Saturday, November 11, 2017

Report from SecureWorld Seattle - Being an Effective CISO Speech

This past week I attended the Seattle edition of SecureWorld.  The first keynote speaker was Mr. Demetrios Lazarikos (aka Laz) ( and his talk really hit home to me as a security practitioner and former CISO.  He offered some excellent advice regarding the characteristics of a cybersecurity leader, where they should report in the organizational structure, and offered some succinct recommendations to be considered.

So, this is a trip report of sorts but I also thought his comments were "dead on" and I heartily endorse his opinions.

Characteristics of Today's Cyber Leader

His key points about today's successful cybersecurity leader included:

  • Curious and a life-learner
  • Critical thinker
  • Patient and able to influence
  • Understand the value of the cybersecurity  program
  • Understand and can articulate the risks to revenue and sales enablement (It's the Money!)
  • Works closely with IT audit and regulators
  • Is in it for the PASSION
  • Never lets a cybersecurity opportunity go to waste -- EVER!
  • Tries to remain vendor agnostic

Organizational Reporting

Laz explicitly said the "CISO NEEDS TO REPORT TO THE CEO!"

I heartily agree!  The CISO is a very, very key cog in the gears of the organization and without an unencumbered communication to the chief decision-maker, the CISO's hands are tied (which I know from experience).

Talking to the Board of Directors

Laz again offered some terrific advice on ways to report and communicate to the Board of Directors.  Because you usually only have 10-15 minutes for your discussion, his suggestions included:

  • Ensure the reports are in terms THEY understand.  Not technical gobbly-gook.
  • Be streamlined
  • Quantify risk and loss exposure in dollars - not bits/bytes
  • Provide specific recommendations for moving ahead and protecting the enterprise
  • Emphasize the risk to revenue and risk to the brand -- not what the best firewall is


In closing, Laz offered some terrific recommendations for consideration by current and future CISOs:

  • Incorporate cybersecurity in all areas of your business -- from the individual employee to the CEO; from the mundane janitorial services to the strategic planning
  • Be an enabler -- always consider risk to revenue and sales enablement
  • Meet and know the CEO --- don't meet them for the first time during a data breach
  • Understand and report to the business in "business terminology"
  • Collaborate, Collaborate, Collaborate!
Overall, Laz's speech was one I could understand and equate to due to my time in the trenches and my own experience.  Thanks to SecureWorld for inviting Laz to speak! 

### ###

Tuesday, November 7, 2017

Resources to Learn About ICS Security

I had an interesting conversation with a colleague yesterday.  He called to ask for some advice on ways to advance his career in the industrial controls security space.  He held a Certified Information Systems Security Professional (CISSP) certificate and a Masters in Information Security.  However, he was frustrated on determining ways to move ahead in ICS security.

As I considered his questions I realized that a person who can advance in the areas of industrial controls security is someone with factory or process plant experience, and understanding of basic controls theory, and a solid understanding of factory/process plant operations and maintenance.  These are very fundamental to one understanding the causes and effects of ICS security.


Besides the “floor” experience, an individual interested in ICS security probably needs some formal training on the key aspects of ICS security you don’t learn when studying for your CISSP.  My recommendations include:

ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 to 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.

·         ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 to 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.

·    SANS ICS 410: ICS/SCADA Security Essentials: If you take the course, you’ll essentially have the necessary training to pass the SANS GICSP – Global Industrial Cyber Security Professional certification.  The details on the 5-day class are located here.  Of note, you don’t need to take the course but can instead pay to take the test.

·    ISA Cybersecurity TrainingThe International Society for Automation (ISA) offers a series of four different classes covering ICS security.  These class titles include:
o    Industrial Networking and Security (TS12)
o    Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C)
o    Using the ANSI/ISA99 Standard to Secure Your Control System (IC32)
o    Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
o    IACS Cybersecurity Design & Implementation (IC34), and
o    IACS Cybersecurity Operations & Maintenance (IC37)
As I understand, each course has an associated certificate (not certification) with each class which you can receive after you satisfactorily pass a written test.
Overall, the ISA training has come a long way and should help with understanding practical ICS security.
You can find out more information regarding the ISA classes here.


