Job Opportunity - Industrial Control System Security Lead

My good friend Dave Tyson -- CISO at SC Johnson -- has asked me to pass along his current opening for someone to help with his industrial control systems (ICS) security.  The job posting is below.

If you are interested or you are aware of another qualified candidate, feel free to contact Dave with a resume at dntyson@scj.com.

### - ###

Industrial Control System Security Lead 

Global Information Security Team

Reporting to the Leader, Global Information Security Business Advisory (GISBA) the lead for the Global Product Supply (GPS) Information Security program is responsible for developing and managing the GPS Information Security program. 

This leader will own and drive the global rollout of a more robust and formal approach to managing information security risk in the GPS environment. The structure of the program will be based on the goals, principles and strategy of the overall Global Information Security Enterprise Security Strategy at SCJ. At its core, this program will ensure appropriate security management while driving breakthrough performance in governing business appropriate risk to data and systems. The GPS security lead will optimize team processes to ensure efficient and effective delivery of services in a 24x7 ‘follow the sun’ operating model.

Position Overview:

We are seeking a professional with a deep background of Industrial Control Systems Cyber Security Engineering and Architecture. The candidate is expected to be a visionary technologist and demonstrate a combination of leadership, technical and program management skills. The successful candidate will lead both current security enhancement programs as well as the development of a sustainability effort to build a globally sustainable information security program.

Responsibilities:

·         Identify new technologies, processes and programs to enhance security, reliability and customer experience.

·         Identify operational issues and define design alternatives to address these issues.

·         Act as a technical advisor and subject matter expert to internal stakeholders and partners

·         Coordinate with the Global Information Security Operations team for malware analysis, and testing of remediation processes.

·         Perform detailed and technical analysis of ICS and help integrate cyber security solutions worldwide.

·         Maintain a superior knowledge of the cyber security capabilities of operating systems, networking devices, control systems, and vendor offerings.

·         Maintain a working knowledge of applicable cyber security standards involving critical infrastructure, including those relating to process networks

·         Understand technical issues and the implications to the business, and be able to communicate them to management and other business leaders.

 Capabilities:

   ·         Ability to effectively work in a matrix management environment

·         Strong communication and presentation skills

·         The ability to lead large groups and be a primary facilitator

·         Strong written skills

·         Comfortable working in a project based / client serving model

·         Ability to lead and shape client expectations

·         Help drive pursuits and engage in complex deals, matching outcomes to expectations

·         Ability to work easily with diverse and dynamic teams

·         Ability to work in a matrix management model

·         Readiness to travel 25-50% initially

·         Experience in working international organizations roles

Qualifications:

·         7-10+ years recent experience in large enterprise environment

·         Demonstrated experience with implementing and maintaining security in large, complex Industrial Control System environments, etc.)

·         Experience with securing SCADA, PLC, and HMI systems, etc.

·         Strong networking background with minimum 3 years of networking experience; and routing, switching, network security and packet analysis

·         Experience in the capabilities and/or configuration of cyber security controls, specifically those relating to firewalls, access control, authentication, anti-virus/anti-malware, patching and hotfix, logging and SIEM.

·         Ability to train, manage and assist co-workers on all aspects of security awareness, controls and compliance

·         Superior written, presentation, and verbal communication skills

·         Exceptional organizational, interpersonal and team skills

·         Ownership orientation to solving problems

·         Information security and data protection skills are desired

·         Experience managing and leading

·         Ability to pass a detailed security background screening

·         Education – Bachelor’s degree or equivalent education and experience

·         Professional Certification – CISSP, CPP or equivalent will be considered advantageous

Neuroscience, Risk and Security

For years I have been a student and practitioner of security – both cyber and physical.  My initial years focused on the “Security 101” elements with a “castle and moat” approach for both physical assets and cyber (i.e., the “walls” were “firewalls”).  Over time, however, I’ve realized that there is more to security than wondering about the bits and bytes or the sizes of chain link fence mesh.  Instead, I’ve begun to recognize more and more that the human element – that is the attacker and defender – needs to be studied and recognized as a key element.

(Artwork from Microsoft Open Source)

I’ve realized – with some considerable influence from Bruce Schneier in his seminal essay “The Psychology of Security,” and from other thought leaders in the security space such as Kirk Bailey at the University of Washington or Robert Coles at GlaxoSmithKlein -- that you need to understand what motivates the attacker and what helps the defender recognize new ways and means of defending against the wiley aggressor.

In other words, I came to realize that neuroscience should play a key role in helping security professionals understand the attacker’s “brain” so to speak and thus their motivations.

