
Search Results


  • ICS Cyber Awareness is a Critical Factor

    Daniel Ehrenreich, Consultant and Lecturer, SCCE
    March 2020

    Educating ICS cyber security shall be high on the priority list of top-floor executives. This article explains how to do this.

    Introduction

    Educating ICS cyber security shall be high on the priority list of top-floor executives. That process shall involve a) ICS operators and engineers who must expand their cyber security knowledge, b) IT experts who must learn ICS basics and key topics related to ICS architectures, and c) managers who need to make correct decisions related to allocation of resources.

    Boosting the awareness and knowledge of your workforce is the “P-People” part of the PPT (People-Policies-Technologies) Triad, and it has the highest return on investment. This paper will highlight the most important measures and actions towards selecting the most appropriate program for your organization.

    Differentiating among IT and ICS

    Employees interested in becoming ICS cyber security experts must learn the basic principles. Once they understand these guidelines, they are a step ahead towards dealing with ICS. Prior to dealing with cyber security, they must study ICS basics, which focus primarily on layers 0-2 of the Purdue Model. It is important to visit a few field sites to learn the details.

    The main differences are that IT experts focus on assurance of Confidentiality, Integrity and Availability, while ICS experts must focus on Safety, Reliability and Productivity. Cyber defense measures for IT and ICS are different. While pen-testing of IT may cause an unexpected shutdown, ICS pen-testing might lead to damage and risk to lives. IT experts are constantly patching, updating and upgrading their systems. ICS experts cannot do that, as every change or update represents a risk to operating safety and reliability. While there is no single cyber defense method to prevent an attack, the best you can do is deploy layered cyber defense combined with the principles of the PPT Triad.

    Analyzing Cyber risk factors

    Understanding the attack vectors and the attack surface is a key principle. You may correlate these paths with the 7 steps of the LM Industrial Cyber Kill Chain. Refer to the following:

      • Non-attack factors: Consider 2 options which might affect the ICS process: a) failure of a sensor, PLC or a software bug and b) incorrect action done by an authorized person.
      • Negligence of people: Consider actions such as inserting a foreign USB stick, failure to detect a social engineering attack, supply chain processes, use of a simple password, etc.
      • System oriented attacks: The adversary may attack the ICS through an internal or external utility system in buildings (HVAC, generators, data center cooling, UPS, etc.).
      • Attacking the ICS: Access to the network through a “backdoor” connection might lead to MitM access, a DDoS attack on the ICS network, or leaking out of information.
      • Attacking the process: Consider attacks on the HMI, engineering station, PLCs and field sensors, which might manipulate the process.

    ICS Cyber defense methods

    Deployment of cyber defense on ICS shall be selected based on the risk factor, calculated by the probability of occurrence and the impact of the attack.

      • Adhere to corporate policies related to secured maintenance of the ICS appliances
      • Deploy hierarchical zoning among segments which must communicate with each other
      • Use ICS oriented firewalls, a DMZ or a Data Diode between the IT and ICS sections
      • Use strong authentication prior to connecting any device to the ICS network
      • Prevent remote access to the ICS unless it becomes mandatory for a critical purpose
      • Use an IDS for detecting anomaly conditions at levels 0, 1 and 2 of the Purdue Model
      • Conduct periodic ICS-related assessments and detect hidden vulnerabilities
      • Perform updates for the OS, antivirus and application programs only after intensive testing
      • Strengthen the physical security for all field sites which attackers might access

    Methods for educating the staff

    Experts know well that a very high percentage of “successful” cyber-attacks were possible and not detected due to lack of awareness and experience. Therefore, educating all personnel shall be considered a mandatory requirement for ICS cyber security awareness.

      • Operators and ICS maintenance engineers, who must upgrade their ICS cyber security skills
      • IT cyber personnel, who must learn how ICS architectures can be correctly protected
      • Decision makers, who must understand this for properly approving the budget

    Summary

    Organizations must have a methodology for educating employees related to cyber risk and response. These actions will help you prevent incidents that might risk lives, cause operating outages and damage to machinery, and severely damage the reputation of your organization, and will help you comply with regulations. Therefore, management’s attention to ICS cyber security shall be high on the priority list, and investment budgets shall be approved ahead of time.

    **********************

    Daniel Ehrenreich, BSc., is a consultant and lecturer at Secure Communications and Control Experts in Israel. He teaches in colleges and presents at industry conferences worldwide on integration of cyber defense with ICS. Daniel has over 27 years’ experience with ICS and OT systems for electricity, water, gas and power plants as part of his activities at Motorola, Siemens and Waterfall Security.