In regards to reading, I’d highly recommend the following documents to read and establish your baseline knowledge of ICS security. 
  • Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 R2:  Even though this is issued by the National Institute of Standards and Technology (NIST) it is a decent “textbook” prepared to give the reader a comprehensive view of ICS and the security issues associated with “operational technology (OT).”  I’d recommend the student read this document before moving ahead to any of the training above.  By the way, this is free.
  • An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity, SANS:  This document is a high-level introduction to industrial controls, control theory, the history of industrial controls and a history of the security issues affecting ICS – including the infamous Stuxnet.  This information will be very helpful to the reader as they progress through the courses above and in their work.  Again, another resource available at no charge.
  • Industrial Network Security, by Eric D. Knapp and Joel Thomas Langill, Syngress Press:  Although a $40 investment, this book offers excellent information on ICS and ICS security you will not normally see in the resources above or in other books written on SCADA security.  Messrs. Knapp and Langill provide excellent, real-world perspective on ICS security.  So, if you’re serious about your ICS security training, I strongly recommend you get this book and read/study it.

I’ve been lucky in my past 45+ years of work where I’ve operated power plants, evaluated various factories, and had a chance to practice “practical ICS security.”  Fortunately, my background has given me the tools to advance in this area but I’ve also taken advantage of the resources above.

### END ###

Monday, October 23, 2017


Last week I attended and spoke at the North American Electric Reliability Corporation (NERC) GRIDSECCON – electric grid security conference in St. Paul, Minnesota.  The meeting was very well attended with around 500 attendees from around the US, Canada, and even Japan.  My compliments to the organizers!  It was a terrific meeting and worth everyone’s time.

I’d like to raise three key points that surfaced during the meeting and go into more detail on one of them.

  1. There were several presentations regarding the risks to critical infrastructure by commercially available drones.  This was a bit of a surprise to many attendees since the drone threat has not really be recognized as one.
  2.   A major threat to electric utilities is the challenges of INSIDER THREAT.  This is an issue that makes one wonder “why would anyone want to attack my company from the inside?”  Well, the NERC Electricity-Information Sharing and Analysis Center (E-ISAC) team mentioned this risk repeatedly.  So, take some time to be sure you are paying attention to the inside of your company for both physical and cyber-attacks and disruptions.
  3.   The third threat of mention is of the “bad guys” trying to harvest credentials that can be used against the company.  This is where I’d like to spend a few extra lines of text.

Right now, the current and potential attackers are trying to harvest and collect credentials used for cyber access into a utility/energy company.  These credentials can make the attacker’s life much easier and using ill-gotten credentials has been demonstrated in such notorious attacks as in the Ukraine. 

The attackers try to harvest credentials via the “normal” means such as using PHISHING attacks on email.  But the attackers are also surveying and monitoring social media for a user’s credentials and password access answers. 

For example, if I know a person works at Utility X, then I can monitor their social networking – including non-work-related posts – for such things as the names of their kids, pets, mother’s maiden name, etc.  All good information to use when you are trying to reset a password.  Also, by monitoring their social networking I may be able to glean information about upcoming utility operations such as a planned outage that keeps Dad or Mom away from their kid’s soccer game. 

Useful information for the attacker.

One particular issue that is really disconcerting is how individuals use the same username and password for their social networks and personal email as they use for work.  THIS IS REALLY DANGEROUS AND SHOULD NOT BE DONE!  If I can hack into your social network and determine your username and password, that allows me to “pivot” to the utility username and log in and enter the utility network.

Such a practice should not be condoned by any organization and, in fact, should be an Employee Awareness posting at least every six months.


NERC GRIDSECCON was a useful meeting and I look forward to next year’s event – somewhere in the Western Electric Coordinating Council (WECC) territory.  This meeting raised some very key points of concern and as you’ve seen above the utility and critical infrastructure management needs to pay attention to Drones, the Insider Threat, and Credential Harvesting.

Thanks for reading!

Friday, June 9, 2017

WannaCry Ransomware and Industrial Control Systems

The following article was posted on my LinkedIn account and was prepared by me with assistance from several of my colleagues at my employer, BBA (  
The actual article can be located at this LINK.
There’s been substantial discussion in the media and on the interwebs about the ransomware called “WannaCry”. This malicious software (malware), which blocks access to data until a ransom is paid, has been destructive. It’s caused financial consequences as well as extreme inconveniences for critical businesses across the globe, such as the National Healthcare Service in the United Kingdom, which was one of the first and most significant victims of the attack (a total of 300,000 computers in 150 countries had been locked by WannaCry as of the end of May 2017).


Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from a cyber program that blocks access to data until a ransom is paid. It displays a message requesting payment to unlock the data.
Where did ransomware originate? The first documented case appeared in 2005 in the United States, but quickly spread around the world.
How does it affect a computer? The software is normally contained within an attachment to an email that masquerades as something innocent.
How much are victims expected to pay? The ransom demanded varies. Victims of a 2014 attack in the UK were charged $864. However, there’s no guarantee that paying will get your data back.
How did WannaCry operate? It appears to have used a flaw in Microsoft's software, discovered by the National Security Agency and leaked by hackers, to spread rapidly across networks locking away files.


However, it appears that the ransomware was focused on the Enterprise IT systems and not the Operations Technology (OT), also known as Industrial Controls Systems (ICS), although a small number of U.S. critical infrastructure operators were reportedly affected. In any case, understanding the difference between these two types of systems is crucial to ensure the cybersecurity of your plant or facility… and whether or not ransomware like WannaCry can affect them.
The above figure illustrates the typical separation between Enterprise Information Technology (IT) and Operational Technology (OT), also known as ICS. Enterprise IT is composed of systems used to run a business: emails, time sheet reporting, finance, expense reporting, purchasing, etc. These systems are normally Windows-based, including Windows Servers and Windows operating systems.
On the OT side of the business, most of the “computers” are small and specialized machines, such as programmable logic computers (PLCs), distributed control systems (DCSs), engineering work stations, historians (basically focused, real-time databases), etc. Some Windows operating systems are used on the OT side, but there are also many other types of industrial communications protocols for data exchanges beyond normal TCP/IP.
Most importantly, Enterprise IT networks are usually connected to the Internet, while OT networks tend to be separated from the world wide web. There’s normally no direct communication links between IT and OT networks. That’s why WannaCry ransomware is affecting applications and data on Enterprise IT systems more than on the OT systems.
To date, a handful of cases where ICS were infected were reported. Nonetheless, “the news should put all companies that rely on industrial control systems (ICS) on high alert because the choices available to protect the systems within an industrial process facility are much more limited than those in corporate IT”, explained PAS Global CEO this week. Indeed, there are opportunities for WannaCry to locate and encrypt an unpatched Windows system in any ICS.
As of this time, there are no verified examples where WannaCry attacked and “bricked” a human machine interface (HMI) on a factory floor or caused an industrial system to fail quietly or catastrophically. But the opportunities are present wherever Windows operating systems are installed in the ICS in such places as HMIs, ICS engineering workstations, etc. ICS components of a plant are not patched or updated as often as IT systems components for a simple reason: reboot activities and software uploads require a production shutdown or the production lines must be in “safe mode” to avoid undesirable consequences on the production systems.


Here are four basic recommendations to ensure that ransomware, such as WannaCry, doesn’t endanger your production line and operations:
  1. Make sure the ICS is separated from the Enterprise Information Technology (IT) network and from the Internet where the WannaCry malware could migrate.
  2.  ICS operators/engineers/security personnel should make it a high priority to patch the Windows systems as soon as practical to reduce the risk and impact of the WannaCry malware.
  3. ICS operators should ensure that any portable media (e.g., USB drives) and/or laptops/test equipment capable of “carrying” the WannaCry malware (or any malware in all cases) is checked for known malware before the portable media even comes into contact with the ICS and its components.
  4. ICS operators, engineers and security personnel should make it a point to closely monitor the US ICS-CERT alerts and advisories or subscribe to their mail alert.


Simply stated, WannaCry can impact ICSs and susceptible components; it takes hard work and constant, 24/7 due-diligence to stay on top of the security of your ICS. Assuming the risks of a breach or successful attack should be a mantra and should always be at the top of everyone’s minds.

Monday, January 9, 2017

DHS Designates Election Infrastructure as a Critical Infrastructure Subsector

On Friday, January 6, 2017, Secretary of the US Department of Homeland Security announced that DHS has designated the US Election System as "CRITICAL INFRASTRUCTURE."

In the press release, Johnson noted that "Given the vital role elections play in our country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure."

According to the press release, "Election Infrastructure" is defined as:

  • Storage facilities
  • Polling places
  • Centralized vote tabulation locations
  • Information and communications technology to include:
    • Voter registration databases
    • Voting machines
    • Other systems to manage the election process and report and display results on behalf of state and local governments

Johnson reiterated that this designation does not mean a federal takeover, regulation or oversight or intrusion concerning elections in the US.  The designation does not change the roles state and local governments have in administering and running elections.

