This Week In Security - Orlando Stevenson

Project Basecamp 2012 a Hit... Are We Really Ripe for More Attacks Like Stuxnet?-Researcher Ralph Langner says "Yes" at NATO Keynote.

2012-01-26T23:37:00.020-06:00

Project Basecamp A Hit- But Will It work?

Researchers participating in Project Basecamp clearly demonstrated just how extremely fragile and vulnerable many Industrial Control Systems (ICSs) remain to targeted cyber attacks during DigitalBond's S4 conference this month. Amazingly, a number of persistent vulnerabilities include poorly devised "features" in addition to a bucket load of underlying software flaws. Tools released include point and click easy Metasploit modules. All of this effort to extensively demonstrate persistent ICS security problems is ultimately intended to wake up C-level executives to help amp up pressure on the vendors for secure replacements ("a Firesheep moment"). Regardless, don't expect much soon as many experts agree we've seen ten years pass with few ICS vendor security improvements. DigitalBond's site continues dishing up excellent interviews (podcasts), videos, and blog entries worth paying attention to for those interested in ICS security.

What about Stuxnet - More to come or really just a one time event?

Here’s one of the most insightful, solid presentations available explaining how Ralph Langer & team pulled apart Stuxnet, what they found, and broader implications. While the Stuxnet windows “dropper” was top tier malware in many ways, including multiple zero-days, the real rocket science was approx. 15,000 lines of crafted industrial control system (ICS) malware payload “digital warhead” developed by seasoned engineers (Langner’s opinion- not just “hackers”) targeting specific nuclear enrichment ICS assets.

Ralph Langner's keynote "The first deployed cyber weapon in history: Stuxnet’s architecture and implications" (1:05) 6/2011 NATO Cooperative Cyber Defence Centre of Excellence - NATO CCD COE

Mr. Langner makes a solid case that this was a highly successful attack (like a missile) which invites an escalation for more to come. The code and modular approach itself is reusable in many ways. He’s also written a book "Robust Control System Networks: How to Achieve Reliable Control After Stuxnet" that ICS engineers, others can benefit from focusing on designing ICS systems with robust security baked in ..more.

Today (1/26) Safari Books Online has followed through on their promise to make Langner's book available to members at my request in 2011- oh yeah!

Specific OPSEC lapses may have helped also helped Stuxnet creators: An accurate IR-1 cascade model – langner.com 12/11/11 & The Prez shows his cascade shape - langner.com 12/07/11 / More: TED talk (10m) 3/11

From the man who discovered Stuxnet, dire warnings one year later - CSMonitor.com 9/22/2011

Welcome 2012: Leaping Into The Future With A Singularity Primer-"On track" per Ray Kurzweil as he answers the latest critics.

2012-01-12T22:39:00.034-06:00

The future is something I've always enjoyed focused, insightful perspective around and seems like a good topic to get my blogging mojo back in gear for 2012.

As I've touched on in a decade-plus forward look 2010 posting, Ray Kurzweil’s “Singularity is Near: When Humans Transcend Biology” 2005 book (672p) provides a science derived, profound view of how exponentially accelerating IT is driving ever increasing broader advancements. A very well executed, cited work in my opinion, with anticipated continuing advancements resulting in very dramatic changes affecting humanity over the next several decades (2020s genetics, 2030s, nanotech, followed by an intelligence take off, already in progress – i.e. technological singularity). One does not have to agree with all the points and conclusions raised in order to appreciate and gain much. This work was also released in 2011 as an Audible audiobook (unabridged, 25 hours).

Singularity Primer 2012:

Video: Futurist Ray Kurzweil Says Mankind Will One Day Live Forever, WSJ June2011 (10m) Quick overview.
Video: The Impact of Accelerating IT on War and Peace- Army 26^th Science Conference- Kurzweil Dec 2008) (55m) and supporting slides help explain his views. The talk was much broader than “War and Peace” and centered more around the implications for humanity in the not so distant future from continuing IT driven advancements. I found this a compelling update on his fascinating views- even if not all goes as predicted.
Video: Ray Kurzweil on "From Eliza to Watson to Passing the Turing Test" at Singularity Summit 2011 (65m) Ray Kurzweil kicked off the 2011 Singularity Summit with some specific updates in his projections and responses to the skeptics, e.g. Paul Allan’s recent essay (article).

More:

Seminar Podcast: “Kurzweil's Law”- Ray Kurzweil (106m) - The Long Now Foundation - audio download is free
Video/Article: “Kurzweil: 3 Supplements To Let You Live Until The Singularity (1m)” May 2011
- Coenzyme Q10
- Phosphatidylcholine (derived from lecithin)
- Vitamin D (perhaps the most critical of the three)
Movie: Transcendent Man (2009)- Netflix Instant Play Inventor and futurist Ray Kurzweil is the subject of this documentary that follows him on a world speaking tour in which he expounds on his ideas about the merging of man and machine, which he predicts will occur in the not-so-distant future. The visionary who invented the first text-to-speech synthesizer and much more raises eyebrows here with his wildly optimistic views of a technology-enhanced future. I give it B- rating.. but worth seeing once for most.

The Singularity is something that may utimately be an overwelming primary factor in shaping our future- very interesting indeed!

False Alarm? Russia Cyber Attack on Water System SCADA Reported-Cybersecurity back in limelight, asserting more intrusion(s)

2011-11-19T22:30:00.059-06:00

11/23/2011 Update - A False Alarm?

*** ANSWER: Yes ***
For the initial Nov14th report per DHS- with more "pr0f" (proof) hackery being demonstrated and investigated !

As the week of Nov 14th closed, a reportedly "confirmed" water system intrusion discovered after equipment damage prompted a sensitive fusion center advisory, quickly followed by more public coverage:

- Issue discovered Nov 8th after pump burned up due to power cycling.
- Believed credentials used stemmed from supplier/vendor breach (e.g. perhaps via phishing)
- May have been compromised for months with ongoing "instability glitches" dismissed
- Involved access from Russian Internet addresses.

A Nov 10th Illinois fusion center report serving as initial notice regarding this matter was obtained by Joe Weiss, crusader f or critical infrastructure security, who then broke the story providing some particulars to major media. A statement released by DHS spokesman Peter Boogaard downplayed the matter “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

11/23/2011 Update

Illinois intelligence fusion center reported Tuesday 11/22 that earlier reports of a water utility hacked cannot be substantiated, according to a DHS announcement. Joe Weiss's quote to Wired.com - “This smells to high holy heaven, because when you look at the Illinois report, nowhere was the word preliminary ever used,” Weiss said, noting that the fusion center — which is composed of Illinois state police, as well as representatives from the FBI and DHS — distributed the report to other critical infrastructure facilities in that state. “It was just laying out facts. How do the facts all of a sudden all fall apart?”

Following the initial DHS statement, a PGP signed posting by "pr0f" asserted evidence of gaining unauthorized access a second water treatment facility SCADA with five screen shots and statement, excerpt: "I dislike, immensely, how the DHS tend to downplay how absolutely F*****D the state of national infrastructure is....I've also seen various people doubt the possibility an attack like this could be done. So, y'know. The city of South Houston has a really insecure system. Wanna see? I know ya do... "

11/23/2011 Update

Sophos's Chester Wisniewski was contacted by the hacker "pr0f" regarding the South Houston, Texas intrusion. The hacker gained access through several methods (VNC variant, web portal) claiming he still has access. He also commented "Don't worry, I use my powers for good and such." And also pointed out, ".. I am under no illusions about my level of skill. These are the least secure systems. .. I was furious at the lack of proper government response. The response they gave was nothing more than 'Nothing happened. Probably.' When clearly something did happen."

What should utilities do?

Mr. Weiss provided some constructive broader recommendations in his post "Water System Hack - The System is Broken" Here are some specific suggestions for near term critical infrastructure cyber risk mitigation, especially for industrial control system (ICS) settings where cyber security may be lapsing, not addressed in a robust manner:

Identify all ICS systems and their organizational management owners.
Audit key baseline IT security controls, identify any serious remote and local access issues
- e.g. protected perimeter, all accounts have defined need, management approval/review, access activity logging for review, antivirus where feasible, patching.
Consider how to assert stronger positive owner access control, especially for remote access
-e.g. remote access normally disabled when not needed, logging all access events, multifactor token required/kept in house for vendor call in, protected jump box use instead of opening full throat network paths, segmentation when multiple vendor solutions are involved.
Note: A good place to start is closely studying NERC's July 2011 "Guidance for Secure Interactive Remote Access"
Implemented initial improvement options based on risk informed priority.
- proceed based on management engaged approval/direction, document and implement, monitor and report progress.
Pursue ongoing, broader ICS security improvements
- after getting basic IT-centric hardening measures in place, tools such as DHS's CSET (Cyber Security Evaluation Tool) - free for critical infrastructure organizations are available to build better understanding of ICS security susceptibilities and consequences, measure risk, and identify, prioritize further security improvements.

Any such attack damaging a water utility's pump is more akin to amateur antics than part of any organized nation state effort in my opinion. Regardless, even if this turns out to be a false alarm for causing of equipment damage, many related "what ifs" will be asked by media and others. We can expect various hats of hackers (white, grey, black) interest will also increase (SHODAN anyone?). Industrial control systems, including SCADA, are widely used to support a number of critical infrastructure functions. Secured communication paths and protected remote access must be ensured. Organizations that have blindly entrusted their vendor to adequately address cybersecurity in an increasing risk environment need to do more. People, process, technology requirements addressing security in such settings must be understood, documented, supported (with enforcement), and continue to be further developed.

More/sources:

- Cyber Intrusion Blamed for Hardware Failure at Water Utility- KrebsonSecurity 11/18/2011
- H(ackers)₂O: Attack on City Water Station Destroys Pump- Wired.com 11/18/2011
- Second Water Utility Reportedly hit by hack attack - The Register 11/18/2011
-proof of concept Intrusion
- Hacker targets South Houston Sewer System - The Houston Chronicle 11/19/2011
- What You Should Know About SHODAN and SCADA - DigitalBond 11/2/2010

11/23/2011 Update - False Alarm?
- Confusion Center: Feds Now Say Hacker Didn’t Destroy Water Pump - Wired.com 11/22/2011
- Interview with SCADA hacker pr0f about the state of infrastructure security - NakedSecurity, Sophos.com 11/22/2011
- The Illinois Water Hack Is a Test of the System for Disclosure – Is It Broken? - Joe Weiss, Unfettered Blog

EU BlackHat 2011: Cyberwar Overhyped, Escalating Cyber Conflict The Issue- EU Keynote counters Ex-CIA Official's Warning

2011-09-20T22:23:00.006-05:00

While imminent Cyberwar concerns have ramped up as of late, e.g., BlackHat 2011: Cyberwar is Coming- Ex-CIA Official Warns Black Hat 2011 Attendees, an insightful EU Black Hat 2011 - Keynote (video 1:15) with Bruce Schneier offers constructive and useful perspective:

“It’s not that that we’re fighting cyberwar, we’re increasingly seeing war-like tactics used in broader cyber conflicts. Non-nations can now deploy war-like tactics... a bunch of criminals getting tanks.. now what do you do?" - Bruce Schneier EU BlackHat 2011

Schneier points out that cyber war clearly is not happening now. Rhetoric surrounding cyberwar is exaggerated and harmful in its influence over policy. The debate language lacks good definitions - Don’t know when it starts, what it looks like, who is doing it, or when it’s over. Using the term “war” implies we’re helpless, we need to duck and cover, the government should handle it. Many measures merited in war time pose greater risk in peace time. Advantage is on the attackers side in cyber space with technology pushing capabilities out- so easy, kids can do it.