  • The Good, The Bad & The Ugly Of IT-OT Convergence

    By: Jeff Hussey, President and CEO of Tempered Networks
    March 2020

    Facility managers, technology leaders and others witnessing the blend of IT (information technology) and OT (operational technology) in the modern industry likely feel an ironic connection to the 1966 classic spaghetti western, The Good, the Bad and the Ugly. Read about how to survive in this world.

    Facility managers, technology leaders and others witnessing the blend of IT (information technology) and OT (operational technology) in the modern industry likely feel an ironic connection to the 1966 classic spaghetti western, The Good, the Bad and the Ugly.

    We all know there are substantial benefits to be realized from a hybrid creation between the two previously disparate business units (the good). But we also understand that numerous villains lie in wait for access to the extra security loopholes created by such a convergence (the bad). Lastly, we want to prevent system downtime, costly data breaches or acts of international espionage (all ugly). Let’s dive into what it means for IT and OT to be aligned.

    Living On The Edge

    If the data center is the heart of your network, then consider OT to live on the edge. That edge could consist of a manufacturing floor, a building, a city street or a ship at sea. In essence, it’s whatever comprises all the endpoints of a network that require connectivity by nature of the expanding industrial internet of things (IIoT).

    Why do we want a machine on a ship in the ocean to communicate with the heart of its network? It’s simple: data. Big data was a concept that began many years ago, but as the IIoT continues to grow, so does the impact of data. The ability to acquire real-time information from various networking endpoints has huge benefits to nearly all industries. This is where the “good” in our scenario starts to shine.

    The Good

    Simply put, actively harnessing your data enables process efficiencies, better products and lower costs. A fully connected edge also brings about the convenience of a centralized location to manage all network assets. This effectively eliminates the need for technicians at remote locations to activate, deactivate or repair devices on the outer edges of the network.

    Also, consider the potential for increased collaboration between IT and OT teams. With shared data, these two previously separate business units will now have more common ground, which should inspire creative solutions that could benefit the entire business ecosystem.

    The Bad

    If the eventual harmony of IT and OT convergence is Clint Eastwood — also known as Blondie from the aforementioned film — then the countless bad actors, hackers and other network intruders represent the “bad.” Melding IT and OT not only increases the potential for more data, greater convenience and improved collaboration, but it also increases the attack surface. More devices often equate to more exposure. If businesses attempt to converge IT and OT networks by force-fitting traditional network and security tools (e.g., VPNs, firewalls and VLANs), the increased exposure will only lead to more frequent, more damaging attacks.

    The Ugly

    This is a problem that’s not lost on the U.S. government. The supply chain residing on the OT side has become a big target for acts of foreign espionage. There has been growing suspicion that the Chinese and Russian governments have led efforts to attack supply chains of companies, with the goal of stealing U.S. government intellectual property. As such, there is currently a bi-partisan bill (believe it or not) to counteract this particularly dangerous form of cyberattack.

    If the broadened attack surface is problematic enough to make the government apprehensive, manufacturing companies, utilities, transportation and virtually all industries with a presence on the edge should be taking action as well. The stakes are high when foreign interests use the supply chain as an access point to steal military and commercial secrets, disrupt utilities or endanger public safety.

    Working Together To Find The Treasure

    It’s still the early days, but I do meet business leaders who recognize the importance of addressing both IT and OT initiatives. Recognizing this need is one thing, but execution remains a challenge for most people I speak with. Some businesses are looking to integrators with a keen understanding of both IT and OT priorities, like KPMG, a company that brings clarity to the blurry lines between the two worlds.

    I find that most solution providers and systems integrators still need to invest and educate their teams on IT and OT integration strategies. Those providers that do are better equipped to create a balanced strategy to unearth that buried gold for their clients.

    Set a solid foundation to prepare for IT and OT convergence by ensuring both IT and OT leadership are included in the journey. It’s vital they are closely aligned in their decision criteria. Consider these key imperatives for success:

      • IT must be cognizant of the criticality for 24/7 operations of OT systems, which may be new to your IT staff.
      • Reduce inherent risks with vulnerable OT systems by preventing cyber exploits and reducing human errors in network management. Both may cause catastrophic equipment failure, environmental failures or injuries.
      • Realize you can reduce cost and complexity by leveraging your existing untrusted networks — no rip and replace — for secure communications and operational availability and integrity.

