky in my past 45+ years of work where I’ve operated power plants, evaluated various factories, and had a chance to practice “practical ICS security.”  Fortunately, my background has given me the tools to advance in this area but I’ve also taken advantage of the resources above.

### END ###