Further cyberwar high-level analysis commentary addresses topics such as preparing the battlefield, conducting attacks, etc. All advanced nations will need to have some cyber offensive capability as it's part of the war fighting theater now. It's also understood that the most advanced nations have extensive capabilities, e.g., placing logic bombs into enemy systems, potentially before broader conflicts starts. Reoccurring examples of precursor cyber-attacks being followed by more traditional military conflicts. US continues dragging feet on pursing international rules and treaties involving cyber conflicts given a perceived advantage. This stance really feeds the cyber arms race problem where every side assumes the worse. Related offensive decisions also need to be made at higher levels of government- Stuxnet types of attacks are reasonable to view as an act of war.

Critical Infrastructure concerns include widely believed examples of non-US criminal extortions, blackouts from hacking, e.g. Brazil. History is rich with market failure examples where common defense not adequately addressed by private industry. Private industry can only go so far and why we need government, with regulations only part of answer. The US is clearly more vulnerable than other nations; with risk is increasing, it's important to further address.

More:
- 60 minutes exposé - Cyber War: Sabotaging the System 6/13/2010 (video 18:02)
- “Next war might start with blackout, not a bang.” “Art of the Possible”

BlackHat and Defcon 2011: Top 10 Scariest Hacks- Network World's take on a handful meriting the most concern

2011-09-06T20:48:00.023-05:00

Las Vegas hosted Black Hat USA 2011 and Defcon 2011 conferences dished up a number of interesting hacking demonstrations applicable for critical infrastructure organizations. The wide ranging top ten identified by Network World (full slide show) included SCADA issues (Siemens, of course) and even a pretty significant ERP system issue (SAP).

Summary:

Siemens S7 hack (top one!). Very scary considering just how dependent real world facilities are to systems with related security problems, issues go well beyond being specific to Siemens solutions!
VoIP botnet control. Clever data ex-filtration, command and control methods using VoIP channel, touch tones phones.
Powerline device takeover. Demonstrating a device that can tap into home power lines, monitor and control home alarm/security cameras, e.g., enable intruders to jam security gear then break in.
Hacker drone. Off-the-shelf electronics used to create WASP (wireless aerial surveillance platform) executing flight plans while doing its work (crack codes, pick up cellphone calls, etc).
Car hijack via phone networks. Using text messages over phone links to hack a Subaru Outback car alarm, unlock doors, starting vehicle. Similar to devices used in some critical infrastructure settings, raising concerns about knocking out power grids and water supplies.
Hack faces to find Social Security numbers. Acquiring a person's Social Security number using nothing more than social networking photo, face recognition software, and a deducing algorithm.. interesting!
Remotely shut down insulin pumps. Exposing a very difficult to resolve wireless security problem- could be fatal in wrong circumstances. The diabetic security researcher focused on issues with his own wireless pump.. "devices weren't designed with security in mind"
Embedded Web server menace. Embedded web servers in photocopiers, printers may them easier to administer and be compromised, potentially pilfering produced documents. Easy fingerprinting and attack approaches demonstrated.
Spreading false router tables. Demonstrated OSPF (open shortest path first) routing protocol having weaknesses permitting attackers to install false table entries on uncompromised routers, potentially affecting data streams (sending info to remote attacker) or just crippling networks.
SAP flaw- Authentication. Showed how SAP system can be broken into, gaining administrative privileges. The researcher determined that half the systems examined were vulnerable to this issue. Easy to locate target systems with Google search. SAP is working towards releasing a related security update.

More:
- Insulin pump attack prompts call for federal probe‎ - Register 8/19/2011- Committee urges investigation into security standards for wireless medical devices.
- Black Hat 2011 USA Archive video, audio, slides added since Aug 2011 conference
- DEF CON 19 Archive - site stood up 9/5 w/slides, etc from Aug 2011 conference

BlackHat 2011: Cyberwar is Coming- Ex-CIA Official Warns Black Hat 2011 Attendees

2011-08-24T21:21:00.035-05:00

Former U.S. counter-terrorism official Cofer Black, who warned of 9/11 terrorist attacks, raised the alarm earlier this month during his Black Hat 2011 keynote that cyberwar is an imminent threat.

Cyber warfare has been brought up as a significant concern by US intelligence, former officials for some time – even concerns of potential tampering with IT supply chains, etc. Most view US leading with others catching up in offensive capabilities. Turnabout is fair game. Besides the obvious appeal and resonance this official’s message has with the Black Hat community and media coverage, some related points that can be made:

Stuxnet is the most significant example of a cyber attack against another nation state’s critical infrastructure since the Russian gas pipeline explosion in June 1982. In the June 1982 attack, a CIA operation was launched that embedded a Trojan horse in gas pipeline regulator software the CIA knew would be stolen by the Russians. The Russians did indeed steal the software and used it in a production gas line in Siberia. The Trojan horse corrupted the gas pipeline regulation which resulted in a massive explosion, initially thought to be nuclear, until later evidence showed this wasn’t the case. The incident was classified, then later released and infamously documented in the Farewell Dossier. The KGB at the time said the blast was accidental. (Source: Defending Against Stuxnet Type Threats – invincea blog)
Government officials fear that foreign powers could surreptitiously design something into a component or printed circuit board that would end up in a piece of equipment used by the government "Maliciously tampered ICs cannot be patched," retired General Wesley Clark said in 2009. "They are the ultimate sleeper cell."
Many are very skeptical that a huge US electronic 9/11 or Perl Harbor event is imminent – a view I share. All advanced militaries have cyberattack capabilities, including EMP strike options against information technology based systems. We can expect significant nation state sponsored cyber incursions to continue, often for information gathering purposes. This may not be a true “war” but that doesn't mean we aren't losing.

Symantec's W32.Stuxnet Dossier- Breakthrough v1.3, Nov 2010 Dutch Profibus expert provides crucial pieces to the puzzle

2010-11-19T00:04:00.008-06:00

As of October, much had already been research and shared with critical infrastructure organizations around Stuxnet given the broader industrial control system, DCS, SCADA implications. As provided in the publicly available Symantec's research blog series and W32.Stuxnet Dossier white paper:

Stuxnet has been in play since at least 2009.
Specifically looks for Siemens PLC models S7-417 and S7-315-2, both widely deployed in the US.
PLC infection only occurs when the PLC contains the Profibus-DP communications processor
Windows 64-bit platforms not affected (32-bit targeted).
Malware package very sophisticated even with some sloppy controls (could’ve been more restricted and targeted, and stayed hidden longer).
The question of how to ensure the integrity of PLC code has not been addressed in detail.

Stuxnet raises the bar, serves as a road map even if not viewed as easy to repurpose by talented security researchers and hackers studying it. There has also been speculation that this type of malware may have been used to make several Iranian petrochemical facilities dramatically "go bang" in 2009.

On Nov 12th, Eric Chien's posting Stuxnet: A Breakthrough keyed in on important tips and insights provided by a Dutch Profibus expert that helps determine exactly the purpose for Stuxnet. Symantec's updated W32.Stuxnet Dossier v1.3 Nov 2010 white paper now more clearly describes how the malware targets and sabotages specific models of higher speed motor driving frequency converters over an extended time frame.

This additional insight underscores the need to increasingly manage similar potential "Advanced Persistent Threat" risks to critical infrastructure. Stuxnet's very clever payload is just one example of how similar hidden, targeted malware could pose a substantial threat to critical infrastructure even as this real world example has focused more on sabotaging systems akin to those used in uranium enrichment activities.

More:

Senate Committee Unanimously Passes Major Cybersecurity Bill- Risk mitigation shifting to continuous monitoring and dynamic response

2010-07-04T15:38:00.041-05:00

On June 24th, the Senate Homeland Security and Governmental Affairs Committee unanimously approved an amended 200 page version of a controversial The Protecting Cyberspace as a National Asset Act of 2010 cyber security bill which will move forward to the full Senate floor for consideration.

SANS Director Alan Paller’s related testimony (written – 17 pages, and discussed) at the June 15th Senate hearing: Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century (webcast) strongly emphasizes more effective risk management and less "paperchasing" as currently demanded by FISMA (with NIST standards and guidance mandatory). “When you demand that someone perform huge numbers of things, with limited budgets, you get dysfunctional results.”

The committee's bill includes a number of key elements, many of particular interest to critical infrastructure organizations:

Creates an Office of Cyberspace Policy in the President's Executive Office to be ran by a Senate-confirmed Director. The Director will advise the President on all cybersecurity matters, harmonize federal efforts to secure cyberspace and will develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.
Creates a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS) to be ran by the Director. This will elevate and strengthen the Department’s cyber security capabilities and authorities. The NCCC will include the United States Computer Emergency Response Team (US-CERT).
Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies practices of protecting their internal networks and systems. Reforms will allow agencies to move towards real-time monitoring to secure critical systems (and away from the system of after-the-fact paperwork compliance).
Requires the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
Requires critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
Creates a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
Develops a comprehensive supply chain risk management strategy to address risks and threats to information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
Requires the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.

With respect to NERC Reliability Standards, including the cyber security focused CIPs, an extensive compliance paperchase remains underway in 2010 with both industry and regulatory bodies facing a substantial phase in of standards going through their first extensive audits. Much of the focus is based on the the language and intepretation of the Standards and associated Reliability Standard Audit Worksheets (RSAWS) - visit Resources at link. Even if this bill would become law today, it could be years before related expectations and improvements are signficantly reflected in the Standards.

More:

- Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses (w/video ~10m) 6/10/2010
- Other recent hearings, such as before the House Appropriations Committee, also emphasizing key elements in the bill: DHS Cyber Security Programs – What progress has been made and what still needs to be improved? 4/15/2010

Cybersecurity: Utilities are Contested Territories - Fact or Hype?

2010-03-17T23:26:00.017-05:00

SANS Director Allan Paller's recent EnergyBiz opinion piece Utilities are Contested Territories presents illuminating facts driving Advanced Persistent Threat (APT) cybersecurity concerns in utility settings.

The FBI reeled in 31 major utility executives for some forensic-grade calibration on how their systems have been unknowingly compromised over extended time frames.
The attacks, also affecting other areas of government and major businesses, are nation-state level in sophistication and persistence.
Weaponized email is the current preferred technique facilitating ongoing waves of attacks.
Key defenses were determined insufficient to prevent, detect, deter, and recover from the attacks.

The article goes on to assert that more advanced utilities have learned to treat their environments as though they do not have complete control of their systems as an underlying assumption. Many of these organizations are stated to have an unprecedented level of additional defensive measures now deployed to help manage APT risks (extensive encryption, access controls, monitoring, etc).

A preview, request-only SANS Webcast delving into this topic is scheduled ahead of upcoming 2010 SCADA and Process Control Summit (March 24th - April 1st).