However, the designation as Critical Infrastructure does mean that election infrastructure does become a priority within the National Infrastructure Protection Plan (NIPP).


Saturday, October 22, 2016

US Elections System as Critical Infrastructure?

What is "Critical Infrastructure?"

According to the US Department of Homeland Security "Critical Infrastructure" includes those assets, systems, and networks whether physical or virtual, that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

Presidential Policy Directive-21 (PPD-21), "Critical Infrastructure Security and Resilience," identifies 16 critical infrastructure sectors.  These sectors include:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials, and Waste Sector
  • Transportation Sector, and 
  • Water and Wastewater Sector

What About the US Elections System/Sector?

In the news these past six weeks there has been an elevated discussion regarding the US election system and whether or not it should be identified as "Critical Infrastructure" and thus protected in the same way and means as the other 16 identified infrastructures.  This is aggravated by Mr. Trump questioning the integrity of the US election system and elevated concerns raised by the media that our country's enemies may take action to negatively impact the results of the voting on Tuesday, November 8th.

In early August, Secretary of the Department of Homeland Security, Jeh Johnson, observed:

"There's a vital national interest in our election process, so I do think we need to consider whether it should be considered by my department and others as critical infrastructure."  However ... 
 "There's no one federal election system. There are some 9,000 jurisdictions involved in the election process," Johnson said. (Link)

So, Johnson's perception is that there is no single "Election Infrastructure Sector" per se and it may be challenging to quickly and effectively identify it as "Critical Infrastructure."

I even heard of this issue at a recent conference held by the North American Electric Reliability Corporation (NERC) where a "new" critical infrastructure sector could be the US election system.

With some investigation by this writer, an article published on September 13, 2016, in Fedscoop, was located noting DHS Assistant Secretary for Cybersecurity, Andy Ozment, said that DHS will not classify election systems as critical infrastructure before the November 2016 presidential election.

Ozment's quote continued:

"This is not something we're looking to in the near future.  This is a conversation we're having in the long term with state and local government, who are responsible for voting infrastructure.  We're focused right now on what we can usefully offer that local and state government will find valuable.

"From our perspective, it gives us more ability to help.  It does not put DHS in charge."

It will be fascinating to see how this conversation progresses -- especially if Mr. Trump's noisy questioning of the integrity of the voting process continues through and after the presidential election.

At a minimum, perhaps the "Election System Sector" could be included under the auspices of the "Government Sector" Critical Infrastructure designation rather than adding "Number 17."


Tuesday, October 18, 2016

Review - WEF Global Competitiveness Report

This September 2016 the World Economic Forum (WEF) published its annual Global Competitiveness Report 2016-17.  This report is almost 400 pages of a fairly comprehensive analysis of each country in the world and its relative competitiveness based on 12 separate factors (shown below):

And based on these 12 factors, the factors themselves are broken down into key elements for:

  • Factor-Driven Economies
  • Efficiency-Driven Economies, and
  • Innovation-Driven Economies
For instance Institutions and Infrastructure are key "Basic" requirements necessary for an economy to thrive and compete.

The WEF analysis then used these factors to ascertain the competitiveness of a country relative to the rest of the world as well as to its geographic region in many cases.  For instance, the top 10 most competitive countries using this methodology are:

And the bottom 10 are:

Infrastructure Factor

The elements reviewed to calculate each factor are listed in the "Technical Notes and Sources" section at the end of the report.  Since this blog is focused on infrastructure there is interest on the elements included in this calculation.  These include the following:

  • Quality of overall infrastructure
  • Quality of roads
  • Quality of railroad infrastructure
  • Quality of port infrastructure
  • Quality of air transport infrastructure
  • Available airline seat kilometers
  • Quality of electricity supply
  • Mobile-cellular telephone subscriptions
  • Fixed telephone lines
At first glance, this list is missing such elements as fresh/potable water supply, food availability and distribution, etc.  However, the "Technological Readiness" factors include the following that could be considered part of the strength of a country's infrastructure:

  • Availability of latest technologies
  • Firm-level technology absorption
  • Foreign Direct Investment and technology transfer
  • Internet users
  • Fixed broadband Internet users
  • Internet bandwidth
  • Mobile broadband subscriptions


As usual, the quality and content of this report are very good.  It is compelling and interesting and a useful reference for country policy development.