ICS Cyber Convergence

Cybersecurity is arguably the biggest challenge facing most companies today. We are undergoing a change in IT Security where it seems like every company is subjected to endless cyber-attacks. With the increase in Advanced Persistent Threats to traditionally consumer-oriented organizations, the adoption of cyber regulations within private companies is more prevalent than ever. Although compliance does not in itself guarantee security, it’s a good starting point, especially when combined with best practices and guidelines that regulate the industry.

Seeking to avoid having government regulations imposed on them to force IT security, a number of companies are moving towards adopting and complying with a general IT security regulation like the Federal Information Security Management Act of 2002 (FISMA). Their hope is that self-regulation will prevent government mandates.

According to David Lawson, Director, Risk Management and Compliance at Acumen Solutions, "More and more companies are getting requests for FISMA control assessments." FISMA, a regulation built for federal agencies, holds executives at those agencies responsible for the security of their data and accountable for implementing security controls that meet minimum security requirements.

A discussion on the virtues of FISMA couldn’t be more appropriate. It’s clear that businesses need to do more to fight cyber attacks and to better protect their businesses and customers, preventing huge losses in the process. A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail, for example, more than doubled from 2013 to an annual average of $8.6 million in 2014.

The Top Three Things to learn from FISMA

By following general FISMA guidelines, organizations can help bolster the security of their enterprise within the following areas:

Policies and Procedures:
FISMA can help organizations establish the policies and procedures designed to reduce information security risks in a cost-effective manner. This can include building routines for assessing cybersecurity that bolster an organization’s information security health throughout the year. Part of this regulatory planning includes periodic risk assessments that evaluate the potential damage and disruption caused by unauthorized access, and procedures for detecting, reporting and responding to security incidents.

Training and Awareness:
Security awareness training for employees is a crucial element of proper enterprise security planning. Topics covered should include the security risks associated with day-to-day activities, starting with the basics such as the definition of security roles and responsibilities, and users’ responsibility for complying with policies and procedures.

Testing and Evaluation:
FISMA does a good job of singling out the need for an organization to perform effective analysis of its information security policies, procedures, practices and controls. The frequency of these tests depends on the risk level of the organization, but they are most commonly conducted annually.

Another best practice is to use technology for process automation and threat monitoring. Automation and centralized reporting and tracking tools can increase the efficiency and quality of an organization's cybersecurity platform, not to mention its compliance efforts. This approach to automation helps eliminate several manual reporting steps and reduces redundancy.

Regulations are rapidly becoming an important part of cyber planning for organizations not traditionally impacted by compliance, but which are very interested in becoming more secure. When used and understood properly, cyber regulations can help an organization new to cybersecurity build the foundation of a sound IT security platform that can help avoid headaches now and in the future.

Reference Links:

http://deloitte.wsj.com/cio/2013/06/03/fisma-takes-private-sector-by-surprise/

http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002

http://www.bly.com/newsite/Pages/WP_FISMACompliance_062206.pdf


A necessary but relentless focus on regulatory compliance in the cybersecurity community may be shifting resources away from more complex threats. Although organizations focused on checking the compliance box are more likely to address the foundational solutions necessary in building a cybersecurity framework, this approach can also lead to a false sense of security.

The Ponemon Institute and Lockheed Martin recently surveyed 678 IT security leaders within the United States. The surveyed respondents were security practitioners familiar with their organizations’ defense against cybersecurity attacks and responsible for directing cybersecurity activities. (Download the Intelligence Driven Cyber Defense survey results.)

When asked about cybersecurity business priorities, compliance was rated the number one cybersecurity business priority (above confidentiality, interoperability, integrity and availability). The challenge with this common response is that compliance does not necessarily equal security. 

Achieving compliance gives organizations a foundation on which to start becoming secure. But an organization can be compliant and still remain vulnerable. For example, you can have a solid maintenance log to comply with a regulation or policy. However, how will that log be used to proactively defend infrastructure? Within the Utilities industry it’s one thing to comply with the NERC CIP requirement to map all networkable operational technology. However, what good does that do when protecting IP if you don’t actively monitor those devices for potential breaches?

