ICS Cyber Convergence

Cybersecurity is arguably the biggest challenge facing most companies today. We are undergoing a change in IT Security where it seems like every company is subjected to endless cyber-attacks. With the increase in Advanced Persistent Threats to traditionally consumer-oriented organizations, the adoption of cyber regulations within private companies is more prevalent than ever. Although compliance does not in itself guarantee security, it’s a good starting point, especially when combined with best practices and guidelines that regulate the industry.

Seeking to avoid having government regulations imposed on them to force IT security, a number of companies are moving towards adopting and complying with a general IT security regulation like the Federal Information Security Management Act of 2002 (FISMA). Their hope is that self-regulation will prevent government mandates.

According to David Lawson, Director, Risk Management and Compliance at Acumen Solutions, "More and more companies are getting requests for FISMA control assessments." FISMA, a regulation built for federal agencies, holds executives at those agencies responsible for the security of their data and accountable for implementing security controls that meet minimum security requirements.

A discussion on the virtues of FISMA couldn’t be more appropriate. It’s clear that businesses need to do more to fight cyber attacks and to better protect their businesses and customers, preventing huge losses in the process. A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail, for example, more than doubled from 2013 to an annual average of $8.6 million in 2014.

The Top Three Things to learn from FISMA

By following general FISMA guidelines, organizations can help bolster the security of their enterprise within the following areas:

Policies and Procedures:
FISMA can help organizations establish the policies and procedures designed to reduce information security risks in a cost-effective manner. This often includes building routines for assessing cybersecurity that bolster an organization’s information security health throughout the year. Part of this proper regulatory planning includes periodic risk assessments that evaluate the potential damage and disruption caused by unauthorized access, and procedures for detecting, reporting and responding to security incidents.

Training and Awareness:
Security awareness training for employees is a crucial element of proper enterprise security planning. Topics covered should include the security risks associated with day-to-day activities, and should start with the basics such as the definition of security roles and responsibilities, and users’ responsibility for complying with policies and procedures.

Testing and Evaluation:
FISMA does a good job of singling out the need for an organization to perform effective analysis of its information security policies, procedures, practices and controls. The frequency of these tests depends on the risk level of the organization, but most commonly they are conducted annually.

Another best practice is to use technology for process automation and threat monitoring. Automation and centralized reporting tracking tools can increase the efficiency and quality of an organization's cybersecurity platform, not to mention the compliance efforts. This viewpoint on automation helps eliminate several manual reporting steps and leads to a reduction of redundancy.

Regulations are rapidly becoming an important part of cyber planning for organizations not traditionally impacted by compliance requirements, but which are very interested in becoming more secure. When used and understood properly, cyber regulations can help an organization new to cybersecurity build the foundation of a sound IT security platform that can help avoid headaches now and in the future.


A necessary but relentless focus on regulatory compliance in the cybersecurity community may be shifting resources away from more complex threats. Although organizations focused on checking the compliance box are more likely to address the foundational solutions necessary in building a cybersecurity framework, this approach can also lead to a false sense of security.

The Ponemon Institute and Lockheed Martin recently surveyed 678 IT security leaders within the United States. The surveyed respondents were security practitioners familiar with their organizations’ defense against cybersecurity attacks and responsible for directing cybersecurity activities. (Download the Intelligence Driven Cyber Defense survey results.)

When asked about cybersecurity business priorities, compliance was rated the number one cybersecurity business priority (above confidentiality, interoperability, integrity and availability). The challenge with this common response is that compliance does not necessarily equal security. 

Achieving compliance provides organizations with a foundation from which to start becoming secure. But there are ways they can be compliant and still remain vulnerable. For example, you can have a solid maintenance log to comply with a regulation or policy. However, how will that log be used to proactively defend infrastructure? Within the Utilities industry it’s one thing to comply with the NERC CIP requirement to map all networkable operational technology. However, what good does that do for protecting IP if you don’t actively monitor those devices for potential breaches?

A focus on compliance as a top priority may cause an unbalanced view of the controls and the vulnerabilities of a cybersecurity model. This, in turn, can prevent organizations from combating the most critical facet in risk management: the threats.

This unbalanced condition often results in a focus on incident response versus threat intelligence within the analyst realm. Threat intelligence is a critical element to an effective cybersecurity platform because attacks are ultimately caused by people, who are often unpredictable, non-constant and creative in their tactics. 

5 Tips on How to Achieve Compliance and Security

Compliance is an important aspect of cybersecurity and it should be a priority. The focus on protection, however, should be to measure compliance’s effectiveness rather than the mere achievement of compliance. Below are five tips for achieving compliance and security:

  1. Map your environment: Situational awareness is important, both inside and outside of the network. A common tenet of a majority of regulations is asset mapping. How much Operational Technology do you have? How much IT? Which assets are networked?

  2. Perform due diligence: The comprehensive security analysis of many companies often ends at the door of the vendors and partners they work with. Yet vendors are often softer targets that attackers can exploit to gain access to your intellectual property (IP). Close this gap by working with your vendors to ensure that they remain not only compliant but also secure.

  3. Share, share and share: Vigilance is the key to thwarting the most common threat to your network: the insider threat. A disgruntled employee or unauthorized person with some level of credentials looking to get behind the firewall and access your IP can be devastating. The key to stopping this is sharing information outside the IT department and training employees on how they can help spot and stop cyberattacks.

  4. Eliminate redundancies: Proper cybersecurity involves a lot of analysis. It’s easy to fall victim to analysis paralysis and generate redundant analytic results. Stop this by inventorying your reports, flagging redundancies and removing reports that take up space and add little value.

  5. Use compliance as a guide: Compliance is a way to start building your cybersecurity footprint. It’s also a guide for maintaining a proactive cybersecurity approach. By adding the elements above to Intelligence Driven Defense®, your cybersecurity platform will grow beyond compliant and into the realm of the truly secure.

A functionally integrated cybersecurity platform places threats at the forefront. Architects, engineers and analysts adhere to a common methodology that incorporates threat analysis and threat intelligence across systems and processes. A threat-driven cybersecurity platform, tailored to fit with a compliant infrastructure, is the combination that best ensures security in a strategic, tactical and operational manner.



Fact: Being compliant is not being secure and being secure is not being compliant. Can electric utilities blend compliance and security objectives to leverage the same tools, people and time?

“Compliance keeps you compliant. Security keeps you safe.”

Mark Weatherford of the Chertoff Group was very emphatic on this point in this month’s EnergyCentral webcast saying, “Compliance is not security. We should all have that tattooed somewhere on our body.”

Regulations and industry standards can only get you so far. They tell you “what to do” not “how to do it” and some may argue they’re not dynamic enough to adjust to the constantly changing threat. An example of compliant but not secure? Target. Target had just passed their PCI audit before announcing their breach in 2013.

So in the face of this reality, the goal for North American Electric Utilities is to find a way to leverage NERC CIP compliance to increase cyber security awareness within the industry while still managing their compliance programs – and it’s not without its challenges.

Challenges of compliance:

  • Understanding the standards
  • Reconciling regulation revisions in the least disruptive way to operations
  • Documentation in an ever-changing environment
  • Applying security programs within compliance guidelines
  • Implementing vendors that deliver on their promise
  • Becoming so absorbed in regulatory compliance that you stop focusing on security.

Organizations historically place more importance on compliance because of the very tangible consequences of non-compliance. This leaves IT managers within the ICS looking for ways to leverage resources to implement more stringent security measures within the context of compliance guidelines.

Sam Sciacca, Senior Director of IEEE-SA, expounded on where NERC CIP touches on cyber security, "Technology and compartmentalization can be very effective in locking out external threats but unintentional events are much harder to prevent and require procedural controls in addition to technology."

Challenges of cyber security:

  • Configuration Errors:
    – Devices are more multifunctional and more complex
    – Many “hands” touching the same device (SCADA, protection, local control/operation)
    – Firmware and configuration software updates
    – Centralized configuration management is not universal
  • Procedural Errors:
    – Failure to review configuration and programming changes (field tweaks)
    – Making configuration changes from the wrong starting point (file-wise)
    – Failure to notify other operational elements when configuration and/or maintenance activities are being undertaken

Register to watch the webcast for a deep-dive discussion with industry experts on:

  1. How compliance challenges are affecting ICS resource allocation today
  2. How NERC CIP is addressing the unique cyber security concerns of industrial control systems
  3. How a top U.S. utility is tackling the above challenges while keeping an eye on operational integrity across their complete supply chain to:
    • Automate and improve efficiency in providing evidence
    • Improve evidence with real-time monitoring details and on-demand queries
    • Create quality reports that won’t be questioned by the auditors
    • Produce a synched evidence package after a project is completed
    • Go beyond CIP regulations and manage assets across the supply chain for security and operations on non-CIP assets


How NERC CIP v5 is igniting a more collaborative approach to critical infrastructure cyber security 

The recent EnergySec Security Summit in Austin, TX offered a SANS Institute course on NERC CIP readiness. The Lockheed Martin Industrial Defender Solutions team attended the 4-day event, including the SANS curriculum. There were many great sound bites that caught our attention and sparked conversation. Here are some of our favorites:


What do these summit sound bites mean for ICS management?

NERC CIP v5 updates

Impact level assessments and asset identification are among the issues prompting organizations to file Requests for Interpretation (RFIs) with the North American Electric Reliability Corporation (NERC).

“To the Auditor – inventory is a key thing… without a good inventory, how are you going to apply policies…”
– Stacey Bresler, EnergySec

Richard O’Neil, seasoned Security Engineer on Lockheed Martin’s Industrial Defender team, was on hand for the NERC CIP v5 training. Commenting on his objective for the session, he said, “If I better understand the requirements our customers need to fulfill, I can better advise them on how to leverage the Industrial Defender ASM to get the reports they need.”

O’Neil noted what resonated with him, saying, “My biggest take away from the seminar was what Steve and Stacey [course instructors and former NERC CIP Auditors] said about CIP version 5: ‘NERC is not ready for v5. There are already a lot of formal Requests for Interpretation (RFIs) into NERC for clarification.’” A big topic for discussion is the difference between “guidelines” and “requirements” and how an Auditor may interpret them.

For example:

  • Fact: Assets must be categorized as low, medium or high impact.
  • Fact: Cyber security policies are now required for low impact assets.
  • Fact: Guidelines and requirements apply to assets based on their impact category, but there is no requirement that an organization have an exhaustive inventory of all assets within these categories.

In this example an Auditor may reason that inventory is a key thing, even though a discrete list of low impact BES Cyber Systems is not required. From an Auditor’s standpoint, without a reliable inventory, how would an organization be able to apply policies? Possible solution? An asset management platform with inventory capabilities for devices that are not connected to a network.

IT is becoming more involved

“Get IT and OT together and a lot of good problem solving happens.”
– Patrick Miller, EnergySec

Patrick Miller hit the nail on the head when he said IT and OT departments are doing the same things; they are just using different words. Same goals, same drivers, same intentions. The consensus in the room was that this statement was true enough in theory, but closing the departmental gap was proving to be an ever-persistent challenge. Miller polled the room asking if anyone had successfully combined IT and OT business units. The responses ranged from “no” to… “it’s not on our roadmap” to… “we attempted it but reverted back”. An “I hear that” chuckle rippled across the room as heads nodded knowingly.

Among the challenges standing in the way of true integration are tools and cross-departmental education. Traditional IT tools are falling “serial device” short of the mark. And IT department heads earnestly looking to integrate the departments, although improving, are admittedly struggling to manage the growing list of requirements.

Miller concluded his pep talk: “you need more money, people and time. Why not share resources so you aren’t forever out-gunned.” And to that we say “amen”.

Other industries may follow

“…the amount of data that needs to be tracked is immense.”

The IT Manager of a large U.S. chemical processor and private power generator could be overheard saying, “It’s like drinking from a fire hose,” commenting on the value of the NERC CIP training day that preceded the EnergySec Security Summit, “…the amount of data, especially configuration and change data, that needs to be tracked is immense”.

Many organizations are now looking to the NERC CIP standard as the basis for building a robust cybersecurity program for their critical infrastructure operations. Although utilities are familiar with NERC CIP, other industries (such as Nuclear) are looking to model the newest version, NERC CIP v5, as a way to guide their efforts to secure critical infrastructure operations. In conversations with those from the energy sector and other industries, we hear IT departments are being asked to become familiar with the NERC CIP standard as they build their own programs.

Many of the participants in that training session found it both informative and overwhelming. In particular they noted that the amount of data that needs to be tracked on the industrial control systems and other operational endpoints is significant. Because the amount of configuration data that needs to be collected, baselined and monitored is considerable, many noted that manual data collection, monitoring, and reporting was nearly impossible.

We at Lockheed Martin were happy to be there and share with them how the Industrial Defender ASM offers a step towards a comprehensive, yet automated, approach to many aspects of a NERC CIP program.


Today we are proud to announce a new chapter in our Industrial Defender ASM solution, ASM v6.0. Version 6.0 is the culmination of many of our dreams, aspirations and efforts of the past 3 years. It’s not only been a fun journey to make an industry-defining product in the ICS market, but it’s also a passionate mission to help that brave and over-worked plant manager wearing several hats outside his primary job; that compliance manager trying to maintain hundreds of spreadsheet-based compliance documents; that fleet manager responsible for compliance, health and welfare of several plants; that IT lead on OT systems who is trying to grapple with getting data from a 20-year-old PLC. We worked with each of those different users to carefully develop the solution to meet their needs.

With 6.0, we completed the goal to be that one tool an OT operator needs. Our product is the most complete and comprehensive in the market to help with the security, compliance, operations and change management aspects of an OT environment, whether it’s a generation plant, an EMS system, a substation, a refinery, a water treatment plant or a chemical plant.

6.0 is also the beginning of a new chapter, extending our approach to a converged IT-OT model. As we deploy ASMs across the OT environments of our fleet customers, they have been contemplating what a consolidated, fleet-level OT monitoring would look like and how ASM can help with that vision.

The Journey

It has been a fun journey for all of us at Industrial Defender introducing the change management paradigm to the OT market. We struggled for a few months to get our pitch right on why change management is seminal for OT. Like all software, we had a few early hiccups. As the product stabilized and the market understood the value of change management within OT, we’ve seen explosive growth in ASM. We have about 60 customers, the majority of them in the last 2 years, and that’s growing every month.

What did we technically achieve?

The 5.x series saw the creation and introduction of the ASM as Industrial Defender’s platform for delivery of analysis and reporting. The 5.x series included innovations such as the creation of a unique asset configuration management system and a configuration exception system based on our change detection engine technology. Business policy evaluation and exceptions were also introduced, as well as our advanced endpoint agent rule management system.

We made significant breakthroughs on the infrastructure side as well. These included the creation of IDIS (Industrial Defender Infrastructure Service), which provides the ability to scale horizontally or vertically across n tiers to distribute solution load. We also achieved a common communication definition between nodes using message queues and a common messaging framework. We introduced and developed the concept of destinations (ticketing APIs, syslog, file system, email, data diode) and we overhauled our high-availability (HA) solution.

We introduced a new framework for configuration of our infrastructure devices, and we introduced the concept of a network baseline.

Going forward

So what does the 6.x chapter look like?

There is an ocean of change that is going to affect OT environments in the next 2–3 years. Our customers are moving from compliance-driven security to security as part of the DNA inside the operations environment. As our customers try to achieve the vision of consolidated OT monitoring, and as CISOs of critical infrastructure companies strive to realize an effective security strategy across the organization, we are helping to re-invent technologies and re-tool processes. We are excited to be part of that vision and already have a head-start on that journey.



ASM 5.6 adds a whole new level of interoperability with the security technologies that have been deployed to address vulnerabilities in control systems. ASM now collects data from a wide range of best-in-breed security technologies to provide the highest level of situational awareness for industrial control systems. Customers assert that using ASM has saved them 80% of the time it takes to identify, analyze, and report on their ICS cybersecurity and compliance activities.


Executive Summary

It has been 16 years since Presidential Directive 63 (PDD-63) was released. The directive broadened the definition of critical infrastructure and defined what systems were “essential to the minimum operations of the economy and government”, and ultimately called for public-private partnerships to “swiftly eliminate any significant vulnerability to both physical and cyber-attacks on our critical infrastructures”. PDD-63 eventually led to the creation of the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) program.

In the last 16 years the critical infrastructure security community has experienced changes including:

  • The 9/11 attacks
  • New regulations, such as NERC CIP, have entered the picture
  • Mainstream automation system vendors have developed mitigating solutions
  • Numerous start-up companies that have succeeded and many that have failed

A few general questions to ponder: Have we made progress towards securing critical infrastructure? What’s worked and what hasn’t? Can we call the entire endeavor a success or failure?

With over 14 years’ experience securing critical infrastructure starting with pen-testing to researching to consulting and then to building products in the space, we are in a unique position to provide insight to these questions.

The Heritage Foundation recently released a paper titled “Plotting a More Confident Course: Rethinking Oversight of the Electric Sector and Critical Infrastructure Cybersecurity” which asks policy makers and the utility industry to “rethink” the oversight of the electric sector. While The Heritage Foundation asks us to rethink the oversight, we propose a very different approach: stay the course. Critical Infrastructure is a long way from utopia; however, we think we’ve made significant progress considering the constraints that come along with the critical infrastructure industries.

Sixteen Years of CIP in Review

Since PDD-63 was issued, the utility environment has certainly not grown safer. To the contrary, we have seen a sea change in the risk trends over the past 16 years. For example, very few mainstream security professionals knew much about the Modbus and DNP3 protocols—common in the utility control environment. Today we see quite a few BlackHat security talks on these topics. We have also witnessed:

  • The appearance of zero day attacks targeting ICS (industrial control systems)
  • Attacks directly targeting OT (operations technology) vendors and applications
  • Readily available tools designed to infiltrate ICS

These trends are indicative of increasingly sophisticated threats targeting the supply chain accompanied by an increasing arsenal of easily available tools which warrant that the utility industry “must not slow down” on security.

Let’s look at what we have learned over the past 16 years about improving cyber security of the power grid and how we should apply these lessons to continual improvement, primarily:

  • Regulations have helped the security posture of the utility industry, even if only at the level of minimum requirements
  • Security solutions must make economic sense
  • OT Awareness drives effective utility security, compliance and operations
  • Change management and automation are essential

Regulations have helped the security posture of utility industry

Regulations in critical infrastructure industries, particularly the NERC CIP regulations for electric utilities, have helped increase the security posture of their systems. For example, back in 2000, it was very hard to push the concept of a firewall between the control system network and the corporate network. Today, industrial protocol-aware firewalls residing inside the control network (below level 3) are common. Not too long ago, vendors sold products with little to no security controls built into products used in ICS environments. Now cybersecurity is a standard section in RFPs, with line items reflecting NERC CIP requirements.

Over the long term, critical infrastructure and utility industries should control their own fate, flying solo without government regulation. However, the wings of various industries—especially the utility industry—need to be stronger for them to fly far. NERC CIP has been effective, but has not yet widely percolated into every aspect of the industry because of several loopholes in CIP version 3. CIP version 5 needs to be in place for a few years before the utility industry can control its own fate in cyber security.

Security solutions must make economic sense

The most effective way to deploy and maintain security in a control system, according to an operator’s mindset, is to clearly communicate the operational value of the security products. Improving availability and operational efficiency is the key to justifying a security solution to the industry. For example, we could not deploy VPNs into control system environments until we showed the business value of remote monitoring of a control system environment. Today, control system professionals are able to remotely diagnose and correct problems, reducing the need for onsite personnel deployments and improving uptime.

While understanding the operational value is fundamental to making economic sense of a security solution, it is not enough to make the whole economic case. This is because, like so many other industries, the utility industry is going through a period of resource crunch. Capital budgets are getting slashed and vendors cannot sell security for security’s sake. If, as with point solutions, a product consumes excessive maintenance and management resources, or demands developer-like experience to write the rules used by the tool, these costs will quickly overwhelm the positive operational and security side of the economic equation. Thus, operational value must be accompanied by ease of use and maintenance. Solutions now must be easy to use, require little management, and provide actionable intelligence instead of raw data that needs to be analyzed.

OT Awareness drives effective utility security, compliance and operations

Major IT and IT-security companies have sensed the opportunity in the critical infrastructure industries and have deluged the market with off-the-shelf tools in spite of the fact that they lack control system experience, awareness and specificity. The utility operators have bought into the marketing themes and sales pitches, and have procured some of these IT tools over the past few years. While the ICS professionals need to observe other industries and learn from them, we have heard horror stories from the ICS operators struggling to deploy IT technologies into the OT space. We have seen:

  • IT technologies causing significant downtime to ICS applications
  • Excessively long deployment times and learning curves for IT technologies
  • IT technology support staff lacking the intimate experience with control systems that their ICS customers would naturally expect of a technology supplier

In fact, once sold and deployed, those tools have become major impediments to the progress of securing the ICS infrastructure systems. In many cases, these tools have proven:

  • Too numerous. The ICS operators are struggling with dozens of IT tools such as SIEM tools, compliance tools, reporting tools, documentation tools, ticketing tools, IDS tools, firewall management tools, performance management tools, and more.
  • Too big. Each of the tools is too big for their needs and too bulky to maintain. ICS operators are desperately looking for a simple, custom technology which would perform only the needed functionality.

The technology they need must have intelligence around the control system environment, must be respectful of their applications, and must help—not impede—operations. Control system situational awareness is about bringing all the aspects of the ICS environment including events, configurations, policies, and reporting together into a single, actionable view.

Traditional technologies such as Firewalls, VPNs and SIEM tools are good, but they lack the ICS situational awareness and context of the OT applications. Understanding OT applications and their “normal vs. abnormal” context is essential for technologies that would secure control systems against increasingly sophisticated attacks while simultaneously supporting operational goals.

Change management and automation are essential

We have also found that security solutions not specifically designed for a control system environment lack the understanding of control system priorities necessary for effective change management. Fundamentally, a cyber attack changes aspects of the ICS environment such as modifying software, adding users, reconfiguring assets, manipulating files, and so forth. Effective change management and effective cyber security must go hand-in-hand. Beyond that, the solution should also reflect the context of change: the policies and regulations that changes must comply with.

We are well aware that managing change, security and compliance across an ICS environment is a daunting task, so ease of deployment, ease of use, and ease of maintenance are essential for a security solution. Traditional IT tools are not only expensive and hard to deploy in a control environment, but they often require developer-like experience to write the rules used by the tools. Thus, automation of these tasks is key: automating security event and change management monitoring and alerting with popular rules available out-of-the-box; automated CIP asset monitoring, management and reporting; and easy-to-use, intuitive policy compliance assessment and reporting features.
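As an added illustration of the baseline-plus-exception change detection this section describes (example code written for this page, not Industrial Defender ASM code or its data model): a hypothetical Python drift check compares a constructed baseline snapshot of a substation HMI against its current state, credits changes covered by an unexpired change-control ticket, and flags everything else for investigation. Host name, tickets, file hashes, the category/key matching scheme and the approval window are all assumptions.

```python
"""Configuration-baseline drift detection for one OT asset (hypothetical)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed baseline for a hypothetical substation HMI, "hmi-01".
# Sections: a scalar (firmware), dicts (software, file hashes) and a set (users).
BASELINE = {
    "firmware": "4.2.1",
    "software": {"ScadaView": "7.3", "Modbus Poll": "9.1"},
    "users": {"operator", "maintenance"},
    "files": {"/etc/scada/points.cfg": "a1b2", "/etc/ssh/sshd_config": "c3d4"},
}

# Constructed current snapshot: an upgraded package, a new package,
# a new local account, and a modified SSH daemon configuration.
CURRENT = {
    "firmware": "4.2.1",
    "software": {"ScadaView": "7.4", "Modbus Poll": "9.1", "RemoteTool": "1.0"},
    "users": {"operator", "maintenance", "svc_backup"},
    "files": {"/etc/scada/points.cfg": "a1b2", "/etc/ssh/sshd_config": "e5f6"},
}

TODAY = date(2015, 6, 1)  # constructed evaluation date


@dataclass(frozen=True)
class ApprovedChange:
    category: str      # "software", "users", "files" or "firmware"
    key: str           # package name, user name, file path, or "version"
    ticket: str        # change-control reference (constructed)
    valid_until: date  # a change seen after this date is drift again


# Constructed approvals: one still open, one whose window lapsed in January.
APPROVALS = [
    ApprovedChange("software", "ScadaView", "CHG-1042", date(2015, 12, 31)),
    ApprovedChange("users", "svc_backup", "CHG-0931", date(2015, 1, 31)),
]


@dataclass(frozen=True)
class Finding:
    category: str
    key: str
    old: Optional[str]        # None when the item is new
    new: Optional[str]        # None when the item was removed
    status: str               # "approved" or "unauthorized"
    ticket: Optional[str] = None


def _as_map(section):
    """Normalise every section to {key: value} so one diff loop fits all."""
    if isinstance(section, set):
        return {name: "present" for name in section}
    if isinstance(section, dict):
        return section
    return {"version": section}  # scalar such as the firmware string


def diff_snapshots(baseline, current):
    """Return (category, key, old, new) for every item that differs."""
    changes = []
    for category in sorted(set(baseline) | set(current)):
        old_map = _as_map(baseline.get(category, {}))
        new_map = _as_map(current.get(category, {}))
        for key in sorted(set(old_map) | set(new_map)):
            old, new = old_map.get(key), new_map.get(key)
            if old != new:
                changes.append((category, key, old, new))
    return changes


def classify(changes, approvals, today):
    """Tag each change with its open ticket, or mark it unauthorized."""
    open_approvals = {(a.category, a.key): a
                      for a in approvals if a.valid_until >= today}
    findings = []
    for category, key, old, new in changes:
        approval = open_approvals.get((category, key))
        status = "approved" if approval else "unauthorized"
        findings.append(Finding(category, key, old, new, status,
                                approval.ticket if approval else None))
    return findings


def unauthorized(findings):
    return [f for f in findings if f.status == "unauthorized"]


def accept_into_baseline(baseline, findings):
    """Fold only the approved changes into a fresh baseline copy.
    Unauthorized changes are deliberately left out: they need investigation,
    not silent acceptance into the 'known good' state."""
    updated = {k: (set(v) if isinstance(v, set) else dict(v) if isinstance(v, dict) else v)
               for k, v in baseline.items()}
    for f in findings:
        if f.status != "approved":
            continue
        section = updated[f.category]
        if isinstance(section, set):
            section.discard(f.key) if f.new is None else section.add(f.key)
        elif isinstance(section, dict):
            if f.new is None:
                section.pop(f.key, None)
            else:
                section[f.key] = f.new
        else:
            updated[f.category] = f.new
    return updated


def drift_report(baseline=BASELINE, current=CURRENT, approvals=APPROVALS, today=TODAY):
    """Run the whole check and return the classified findings."""
    return classify(diff_snapshots(baseline, current), approvals, today)


if __name__ == "__main__":
    for f in drift_report():
        print(f"{f.status:12} {f.category}/{f.key}: {f.old} -> {f.new} {f.ticket or ''}")
```

The same loop runs unchanged over a fleet of assets by keying baselines per host; the expired-ticket case is the one that a naive "was this ever approved?" check would wrongly silence.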

Security in Utilities Organization

This is an area where we have not seen as much progress as we would like. Today, the individual responsible for security in a utility is no higher up in the organization than 16 years ago. The role of a CSO in Internet companies such as Microsoft, Amazon, Google, and Facebook sits much higher in the organizational hierarchy and possesses greater influence than in critical infrastructure companies. While we have seen a few companies in which a dedicated CISO reports directly into the CEO’s inner circle, they number fewer than a dozen.

This represents a major impediment because of a lack of visibility. That is, without high-level visibility, it becomes much more difficult to obtain the resources required to significantly improve the security posture. Furthermore, without high-level visibility it is very hard to apply the leverage necessary to break the IT-OT barriers.

We are also seeing a lot of turnover in security staff. We understand that this is largely attributable to the burden of multiple security tools and to the comparatively weak security organization, both discussed earlier.

Concluding Recommendation

In keeping with their stated mission of formulating and advocating policies based on limited government, The Heritage Foundation proposes rethinking the oversight of critical infrastructure cybersecurity with a shift in focus to industry itself and state power commissions, in contrast to the current international oversight program. However, they then admit that utility industry security experts, the “boots on the ground” if you will, state that utility operations are more secure now than they would have been in the absence of NERC CIP. They also realize that the cyber security technical acumen at the state level is nowhere near what it should be to provide effective oversight.

Based on what we have seen working with utilities over the last 14 years, we do not recommend diverting focus now and throwing away all the progress made. Doing so would result in a “let up” in cyber security vigilance and a weakening of the overall critical infrastructure security posture at a time when the threats are growing ever more numerous and sophisticated.

We would, however, recommend some important adjustments that can be summarized as spending smarter by investing in security solutions that:

  • Recognize that operations are key, are respectful of operations, and merge well with operations.
  • Are aware of the entire operations architecture, its policies and compliance requirements.
  • Focus on change management and automation.

Returning to the original question, our overall recommendation for the utility industry is unequivocal: “Stay the course! Don’t give up the CIP!”[1]


[1] With apologies to Captain James Lawrence, USS Chesapeake, 1813.


This is a post in a series of blogs about adapting Continuous Delivery concepts and tools to Industrial Control Systems environments.

Virtualization has come of age during the last decade and has begun pervading nearly every aspect of computing... Most notably, cloud computing is the largest example of virtualization’s success.

How virtualization affects your systems

As with any ICS environment, your systems are often defined and controlled by what your ICS vendor(s) allow to be done with their software. Many leading ICS vendors have adopted the ability to use virtualization in the past few years. Some implementations and adaptations of use are more restrictive than others, but in general you have the opportunity to virtualize some of the non-operationally critical assets in your environment, as well as assets whose data storage requirements surpass a physical server’s capacity – namely quality assurance systems, development systems and historical repositories.

How you can leverage virtualization

The most obvious and straightforward application of virtualization in ICS environments is hardware virtualization. Hardware virtualization provides the ability to have virtualized instances of engineering workstations, non-operationally critical application servers, and servers that support administrative functions (e.g. file and print servers). It also allows you to have many more redundant assets, which can be used as hot or cold spares for interaction with your environment and process.

A second and very beneficial use of virtualization is in the creation and maintenance of development and test environments for your production systems. Virtualization alleviates much of the hardware overhead that would normally be associated with creating a representative test environment. When you have the ability to freely engineer changes through the use of virtualization, you can leverage your change management and orchestration tools easily and quickly.

As a bonus, gaining the freedom to operate, test, and experiment in a safe environment will lead your teams and organizations to become more confident in the overall operation of your systems. This ultimately leads to increased reliability and confidence in your environment. Maybe the most important benefit is faster recovery during those times of failure as a result of the increased confidence and knowledge of your systems.

Lastly, having the ability to leverage virtualization begins to give your organization the capability to have a “do over” button. Snapshot and revert functions present in virtualization products give you the ability to verify your processes and procedures on your quality assurance and development sandbox environment and turn back the clock on a mistake or bad configuration change without the high overhead of re-installing a system on a bare metal machine, thereby providing your organization a true ROI.

What you need to watch out for

This is not to say that virtualization is for every aspect of the ICS environment. Traditional vendors have invested in their solutions to minimize the impact of any single contingency. Redundancy and high availability are built in to their front-end processors, ICCP servers, SCADA servers and application servers. That same technology is leveraged for backup control centers, and in disaster scenarios the customer can always rely on the vendor to rebuild the system from the code repository secured at the vendor’s facility.

But virtualization does address the cost pressures that all companies feel, and it does provide customers with a low-cost alternative for sandbox environments, which regulatory bodies now require for testing and QA purposes.

The use of virtualization is undoubtedly highly vendor-specific. Vendor use and allowance of virtualization often dictate which parts of your system or assets you are allowed to virtualize, as well as which pieces of their software, configuration, or system use are permitted.


Today FERC voted to approve, and subsequently implement, the new NERC CIP version 5 reliability standards for electric utilities in North America. Under the nine-calendar-quarters rule, implementation of CIP v5 will fall sometime in April 2016. However, the most important part of these standards has nothing to do with the standards themselves (we’ll get to those in a minute) but with the shift in mindset behind them:

  1. Version 5 starts to move from managing compliance risk to managing security risk. In their opinion, too often these days people fear the auditor instead of the attacker.
  2. It seeks continuous improvement instead of a zero-defect mentality.


CIP version 5 introduces two new reliability standards: CIP-010: Configuration Change Management & Vulnerability Assessments, and CIP-011: Information Protection. Neither standard is net-new; instead, both new CIPs take requirements from existing CIPs and move them to their own specific designations to strengthen the overall requirements. The fact that configuration change management has been called out as its own specific standard is indicative of the criticality of this requirement as part of enhancing an overall security program.

Industrial Defender’s ASM perfectly aligns in assisting companies subjected to regulatory standards, such as NERC CIP V5, in enhancing security programs and posture, while driving operational efficiency and minimizing organizational overhead required to support evolving regulatory compliance burdens.


NIST released a preliminary cyber security framework for review this week. While this is one more framework for Industrial Control Systems (ICS) professionals to follow, NIST did a good job of mapping the framework and its “controls” to other standards such as NIST SP 800-53, IEC 27001, ISA 99, COBIT and others.

What can ICS professionals do? The key for ICS professionals, especially utility operators, is this: practicing the basic tenets of a change management program (asset management, policy management, event management) will help you navigate any new framework with relative ease, including this new NIST cyber security framework.

This blog explains how you can navigate the framework using basic change management techniques.

Introduction to the Framework

The NIST framework is organized into three sections: Core, Profile and Implementation Tiers. The main section of the framework is the Core. It has five functions: Identify, Protect, Detect, Respond and Recover, with half a dozen or so categories under each function. The Framework Profile and Implementation Tiers provide guidance on establishing and implementing the framework.

Let’s explore the basic components of change management and show the mappings between change management and the NIST framework.

Change Management

First, the basic components of change management are:

  1. Asset Management: Maintain an asset inventory; know the basic information about each asset (asset type, OS, hardware installed), its location, and who owns it.
  2. Event Management: Monitor and manage the security, operations and application events from the asset.
  3. Baseline Management: Create and maintain known-good baselines for each asset and for each facet of the asset (software, patches, users etc.), and manage deviations of the asset from the baseline.
  4. Policy Management: Maintain, execute and manage the policies, and manage the corresponding deviations of the asset from the policy.


Let’s examine these four basic components of change management that can help you with the NIST framework.

Asset Management

Asset management is the foundation of a solid change management program, and of the NIST framework. Asset Management is the first category under Identify, the first of the five functions identified in the document (Identify, Protect, Detect, Respond and Recover). The NIST framework addresses the basic functions of asset management, such as asset inventory and software and hardware inventory, which are the basic aspects of change management as well. However, it goes beyond the technology of asset management into the communications and workflows of asset management.

Event Management

Event management means monitoring and managing the security, operations and application events from the asset. Event management grabs the lion’s share of the NIST framework. Core functions of event management such as monitoring, management, archival, and correlation will help directly with the NIST framework. Specifically, event management will help with the following categories in the NIST framework: Continuous Monitoring, Detection Processes, Analysis, Improvements and Access Control.

Baseline Management

Baseline management is one of the primary functions in a change management program. It is about creating and maintaining known-good baselines for each asset and for each facet of the asset (software, patches, users etc.), and about managing deviations of the asset from the baseline. The NIST framework has specific requirements around asset baseline management in the Information Protection and Processes categories. The NIST framework goes beyond the asset baseline that NERC CIP dictates with a systems-level idea: a “baseline for OT systems”.
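The baseline-and-deviation idea described above (and in item 3 of the change management list) is easy to make concrete. The following is an added example, not code from the original post or from Industrial Defender: it compares a constructed per-asset snapshot against a constructed known-good baseline, facet by facet, and classifies each deviation as added, removed or changed. Asset names, package names and patch identifiers are invented placeholders.

```python
"""Baseline deviation check across the facets the post names: software, patches, users."""
from dataclasses import dataclass

# Facets tracked per asset (CIP-010 additionally lists open ports and firmware; omitted here).
FACETS = ("software", "patches", "users")


@dataclass
class Deviation:
    asset: str
    facet: str
    kind: str    # "added", "removed" or "changed"
    item: str
    detail: str  # version / group / patch state involved


def compare_facet(asset, facet, baseline, current):
    """baseline and current map item name -> attribute (version, group, patch state)."""
    devs = []
    for item in sorted(set(baseline) - set(current)):
        devs.append(Deviation(asset, facet, "removed", item, str(baseline[item])))
    for item in sorted(set(current) - set(baseline)):
        devs.append(Deviation(asset, facet, "added", item, str(current[item])))
    for item in sorted(set(baseline) & set(current)):
        if baseline[item] != current[item]:
            devs.append(Deviation(asset, facet, "changed", item, f"{baseline[item]} -> {current[item]}"))
    return devs


def check_asset(asset, baseline, current):
    """Every deviation is either an unauthorized change or an approved change the baseline must absorb."""
    devs = []
    for facet in FACETS:
        devs.extend(compare_facet(asset, facet, baseline.get(facet, {}), current.get(facet, {})))
    return devs


def summarize(devs):
    """Count deviations per facet, e.g. for a compliance report or dashboard."""
    counts = {facet: 0 for facet in FACETS}
    for d in devs:
        counts[d.facet] += 1
    return counts


# Constructed sample data: a known-good baseline for a SCADA server and a later scan of the same host.
BASELINE = {
    "software": {"scada-hmi": "7.2.1", "openssh": "6.6p1"},
    "patches": {"patch-A": "installed"},
    "users": {"opsadmin": "Administrators", "svc_hist": "Users"},
}
CURRENT = {
    "software": {"scada-hmi": "7.2.1", "openssh": "6.6p1", "unapproved-tool": "1.0"},
    "patches": {"patch-A": "installed", "patch-B": "installed"},
    "users": {"opsadmin": "Administrators", "svc_hist": "Administrators"},  # privilege change
}

if __name__ == "__main__":
    for d in check_asset("scada-srv-01", BASELINE, CURRENT):
        print(f"{d.asset} [{d.facet}] {d.kind}: {d.item} ({d.detail})")
```

The three findings the sample produces (new software, an unrecorded patch, a service account promoted to Administrators) are exactly the kinds of changes a CIP-010 baseline review must either reject or record as approved.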

Policy Management

Policy management means incorporating best practices (such as those from OWASP) and vulnerability notifications (such as those from ICS-CERT) and evaluating the actual state of the asset base against them. This will help with the following categories in the NIST framework: Governance, Risk Assessment, Risk Management.

Operations

Though operations is not one of the primary functions of a change management program, it is on the minds of all ICS professionals. It is about monitoring and proactively managing the health and welfare of assets. It includes functions like monitoring the resources on the asset as well as monitoring and managing backup and disaster recovery procedures. NIST’s framework gives a lot of importance to operations. The following categories are covered in the NIST framework for operations: Recovery Planning, Information Practices and Procedures (including Response Plans such as Business Continuity, Disaster Recovery, and Incident Handling Plans).

Summary

The NIST framework is a sound and complete framework for ICS security, but it is yet another framework to follow. ICS professionals who practice the basic change management components are able to navigate the framework and other standards with greater ease. On a side note, NIST puts special emphasis on analytics. With the Industrial Control Systems industry and Smart Grid, big data and analytics will be much on the minds of ICS professionals for the operations piece of the environment. The NIST framework talks about “attack patterns” on “large scale systems”; creating a baseline and monitoring for deviations from it will help find the “needle in a haystack” of system logs.