    Connecting "things" using traditional networking is not your biggest problem. The challenge is the growing attack surface created by inadequate networking of sensors, unconventional endpoints and outdated operating systems. Instead, modern zero-trust networking with automated, policy-based orchestration tools to provide ease-of-use and scalability should be on the agenda for organizations.

    The risks are too severe to continue moving forward in any other way. Bad actors and international threats have forced our technological hands. Nobody wants to have an itchy techno-trigger finger, but the time to act is now. Leaders must recognize that the world is a richer place with IT and OT teams at the same table.

    Because IT and OT have historically operated in silos with different objectives, a transformative networking solution is required to keep the bad guys out and prevent the ugly side effects. Follow Tuco’s advice from the film: Don’t let anyone’s spurs come into your network doors, windows or internet of things (IoT) devices. Adopt forerunners' IT/OT convergence strategies and seek zero-trust networking to reap the rewards of an expanded IIoT world, rather than lament its challenges.

    Note: This article was previously published on Forbes.com

  • Notes From Our Founder By Bengt Gregory-Brown

    Bengt Gregory-Brown, (CS)²AI Co-Founder and President
    March 2020

    (CS)²AI Founder and President Bengt Gregory-Brown addresses concerns about the cyber security practitioner shortage.

    Signs of the skilled security practitioner shortage abound, it seems. Breaches and incidents continue to increase in scope and frequency. Market analysts predict high year-over-year growth in cyber security budgets, including both increased hiring and expanded training for existing personnel. Numerous reports, including recent releases from ISACA and Tripwire, highlight the length of time it takes to fill positions, the number of organizations unable to fill open cybersecurity spots on their team, and those planning to increase their open positions even further in the next year. RSA 2020 opened with talks about addressing the need by expanding our definitions of desired team members, noting that “unemployment is running as high as 80% in the neurodiverse talent pool. We need to consider potential not just expertise when we hire."

    Answering the needs of this workforce is the core driver of every part of what we do. Our work establishing and growing local chapter groups enables people in and entering the ICS/OT cyber security field to find and form professional communities of interest; to learn from each other; to start and improve their careers. Our ongoing series of Virtual Meetups helps educate ICS defenders and allows our members to engage directly with subject matter experts. Our ICS cyber security research projects answer questions crucial to understanding what’s going on in many areas of the (CS)² field.

    The feedback we get from members is tremendous and motivating and could only be improved by more volunteers to help us go further and achieve even more of our mission goals. We are accomplishing great things, and with the increased bandwidth that comes with more people joining the effort we know that we will accomplish even greater ones.

    So reach out today and find out how you can be part of answering the cyber security practitioner shortage.

  • The Chairman's Minute: Dropping Our Routines For A Day (or Two)

    By Derek Harp
    November, 2019

    It is easy for our daily workloads, our meetings, emails and phone calls to become routine. We start to focus on tasks and neglect to view the big picture or to even look around. We don’t "smell the roses," and make sure to include re-energizing activities in our life. Don't get me wrong - as an entrepreneur, creating and developing organizations is what I love doing, so much so that it might be less a career choice and more a calling, but we all periodically need to get some distance from the tactical aspects of what we're doing.

    For me, the SecurityWeek ICS Cyber Security Conference in Atlanta last month was just the thing I needed. I dropped out of nearly all of my regular routines to stay present, in the moment, at the conference. In addition to the privilege of being able to speak in two general sessions and attending some great workshops, (CS)²AI Co-Founder Bengt Gregory-Brown and I staffed a (CS)²AI booth at the event.

    That was the first time (CS)²AI has done that. As a non-profit organization we didn't have the glamorous tchotchkes that all the vendors did (though we did have a book from one of our partners to give out - thanks Waterfall!) but a steady stream of people still came up to talk with us at all times every day. Some were already familiar with (CS)²AI, some already members looking to find out more about what the global organization does beyond their local chapters, and some were companies who wanted to get involved as a partner. Others didn't know much about us yet and were eager to learn more, plainly stating that this is just what they needed to help them and their teams and asking how to get chapters started in their home areas.

    I talked to a lot of ICS security professionals, telling the story of how (CS)²AI came to be what it is today and sharing the vision of where we see this “members working for members” organization going in the future. Sharing things I find exciting never fails to rev me up, and this was no exception. On top of that, though, I did a lot of listening. People told me about their situations, their work environments, the ICS security challenges they were dealing with, and their sense that, prior to meeting us at the conference, they were alone, the only ones dealing with these problems. Every conversation just reaffirmed to me how critically important our mission of uniting peers in the industry was and continues to be.