A focus on compliance as a top priority may cause an unbalanced view of the controls and the vulnerabilities of a cybersecurity model. This, in turn, can prevent organizations from combating the most critical facet in risk management: the threats.

This unbalanced condition often results in a focus on incident response versus threat intelligence within the analyst realm. Threat intelligence is a critical element to an effective cybersecurity platform because attacks are ultimately caused by people, who are often unpredictable, non-constant and creative in their tactics. 

5 Tips on How to Achieve Compliance and Security

Compliance is an important aspect of cybersecurity and it should be a priority. The focus on protection, however, should be on measuring the effectiveness of compliance rather than the mere achievement of compliance. Below are five tips for achieving compliance and security:

  1. Map your environment. Situational awareness is important, both inside and outside of the network. A common tenet of a majority of regulations is asset mapping. How much Operational Technology do you have? How much IT? Which assets are networked?

  2. Perform due diligence. The comprehensive security analysis of many companies often ends at the door of the vendors and partners they work with. Yet vendors are often softer targets that attackers can exploit to gain access to your intellectual property (IP). Close this gap by working with your vendors to ensure that they remain not only compliant but also secure.

  3. Share, share and share. Vigilance is the key to thwarting the most common threat to your network: the insider threat. A disgruntled employee or unauthorized person with some level of credentials looking to get behind the firewall and access your IP can be devastating. The key to stopping this is sharing information outside the IT department and training employees on how they can help spot and stop cyberattacks.

  4. Eliminate redundancies. Proper cybersecurity involves a lot of analysis. It’s easy to fall victim to analysis paralysis and generate redundant analytic results. Stop this by inventorying your reports, flagging redundancies and removing reports that take up space and add little value.

  5. Use compliance as a guide. Compliance is a way to start building your cybersecurity footprint. It’s also a guide for maintaining a proactive cybersecurity approach. By combining the elements above with Intelligence Driven Defense®, your cybersecurity platform will grow beyond compliant and into the realm of the truly secure.

A functionally integrated cybersecurity platform places threats at the forefront. Architects, engineers and analysts adhere to a common methodology that incorporates threat analysis and threat intelligence across systems and processes. A threat-driven cybersecurity platform, tailored to fit with a compliant infrastructure, is the combination that best ensures security in a strategic, tactical and operational manner.



Each year, the Internet of Things (IoT) makes strides towards transforming industries. IoT, sometimes known as the Internet of Everything (IoE), refers to physical devices that are placed on the Internet by installing wireless sensors on them. You see a lot of IoT in the consumer world, most commonly in home devices such as alarm systems, thermostats and electrical sockets that control lights remotely. Most of these devices are accessed by apps on your mobile device.

Within the last couple of years, IoT has slowly started to enter other markets. Sectors like healthcare and manufacturing are quickly learning about its potential value, particularly when combining IoT with business process management (BPM) programs. At face value, the benefits of this integration seem limitless. Real-time data analytics, immediate social and mobile capabilities for otherwise static and often hard-to-reach devices, and the ability to pair business-facing operations like inventory control and automated supply-chain capabilities with real-time consumer demand create a list of desired capabilities that is almost too appealing for any C-level executive to resist.

But how safe are these devices? What can your organization do to protect itself from the danger associated with IoT? In past blogs you’ve heard us talk about the potential challenges between integrating Information Technology and Operational Technology. In many ways, this is very similar. On one hand you have a physical device, like an alarm system, which was built to interface with a live person, and therefore the device was designed from the ground up with accessibility as its core, data integrity as its next most important component, and confidentiality of data as the third priority. By integrating a sensor for wireless access, you’re now effectively opening the door to hackers by providing accessibility to a device that was not built primarily to protect the confidentiality of its data.

According to Earl Perkins, research vice president at Gartner,

“The power of an Internet of Things device to change the state of environments and of itself will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities. IoT security needs will be driven by specific business use cases that are resistant to categorization, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.” (Gartner)

The Gartner article goes on to predict that by 2020 the installed base of "things" that make up IoT, excluding PCs, tablets and smartphones, will grow to 26 billion. That’s a huge leap from the estimated 0.9 billion units in 2009.

Despite the prospective issues associated with IoT from a security standpoint, there are two major steps that your organization can take to mitigate the cyber threat of the technology.

