Industrial Control Systems Security: Information Exchange

There are a number of global information exchanges related to industrial control systems security. They offer useful guidelines and standards to help protect the environment.

The UK Centre for the Protection of National Infrastructure (CPNI) provides good practice and technical guidance as well as advice on securing industrial control systems.
Secure move to IP-based Networks (SCADA):

They also highlight the risks of wireless connectivity in physical security systems.

Similar information exchange centres have been established in Japan and Spain.

For an introduction to Industrial Control Systems Security, see my previous blogs (Part I, Part II, Part III) or the ICS Security Library.

Third-party security assessments: applying SABSA

Organisations around the world increasingly rely on third-party vendors to gain competitive advantage. Many companies, in a race to optimise processes and reduce costs, begin to outsource core functions. This raises their risk profile and creates new challenges of supplier oversight.

Dealing with third parties has grown beyond being just a procurement issue. The suppliers that companies increasingly rely on pose not only legal but also reputational risks, and these cannot be fully transferred. Security and privacy incidents involving third-party providers present new management challenges. Moreover, regulators are increasingly demanding that third-party risk be managed.

Suppliers, however, have their own challenges. The constant squeeze on costs from their clients reduces profit margins, making it increasingly difficult for vendors to prioritise the implementation of security requirements.

How do we make sure the suppliers we work with are trustworthy? How do we minimise the risk exposure from a potential incident? What level of assurance is required for a supplier?

These are the questions I’m going to answer in this blog.

Understanding business drivers and goals is essential for developing a third-party risk management approach. By analysing the company’s corporate strategy I was able to derive multiple business attributes relevant to the shareholders. One of them stands out: Trusted. I’m going to disregard the other attributes and focus on this one for the purposes of this case study. Not only is it important for the company to be trusted by its customers, but trustworthiness is also something I’m going to explore in this blog from the third-party relationship standpoint.

After a workshop with the CIO and IT managers in various business units, I’ve defined the following IT attributes supporting the main business attribute (Trusted): Transparent, Assured and Managed.

How does the security function support the wider IT objectives and their corresponding attributes? After a number of workshops and an analysis of the security strategy document, I defined a number of security attributes. Below is a simplified example correlating them to the business and IT attributes in scope:


Dealing with customers and managing relationships with them is one of the core activities of the company. As discussed above, being trusted by its customers is one of the organisation’s main values. The IT department, through the implementation of its technology strategy, supported the business stakeholders in Sales and Marketing in outsourcing the customer relationship management platform to a third-party provider. A cloud-based solution was chosen to fulfil this requirement.

A combination of attribute profiling, trust modelling and risk analysis is used to assess the degree of assurance required and compare third-party providers. Below is a recommended approach based on the attributes defined.


Security attributes mapping

Based on the internal security policy, the following questionnaire was developed to assess the supplier. The supplier’s responses have been omitted to preserve confidentiality. Below is a short excerpt from the section of the questionnaire related to cloud services, with the security attribute each question maps to.

Question | Attribute
Are terms of service and liabilities clearly defined in service agreements? | Governed
Are escrow arrangements in the supplier contract agreement and cloud service agreements registered with procurement and documented in the cloud service register? | Identified
Are physical security and environmental controls present in the data centre that holds company data? | Integrated
Are procedures for user authentication, authorisation and access termination documented? | Access-Controlled
Has the Business Continuity Plan been reviewed and approved by executive management? | Governed
How often are the Business Continuity and Disaster Recovery Plans tested? | Available
Are specific Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined? If yes, specify the RTO and RPO for the company’s services. | Available
Are default settings customised to implement strong encryption for authentication and transmission? | Access-Controlled

Attribute compliance is assessed from the questionnaire answers, as every question is mapped to a specific attribute. Where an attribute corresponds to multiple questions, each answer is rated separately and then a weighted average rating for that attribute is calculated. Exceptions apply where certain questions are identified as having priority (a higher impact on attribute compliance) over the other questions mapped to the same attribute; expert judgement is applied in such cases.

Attributes are evaluated with three main levels:

  • High level of compliance with policy (Green),
  • Medium level of compliance with policy (Amber),
  • Low level of compliance with policy (Red)
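The scoring rule above can be made concrete. The following is an added example, not code from the original post: it rates a supplier’s answers per attribute, applies per-question weights, and treats a "no" on a priority question as forcing a Red rating so that the attribute is flagged for expert review. The yes/partial/no rating scale, the Green/Amber/Red thresholds, the question weights and the priority rule are all assumptions; the questions and attribute mapping are the ones from the excerpt, and the answers are constructed sample data.

```python
"""Attribute compliance scoring for a third-party security questionnaire.

Added example (not the post's own tooling). Every question maps to one
security attribute; an attribute's score is the weighted average of its
answers, then banded into Green/Amber/Red. A "no" on a priority question
overrides the average and forces Red so it gets expert review.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed rating scale for answers (not specified in the post).
RATING_SCALE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    attribute: str
    weight: float = 1.0      # assumed relative weight within its attribute
    priority: bool = False   # "priority" question per the post's exception rule


@dataclass
class AttributeResult:
    score: float         # weighted average of answer ratings, 0.0 .. 1.0
    rating: str          # "Green", "Amber" or "Red"
    flagged: List[str]   # priority questions answered "no" (expert review)


# Questions and attribute mapping from the excerpt; weights/priority are assumed.
QUESTIONNAIRE = [
    Question("Q1", "Terms of service and liabilities defined in agreements?", "Governed"),
    Question("Q2", "Escrow arrangements registered and documented?", "Identified"),
    Question("Q3", "Physical and environmental controls in the data centre?", "Integrated"),
    Question("Q4", "Authentication, authorisation and termination procedures documented?",
             "Access-Controlled"),
    Question("Q5", "BCP reviewed and approved by executive management?", "Governed", weight=2.0),
    Question("Q6", "BCP and DRP tested regularly?", "Available"),
    Question("Q7", "RTO and RPO defined for the company's services?", "Available"),
    Question("Q8", "Strong encryption enabled by default for auth and transmission?",
             "Access-Controlled", priority=True),
]

# Constructed sample answers keyed by question id (not a real supplier's responses).
SAMPLE_ANSWERS = {
    "Q1": "yes", "Q2": "no", "Q3": "yes", "Q4": "yes",
    "Q5": "partial", "Q6": "yes", "Q7": "yes", "Q8": "no",
}


def rag_rating(score: float, green: float = 0.8, amber: float = 0.5) -> str:
    """Band a 0..1 score into the post's three compliance levels (thresholds assumed)."""
    if score >= green:
        return "Green"
    if score >= amber:
        return "Amber"
    return "Red"


def score_attributes(questions: List[Question], answers: Dict[str, str],
                     green: float = 0.8, amber: float = 0.5) -> Dict[str, AttributeResult]:
    """Rate every attribute from the questionnaire answers."""
    grouped: Dict[str, List[Question]] = {}
    for q in questions:
        grouped.setdefault(q.attribute, []).append(q)

    results: Dict[str, AttributeResult] = {}
    for attribute, qs in grouped.items():
        ratings = {}
        for q in qs:
            answer = answers.get(q.qid)
            if answer is None or answer.lower() not in RATING_SCALE:
                # An unanswered or unparseable question cannot be rated; fail loudly.
                raise ValueError(f"{q.qid} ({attribute}) has no valid answer: {answer!r}")
            ratings[q.qid] = RATING_SCALE[answer.lower()]

        total_weight = sum(q.weight for q in qs)
        score = sum(ratings[q.qid] * q.weight for q in qs) / total_weight
        flagged = [q.qid for q in qs if q.priority and ratings[q.qid] == 0.0]
        # Priority override: a failed priority question forces Red regardless of the average.
        rating = "Red" if flagged else rag_rating(score, green, amber)
        results[attribute] = AttributeResult(score, rating, flagged)
    return results


if __name__ == "__main__":
    for attribute, result in score_attributes(QUESTIONNAIRE, SAMPLE_ANSWERS).items():
        flag = f" (priority failed: {', '.join(result.flagged)})" if result.flagged else ""
        print(f"{attribute:18} {result.score:.2f} {result.rating}{flag}")
```

With the sample answers, Governed averages to 0.67 (the executive-approved BCP question carries double weight) and lands in Amber, while Access-Controlled averages 0.5 but is forced to Red because the encryption-defaults question is a priority question answered "no". That override is where the post's "expert judgement" step would sit: the flagged list tells the reviewer which answers drove the rating.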


SC Awards, BSides London and Infosecurity Europe

It was a busy week for security professionals in London; InfoSecurity Europe, BSides London and SC Magazine Awards were happening almost simultaneously.


We were provided with a booth at the InfoSecurity Europe conference & exhibition to host another NextSec event entitled “Finance and Cyber Security: How Banks Are Evolving To Combat The External Cyber Landscape”. Two global financial institutions discussed how they are reacting to the cyber threats that affect them, and how they are looking to combat that threat.

Attendees had an opportunity to gain insight into how financial institutions are dealing with cyber threats at both the strategic and operational levels, as well as to understand the challenges and approaches to managing information security risk in large financial organisations.


I was also invited to attend the SC Magazine Awards as part of KPMG’s Cyber Academy team. I helped to develop KPMG’s IT Security Concepts course and also delivered it internally. It was a great honour to know that the course’s quality was recognised beyond the firm.


Finally, BSides London 2015 was great as always. KPMG were running a lockpicking competition, where I managed to make it to the Top 30. It was also nice to catch up with Thom, Javvad, Lawrence, Iggi and other great professionals in the field.

Secure by design

[Image: the fence]

Have you seen security controls being implemented just to comply with legal and regulatory requirements? Just like this fence. I’m sure it will pass all the audits: it is functioning as designed, it blocks the path (at least on paper) and it has a bright yellow colour just as specified in the documentation. But is it fit for purpose?

It turns out that many security problems arise from this eager drive to comply: if the regulator needs a fence – it will be added!

Sometimes controls are introduced later, when the project is well past the design stage. By then they may no longer align with the real world.

[Image]

Safety measures, unfortunately, are no exception. The solution may be poorly designed, but more often the safety requirements are added later on, with an implementation that is not fit for purpose.

[Image]

The same holds for privacy. Privacy professionals encourage the adoption of the Privacy by Design principle. Is it considered in the image below?

[Image]

Global Industrial Cyber Security Professional (GICSP)

I’ve recently passed my GICSP exam. This certification is designed to bridge IT, engineering and cyber security in order to secure industrial control systems from design through retirement.

This unique vendor-neutral, practitioner-focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium of organisations that design, deploy, operate and/or maintain industrial automation and control system infrastructure.

GICSP assesses a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments.

Here are some useful links for those of you who are interested in sitting the exam:

Exam FAQ

Flashcards

Certification Handbook

Application Security Project


Web applications are a common attack vector and many companies are keen to address this threat. By their nature, web applications sit in the extranet and can be exploited by malicious attackers from outside the corporate network. I managed a project which reduced the risk of the company’s systems being compromised through application-level flaws. It improved the security of internet-facing applications by:

  • Fixing over 30,000 application-level flaws (e.g. cross-site scripting, SQL injection, etc.) across 100+ applications.
  • Introducing a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
  • Embedding continuous application testing capabilities.
  • Helping raise awareness of application security issues within internal development teams and third parties.
  • Prompting the decommissioning of legacy applications.

Image courtesy Danilo Rizzuti / FreeDigitalPhotos.net

Change Management

Information security professionals not only have to deal with change; more often than not they represent change. It might be changing the way a company manages access to its systems, works with third parties, or anything else.

To be effective with the change management process, security professionals should work with the business, demonstrating the value of security.

John Kotter in his book Our Iceberg is Melting tells a story about a penguin colony, which demonstrates basic principles of successful change management:

  1. Establish a sense of urgency
  2. Create a guiding coalition
  3. Develop a change vision
  4. Communicate the vision for buy-in
  5. Empower broad-based action
  6. Generate short-term wins
  7. Never let up
  8. Anchor new approaches into the culture

Database Security Project


A company experienced a significant data breach from a malicious source which led to the loss of strategically sensitive information. I was called in to manage a security remediation project. Given that data at rest is a critical asset, remediating and hardening the company’s business critical databases was a key component of this program.

The client had designed a solution for database security but was struggling to implement it and gain the required stakeholder buy-in. Furthermore, the client’s business-critical landscape was highly dispersed: application management was spread across multiple business units based in a number of countries, and database management was overseen by a third-party IT vendor.

I was a part of the project management team, which was established to coordinate multiple stakeholders in order to implement the end-to-end solution for database security consisting of monitoring, reporting and remediation of business critical databases.

I identified that the most significant obstacle was the business application owners’ understanding of the system, the processes, and the benefits of implementation. I initially engaged in extensive stakeholder communication and business change management to secure the required buy-in.

I drove the progress of system implementation through stakeholder management, delivery management, information gathering and providing technical expertise and management reporting. I worked within the client’s project management methodology whilst leveraging my experience and expertise in project management to ensure timely delivery.

As a result, the business-critical databases in scope were brought into a known state of compliance, drastically reducing the attack surface. Moreover, awareness of the importance of application security and of secure behaviours supporting databases was raised significantly.

I embedded the processes for operating the system into the client’s run-and-maintain activities, ensuring that future changes to their business-critical landscape do not introduce new database vulnerabilities. I also developed an asset inventory for business-critical databases which improved upon any previous client efforts.

Image courtesy ddpavumba / FreeDigitalPhotos.net

Gamification for security

The Oxford Dictionary defines gamification as the application of typical elements of game playing (e.g. point scoring, competition with others, rules of play) to other areas of activity to encourage engagement with a product or service.

Bringing in an element of fun helps to achieve lasting change in human behaviour, as demonstrated by The Fun Theory project. Here are some videos to get an idea of how gamification can drive behavioural change to address social and business challenges:

Gamification can also be a powerful learning tool when applied to information security.

For example, CyberCIEGE enhances information assurance and cyber security education and training through the use of computer gaming techniques such as those employed in SimCity™. In the CyberCIEGE virtual world, users spend virtual money to operate and defend their networks, and can watch the consequences of their choices, while under attack.

In its interactive environment, CyberCIEGE covers significant aspects of computer and network security and defense. Players of this video game purchase and configure workstations, servers, operating systems, applications, and network devices. They make trade-offs as they struggle to maintain a balance between budget, productivity, and security. In its longer scenarios, users advance through a series of stages and must protect increasingly valuable corporate assets against escalating attacks.

CyberCIEGE includes configurable firewalls, VPNs, link encryptors and access control mechanisms. It includes identity management components such as biometric scanners and authentication servers. Attack types include corrupt insiders, trap doors, Trojan horses, viruses, denial of service, and exploitation of weakly configured systems. Attacker motives to compromise assets differ by asset and scenario, thereby supporting scenarios ranging from e-mail attachment awareness to cyber warfare.

More information, along with introduction and demonstration movies, is available on the official website.

Cybersecure: Your Medical Practice is another example of using gamification to educate people, this time in the context of HIPAA compliance.

This web-based security training module uses a game format that requires users to respond to privacy and security challenges often faced in a typical small medical practice. Users choosing the right response earn points and see their virtual medical practices flourish. But users making the wrong security decisions can hurt their virtual practices. In this version, the wrong decisions lead to floods, server outages, fire damage and other poor outcomes related to a lack of contingency planning.

Gamification can also be applied in user awareness training to change the behaviour of users in the organisation. One instance of this might be helping to recognize phishing links.

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.


User studies have found that user education can help prevent people from falling for phishing attacks. However, it is hard to get users to read security tutorials, and many of the available online training materials make users aware of the phishing threat but do not provide them with enough information to protect themselves. Studies demonstrate that Anti-Phishing Phil is an effective approach to user education.

Apozy and Wombat Security Technologies also focus on gamification in raising awareness about security risks.

There is a free online course on gamification available. This course will teach you the mechanisms of gamification, why it has such tremendous potential, and how to use it effectively.

Cyber Attacks and Data Breaches Visualised


To keep up to date with the recent data breaches, one can use DataLossDB. It is a research project aimed at documenting known and reported data loss incidents world-wide.

For something more visual, Information is Beautiful presents the world’s biggest data breaches as bubbles of varying size, depending on the number of records lost. Short stories and explanations are also available for some of the incidents.

For real-time information, Google developed the Digital Attack Map. It is a live data visualization of DDoS attacks around the globe, built through a collaboration between Google Ideas and Arbor Networks. The tool surfaces anonymous attack traffic data to let users explore historic trends and find reports of outages happening on a given day.