Samad Aidane PMP

Last night I had a fascinating discussion on this very subject with my friend and colleague Mr. Samad Aidane.  Samad and I first met in 2004 or so when I was the information security manager/CISO at the Port of Seattle.  Samad was a newly hired project manager.  Since then we have both expanded our horizons and Samad has evolved his expertise in the realm of neuroscience and project management as well as risk.

Anyway, our conversation tonight revolved around Samad’s new research and focus on the neuroscience behind effective project management and risk.  In fact, Samad has even begun a blog at Neurofrontier.com to expand his and his reader’s awareness of neuroscience and leadership.  I’d like to suggest you take a look at his blog and get a sense of his perspectives on this new science.

A key take-away from my conversation with Samad was that how the brain functions when analyzing risk may be excellent knowledge for security and risk professionals to leverage when dealing with risk analysis decisions.  Similarly, understanding how the brain functions when establishing attack and defense concepts may be very useful to the cyber and physical security defender.  And, of course, if you lean on the concept of “Assumption of Breach”[1] for your enterprise cyber and physical defense, perhaps knowing how the brain functions and reacts could be very useful.

I am excited about the new ideas raised by Samad last evening and I look forward to our next meeting and discussions.  In the meantime, take a moment to look at Samad’s website and review some of his ideas.  You may see a sliver of some new concepts for the security profession to lean on as we try to stop the bad guys!

---

[1] For my past articles on this subject please go to my article in Asian Power at http://asian-power.com/node/11144 or my article in SearchSecurity at http://searchsecurity.techtarget.com/tip/Assumption-of-breach-How-a-new-mindset-can-help-protect-critical-data

NIST CYBERSECURITY FRAMEWORK - COMMENTS DUE FRIDAY 12/13!

A few weeks ago I prepared a blog for Tofino Security summarizing the key aspects of the DRAFT NIST Cybersecurity Framework.  I guess I hit the target because the blog has been posted on a few other sites and referred to in some Tweets.

(From Cover of National Infrastructure Protection Plan - http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf)

Anyway, as one of my readers, my original submittal for the Tofino blog is posted below.

But, don't forget, NIST has requested comments on the Cybersecurity Framework by Friday, December 13th.

Take care, have a great and safe week, and here is the blog.................Ernie

########################################

You may have heard a bit of buzz in the US national and even international press about the release of the Cybersecurity Framework Draft from the US National Institute of Standards and Technology (NIST).  However, you may not know about its background or what it may mean to you as a control systems manager.  As such, this is intended to give you a high level overview of the genesis of this document and give you some points of reference.

Background

As we realize more and more everyday our national infrastructure – in Canada, the US or any country for that matter – is very important to our economies as well as our own national defense.  Because of concerns over continued cyber attacks on US national infrastructure – such as the electric grid, water systems, transportation networks, banks/financial institutions, critical manufacturing, etc. – President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013. 

This document is fondly referred to as the “EO.”

The EO also called for development of a voluntary Cybersecurity Framework to provide a “…prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to thus manage cybersecurity risk.

Critical infrastructure is defined in the EO as “…systems and assets – whether physical or virtual – so vital to the US that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  Example industry sectors – and the corresponding Federal oversight agency -- considered as “critical infrastructure” include[1]: 

As a follow up to the EO and PPD, NIST was assigned responsibility for development of the Framework in collaboration with industry feedback.  The Framework is intended to provide guidance to an organization on managing cybersecurity risk.  A key objective of the Framework is to encourage organizations to consider cyber security risk as a priority similar to financial, safety and operational risk while factoring in larger systemic risks inherent to critical infrastructure.

In other words, cybersecurity risk and considerations need to be included in the day-to-day discussions at your company or organization as you expand your business, build new facilities, install new equipment and hire new people.

Let’s Talk About the Framework

First, the EO instructed NIST to be the lead in developing the Framework.  As such you can find the Framework DRAFT document and supporting information at www.nist.gov.

And, what does the Framework contain?  The Cybersecurity Framework shall:

• include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
• shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
• shall be consistent with voluntary international standards when such international standards will advance the objectives of this order.

And, what is the Framework supposed to do?  The Framework:

• shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  
• shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
  
• will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
  
• should provide guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processed developed to address cyber risks.  And,
  
• shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

So, with the guidance above – and with input from industry – the draft of the Framework is intended to provide a common language and mechanism for organizations to:

• Describe their current cybersecurity posture (and a semblance of maturity level)
  
•  Describe their target state for cybersecurity
  
•  Identify and prioritize opportunities for cybersecurity improvement within the context of risk management
  
• Assess progress toward the target state, and
  
•  Foster communications among internal and external stakeholders.