1. Map and know your environment

One of the dangers with IoT devices is that they will proliferate on networks to such a degree that organizations will find it difficult to keep track of them, even as the devices take on increasing responsibilities. Once you lose track of how many you have, you have an issue. This is similar to the problem with IT and OT integration, especially within the utilities industry, where organizations lose track of how many IT-OT enabled devices they have and spend a lot of time just mapping their environment and trying to catch up. Industrial Defender not only offers the capability for your organization to better map these technologies, but also provides a snapshot from a centralized dashboard and portal. You can't fix what you don't know about, so this mapping is a vital first step, as well as an ongoing one, before anything else can be accomplished.

2. Assess and Plug vulnerabilities

Once your environment is mapped, assessing which set of IoT devices are specifically dangerous and building an approach to plugging their vulnerability can go a long way in defending from potential future attacks.

IoT is here to stay, and its implications for businesses and CISOs, both good and bad, are still being determined. What is known, however, is that by mapping, assessing and addressing known vulnerabilities, you can go a long way toward protecting your network.


A discussion with Mel Greer, Senior Fellow and Chief Strategist at Lockheed Martin

In the last two years, IT security breaches have hit the White House, the State Department, the top federal intelligence agency, the largest American bank, the top hospital operator, energy companies, retailers and even the Postal Service. With the New Year upon us it seems fitting to take a moment and assess the state of the cyber challenges ahead and potential strategies to surmount them.

For this post I turned to Lockheed Martin’s Senior Fellow and Chief Strategist, Melvin Greer (M) to discuss the high level statistics every CISO should be considering:


C: Describe the overall state of cyber security in the US.

M: This year has brought big news, significant changes and increased awareness of the evolving cyber-threat landscape. From a threat landscape perspective, we have seen some important developments.

Let’s start with the stark realities:

  • Credit and debit cards are among the most commonly breached credentials, together representing 62% of all information breaches
  • In the healthcare industry, there were almost 2 million people affected by medical identity theft in 2012. They incurred about $12B in out-of-pocket costs due to these thefts.
  • In higher education, 50% of colleges and universities allow for the unencrypted transmission of sensitive information over email. 25% of these institutions actually advise applicants to send personal information via unencrypted email to admissions and financial offices
  • In the communications industry, less than half of all mobile device owners use security software on their devices. There are over 1M malicious and high risk apps on the market today that target the Android platform
  • Retail websites are the #1 target for hackers

C: What are the biggest threats?

M: Multiple new digital battlefields have emerged including critical infrastructures, Cloud Computing, Social Networks, Big Data and the Internet of Things.

9 out of 10 intrusions involve the following patterns:

  • POS Intrusions
  • Web App Attacks
  • Insider misuse
  • Physical Theft/Loss
  • Miscellaneous Errors
  • Crimeware
  • Card Skimmers
  • DoS Attacks
  • Cyber-espionage
(Also see Verizon 2014 Data Breach Investigations Report)

C: How can the enterprise protect themselves?

M: The evolution of cyber threats requires a new leadership approach, given that no matter what the security solution is to an existing problem, the problem itself will evolve and the leadership strategy driving the security solution must evolve with it.

Key first steps include:

C: What should individuals do to protect themselves?

M: Individuals' actions and their subsequent education are directly tied to the strategy of the enterprise they are aligned with. We know that threat sophistication has significantly changed; attack vectors, propagation methods, and even the ultimate objectives of the attacker have evolved.

It’s imperative that individuals become actively engaged in protecting their data.

  • Use personal anti-virus and firewall security on all personal devices
  • Always use strong passwords (greater than 8 characters, upper & lower case, number & symbol)
  • Do not click on links embedded in emails regarding financial transactions from banks, merchants or other sensitive parties.
  • Always go to the respective party's site by directly entering the URL in the browser in order to avoid phishing scams.
  • Employee awareness and training programs

In our experience most organizations find themselves woefully behind in implementing what they arguably know to be best practices. Perhaps the first step to take is collaboration. Talk with your peers and leading vendors in the space to get a more accurate picture of the threat facing your industry.