Hurry if you're interested in catching this free, one-time, by request only webcast:

Exclusive Webcast: Digging Deeper Into The Advanced Persistent Threat March 19, 2010 1:30pm EDT

The Summit's optional workshops (provided by DHS, INL NERC) include a very interesting new full day offering:

NERC Cyber Risk Preparedness Assessment for the BPS Asset Owners and Operators
This Summit workshop on April 1st should be of particular interest for utilities further developing cyber security exercises. Will cover useful scenarios to learn from and apply
- “Each entity will be provided an exercise development kit” -

2010 Blasts in with Regulatory Cybersecurity Bar Raising- NERC CIP-002-4 (Project 706 Ph II) and NRC RG 5.71- both with NIST Enhancements

2010-01-17T22:00:00.039-06:00

Last updated 1/24/2010
As 2010 opens, beefed up regulatory scope and rigor around cybersecurity on both the Bulk Electric System (BES) and commercial Nuclear Power Plant (NPP) fronts are forming up- even as expanding regulatory scrutiny has been focusing on assessing the status of current requirements and programs.

Draft NERC CIP-002-4 Released. Now in Phase II, NERC Project 706 (to address FERC Order 706-A), released draft standard CIP-002-4, Cyber Security - BES Cyber System Categorization (16 pages, w/VSLs) in December for an informal comment period through February 12th. This version calls for significantly more extensive risk assessment process:

Substantially addresses concerns raised in Assante’s April 2009 letter – see Assante Throws Down the Gauntlet on CIP-002 - DigitalBond.com.
Rather just focusing what to include, requires a complete inventory list of BES Cybersecurity systems for determinations to be made.
Getting NISTy (more) with graded BES impact assessment and commensurate controls- high, medium, low (catch all) impact ranking
Emphasizes functional assurance, not just security around functions.
Specific Violation Severity Levels (VSLs) penalties called for if mis-categorization is determined to have taken place.
NPP applicability- structures, components, equipment and systems of facilities within a nuclear generation plant not regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety.
More- effective date is two years after approval (“eighth calendar quarter”), bottom up conservative approach with granular assessment/engineering evaluation expectations, various impact categorizations for assessment addressing inadvertent/adverse changes, example fishbone diagramming dependencies- see Draft Guidance Document (10 pages)

Updated 1/24/2010
On Feb 3rd, 2010 at 1pm EST, NERC is scheduled to host a webinar "Proposed Revisions to CIP-002-4" (register)

NRC RG 5.71 Released. Following the November 23, 2009 deadline for NPPs to file required Cyber Security Plans for review and approval (per NRC Reg 10 CFR 73.54), the NRC released regulatory guide RG 5.71, Cyber Security Programs for Nuclear Facilities (copy, 100+ pages, including template/appendixes) earlier this month, source: NRC Regulatory Guides - Materials and Plant Protection (Division 5). This now public regulatory guide formally expands and supersedes prior NRC endorsed NEI 04-04 developed by the industry. Some argue it’s like going back to a blank piece of paper to stand up a new program – not entirely true but still very dense as regulatory guides go, and also getting more NIST aligned (more). Commercial nuclear has gone through a number of development steps over the last decade, see NEI Power Plant Security- Cybersecurity.

More perspective around RG 5.71 can be gained from reviewing NRC's Advisory Committee on Reactor Safeguards (ACRS) 567th Meeting- Nov2009 - Official Transcript (copy, - 330 pages, good place to start is page 98 for "cybersecurity", jump to page 275 for more specific RG 5.71 coverage). This guide is writen for the cybersecurity professional and covers aspects that others may miss when reading through it.

FERC Order 706-B - NRC/NERC MOU Released. FERC recognized a regulatory gap with Order 706B; the NRC, primarily focused on public safety and nuclear significant aspects of NPPs, does not have regulatory scope addressing continuity of power. FERC Order 706-B states that balance of plant systems at NPPs not regulated by the NRC must comply with NERC CIP Standards and requires NRC to make a compliance filing outlining implementation schedule. A NRC/NERC MOU released last week, establishes a working agreement consistent with FERC Order 706-B recommendations. FERC's Dec 17th filing expects additional compliance filing from NERC to more clearly address (i) how determinations of systems will be made that that fall under either program (NRC Cyber or NERC CIP), and (ii) establishing an exception process for exempting systems that fall under NRC Cyber from CIP compliance.

More:

Informal Comment Form: Project 2008-06 Cyber Security Order 706 CIP-002-4 (due 2/12/2010)
NRC and NERC Execute Memorandum of Understanding Regarding Enforcement of Cyber Security Requirements- Morgan Lewis Energy Lawflash, January 12, 2010
NRC Reg (10 CFR 73.54) Protection of digital computer and communication systems and networks.
NIST on a roll with "Historic" Security Controls Guidance (SP 800-53 Rev 3)

Security Challenges Into the Next Decade and Beyond- A Leap Into the Future with Kurzweil, Suarez & Joy

2010-01-09T00:48:00.036-06:00

Over the New Year's Holiday, I dusted off and finished pressing my way through a stunning, expansive view into the not so distant future with Ray Kurzweil’s tome The Singularity Is Near: When Humans Transcend Biology. In his richly cited work, huge advancements in renewable energy and storage efficiency, with microscopic fuel cells and other technologies, will capture abundant energy available for the taking in a distributed manner- intrinsically reducing unique security risks associated with centralized power stations.

Looking at accelerating trends continuing with information technology, Kurzweil argues that The Law of Accelerating Returns applies to many problems once sufficiently addressed with information technology based approaches. For example, rather than traditional experimental trial by error, exponentially improving computing environments are increasingly being used to effectively model and test medical treatments virtually. Expect significant life extension and expansion improvements over the next 20 years, as well as rapidly emerging non-biological intelligence fundamentally going beyond various narrow artificial intelligence applications widely used today. Related nanotechnology will drive expanding human intelligence and also result in new existential threats as we eventually transcend our biology- some heady prognostications.

If you haven’t read about or heard Ray Kurzweil in depth before, here’s an informative Dec 2008 Ray Kurzweil presentation from the 26th Army Science Conference The Impact of Accelerating IT on War and Peace - Dec 2008, video 54m) This talk was broader than the title implies, providing his updated views and supporting presentations slides (142 w/pdf, pptx formats) regarding IT driven advancements and unfolding implications.

Focusing on cyber security, non-biological computer infections or actions taken by malicious actors will increasingly be less just about compromising computers and more about harming the physical environment including humanity - who wants to let their bio or nano augmented substrate be chewed up and spit out as grey goo by rapidly replicating nano-nasties or otherwise adversely repurposed? So much promise and notable perils which many baby boomers may be able to witness if they stick around long enough. Kurzweil, turning 62 in Feb, is taking several hundred supplements daily and adhering to a strictly formulated diet- striving to bridge into his predicted, further life extended future bridges with continuing advancements in GNR (genetics, nanotechnology, and robotics).

From a more current perspective, the emerging best-seller “fiction” hit in 2009 Daemonby Daniel Suarez (audio clips at audible.com) provides a present day look into what could go wrong with runaway non-biological intelligence. His first book, and just released sequel Freedom (TM) provides subtle and ruthless ways civilization could be systemically torn down by a cleverly designed artificial entity savvy in human behavior, reaching out from cyber space via online gaming and other methods, recruiting and exploiting human agents, etc. While entertaining and recommended reading, his informative, non-fiction presentation Daemon: Bot-Mediated Reality- The Long Now Foundation (video 1:20) emphasizes underlying themes with concerns about how humanity is increasingly facing the prospects of a Darwinian struggle with non-biological intelligence. He emphasizes key strategies and controls needed now to address the growing risk.

For more on concerns about the perils – here’s a provocatively titled article “Why the future doesn't need us.”- Bill Joy, Wired, April 2000 “Our most powerful 21st-century technologies — robotics, genetic engineering, and nanotech — are threatening to make humans an endangered species."

More:

Top futurist, Ray Kurzweil, predicts how technology will change humanity by 2020 and
Ray Kurzweil's Crystal Ball - New York Daily News, Dec 2009
China blames online games for drugs, murder, teen pregnancy - bitbucket.kylewelsh.com, Dec 2009
Ray Kurzweil Explains the Coming Singularity (video, 7m) - bigthink.com, Apr 2009

Cyber Security Happy New Year 2010 - Perspective and Predictions

2010-01-02T22:45:00.036-06:00

First Cut 1/2/2009

2009 Perspective - hot stories and list of lists.

U.S. seeks 'top guns' for cybersecurity - ComputerWorld, Jul 27, 2009
Rogue Antivirus Operations Thrive in 2009 -eWeek, Dec 22, 2009
Obama names a cyber security chief - Boston Globe, Dec 22, 2009
Verizon Business Issues 2009 Data Breach Supplimental Report Profiling 15 Most Common Attacks (32p) Anatomy of a Data Breach' Sheds New Light on How and Why Attacks Occur
- Results from 600 incidents over five years make a strong case against the long-abiding and deeply held belief that insiders are behind most breaches.
- Top 15 threat action types (flckr link) from 2009 DBIR (page 6 of 32):
- Where should mitigation efforts be focused?
      a. Ensure essential controls are met.
      b. Find, track, and assess data.
      c. Collect and monitor event logs.
     d. Audit user accounts and credentials.
      e. Test and review web applications.

Top Security Stories of 2009 - eWeek, Dec 28, 2009
1. Conficker Countdown, see "The Internet is Infected" - 60 Minutes - April 2009
2. Cyber Security Coordinator (Czar)
3. Gonzalez and His Gang Taken Down (huge takedown!)
4. Social Networking and You (organizations, regulators wressle with privacy, security issues)
5. Apple iPhone Security Woes (Dutch teanager discovery leads to worm attacking jailbroken phones)
6. Hacktivists Stay Busy (twitter redirection to Iranina cyber army, DDos attacks, etc)
7. Electric Grid Lights Out (hacker spies causing power outages, infiltrating national defenses) see "Sabotaging The System" - 60 Minutes - Nov 2009
8. F-35 Fighter Plans Hijacked by Hackers
The Future of Threats and Threat Technologies: How the Landscape is Changing (24 p) TrendMicro, Dec 2009- Several threat area predictions that that came true in 2009:
- Social networking sites will grow as targets;
- Social engineering will become increasingly prevalent and clever - Unlike the global economy, the underground economy will continue to flourish.

More: Perspective One Year Ago

2010 and Beyond Predictions - more hot stories and list of lists.

The Future of Threats and Threat Technologies: How the Landscape is Changing (24 p) TrendMicro, Dec 2009
- No global outbreaks, but localized and targeted attacks.
- It’s all about money, so cybercrime will not go away.
- Windows 7 will have an impact since it is less secure than Vista in the default configuration.
- Risk mitigation is not as viable an option anymore—even with alternative browsers/OSs
- Malware is changing its shape—every few hours.
- Drive-by infections are the norm—one Web visit is enoughto get infected.
- New attack vectors will arise for virtualized/cloud environments.
- Bots cannot be stopped anymore, and will be around forever.
- Company/Social networks will continue to be shaken by data breaches.