A key aspect of the Framework is that it is not intended to replace an organization’s existing business or cybersecurity risk management process and cybersecurity program.  Instead, the organization can use its current processes and leverage the Framework to identify areas to improve its cybersecurity risk management.  Also, the Framework can be helpful to a company that does not have a currently existing cybersecurity program so they can build in key elements raised by the Framework.

So, What Should You Do with the Framework?

First of all, take a look at the list of the critical infrastructures listed above.  Does your company fall into any of those categories?  If not, is your company substantially reliant on any of those key infrastructures for your success and even existence?  If the answer to either is YES then I’d suggest you take time to read the Framework as it stands and figure out how you can apply it to your current cybersecurity risk management.

Secondly, acquaint your Executive Management and Board Members with the Framework.  Give them a sense of how your company stands today relative to the Framework Implementation Tiers listed.  Use this as a means of highlighting your organization’s “…cybersecurity maturity level…” and if you aren’t at the top, use it to highlight the resources (i.e., people, time and money) you need to raise your game.

Thirdly, take a hard look at the Framework and even “test drive” it as it stands.  Be sure to provide comments back to NIST as described at their page “Request for Comments on the Preliminary Cybersecurity Framework.”  Comments are requested before December 13, 2013.

Final Thoughts

When you read the draft Framework, recognize that it is not a “checklist” or a simple “compliance” item to be fulfilled.  Instead it provides a set of performance objectives for your cybersecurity risk program to achieve for your prioritized list of key assets.  But also, it is not a “how-to” on building a security program.

So, even for our Canadian friends, be sure to take time to look the Framework over. 

---

[1] From the corresponding President Policy Directive (PPD) 21 “Critical Infrastructure Security and Resilience” that was issued at the same time as the EO. Link: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

White Paper Available - Introduction to Microgrids

As a follow-up to my presentations on Microgrid Security you may be interested in a white paper published at Securicon on Introduction to Microgrids.

You can view or download a copy of the paper HERE.

Cities Under Threat from Natural Disasters -- A Risk Assessment

In a report issued by the Swiss Reinsurance Company (cover and link below), an integrated view of the risks posed to cities around the world was offered.  The report notes that "...the growing concentration of people, assets and infrastructure also means that the loss potential in urban areas is high and rising."

http://media.swissre.com/documents/Swiss_Re_Mind_the_risk.pdf

The report summary also notes that "...physical prevention measures alone do not suffice to build a resilient city, since damage from the most severe catastrophes cannot be fully averted.  An important part of resilience is how well urban societies are able to cope with financial consequences of a disaster..."

One Tables 3 and 4 of the report (below) are a summary of their findings relative to the top 10 global cities affected by the five perils of river flood, earthquake, wind storm, storm surge and tsunami.

With the continued conversation about climate change affecting sea levels and the comments noted above regarding storm surge it appears that flooding catastrophes are risks cities need to plan and prepare for.

At a minimum you may want to at least read the Preface, Introduction, and glance at the tables prepared to gain a sense of the Swiss Re approach and conclusions.  The key conclusions are:

• Asia's cities are the most at risk from natural disasters
• Saving lives is and should be the highest priority in risk mitigation efforts
• Investments to infrastructure are vital to strengthen the resilience of metropolitan areas
• Investments in infrastructure would also help cities cope better with natural disasters and other shocks such as human pandemics and acts of terrorism. 

Anyway, as an "infrastructure geek" I found this review interesting and consistent with the other lessons learned from Super Storm Sandy, the 2011 Tohoku earthquake in Japan and the recent typhoon in the Philippines.

Microgrids and Security -- More News...

For the past three days I've been attending and speaking at the 3rd Military and Commercial Microgrids Summit in Del Mar, California -- just north of San Diego.  I was invited to speak on a panel entitled "The Role of Microgrids in Military and Commercial Cyber Security" as a result of my article in Jesse Berst's Smart Grid News about this subject back in May.

Overall, this was a very interesting conference organized by Infocast that included a pre-summit technology showcase reviewing microgrid technologies followed by a day and a half summit.  There were approximately eight case studies, seven panel discussions, 11 presentations and over 115 registered attendees.  The topics ranged from microgrid controls and inverters through to commercializing and financing microgrids.  The next microgrid summit is slated for the U.S. East Coast in May 2014 and I'd highly recommend you consider attending due to its content and how well this recent conference was organized.

Now regarding security of microgrids -- the conference dialogue was very refreshing.  Of note, the first three presentations by San Diego Gas & Electric, PriceWaterhouseCoopers and IPERC highlighted the need to include cyber and physical controls in the microgrid deployments.  The IPERC presentation was especially interesting from a controls security perspective in that the microgrid controller communications they have developed are intended to be secure.