The “consumerization” of business technology is a relatively recent trend that continues to pick up speed. Defined as the introduction of consumer technology within the corporate environment for use in work activities, the consumerization of business technology is best reflected in policies such as Bring Your Own Device (BYOD), which have become prevalent in most corporate environments.

As this trend continues to grow, the need to plan and deal with BYOD from the level of Chief Information Security Officer (CISO) and even Chief Information Officer (CIO) has been augmented to include home or personalized applications. Now, Bring Your Own Application (BYOA) is becoming a focal point in the IT security planning of many organizations.

These trends are natural. In many ways, our place of work is much like our home. We personalize our office spaces and socialize with our colleagues, and in recent years the corporate infrastructure has been changing to reflect this consumerization. BYOD and BYOA have become natural parts of the consumerization ecosystem, from the introduction of social media within organizations to improve collaboration to the migration toward cloud for business services—including an emphasis on accessible and consumer-like product and service tracking.

At the end of the day, all of these services and all of this consumer integration are focused around one greater need—the ability to provide end-users with mobility. Tech-agnostic computing, or the ability to work from any device at any time, is here today and not going away any time soon. So how should organizations react?

If your company is going to permit BYOD and BYOA, and allow teams of employees to integrate their own personal applications with corporate data, it becomes important to set expectations, produce procedures and rules, and explain those policies and regulations to your employees. This approach to protecting your enterprise must start with answering some basic questions:

  • How do we detect when people are conducting nefarious activities?
  • Do we have the proper monitoring currently on our network?
  • Do I have the controls in place?
  • Do my employees have proper authentication and application protection around BYOD?

These questions are important to answer before addressing the Mobile Device Management policies of your organization. Whether you have smartphones, tablets, or laptops in the workplace, you need to have an organized approach toward deploying, securing, monitoring, integrating and managing these mobile devices.

It’s also critical to answer these and other questions when addressing information management policies around the use and protection of intellectual property. This includes examining application security and control.

When these policies and procedures are established, it then becomes important to address user and device authentication. At this point, you begin to ask additional questions: How will a user authenticate on premise versus remotely? Can we track when they’re local versus remote? How will mobility impact the security?

Finally, data loss prevention becomes a crucial element in determining if sensitive data is on a mobile device. Once that capability is determined, you can begin to explore how to continue to protect it.

Mobility and the disruptive technologies fueling this trend, such as BYOD and BYOA, can be daunting from a CISO and CIO level. We know it’s here to stay. We also know that new mobile technologies continue to proliferate at alarming rates. Answering these seemingly basic “block and tackle” questions first can give your company a solid footing that will enable you to weather any BYOD or mobility-related storm.


Last week, we looked at the second of three oil and gas deep dives when we examined the role that operational technology and information technology play within this sector.

Specifically, we addressed the challenges in protecting IP in oil and gas since accessibility of data is such a crucial element within this industry. IP provides the competitive advantage that sets each company apart from others in a highly integrated industry. It also helps oil and gas companies better understand the current environment to deliver better future results.

The challenge with IP in the oil and gas sector is determining how to best keep the IP safe, yet accessible to those that need it. Industrial Defender and Lockheed Martin, its parent company, have approached this challenge by successfully combining the IT and OT landscapes. The result is a robust solution towards IT and OT security that includes people (e.g. training), the processes (e.g. policy and procedures) and the technology to address modern security challenges.

However, there’s more that the oil and gas industry can do to improve its cyber maturity and cyber capabilities. One suggestion is to examine whether oil and gas companies can take an approach towards cybersecurity that in some ways mirrors their Health, Safety and Environment (HSE) policies. To better explain what I mean, let’s take a brief look at HSE.

The oil and gas industry always carries the dangers associated with dealing with a combustible element in extreme and often remote conditions. Add to those dangers the often unpredictable nature of sociopolitical events with the often inclement weather of drilling locations, and the very nature of finding, transporting and refining oil and natural gas becomes daunting.

Losing money by drilling into a dry well, while damaging to the revenue stream, appears less drastic when compared to the damages incurred in any one of the major disasters that occurred over the last 30 years. If something goes wrong in this industry it puts lives, local habitats and even global economies at risk.