Risky Business #137 -- Year in review special! - Patrick Gray, Dec 2009 (news and opinion)

More: Predictions One Year Ago

Cloud Security FUD Addressed with Executive Overview- guidance and news as 2009 comes to a close

2009-12-25T22:38:00.030-06:00

(Updated 11/24/2011)

Cloud computing technology and solutions hit many critical infrastructure organizations head on in 2009, transitioning from being a vague concept to a must-have, at times mandated, in-house technology for many, a.k.a. private clouds. During this time, vendor offerings hosted in public cloud settings increasingly also provided quick start, low cost, flexibility with extensive integration options.. without much of the extra lifting and hassles running all the footprint requirements in-house. While some state that clear cloud security standards are still years off, the reality is we're already well into the realm of having to deal with public and private cloud security issues- especially at the business network level.

The following provides a good executive thumbnail of what decision makers need to understand in addition to the latest in more specific guidance for secure cloud computing:

The Busy Executive’s Quick Cloud Computing Reference Guide - Virtualization Journal Dec 2009 — As an executive, you may be hearing many different viewpoints about Cloud Computing; some of them promising significant IT cost reductions and reductions in capital expenditures. Don't get caught off guard regarding all the technical complexities of developing and offering Cloud Computing services, the whole reason you're considering this option is so others will take care of these factors for you. Although you still need to be an educated consumer, you don't need to be in the weeds to ensure you're not caught with your pants around your ankles if you decide to use Cloud Computing services.

Guidance for Critical Areas of Focus in Cloud Computing- Version 2.1 - Dec 2009 (76 pages). The Cloud Security Alliance (CSA) newly released second version of guidance for secure adoption of cloud computing services provides more details with a good overview, addressing risks and timing, and helps simplify the decision process involved. This non-profit released their first version during the 2009 RSA Conference.
Excerpt- It is hard to believe that just seven short months ago, we pulled together a diverse group of individuals from all corners of the technology industry to publish the first “Security Guidance for Critical Areas in Cloud Computing.” Since its launch, this seminal publication has continued to exceed our expectations for helping organizations around the world make informed decisions regarding if, when, and how they will adopt Cloud Computing services and technologies. But over those seven months our knowledge, and cloud computing technologies, have evolved at an astounding rate. This second version is designed to provide both new knowledge and greater depth to support these challenging decisions.

11/24/2011 Update
The Cloud Security Alliance (CSA) released Security Considerations for Critical Areas of Cloud Computing- Version 3, 11/14/2011

NIST Cloud Computing Project Site. NIST's Role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards.

Of course, there is devil in the details which vendors are working feverishly to address and differentiate with. Microsoft's cloud undergoes annual audits for PCI DSS, SOX, and HIPAA compliance, as well as internal assessments throughout the year. Remarkably, the Microsoft cloud has also obtained IS/IEC 27001:2005 certification (this year) in addition to SAS 70 Type 1 and II attestations. ISO 27001 (formerly ISO 17799) remains one of the best information security standards available - a superset when compared with other standards (more). Microsoft's Azure branded public cloud computing platform long in development, is set to go live on New Year's Day. Plans include expanding the new technology into customer settings.

At a technology execution level, the release of vSphere in early 2009 extended VMware's lead with significant performance, features, and security improvements - a game changer - which includes robust Cisco Nexus 1000V software appliance support. Regardless of technology mix deployed, many organizations are coming to grips with virtualization's broader implications and working to spin up capabilities while the technology race presses on.

Bottom Line for Critical Infrastructure. The implications go well beyond the basic virtualization strategy of seeking tactical operational benefits with fewer physical servers and more virtual servers. For even the most critical infrastructure settings, private cloud (aka virtualization) computing is increasingly a must have for any new large investments going forward. The cloud technology benefits are compelling (fault tolerance, hot recovery, managing growing functional and regulatory complexity, layering defenses, etc) even while introducing its own complexity and risks to manage. The future will have layered information landscapes, and underlying systems, networks, and storage increasingly virtualized and extending deeper into and well beyond the comfort zone of today's typical organizational and outsourcing boundaries.

More:

FERC Hammers Florida Power & Light Co with $25M Civil Penalty - $5M to go above and beyond current regulatory requirements

2009-10-18T23:00:00.005-05:00

On Oct 8th, Florida Power & Light (FPL) agreed to pay a $25 million penalty after blunders by a field engineer led to a service outage affecting nearly a million customers - i.e. 2008 Florida Blackout.

This marks the first settlement resulting from a reliability investigation by the Federal Energy Regulatory Commission (FERC) enforcing a 2005 law establishing electric reliability standards. This fine won't be going to customers. Instead FPL, facing a potential of $1B+ in fines, agreed to pay $10M to the United States Treasury, $10M to the North American Electric Reliability Corp. (NERC). The remaining $5 million is to go towards measures beyond current reliability requirements in a regulatorily approved manner- otherwise, whatever remains of the last $5M will be evenly split between US Treasury and NERC.

"Today's settlement demonstrates the high priority the commission places on electric reliability,'' said Norman Bay, director of the commission's Office of Enforcement. ``The message to the industry is clear: Compliance with the standards is critical.''

Holly smokes! This civil settlement clearly marks the end of wrist slaps for reliability violations with a whole new level of realizable penalty levels. It's also worth emphasizing that NERC CIPs cyber security focus represents just one of fourteen reliability groupings in current NERC Reliability Standards. The process reaching this settlement clarifies how FERC will increasingly be taking a very active role in industry reliability investigations going forward. Industry compliance programs will need to be reviewed and appropriately bolstered to help ensure sufficient program measures are defined and being maintained. The settlement also speaks to the need for continuous improvement efforts by industry aiming well beyond meeting today's reliability requirements- i.e. increasing regulatory margin. Increasingly akin to commercial nuclear regulatory challenges and supporting programs- with heavy doses of auditable evidence required.

More:

October 8, 2009 - FERC approves settlement, $25 million fine for FPL's 2008 Blackout News Release Decision - ferc.gov
FPL to pay $25M for blackout blunder – Miami Herald (Oct 8, 2009)
FPL could face $1 billion in fines – SunSentinel.com, (Jan 28, 2009)
Interesting - FPL Conference Call with Major Media- Preliminary Investigation Results (Audio ~45m) - (Feb 29, 2009) - from FPL 2008 website posting. (updated link- 8/2011)

Striking the Right Balance: MS Windows Screensaver Locking - AutoIt: A Potential Cure for Headaches

2009-10-04T21:14:00.012-05:00

Updated 11-16-2010
While there has been plenty of higher stake cyber security challenges dominating my team's attention lately, I stumbled on an interesting approach to address an issue many organizations wrestle with.

The basic, consistent implementation of automatic locking Microsoft Windows PC screen savers, requiring password entry for access after a period of inactivity, poses a number of challenges. At least Microsoft's Active Directory (w/Group Policy Objects) makes implementation technically manageable. However, areas taking issue with implementing a required inactivity lockout often only have occasional legitimate business needs that are not suitable for a full exception. For example, personnel may give presentations and don't want to have disruptions, others may burn DVDs, view network traffic in a locked room, or occasionally engage in other unique activities where there is less interactive PC use- making realistic automatic screen locking burdensome.

To help address this issue, we've been looking at several "Egg Timer" type of PC utilities to provide the means of temporary relief when merited so we can pursue a more consistent implementation of mandatory inactivity screen saver lockouts technical policy measures company-wide. One particular commercial offering has not yet gone to a new release (that we've been waiting on since 4Q2008) with expected pricing $10-$20 per PC plus annual maintenance.

Alternatively, a very interesting, freeware scripting and compilation tool called AutoIt has been available and improving for years. I haven't coded seriously in a long time and wasn't aware of this tool or its capabilities until recently. Surprisingly, the tool and associated slick editor along with lots of sample code, and large community of users together helped rapidly put me at ease. Although I didn't have much time available over the weekend, I still plunged ahead anyway and developed a "Beta" solution for review and feedback. The CDS utility developed since with AutoIt seems to do pretty much what we need and compiles into a reasonably small, single executable file that can just be dropped on the menu or just the desktop - sweet. The latest version supports use of Active Directory groups to authorize specific systems and logs user startup, activation, and exit events (user, timeout) of CDS to the local Windows Application event log and a designated central logging server (if assigned and available).

This excursion is aimed at saving us some hard cash - a good thing in tough times - while also helping make the consistent implementation of screen saver technical controls easier to live with for all involved. Additionally, the sheer ease of using AutoIt underscores how open source-like technology tools are continuing to develop so even the free stuff can be the very good stuff.

Updated 11-16-2010
A SourceForge open source edition of the Corporate Delay Screensaver (CDS) utility - CDS-v100-Open- is now available for download with commented source code, use documentation, and an example AutoIT complied executable at

http://corpdelayscnsvr.sourceforge.net

BlackHat Smartgrid Worm Attack Simulation - Aug 27th Live Webcast: Smart Grid Device Security - Mike Davis, IOActive

2009-08-08T12:28:00.001-05:00

Updated 9-5-2009

Following BlackHat 2009 in July, the archived webcast below highlights critical research Mike Davis and other IOActive researchers performed on Smart Grid technology.

Smart Grid Device Security - Mike Davis, IOActive 8/27 - 4-5 pm CST
- References several video simulations of 22,000 node smart-meter worm propagation using GPS points gathered from geo-coded home addresses purchased from a bulk mailing list. Radio range and other factors are reflected once a compromised "Patient 0" meter is introduced. - Video 1, Video 2, Video 3
- BrighTALK.com registration required.

Davis and other IOActive researchers developed a proof-of-concept malicious code that self-propagated in a peer-to-peer fashion from one meter to the next as part of their effort to identify Smart Grid cyber security risks and threats. Webcast also addresses this attack simulation and discovered Smart Grid vulnerabilities to attack- such as susceptibilities to buffer overflows and root kits.

As one of the top Black Hat conference presentations, this has stirred up further attention to Smart Grid cyber security just as NIST is working to stand up and plow through developing related requirements and standards on an accelerated schedule. For those that missed out on the Blank Hat session, this recap is very informative.

Update 8-20-2009
Davis's Recoverable Advanced Metering Infrastructure presentation slides (23 pages, some thoughtful redactions) are now posted in the Black Hat USA 2009 Archive area.

NIST on a roll with "Historic" Security Controls Guidance & SmartGrid 3rd Workshop Aug 3-4-Plus: BlackHat Smartmeter Worm Attack Simulation

2009-08-02T09:24:00.003-05:00

NIST SP800-53 Rev 3 is Final
The voluminous NIST SP800-53 Revison 3 (~40 core pages plus supporting sections, 236 pages total) released on Friday addresses and deliverers a unifying cyber security framework for use across governmental, civilian, and critical infrastructure entities on Friday. The focus remains establishing a solid baseline security posture across eighteen control set families Consensus developed SANS Institute - 20 Critical Security Controls - Version 2.0 provides an updated mapping to this NIST release.