The best discussion regarding efforts to overtly include cybersecurity into microgrid deployments was the session on SPIDERS -- an effort paid by the US Department of Defense and led by Sandia National Labs.  As you can see in the graphic below from Sandia Labs, the SPIDERS effort includes four phases and cybersecurity is an intended foundation for these deployments at Joint Base Hickam, Hawaii; Fort Carson, Colorado; Camp Smith, Hawaii; and future deployments.

So, the good news is that I am not the lone voice in the forest worrying about microgrid security; however, it still has a long ways to go -- in my opinion -- before the security elements are built into the microgrid designs and deployments as a standard operating process.

So, what needs to be done?  Here are some ideas:

1)  Build a cybersecurity standard for microgrids that weaves in physical, IT, and Industrial Controls/OT security elements.  Perhaps an extension of NISTIR-7628, Guidelines for Smart Grid Cybersecurity, may be a good start.

2)  Leverage the work done by Sandia Labs in their Microgrid Cyber Security Reference Architecture.

3)  Establish some training modules on microgrid security -- perhaps this could be done under sponsorship of the Electric Power Research Institute (EPRI) or other similar organization to assure vendor neutrality.

It was obvious from the conference that we will be hearing more about microgrids in the future -- let's hope the news is about their cybersecurity resilience rather than weaknesses.

PS -- Happy Thanksgiving to my US readers!  Have a safe week!

Electric Grid Cyber Exercise - GridEx II

During the past month or so there has been a considerable emphasis on the resilience of the U.S. Electric Grid.  For instance the National Geographic Channel ran a program on a simulated cyber attack of the electric grid that resulted in a substantial national blackout (please see my blog comments HERE).

Secondly, the SANS Institute posted a well-produced video showing how a cyber attack could occur on a electric utility in the U.S.  You can view this very enlightening, eight-minute-long video HERE.

Thirdly, on Wednesday, November 13th, the North American Electric Reliability Corporation (NERC) began conducting a two-day national cyber war game to determine how resilient the electric grid and its many utility operators and supporters are to such an attack.  My friend Andy Bochman wrote about this exercise in his BLOG and Mr. Matthew Wald of the New York Times wrote an interesting article summarizing the drill.  NERC's very brief press release regarding the exercise is HERE.

Some key summary notes about the exercise include (Thanks to Mr. Wald's article for most of these "facts."):

• The exercise was named "GridEx II" (the first Grid Exercise -- aka GridEx -- was held in 2011)
• More than 200 industry and government organizations participated in the cyber and physical security exercise
• The exercise was designed to enhance and improve cyber and physical security resources and practices within the industry. 
• Each hour of drill time was meant to simulate four hours of actual activity -- the drill ran for eight hours on Wednesday and four hours on Thursday
• The exercise gave participants the opportunity to check the readiness of their crisis action plans through simulated attacks/events to self-assess response and recovery capabilities, and to adjust actions and plans as needed, while communicating with industry and government organizations.
• The simulated attacks included:
• injected computer malware
• cyber denial of service attacks
• bombed transformers and substations
• knocked out power lines
• 150 simulated "casualties" including seven deaths of police officers, firefighters and utility workers investigating the attack scenes who were "shot" by attackers still at the damaged location
• One main aspect of the drill was a log of all phone and email communications to determine whether the participants could promptly reach the appropriate people at power companies, police stations or distant cybersecurity centers, and whether they could communicate the appropriate information. 
• According to Mr. Wald's article even the Royal Canadian Mounted Police (RCMP) participated in GridEx II. -- Don't forget that the electric grid we rely upon is the "North American" electric grid and Canadian electric companies are major providers of power to the U.S.

If done right exercises are an excellent way to really stress your policies, procedures and resources and to see how well prepared your company/state/region/country is for the "real thing."  My exposure to GridEx II -- albeit limited -- has certainly given me a sense that this was a good test and worthwhile for the electric grid operators, managers, regulators and policy makers.  

I'm looking forward to the formal after-action report.

And, just to show the value of such exercises, here is a quote from Mr. Wald's NYT article that make me take notice:

At the Southwestern Electric Power Company, a subsidiary of American Electric Power that serves parts of Louisiana, Arkansas and eastern Texas, attackers used guns and bombs against a power plant and a transformer, and 108,000 of the company’s 520,000 customers lost power. “There were certainly surprises for us,” said Venita McCellon-Allen, the president and chief operating officer. “I sat up straight in my chair.”

Thanks to the GridEx team!  Well done!