That’s one of the key reasons why this industry has led the implementation of HSE as an organizational pillar that is universal in this sector. Few industries triage and escalate prospective HSE near misses for the purpose of predicting incidents with the same thoroughness as oil and gas companies. Fewer private sector companies promote the value of such seemingly innocuous acts as holding the handrails when climbing or descending stairs, or making sure to start each presentation with a safety slide describing the precautions or actions attendees must know about in the event of an emergency.

In oil and gas, cyber attacks carry the risk of slowing, if not outright stopping, production. But because they also have the potential to become critical safety issues, cyber security should be addressed within this industry in a similar way to HSE. Cyber incidents and IT near-misses, regardless of how benign or innocuous-sounding they are, should be recorded, monitored, tracked and forecast universally within this industry.

Only then can oil and gas companies begin to forecast their potential security issues and gaps, mitigating cyber attacks that do occur, and stopping others well before they can do any damage.



On May 29, 2009, the President of the United States gave a speech on securing our nation's cyber infrastructure. Despite the fact that we were at the height of the Great Recession at the time, the importance of cyber security prompted immediate attention and awareness by the Executive office.

When recounting the then-recent attacks that led to the need to address cyber security, President Obama remarked, “In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes. A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million. It's been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.”

One trillion dollars! Wow. Even if a fraction of that figure is accurate, the loss is still shocking. In reading the speech over, the one area of cyber security that the President’s points did not address is the vulnerabilities that cyber-attacks exploit, specifically within our Energy and Utilities space.

Recently, I discussed how a virus in 2012 impacted two of the largest oil companies in the world.  This week, I want to dive deeper into the oil and gas sector to discuss how the integration of Information Technology (IT) and Operational Technology (OT) present one of the largest vulnerabilities for this sector.

Operational Technology is hardware and software that a company uses to monitor or control an environment. OT commonly detects, measures, and in some cases executes a change, or event, within a given physical area. Most commonly associated with physical access devices or with manufacturing, OT has increasingly become integrated within the IT backbone of many organizations. This integration is most commonly associated with the introduction of network devices for remote access, and the integration of ‘off-the-shelf’ or common technologies.

By making OT live on a network, organizations are placing that intellectual property (IP) in a place that could be discoverable during a successful attack. In the oil and gas industry, OT is a conduit for much of the Intellectual Property produced. From volume, velocity and variety readings to geophysical equations, the data that flows throughout every part of an upstream, midstream, and downstream company is as varied as it is sacred to the present and future health of each organization.

The real potential danger in merging these two types of technology comes with adding off-the-shelf technology, such as desktop machines running common operating systems, with OT. In technology, we often classify IT and off-the-shelf tech as designed with confidentiality, integrity and availability (CIA) at its core. This means that IT prioritizes the protection of data before making it accessible. OT is the opposite. OT was built with Accessibility at its core, followed closely by Integrity and finally Confidentiality (AIC).   

With these two technologies seemingly at odds, you can start to understand how something as seemingly trivial as patching a desktop connected to an OT device could have negative results on the OT device itself.

The challenge in protecting IP in oil and gas is the accessibility of data crucial to the complete operation of the industry. To enhance exploration and production, for example, IP is being used not only to find new sources of oil and gas, but to reduce the non-productive time (NPT) of assets by predictive maintenance of critical components such as ESPs (electric submersible pumps). IP is even being used to help reduce the Health, Safety and Environment incidents within drilling and production, and provide end-to-end views of hydrocarbon reservoirs and advanced pattern detection.

In refining and manufacturing, IP is used to reduce the NPT of assets through the predictive maintenance of critical components such as rotary equipment. IP can also include the data used to improve asset performance management through real-time metrics across different subsystems.

IP provides the competitive advantage that sets each company apart from the others in a highly integrated industry. It also helps oil and gas companies better understand the current environment to deliver better future results.

The challenge with IP in the oil and gas sector is determining how to best keep the IP safe, yet accessible to those that need it. Industrial Defender and Lockheed Martin, its parent company, have approached this challenge by successfully combining the IT and OT landscapes. The result is a robust solution towards IT and OT security that includes people (e.g. training), the processes (e.g. policy and procedures) and the technology to address modern security challenges.