NIST said the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

Significant changes include:

A simplified, six-step risk management framework
Additional enhancements for advanced cyber threats;
Prioritizing or sequencing security controls during implementation or deployment;
New references section in revised security control structure;
Supplemental guidance security requirements eliminated;
Addresses risk management framework for legacy information systems and for external providers of information system services;
Current threat information and known cyber attacks factored into security control baselines updates.
Addresses organization-level security controls for managing information security programs;
Guidance on the management of common controls within organizations; and
Strategy for harmonizing Federal Information Security Management Act security standards and guidelines with international security standard ISO/IEC 27001.
Tailoring industrial control systemsm, including compensating controls- Appendix I

NERC emphasized ISO/IEC 27001 (aka ISO 17799) with the introduction of CIPs and 40+ security requirements; this major enhancement to SP 800-53 should help towards NERC CIPs getting even more NISTy.
NIST SmartGrid Workshop - Aug 3rd -4th
Third major NIST Smart Grid workshop - web/teleconference options:
A key objective of the public workshop is to engage standards development organizations (SDOs) in addressing standards-related priorities. Sessions will be devoted to discussing individual SDO perspectives on the evolving roadmap for Smart Grid interoperability standards, reaching agreement on which organizations should resolve specific standards needs, and developing plans and setting timelines for meeting these responsibilities.

Webcast information will be posted on this link before the first session begins (more)Agenda worth checking out, e.g. Tuesday – Cyber Security Strategy - 8am start (CST) , workshop wrap-up Tuesday PM includes report out from multiple topic tracks.

Smart Meter Worm Could Spread Like A Virus - Black Hat Presentation.
At Black Hat last week, IOActive’s Mike Davis and team created a simulation demonstrating how, over a period of 24 hours, about 15,000 out of 22,000 homes had their smart meters taken over by a software worm that placed the devices under the control of the worm’s designers. More: Smart Meter Worm Could Spread Like A Virus
Some speculation- the simulation likely focused on a single managed smart grid environment (not across multiple, independent smart-grid settings). The meter manufacturer reportedly first dismissed the claims until they were proven. The vulnerabilities are similar to what happens when computers are linked over the Internet. By exploiting weaknesses in the way computers talk to each other, hackers designed attacks can size control. The Recoverable Advanced Metering Infrastructure presentation information is not posted yet in the Black Hat USA 2009 Archive area.

Black Hat and Defcon draws some of the best talent around to crack security e.g. Black Hat Researchers Find 'Free' Parking in San Francisco and more news.

Securing the Modern Electric Grid from Physical and Cyber Attacks - Homeland Security Committee Hearing 7/21/2009

2009-07-26T22:50:00.000-05:00

The Homeland Security Committee hearing “Securing the Modern Electric Grid from Physical and Cyber Attacks” on 7/21/2009 provided solid industry perspective on improving cyber security. Additionally, serious committee attention now is also focusing on the growing threat of physical damage from EMP (Electromagnetic Pulse) threats. An EMP attack, using one or several high attitude nuclear detonations, risks taking out all digital and electrical infrastructure across wide swaths of North America. The EMP threat is not new; however, there is growing risk of a deliberate attack from either a rouge group or nation sponsored effort, e.g. Iran sea based delivery testing for such a device with high attitude explosion. Our vulnerability to this issue serves to increase risk. EMP is a national security issue long overdue for realistic mitigation - there is a need to get beyond just studying the issue. Congress sees the potential consequences from the EMP threat as unacceptable, the cost to substantially mitigate reasonable, and is challenging industry to get after EMP risk mitigation.

Mr. Fabro, from Lofty Perch, helped bolster the perspective that industry is substantially improving cyber security- good technical, constructive views, recommendations and responses to congressional Q&A.
NERC’s CSO Mr. Assante emphasizing progress since joining NERC in September of 2008- e.g. cyber event reporting, communicating more effectively with +1800 entities, improving analysis of threats and industry alerting. He also clearly stated the grid is not immune to cyber or physical threats. and more will be done with industry engaged, factoring NIST in further CIPs development. NERC also still views a need for more FERC authority to better address the risk of immediate, severe threats in a timely manner.
Some committee members remain very skeptical about industry treating cyber security seriously, emphasizing concerns about being lied to by industry, lack of progress. Now questions are also focusing on what industry is really doing about the EMP threat - whether from a premeditated attack or natural in origin, e.g. solar storms. Nothing?
- Rep. Bill Pascrell, JR’s (from NJ) plainly spoken, eviscerating comments and questions provide an instructive example of some hardball congressional Q&A (jump to about 1:16:05 in recorded hearing)
NERC. working with DOE, formed up special invitation-only group July 2nd to further look at high impact, low probability, or better stated - low frequency, events (EMP, solar weather, terrorism, etc)

More:
- An avoidable catastrophe – Opinion Commentary. – Washington Times 7/20/2009
- Report of the Commission to Assess the Threat to the United Status from Electromagnetic Pulse (EMP) Attack, April 2008 (208 pages) - Well organized update to the 2004 report, walks through key scenarios and consequences.

Yes- Omaha's Infotec09 Rocked !

2009-04-15T22:09:00.000-05:00

After taking a year off and regrouping, Infotec09 April 14-15, 2009 rocked.

This bargain conference offered excellent keynotes, including Erik Wahl's phenomenal opening "Art of Vision" message (website), and a broad set of innovation themed tracks addressing security, infrastructure, collaboration, leadership, culture and more. There were plenty of excellent, oft published speakers, industry leaders- one of my favorites being the pragmatic, candid security leadership guru Mike Rothman. Also well represented, a sponsor mix across a wide solution space of products and services. It was also great seeing some folks I haven't seen in a while, catching up and talking shop, and making new contacts.

Infotec's solid comeback with an unofficial 600+ reportedly attending this week at Qwest Center Omaha made its mark- a success to build on bolstered with online and informative session blog summaries w/slides.

Feds Backing Up Rhetoric with Cybersecurity Action -plus Joe Weiss's latest testimony

2009-04-06T06:54:00.000-05:00

Lawmakers and the Obama Administration continue ratcheting up federal level attention to private sector critical infrastructure cyber security defenses. Concurrently, with a 60-day review ordered by the Administration yet underway (interim update -3/3), the Senate is developing sweeping legislation that would Federalize Cybersecurity. Many of the proposals stem from recommendations provided within the seminal Cybersecurity for the 44th Presidency study submitted last year by the Center for Strategic and International Studies, including:

appointing a White House cyber security "czar" with the authority to shut down government and private computer networks during a cyber-attack
charging the National Institute of Standards and Technology (NIST) to establish "measurable and auditable cyber security standards"
mandating an ongoing, quadrennial review of the nation's cyber defenses
requiring licensing and certification of cyber security professionals.

Also notable, NSA’s increasing role in such developments is causing growing concerns about privacy and pursuing an inherently flawed strategy by charging the organization with both ongoing intelligence gathering and an expansive new mission around national cyber defenses. The resignation of Rod Beckstrom from an executive-level cyber security federal government position underscores such concerns.

FERC Order - Nuclear "Regulatory Gap" Update.
The Federal Energy Regulatory Commission (FERC) is pressing forward to resolve commercial nuclear cyber security jurisdictional “regulatory gap” concerns raised last year. A FERC issued “clarification” (~17 pages; Docket No. RM06-22-000; Order No. 706-B) on March 25th addresses previously requested industry input. It also concludes with a determination insisting that the portions of a nuclear power plant, not specifically addressed with tighter security program coverage in the forthcoming regulations from the Nuclear Regulatory Commission (NRC), will be required to adhere to NERC Critical Infrastructure Protection (CIP) Reliability Standards. This rule became effective March 25, 2009. The combination of enhanced NRC requirements and the addition of FERC/NERC expectations into the mix make addressing cyber security an even more important licensing and compliance challenge for commercial nuclear power. Some good news- FERC is providing implementation schedule flexibility which will first be addressed by the Electric Reliability Organization (ERO). NERC, as ERO, is is required to submit related compliance filing to FERC within 180 days.

Congressional Hearing- Latest Round on Cybersecurity w/Joe Weiss.
On Thursday, March 19, 2009, the US Senate Committee on Commerce,Science, and Transportation held a hearing titled Cybersecurity: Assessing Our Vulnerabilities and Developing an Effective Defense (webcast-jump 12m to session start, testimony) Among the witnesses offering testimony was Mr. Joseph Weiss, a nuclear and industrial controls system (ICS) engineer, who long has been critical of most vendor, industry, and governmental/regulatory measures addressing related cyber security risks. His statement included pointing out how industrial control systems have experienced at least 125 significant cyber security incidents during the past decade (written testimony). The effects include environmental damage, mechanical damage and in once case, death. He said that a coordinated attack could have devastating consequences, "taking months to recover." (Editorial note: Potential physical and other electronic systemic attacks yet to be substantively experienced remain a noteworthy risk with conceivably even lengthier recovery periods.) Worth watching as each of the witnesses had their perspective backed with solid points followed by Q&A that pressed for answers around concerns raised and improvement approaches needed.

It's increasingly clear that cyber security in critical infrastructure settings, especially the Electric Sector, will continue gathering growing attention at a national level that goes well beyond sensationalized media coverage.

Assante Pressing NERC Cyber Security Program Forward -Tim Roxey appointment and NERC Alerts changes

2009-03-21T23:15:00.000-05:00

Updated 3/29/2009
Michael Assante continues making program progress at NERC since his appointment in August 2008 into a newly formed Chief Security Officer (CSO) position. His focus- establishing Critical Infrastructure Protection (CIP) as one of the mainstream functions at NERC alongside continuing standards development, compliance and enforcement, and reliability assessment programs. Some notable developments:

The recent appointment of Tim Roxey as NERC as Manager of Critical Infrastructure Protection.
- Mr. Roxey has extensive commercial nuclear power physical and cyber security program experience.
- He instrumentally promoted and supported the commercial nuclear power industry initiative addressing cyber with NEI 04-04 Cyber Security Program for Power Reactors as a NRC endorsed “acceptable method” - well ahead of related further regulatory framework development and guidance now firming up. I had an excellent learning opportunity working with Tim Roxey and team as an active Computer Security Standing Committee member back in 2006. The focus then was getting NEI 04-04 packaged up into rollout templated, presentation form for the fall 2006 NITSL workshop.
- He extensively helped assess and address Aurora vulnerability mitigations- working with NEI to help ensure commercial nuclear generation stepped up and robustly addressed the issue. Tim Roxey also effectively provided congressional testimony on actions taken and completion status - a stark contrast to FERC and NERC testimony.
- Bottom Line: Tim Roxey's solid industry experience, connections, dedication and savvy add up to a very good move for NERC.
A new NERC CIP Alert Communication Process.
- Communication will use specific email subject lines/levels:
_ ADVISORY: (Title) - No Response Required
_ RECOMMENDATION: (Title) - Response Required.
_ ESSENTIAL ACTION: (Title) - Response Required.
- Entities acknowledgement required in 24 hours if issue rated higher than Advisory. Grace period on this requirement extends to March 31, 2009 after which responses received after the 24-hour acknowledgement period will be noted as late or non-responsive. Additionally, more sensitive acknowledgement response information may need to be sent via paper until more secure electronic communication facilities established.
- New alert handling signifiers will future clarify distribution restrictions.
_ PUBLIC (Green): No Restrictions. Will be posted to NERC’s website alert page.
_ PRIVATE (Yellow): Restrict to Internal Use and Necessary Consultants / Third-Party Providers
_ SENSITIVE (Red): Internal Use Only (Do Not Distribute Outside Your Company)
_ CONFIDENTIAL (Black): Limited Internal Distribution Decided Upon by an Officer of the Company
- An “alerts manual” instructions book will be developed and released by March 31, 2009 to help entities better understand, organize, and train staff to support the alerts process.
- More background: Alerts Distribution, Reporting & FAQ - Michael Assante & Doug Newbauer Jan 22, 2009

- Update 3/28- On March 24th, Doug Newbauer, Manager of NERC Alerts, indicated that the deadline for mandatory 24 hours response on alerts will be extended: "In response to feed back from registered entities and because NERC is replacing the current Alerts application, NERC is delaying the 24 hour response requirement scheduled to begin April 1, 2009, until the new application is on line and operational."
- The application is expected to be prepared and released 3Q2009.