    One aspect of being an entrepreneur is that I always have routine work to get done, and that can compete with allocating time to passion projects like (CS)²AI. Among all of the things I took away from my week at the conference, the interaction with colleagues who see the importance of this work as clearly as I do may be the most meaningful. As we are about to start the Thanksgiving holiday here in the United States next week, I am thankful for all the volunteers locally and globally that make (CS)²AI what it is today.

  • The Safety & Security Mindset

    By Larry Frenchwood CISSP, CISM, GICSP, CEH
    EnscoRowan – Lead Cyber Security Specialist IT/OT
    September, 2019

    To better understand the relationship of safety implications of OT (Operational Technology) security, we must first explore the differences between IT & OT security. Oftentimes IT & OT security get bundled together as general cyber security. Nothing could be further from the truth. They are both very different in implementation, operation and architecture.

    IT computing environments are based on information and data. OT or Industrial Control System (ICS) environments are based on processes. These processes can involve or produce valuable data, but it’s the process that is the main component in an ICS environment.

    Protecting information is fundamentally different than protecting processes. They also can have different consequences. If the company loses data or information due to a cyber-attack or breach, the impact often can mean financial losses and/or reputational damage. If the company loses critical processes, the impact could result in not only financial losses, but also loss of human life or damage to the environment. This leads us to the topic of this discussion. Why is OT Security just as important as Safety?

    For decades in OT environments, safety has been the #1 priority. No matter the industry, wherever ICS environments are present, historically safety has been the #1 driver in operations. Only in recent years has cyber security become a priority in OT, and this is mainly due to the increase of successful high profile cyber-attacks against ICS networks. In reality, cyber security has an ever increasing impact on safety, and it is for this reason that we need to marry safety and security. In this new era of inter-connectivity and growing business appetite for control systems data, it is imperative that we explore the evolving risks this brings into the picture. This can best be explained through an example of how cyber security can directly impact safety.

    Let’s say we are operating a production process that manufactures a product. Creating this product involves processes that combine chemicals at various stages of production. These chemicals must be regulated at certain temperatures before mixture in order to avoid serious chemical reactions. These temperatures are normally controlled by programmable logic controllers (PLCs), which control the equipment that regulates the temperatures of the chemicals. Typically there are set points configured in the control system that provide the acceptable conditions for operating these processes. If the temperature exceeds the parameters of the configured set point, the system stops the process and alerts someone. Safety systems can also be tied to these control systems to ensure the processes do not function beyond set limits.

    What if an attacker is able to modify or disable the safety systems and notifications? What happens if an attacker is able to manipulate the set points? They can essentially cause the system to allow temperatures in the chemicals that would cause a reaction that could also result in damage, or harm to people and/or the environment. This would also lead to financial loss, reputational damage as well as potential legal liabilities. Now we begin to understand the importance of cyber security in relation to safety in operational technology environments and especially for ICS. There are a myriad of examples you could apply that all potentially have huge negative consequences.

    I believe we have surpassed the days of elevating safety as the #1 priority for business or operations. In my opinion safety and security should be married to one another. You can’t have safety without security, and you can’t have security without safety. Both should be given equal priority from senior management in every organization. It is impossible to eliminate all risks, but it is completely possible to manage risks to acceptable levels. Providing robust and effective management of risks associated with safety and cyber security is essential for ensuring the company’s safe and effective delivery of products and services.

  • The Chairman's Minute: What is Your Security Culture?

    By Derek Harp
    August 2019

    Security Culture is something I am giving a lot of thought to these days. After two decades of contributing to more technical efforts to increase cybersecurity, it is clear that we are still so incredibly vulnerable to our individual behaviors. From the kings to the cooks in our castles we still give so much away freely. One might argue that if we don’t fix that it doesn’t matter what we spend on cybersecurity technology. Our Security Culture collectively does not get a good score and we are beholden to our common denominator, team members.

    A new norm where people routinely don’t trust other connections, messages, connectivity and make isolated exceptions vs continually accepting everything everywhere at face value is the shift we all need to make. It’s a paradigm shift that calls for us as human beings to change fundamentally how we relate with connected technology.

    The origin of this infrastructure springs from research projects connecting trusted technology, but that is not where we find ourselves today at all. I won’t claim to have all the answers but, rather, ask the question “What can we {all of us} and CS2AI, as an organization, do to increase “buy-in” regarding the necessity to raise all of our cyber behaviors to a new level?"