Understanding the art and science of securing your environment

Cybersecurity is a gigantic topic. It’s more than just technology. It’s a careful mixture between art and science. Understanding the mechanics behind protecting, identifying and thwarting attacks, although crucial to the science of cybersecurity, represents only one side of the coin. Knowing your enemy, understanding the sociopolitical nuances of your environment, and predicting where you’re most likely to get attacked, that’s art.

Enveloping these two sides of the coin is your knowledge of your industry; not just the cogs you make and sell, but where you sell them, how you make them and how they’re used. All these inputs go into creating a sound cybersecurity infrastructure.

These next several blogs are dedicated to understanding the industry aspect of cybersecurity, starting with a look at the oil and gas sector.

It’s a hot topic, these days, especially with the sociopolitical landscape in much of the world’s oil reserves. Whether it’s the terrorist organization known as the Islamic State of Syria and Iraq (ISIS) in Iraq, or the Ebola outbreak in West Africa, the unrest in much of the oil producing regions of the world is palpable. Yet our need and demand for hydrocarbons, and petrochemicals, remains unyielding.

The U.S. Energy Information Administration projects that world energy consumption will increase 56% by 2040. Much of that demand increase is driven by developing economies and by the geometric demand predicted predominately in China.

To meet this demand, oil and gas companies must do two things:

  1. Produce more from the conventional fields or use techniques to unlock newly discovered reserves and extrapolate new reserves from previously known deposits.
  2. Maintain Operational Excellence to minimize unplanned downtime, costly mistakes, and production disruption from cyber and physical threats.

Admittedly, I am not a geophysicist or geologist so I can’t provide any direction with finding oil. On the cybersecurity front, however, I can say that the landscape looks perilous.

Depending on who you talk to, statistics vary on how much cyber-attacks are increasing per year. According to a recent Symantec study there was a 91 percent increase in targeted attack campaigns in 2013, which includes a 62 percent increase in the number of breaches.

A different report by IBM gave a more conservative estimate: in the United States alone, there were an estimated 1.5 million monitored cyber-attacks in 2013. That equates to roughly a 12 percent year-to-year increase in security events.

Regardless of the numbers, one common trend in cybersecurity is clear: the number of attacks is going up at an alarming rate. Over the past 30 years the oil and gas sector has been a victim of several attacks. One of the most famous, the Saudi Aramco attack of 2012, was aimed at stopping oil and gas production in Saudi Arabia, the biggest exporter in the Organization of the Petroleum Exporting Countries.

This attack targeted 30,000 computers and paralyzed the organization for months. An important lesson from the attack, however, lies in the Business Continuity Planning (BCP) takeaways from its aftermath. Could your organization run on paper, if it had to? Could your organization access thousands of new hard drives if it needed to replace all of its computer systems? What procedure would your employees follow and how would they know what to do?

As devastating as the attack was on Saudi Aramco, in some respects it was fortunate. The cyber-attack focused on damaging 32-bit machines, leaving the 64-bit servers intact. The attack on RasGas Company Ltd. just two weeks later included a variant of the Aramco virus augmented to infect 64-bit machines as well, making that devastation more severe.

The main takeaway from these attacks is how fast the attacks can occur, and how much faster attackers learn from their mistakes.

Next week we’ll dive further into the oil and gas sector including a look at how the integration of information and operational technologies plays a role in the cybersecurity infrastructure of this sector.


How can the Oil & Gas industry translate their disciplined approach to health, safety, and the environment (HSE) to cybersecurity?

Find out how an integrated and intelligent approach to energy industry cybersecurity can help your organization move towards a more stringent application of cybersecurity.

Download the whitepaper Cybersecurity in the Oil and Gas Industry


We are wrapping up October, which is National Cyber Security Awareness Month, so today I want to share the ways citizens can help to support and build greater cyber resiliency.  

The purpose of National Cyber Security Awareness Month is to engage and educate public and private sector partners through events and initiatives with the goal of raising awareness about cyber security. According to the Department of Homeland Security, Cyber Awareness Month aims to increase the resiliency of the nation in the event of a cyber incident.