Significant, targeted attacks even against ISPs?-Absolutely! (just ask Time Warner)

2009-03-01T18:39:00.000-06:00

One might think that larger financial institutions and other entities with directly exploitable financial or personal information remain the major nexus of criminal cyber problems. However, even consumer grade ISPs are increasing facing challenges. Time Warner's drawn out efforts now in the limelight represent just the latest example of an organization scrambling to address service and reputation impacts from a disrupting cyber security attack.

February 28, 2009

During the past week, hackers have launched a series of attacks on Time Warner Cable's servers. Time Warner Cable is working with law enforcement agencies to resolve these crimes.

As a result of these attacks, you may have experienced a temporary "outage" when attempting to surf the Web, including an intermittent "page cannot be displayed" error message. The outages did not result in services being 100% unavailable; and were limited to sporadic timeouts which appeared to be random events. Some users may have experienced a total disconnect, however. These types of attacks are not uncommon, especially for a network as large as ours. We suspect that the attackers are using "zombie computers," or hijacking unsuspecting subscribers' machines to perpetrate the attack without its owner's knowledge.

All of us at TWC take these attacks extremely seriously. As previously mentioned, we are working with the appropriate law enforcement agencies that specialize in investigating these types of crimes. We will pursue prosecution of all perpetrators to the fullest extent of the law. We apologize for the inconvenience that these attacks may have caused and encourage you to report any suspicious activity. Instructions for reporting security abuse are located at http://help.rr.com.

Sincerely,
Time Warner Cable

More: Google News Search: Time Warner Attack

The persistent assault centers on impacting Time Warner’s domain naming system (DNS) services. Given that DNS supports domain name to Internet address resolution functions, e.g., when Internet surfing, an easy mitigation for customers is to use an alternative provider, such as OpenDNS. I've been using both Time Warner and OpenDNS in my home networking environment for years with great results. OpenDNS also helps protect users from visiting known harmful and other inappropriate Internet sites.

Much attention is put on specific, in-scope compliance issues within critical infrastructure organizations. The obvious twist is that even basic, persistent attacks increasingly are a factor in considering overall business risk to service and reputation. Additionally, cyber security problems that affect non-operational, business network settings, also increase the risk of "pivot attacks" creating more serious operational issues that regulators and senior management are acutely concerned with.

From a broader perspective, this issue saliently points out how even narrow, basic attacks can impact an organization and their customers. Critical infrastructure organizations risk even larger potential impacts steming from such issues- driving the need for ongoing cyber security improvements.

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

2009-02-10T22:45:00.002-06:00

Updated 8/2/2009
I regularly walk past a humorous list of posted reasons why a corporate project management office is not needed based on Jim Chapman’s 1996 list of “Top 10 Reasons NOT to Use Project Management” Considering the focus on cost and change challenges many IT organizations are facing, this insightful list inspired me to come up with my own Top 10- enjoy:

Top 10 Reasons to NOT Have a Corporate Cyber Security Program

10. Our internal and external customers really love us, so they do not care if company information and systems are appropriately and consistently secured.

9. Corporately organizing to manage cyber security risk is not compatible with our culture, and the last thing we need around this place is change.

8. All cyber security work is easy, with little guidance, direction, or accountability needed, and does not have cost, schedule, or any other significant technical, managerial or operational risks anyway.

7. We are not smart enough to develop an enabling cyber security strategy, program, or architecture without stifling creativity and offending our silos of technical and managerial geniuses.

6. We might have to understand our customers’ requirements and document a lot of stuff for review, input and approval which then would need to be maintained and that is such a bother.

5. Understanding, applying, and maintaining specific, definitive cyber security measures and clearly communicating actual status requires integrity and courage, so they would have to pay me extra.

4. Our bosses will not provide support needed for results; they want us to ensure regulatory and legal requirements, congressional concerns, and other related risks are managed through magic.

3. We would have even lengthier debates and still end up applying arbitrary, overly burdensome cyber security measures to all projects regardless of size, complexity, or risk and that would be stupid.

2. I know there is well-developed cyber security body of knowledge that is applicable to the work I am doing, but it is too hard to understand, apply and help us improve with anyway.

1. We figure it is more beneficial to put increasing time and money into cyber security independently in various areas and accept a growing, uneven and obscure patchwork of results than to have an organized, more transparent company approach.

Disclaimer: While there may be times when one or more of the Top 10 resonate, an effective cyber security program should help clearly refute this list at every opportunity.

There continues to be sporadic debate about whether or not IT Security should be viewed as a profit center versus the cost center realty that the vast majority of practitioners work in, e.g., Mike Rothman’s recent commentary: Compliance is SO a Cost Center. Regardless of how security is organized and executed, the best justification approach around security improvements focuses on business benefit in the form of cost savings or value, centered on mutually well understood reality.

Many organizations are under increasing pressure to deliver more with internal resources, including addressing growing security expectations, and keeping costs contained. While the means and alignment to meaningfully execute and maintain security improvements remains vital, an even more important success factor in my opinion to manage such risk over the long term requires clearly articulating an overall company program. The program - however thick or thin in scope and resourcing - provides the means for ongoing leadership driven attention to risk management, policy, goals, results, preparations, with sufficient transparency and organizational support across various groups, compliance programs, and increasingly interested and engaged management.

Cyber Security Happy New Year 2009 - Perspective and Predictions

2009-01-06T00:16:00.001-06:00

Updated 1/31/2009

2008 Perspective - hot stories and list of lists.

Most Popular Sites Were Hacked in '08 - eWeek, Jan 22, 2009
More Cyber Security Regulations Recommended - Washington Post, Dec 8, 2008
Cisco: Cyber Attacks Are Growing More Sophisticated, Targeted, TMCnet, Dec 15, 2008 - more: “Cisco Annual Security Report” for 2008
US Homeland Security Still Without Cybercrisis Plan, CNET News, Dec 19, 2008
Top Five Cyber Security Stories - Information Security Magazine, Dec 29, 2008
1. SQL injection attacks
2. Hannaford Brothers supermarket breach
3. Dan Kaminsky and DNS dangers
4. Microsoft Vista adoption issues
5. Slowing the spam surge
Also noted:
- Linux Kernel attack code worries security experts
- Microsoft addresses XSS in Internet Explorer
- New attacks reveal fundamental problems with TCP i.e. sockstress
- Microsoft releases Out of Cycle Windows patch to stop worm attack
Top Ten SCADA Security Stories of 2008 - Digital Bond
1. Vulnerabilities now being discovered by non-control system companies e.g. Core
2. Process Control System Forum (PCSF) demise
3. FERC throws NERC under the bus / Congress warms to regulation
4. Published control system exploit code in form of metasploit module - yikes
5. Blue Ribbon CSIC cyber security recommendations for Obama
6. Very active SCADASEC list started
7. Control System vulnerabilities as “Candy To The Press”
8. Bandolier Security Audit Files audit hundreds of configuration elements.
9. CIA FUD quote from Tom Donahue from CIA
10. Water Sector roadmap progress.

2009 Predictions - more hot stories and list of lists.

Cyber security issues take center stage in 2009, Control Engineering, IL - Jan 5, 2009
Cyber Crime: The 2009 Mega Threat- CSO Magazine, Dec 16, 2008
Combating Cyber Crime: Global Network Operates 24/7, FBI, Jan 14, 2009- “sophistication of our adversaries is growing”
Hackers to exploit economic downturn in 2009 - VNUNet.com, UK - Jan 20, 2009
McAfee publishes 2009 threat predictions IT Examiner, India - Jan 21, 2009
Spam still causing IT headache: reports Computer Business Review, UK - Jan 22, 2009
Security Expert: Fight Cyber-Crime Through Procurement, Government Technology, CA - Jan 30, 2009
Top 9 security predictions for 2009, ZDNet Australia, Jan 5, 2009
1. More bang for the buck: Security consolidation and then some
2. Information security lockdown e.g. mandatory PCI application firewalls
3. Web 2.0 vulnerabilities multiply
4. Bigger pipes, faster speed: Letting in the good, bad and ugly
5. The next biggest threat to mobile security: 3G
6. More cash to flow in the digital underground
7. Let the games begin – more cyber mayhem in the gaming world
8. Premeditated, targeted attacks on the rise
9. Law enforcement unite online
SANS Technology Institute: 2009 Security Predictions – Jan 21, 2009
Broad mix of contributions: more control system issues, compromise of large PCI compliant company (fulfilled), etc

Cyber Security Debacle- Update on World Bank 'Unprecedented Crisis'

2008-12-28T20:45:00.000-06:00

It’s been months of stonewalling and denials during a series of FOXNews.com reports covering a variety of in-house World Bank scandals including (i) targeted cyber security attacks breaching their most sensitive financial data and (ii) corruption issues with sanctions against at least one supplier determined guilty of wrongdoing. The latest twist, a leading India-based information technology vendor, Satyam Computer Services was barred in February from all business with the bank for a period of eight years — the ban started in September.

Some highlights:

The World Bank provides financial and technical assistance to developing countries, governed by a board of 180+ member nations, with the mission “Working for a World Free of Poverty.”

"From 2003 through 2008, as FOX News reported, the World Bank paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations. The engagement scope involved overseeing data that ranged from accounting and personnel records to trust funds administered for many of the world's richest nations."
"Satyam was straying badly across the bank's ethical warning lines. In 2005, the bank's chief information officer, Mohamed Muhsin, was ousted after being accused of improperly buying preferential stock options from Satyam, even as he awarded the firm major contracts. A top-secret investigation led to Muhsin being banned permanently from the bank in January 2007. But for reasons that remain unclear, Satyam was allowed to remain in control of the bank's information network until early October 2008"
According to FoxNews.com reporting in October, World Bank employees were ordered to change their passwords three times over a three month period as a response to the attacks, which spanned somewhere between 18 and 40 servers in multiple hacks. According to the report, there were six major break-ins in the past year, and that at least five servers containing sensitive data were exposed. FoxNews obtained apparent internal e-mail messages regarding the attacks characterizing a complicated series of events and the agency’s response to them.
“In a frantic midnight July 22nd e-mail, e-mail to colleagues, the bank's senior technology manager Rakesh Asthana, referred to the situation as an "unprecedented crisis” and that "the passwords that have been compromised may have accessed data." An e-mail from July 10 explains that a minimum of 18 servers may have been compromised and that five of them contained sensitive data. Yet an Aug. 19 memo from the bank's CIO, Guy-Pierre De Poerck, downplays the severity of the situation. The staff memo says that controls on external Web sites have been tightened, that passwords have been reset, and that RSA SecurID tokens have been deployed for Web mail access. It concludes that "there is no evidence that bank staff personal information is at risk from the recent external attempts."
Editorial note: Guy-Pierre De Poerck no longer works at World Bank.
“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software in April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007.
“It may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."
Video Interview: World Bank Hack - FOXNews 10/10/2008

Some thoughts:

While this isn't your typical bank, banking and the financial sector as a whole is known to generally have much better cyber security than most sectors. It’s alarming that this situation drug out for so long after surfacing internally.

