Wednesday, April 28, 2010

Cyber Security Article

Twitter® is becoming a very valuable tool for finding articles of interest on the Internet. Many writers are posting notices of their articles on Twitter (like I have been doing for over a year now) and other writers and info gatherers re-tweet those notes. That’s how I found this article on It is an interesting look at cyber security for industrial control systems at CFATS facilities written by Andrew Ginter, of Industrial Defender. The article provides some valuable advice for dealing with Risk-Based Performance Standard 8, Cyber Security. It provides a list of 13 “Key Implementation Challenges” with a brief discussion of each. They range from having a security policy to using a layered approach to security design. There are a couple that deserve special mention and I recommend reading the author’s description:
Awareness and training; Monitoring and incident response; System development and acquisition; and Interconnectivity of critical and non-critical systems.
Oh, yes; I was particularly impressed that Andrew discussed “Business continuity and disaster recovery” and did not resort to using the current buzz word, ‘Resiliency’. He does note that a good “cyber-security posture should include planning to ensure continuity of operations and facilitate restoration of all critical cyber assets”. In my mind this disaster recovery is especially important when the facility cyber assets can potentially control the release of toxic chemicals, prevent mixing of incompatible materials, or maintain safety-critical storage conditions.

If these 13 challenges were all that were contained in this article it would be a valuable information source for CFATS security managers. But Andrew provides a special bonus in a side-bar entitled: “Field Surveys Provide Troubling Findings”. He provides a summary of cyber security information that Industrial Defender has compiled from critical infrastructure assessments that they have done over the last couple of years. The three “widespread cyber-security issues” will point cyber security managers at important potential flaws in their security posture that are well worth looking at.

I certainly recommend that all CFATS security officers and cyber security officers read this informative article. Once again, a single article will not make you a cyber security expert, but it will give you an appreciation of the potential problems and allow you to talk to a real expert without feeling foolish.

1 comment:

Edward said...

Agreed, this is a good article; however, there are dozens of similar articles throughout the net. These findings are also very similar to the ones we see during our assessments as well. The challenge is not necessarily identifying the vulnerabilities, it's mitigating the risk once they are identified.

Most facilities have a degree of cyber security already in place and most system administrators know where their vulnerabilities lie, unless they are a 30-day wonder that has gone from Soup Cook to CISSP via a boot camp that "Prepares you to be a CISSP", but that's another issue. That said, performing a viable SVA on both the physical and cyber assets is vital to paint the entire risk picture. Once this risk profile has been identified, now comes the fun part of mitigating the risk and, even more of a challenge, how does DHS inspect / validate the effectiveness of the cyber security program.

Most leadership teams will not inoculate their company for a disease they have never contracted. In security terms, they are very conscious of and effective at pointing out the likelihood of the attack occurring and using that very low likelihood of occurrence to deny funding for advanced cyber security measures. Enter DHS inspectors. Do you really think these guys will be able to do more than read the facility cyber security policy and evaluate it against a checklist? Perhaps they will make a few spot checks on the latest patch on a workstation or ask users a few cyber security questions, but that is hardly a way to enforce regulatory requirements.

The last consideration is the Threat. What threat exists that has the capability and the motivation to cause a chemical incident via hacking a SCADA or other control system? This obviously fuels the likelihood discussion, but just because something is possible does not necessarily mean someone is actively preparing to conduct such an attack.

Facilities have the ability, much more so than the government, to determine this, as they own the networks that support the attacks and have the ability to identify cyber reconnaissance efforts for such an attack. The issue is that management, for the most part, will not spend the money to monitor and analyze network traffic for impending attacks.

While I think cyber security is going to be the wave of the future in this industry, thinking that the government can regulate this requirement effectively is naive. It is up to the facility to truly understand the threat and take the appropriate actions as opposed to striving for minimal compliance.