The role of citizens is growing by leaps and bounds as it relates to thwarting and potentially curbing cyber attacks. In my mind, this role can be bolstered by the following three actions:

1. Get involved

Cyber security is about crime prevention and crime remediation. As a society, we all benefit from crime prevention when we get involved and support an effort or an organization that fights crime. Cyber security is no different. There are several groups that can benefit from our time and involvement.
Websites like Stay Safe Online, which is operated by the National Cyber Security Alliance, aim to “educate and therefore empower a digital society to use the Internet safely and securely at home, work, and school, protecting the technology individuals use, the networks they connect to, and our shared digital assets.”

2. Become vigilant

A large portion of cyber attacks that involve stolen intellectual property come from digital espionage. It’s not always the hacker who finds the vulnerability, but rather the co-worker or disgruntled employee who steals the company’s secrets or compromises sensitive data.
An industry that’s currently experiencing a pronounced need for cyber-vigilance is the healthcare sector. Recently a report by Reuters stated that medical records are of more value to hackers and cyber criminals than even credit cards. By being vigilant about your own data, protection and the people around you, you can prevent unnecessary data loss.

3. Be informed

One way to take a more prominent role in preventing cyber attacks is simply to learn more about them. Keep abreast of the latest attacks and learn the statistics. For more information about the number of cyber security attacks and the studies concerning cyber security, you can learn more at Stay Safe Online.

How can you turn awareness into meaningful actions?

Read our post on how to leverage cyber security awareness to open up a dialogue about measuring risk and implementing action plans for industrial control systems environments.


The cloud might not be raining on industrial control rooms anytime soon, but IT departments in critical infrastructure industries will want the cost advantages and flexibility offered by cloud computing in all its forms. As IT and OT collaborate on projects to secure industrial control systems environments, cloud security will be an emerging topic. 

A hybrid cloud is a consolidation of a private cloud and a public cloud. The growing popularity of hybrid clouds stems from their ability to offer multiple deployment models at once.

Gartner predicts that globally, almost half of all large enterprises will have deployed hybrid clouds by the end of 2017. That means we are in a defining moment wherein companies will begin planning to move away from private into hybrid clouds.

The challenge, though, is how to interconnect multiple clouds to work as a seamless whole. You don’t want a cloud for e-mail, another one for content management and development, and yet another for collaboration, especially if the clouds lack the capability to interact with one another. More importantly, the complexity between hybrid clouds introduces a new paradigm of cybersecurity vulnerabilities. But with a careful implementation of standards concerning how to perform governance and implement IT systems to protect data, securing the hybrid cloud becomes possible.

Establish industry-specific and federal security controls

The energy and utilities industry has the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) controls, the financial sector has the Payment Card Industry (PCI) standards and the healthcare industry has to comply with security guidelines laid out in the Health Insurance Portability and Accountability Act (HIPAA).

We provide a set of cloud-specific controls and baseline security measures from the Federal Risk and Authorization Management Program (FedRAMP), the federal government’s security accreditation program for cloud services and providers. FedRAMP standardizes the approach to security assessment, authorization and continuous monitoring for cloud products and services with a “do once, use many times” framework that is expected to reduce the cost, time and staff required to conduct agency security assessments of cloud solutions.

Our Solutions as a Service Secure Community Cloud or SolaS -- which consists of a community, private and hybrid cloud -- is built to meet the government’s Federal Information Security Management Act (FISMA) security guidelines at the Moderate Security Level and FedRAMP certification. SolaS received the FedRAMP Joint Authorization Board’s provisional authorization to operate, which is the most rigorous approval, and involves a thorough review by chief information officers of the General Services Administration, and Homeland Security and Defense departments.

As a cybersecurity company, Lockheed Martin not only meets the FedRAMP requirements but has also layered in specific security controls developed by the company.

We are working with companies in the energy, finance, healthcare and education sectors to identify similar baselines they can use to deploy trusted cloud services within their domain space.

I believe we will start to see a more significant adoption of the hybrid cloud as the industry-specific controls and the government-specific controls are extended to the cloud. At this point, commercial entities can start to consume each other’s cloud services in a more trusting environment, and in a manner similar to the way agencies share data with FedRAMP.

At Lockheed Martin, our approach towards the hybrid cloud and security is in lock-step with the bottom line in the commercial space: to understand how to use, secure and bundle services across multiple environments and make that seamless for their customers.

                                   