Besides the alleged repeated CIO-level inside dealing by a gorilla-scale outsourcer, a more fundamental issue was the abdication by management in addressing information security risks. Having CIOs released from employment and named security leadership temporarily in charge will help. Perhaps large gaps in fundamental information security controls are now finally being addressed. Certainly a lack of programmatic incident handling preparations contributed to the problems before Fox News broke the story.

Before saying “It can’t happen here.”

How well is your incident handling program developed? What happens to you and your organization if or when breached by targeted attacks? What about your increasing exposure with outsourcing and how risk is being managed? How about robust enclaves for your critical systems? Do you really have defense in depth with graded, inside-out protective measures? Are there definitive, complimentary, and auditable MOT controls, i.e., managerial, operational, and technical, in place for your more critical settings that clearly provide and support defense in depth capabilities, i.e., deny, detect, deter, recover? Who is watching the watchers? How is management being kept abreast of status? Are there regular, transparent reviews involving key internal stakeholders? Are there improvement planning cycles involving decision makers and are the plans being completed and results objectively reviewed?

- Think could only happen in the financial sector?

What if emergent problems persisted and pulled you and your information security team deeper into the mix after repeated missteps? How do you ensure that your response is viewed as part of the solution and not increasingly part of the problem? What if your organizational leadership "duck and covers" when pressed by providing a shifting story while investigative reporting eagerly pry out pieces of the truth and report it all?

- Are you just another easy mark?

Just how developed is your incident handling policy and procedures with senior management support to help address when escalating cyber security problems really hit the fan?

- Still comfortable?

More:
- World Bank Besieged By Hackers, Or Not, Information Week, 10/10/2008
- World Bank Removes Chief Information Officer, FOXNews.com, 11/27/2008
- World Bank Admits Top Tech Vendor Debarred for 8 Years, FOXNews.com, 12/24/2008

Clock is Ticking for First Round of Pending Changes to NERC CIP Standards - Comments due Jan 5th

2008-12-07T11:28:00.000-06:00

Driven by Cyber Standards Final Rule - FERC Order 706, the first revision to NERC CIPs addressing cyber security requirements for bulk electric operations is out for review and comments by Jan 5th, 2009. This round of changes include removal of significant amount of wiggle room based on "business judgement", includes explicit senior management approval of risk methodology (not just critical assets lists), background checking must be completed before permitting access (not in parallel), and tightens up timeframe requirement for addressing security issues among other changes.

"Emphasis on Order 706 directive for NERC to address revisions to the CIP standards considering applicable feature of the NIST Security Risk Management Framework among other resources. "
While this process with NERC CIPs may seem difficult, at least there is the benefit of continuity. Congressional testimony last year and this year raised serious questions about NERC's ability to be an effective ERO for FERC - NERC Aurora handling and arguably misleading testimony creating much of this pain, NERC still not out of the woodshed. Last year testimony also suggested getting rid of CIPs and starting fresh based more on NIST standards as recommended by Mr. Joe Weiss (jump to 2:12:50 for his opening comments in video):
- “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” - Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Oct 17th, 2007 (video/submittals)

Better buckle up, this is just the first round of Order 706 driven changes.

"The SDT met on October 6–8, 2008 and because of the extensive scope and varying complexity of the issues and work in these revisions, the team decided on a multiphase approach for revising this set of standards. This posting of the cyber standards for industry comment only relates to Phase I of the project. "

More:
- Cyber Security (Project 2008-06 Site) - The Cyber Security SDT posted its first draft of revised Cyber Security standards (CIP-002-1-CIP-009-1) for a 45-day public comment period starting November 21, 2008 and ending on January 5, 2009. Both clean and redline versions (zip files) are available for download and review.
- Revised NERC CIP standards out for 45 day comment period, Digital Bond 11/24/2008
- Cyber Standards Final Rule - FERC Order 706, NERC Workshop Presentation (informative 72 slides), 5/13/2008
- Drafted Changes Summary, NERC Comment Form

My Top Cyber Security Sites - Bookmark This!

2008-11-22T23:12:00.011-06:00

Last Updated: 1-10-2010

Here's my developing list of top cyber security sites and podcasts with supporting rational.

A. Situational Awareness:

US-CERT: United States Computer Emergency Response Team
This is the very first place I check every day for a quick take on relevant threatscape information - i.e. Current Activity and Alerts. Simple click to drill in on full listing of active national Technical Security Alerts, Bulletins, Vulnerabilities, etc. Clean, well organized site with great coverage of a number of key cyber security topics.
DHS Daily Open Source Infrastructure Report
A must read, great source of daily critical infrastructure protection related news organized by sectors and key assets as defined by the National Infrastructure Protection Plan with linked open source references. e.g. Energy, Nuclear Reactors, Government Facilities, Information Technology, Communications, etc.
SANS Internet Storm Center- Handler's Diary
Especially useful for developing situations- these are the folks that go deep into nitty-gritty details addressing the latest Internet security problems.

B. Program Development:

CISOHandbook.com: Resource site for CISO's, CSO's, and security professionals.
Metrics, tools, opinions, and most importantly access to CISO's, CSO's, experts, and other professionals in the field of security. Shares information, ideas, tips, and techniques for addressing security issues faced by today's professional. Content is free; however, some areas require using a registration logon for access. Their latest book goes beyond program centered engagement specifics to provide a deeper understanding into what it takes for longer term results. It explains and underscores what really matters in organizations to ensure security programs - regardless of budget and expertise applied to form them up- do not devolve as many do, like an ice sculpture melting into a useless puddle, while internal areas look on- recommended reading: CISO Soft Skills: Securing Organizations Impaired by Employee Politics, Apathy, and Intolerant Perspectives
Security Manager's Journal - ComputerWorld
Since 2002, a regular series of timely security manager articles addressing real world situations very simliar to a number of challenges many organizations face. The specific companies and assorted ghostwriters remain anonomous to help protect sources while gaining insight from often entertaining real-world hard knocks. Think your job is tough?
CSO Online - Security and Risk
A sister publication of CIO Magazine, this is the primary trade magazine many follow with the latest enterprise views: headlines, data protection, identity & access, business continuity, physical security, leadership, and some solid blogs.
NIST, Computer Security Division, Computer Security Resource Center
Regulatory trajectory is promising to get more "NISTy" for critical infrastructure organizations and this site provides a front door to the National Institute of Standards and Technology well regarded Special Publications, related FIPS requirements, and drafts organized by topic clusters, etc. Great complement to an overall framework.
CERT's Podcast Series: Security for Business Leaders
Robust cyber security is increasingly a non-negotiable requirement for organizations. Moving corporate culture forward cooking security in poses challenges that must be overcome. CERT has a well done podcast series addressing key principles and strategies: Governing for Enterprise Security, Measuring Security, Privacy, Risk Management and Resilience, Security Educations and Training, Threats, Trends and Lessons Learned, Tips from the Trenches.

C. Perspectives and Professional Development:

KrebsonSecurity: In-depth security news and investigation.
Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators.
Digital Bond: Control System Security Research and Consulting
Digital Bond is a control system security research and consulting practice. They have years of security experience from the National Security Agency (NSA), National Labs, large asset owners and leading security equipment providers.perspective. Resources include the well maintained blog, monthly podcast with industry expertise, presentations, annual "S4" research conference proceedings, research, and a solid SCADApedia reference.
ITRadio.com.au: Risky Business Podcast with Patrick Gray
Excellent latest news coverage and regularly featured interviews all professionally done. Great, timely coverage of hot security topics from the experts closest to the action- all done in a way to help ensure those listening are entertained and gain valuable perspective.
Manager Tools Podcasts
Want to become a more effective leader and manager? This weekly podcast helps with fresh tools and easy techniques for real-world settings that go beyond theory into specific actions that can be used right away to improve your performance. A key set of "the basics" provide a strong starting point you can immediately apply and build on!

Helpful input welcome.

FTC Will Delay 'Red Flags' Rule Enforcement for Six Months

2008-11-02T21:43:00.000-06:00

Some Good News on FACTA!
Looks like a number of utilities will get a break in enforcement action with FTC granting a six-month delay. However, this repreave is just for FTC enforcement, and won't affect other federal agencies' enforcement of the original Nov 1, 2008 deadline.

>FTC Will Grant Six-Month Delay of Enforcement Action , FTC Announcement
>More on FACTS (Fair and Accurate Credit Transactions Act) - Wikipedia Overview/Links

Microsoft Emergency Security Update (Ouch)- Can't Patch Control Systems?- Sockstress TCP Vulnerability Issues Next?

2008-10-26T01:39:00.000-05:00

On Thursday 10/23, Microsoft spiced up our lives with a emergency security update (i.e. Microsoft Security Bulletin MS08-067 – Critical) to address a “wormable” vulnerability specifically exploiting “Server” service via remote network remote procedure calls (RPC). Similar to Blaster, unmitigated vulnerable machines can be directly attacked at a network level and immediately, completely compromised. This particular problem is also extremely exploitable once understood; security firm Immunity was able to craft a working exploit within two hours after the release of the security fix.

Don’t Neglect Control Systems- especially Critical Infrastructure. While many business network environments are going through the test and deployment process (not without some problems – e.g. some reported breakage of IPSEC), there’s also a need to be thinking about critical infrastructure as it increasingly is depending on Microsoft based solutions. These type of problems underscore how the network environment and it’s management infrastructure are such an important and fundamental starting point for establishing and sustaining a defined, effective, defense-in-depth security posture. Many may assume that the environments are well separated by definition; however, when you don’t get the control system network right (or at least sufficient), it undermines everything else being done in the name of security.

Beyond layered network segmentation with strict boundary communication controls as a vital starting point, basics that are increasingly expected include protective network chokepoints (firewalls, gateways, etc), and secure information transfer facilities (DMZs, Data Diodes, NIPS, etc). Other important steps often overlooked include basics such as server system hardening and endpoint protection measures (e.g. AV, HIPS, white listing, etc). As more is done in the name of security, the solutions themselves need to be managed and protected in a scalable manner- perhaps with a distinct network security management environment- also with commensurate protection.

Having well formed mitigations in place in control system settings will help directly address risks from emergent security problems such as this and be in a good position when facing related regulatory scrutiny. Typical business network environments are strikingly different – often quite porous and flat, with less definitive countermeasures- and therefore pressing forward with patches and security updates on a regular basis across a substantial IT foot point. These are very different environments only suited for very specific, understood and controlled interactions - having solid network security controls between the two environments is an essential part a well articulated cyber security architecture.

More- DHS Control Systems Security Program, Idaho National Laboratory offers the following tools:

Catalog of Control Systems Security: Recommendations for Standards Developers
Control System Cyber Security Self-Assessment Tool (CS2SAT)
CSSP Documents
Critical Infrastructure and Control Systems Security Curriculum
Cyber Security Procurement Language for Control Systems
Recommended Practices
- Control Systems Cyber Security Defense in Depth Strategies
- Creating Cyber Forensics Plans for Control Systems
- Good Practice Guide on Firewall Deployment
- Hardening Guidelines for OPC Hosts
- Mitigations for Security Vulnerabilities Found in Control System Networks
- Securing Control System Modems
- Securing WLANs Using 802.11i (draft)
- Securing ZigBee Wireless Networks in Process Control System Environments (draft)
- Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft)
Training - including several introductory web based courses:
- Cyber Security for Control Systems Engineers & Operators
- OPSEC for Control Systems (NEW)

What's Next- Sockstress Issues? How about long standing weaknesses involving TCP network stack vulnerabilities recently gaining attention with "Sockstress" that can be exploited to cause reachable systems to lockup, denial-of-service (DOS)? Indications are that even an attack at one packet per second can take systems down - e.g. dialup Internet. Because this is a state based attack, can't use spoofed packets but even small bot farms are sufficent to carry this attack out.
> Vendors fixing bug that could crash Internet systems Computerworld, Norway - Oct 2, 2008
> SecurityNow! Episode 164: Sockstress - Oct 2, 2008

Cyber Security Awareness Month In Full Force-Threats to Security Never Sleep!

2008-10-21T23:17:00.001-05:00

Every year my group helps support a company wide awareness campaign and that coincides with National Awareness month. Videos, games, posters, online question and answers... and of course booty with some great top prizes (ipods, security system, etc). Yes, enthusasim isn't enough- folks need to enage and submit correct answers to be in drawings. As for the goodies being drawn, we continue to get much of it just for the asking from our suppliers ahead of the event (explaining our internal campaign and asking "would they like to help us out", etc ) - no strings.

Nationally, many "free" resources continue to be developed by non-profits and governmental sources. Some the best of these online sources follow and are worth taking note of as this month winds down.

> National Cyber Security Alliance
- Top 8 Cyber Security Practices

Protect your personal information. It's valuable.
Know who you're dealing with online.
Use anti-virus software, a firewall, and anti-spyware software to help keep your computer safe and secure.
Be sure to set up your operating system and Web browser software properly, and update them regularly.
Use strong passwords or strong authentication technology to help protect your personal information.
Back up important files.
Learn what to do if something goes wrong.
Protect your children online.

> EDUCAUSE's Online Cyber Resource Kit

> MS-ISAC Multi-State Information Sharing and Analysis Center
- webcast, Cyber Security Tool Kit, etc.

> OnGuardOnline.gov
- more information, phamplets, etc

Neat DHS/NCSD Cyber Security Vulnerability Assessment Tool (CSVA) + CS2SAT

2008-10-18T19:37:00.000-05:00

Last updated 8-2-2009
DHS’s National Cyber Security Division (NCSD) has been working to develop an objective, comprehensive cyber security vulnerability assessment (CSVA) tool for some time and revving through Betas. Using a simplified methodology, the CSVA is aimed to quickly assess an organization, facility or system’s cyber vulnerabilities and recommend options with extensive helpful explanations and examples. Critical infrastructure sectors are encourage by DHS to use this tool to analyze their cybersecurity posture.

I recently got my hands on and fired up CSVA BETA 5 - some thoughts:

Best if performed with prepared team and good facilitation. Cyber security knowledgeable folks familiar with the assessment environment can get a running, upfront start.
An initial determination is made regarding if a Business Network or a Control System is being assessed and adjusts approach- very good!
Truth over harmony needed here folks - some questions are combination issues and not all the answers to pick from fit well. Pick the most conservative answers and capture views in comments to get through the process.
Credibility bolstered in assessment process with a virtual informed third-party (DHS/NCSD) cooked in.
Can save assessment, go back and make adjustments for what ifs or actual improvements and see results.
Strives to leverage concepts from recognized cybersecurity standards and guidance- e.g. ISO,COBIT, NIST, etc
Offers great benefit lift ratio for effort required. Being "free" helps too!

Bottom line. The CSVA journey is a short, easy trip and the results are well worth it. The tool offers a solid approach to further develop shared understanding of cybersecurity posture with various stakeholders to build on and prioritize improvements, For more information or a copy of the tool, contact the Critical Infrastructure Protection / Cyber Security Program within the DHS National Cyber Security Division at ncsd_cipcs@hq.dhs.gov
-
Next- the CS2SAT. For those needing to go beyond the CSVA’s high-level approach and focus on more specific risk particulars- factoring in consequences, network topology, requirements, etc - there’s the Control System Cyber Security Self Assessment Tool (CS2SAT) Haven't looked at it yet but planning to give it a whirl at some point - list pricing, e.g., $1800, is waived ("free") for many energy organizations.

Update 8-2-2009 - Per DHS, the CSVA will be integrated into upcoming versions of the CS2SAT . The latest Version 2 of the CS2SAT is now specifically configurable to address NERC CIP, SANS, etc for assessment activities. Works a lot like the CSVA - but focused on control system space for now (until CSVA transitioned). DHS is very committed to the CS2SAT approach- given freely at one day Industrial Control System cyber security courses - worth checking out.

Protecting the Electric Grid from Cyber-Security Threats

2008-09-14T23:52:00.000-05:00

On Thursday 9/11/08, the Subcommittee on Energy and Air Quality (of the Committee on Energy and Commerce) held a hearing on the state of Cyber Security with respect to the electric grid. FERC, NERC, and APPA were represented. The focus is taking drafted legislation forward to provide FERC more cyber security emergency authority to address new and often rapidly developing cyber security risks.

Protecting the Electric Grid from Cyber-Security Threats
Subcommittee on Energy and Air Quality
Committee on Energy and Commerce
- 9/11/2008 testimony, audio, and drafted legislation

CSPAN Video now available (requires Realmedia player)

Opening comments emphasized views that the risk is increasing with at least twenty incidents of cyber security problems impacting electric systems service. There’s a strong concern in addressing underlying control systems, vital to reliable service, given growing risk with increasingly interconnectivity and use of widely available technology. The risk picture will continue to be developing with the trends toward Smart Grid and other control system dependent technology developments.

FERC Interviews. Testimony emphasized FERC findings from interviews with 30 utilities – including particular actions taken to address NERC voluntary Aurora Vulnerability advisory in 2007:

Of the 30, seven were viewed as in full compliance with the advisory.
All took some steps - one still still using all default passwords, another had a 10 year plan.
Only 2 went sufficiently far enough to fully address the Aurora vulnerability.
A number of organizations shrunk scope too small - not sufficiently addressing critical assets/facilities that can affect the bulk electric system.
Cost estimates addressing the Aurora Vulnerability were not gathered in the process- but viewed as important by the committee with FERC in agreement- more relevant going forward.

The conclusion- self-interest alone is not sufficient for most utilities to take appropriate actions to specifically address the Aurora Vulnerability. This situation fueling strong congressional concerns about how well the regulators and utilities are addressing overall cyber security risk.

Existing FERC/NERC regulatory mechanisms are viewed as insufficient, either lacking enforcement strength (e.g. voluntary NERC Advisories) or take too long following 215 process. APPA emphasized cooperation with FERC staff in developing drafted legislation giving DOE/FERC emergency order making powers address cyber security issues- with still a few remaining points in disagreement.

OWASP - Ira Winkler & Jeremy Poteet Videos

2008-07-06T22:15:00.000-05:00

From time to time, I come across some gems.. in particular, the second video available at link below helps provide some solid perspective on the growing challenges with application security. While many firms don't face the extreme dynamics and poll changing stakes associated with a national political campaign's web site, utility organizations often have legacy systems that are at increasing risk from the same sort of evolving threats.

Also, to give Ira Winkler some credit after bashing his utility sector remarks, his presentation below on organizational security, including risk and how people are a very key element in a security program, are spot on. Focusing more on applications, the second presentation below provides some great insights into defense in depth strategies with some real world perspective.

Videos(2)
(1) Index 00:00:00 - Secrets of Superspies- Ira Winkler
(2) Index 01:01:00 - In the Line of Fire: Defending Highly Visible Targets - Jeremy Poteet
Google Video Link (122 min - Oct 13, 2006)

More: Open Web Application Security Project (OWASP) - www.owasp.org

Enjoy!

GAO Report Rips TVA at “Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid” Hearing

2008-05-26T23:48:00.010-05:00

Scathing GAO testimony/findings from GAO's assessment of TVA cyber security should be of special interest for many electric utility organizations. TVA issues cited included problems stemming from lacking a corporate-level cyber security program and significant security posture weaknesses, unevenness in both operational and corporate network settings. All of which TVA’s COO (William R. McCollum, Jr.) reported significant focus and progress addressing with a strong commitment to continue improving.

The hearing is available for viewing (~90m) at C-SPAN Video Library: Security of the Electric Grid - May 21, 2008 (updated 1/23/2011)

In my opinion, looking hard at referenced NIST standards to further address specific cyber security topic areas makes sense for NERC CIPs as does looking at broader information security frameworks to help scope and tailor well governed corporate level programs based on recognized frameworks, .e.g. ISO 17799:2005 , COBIT, etc.

Anyone with a stake in cyber securing critical infrastructure will benefit from reviewing the hearing and a close study of the 62 page May 2008 GAO report "Information Security- TVA Needs to Address Weaknesses in Control Systems and Networks"

More:

TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds - Washington Post 5/21/2008
Regulators Want Authority to Require Security Upgrades Industry-wide

Ira Winkler - love him, hate him- he's making headlines..

2008-05-18T22:46:00.000-05:00

Experts hack power grid in no time - Network World
Apr 9, 2008 ... "We had to shut down within hours," Winkler says... "

Press releases around Ira Winkler's assertions regarding how easy it remains to hack from the Internet into the deepest parts of electric utility critical infrastructure has caught the attention of media, regulators, senior utility management, and security professionals. While Ira's comments go over the top in my opinon when it comes to nuclear reactors and more centered on distributed SCADA- he is a practitioner that doesn't pull punches.

Video
(1) RSA 2008 - Ira Winkler (ISAG) (7m). Was able to get to nuclear controls - that should have no business network connectivity? Also no "off switch for nuclear" (rant- WTH is he talking about... how about the "off" switch provided by independent safety systems and SCRAM functions??).

Would you hire Ira to do your next organizational penetration testing? Please comment and/or vote.

Welcome

2008-05-18T21:07:00.000-05:00

Given all the excellent podcasts and blogs around information assurance aka cyber security, you may wonder why yet another security blog? For me, this is a commitment to post periodically my musings and more serious thoughts related to security with a focus on critical infrastructure topics. Those that are interested in the topics or sharing related views are welcome and encouraged to contribute in a reasonably civil manner - I'll work to hold myself to a simliar standard.