ICS Cyber Convergence

Advanced Persistent Threat (APT), as a term, is perhaps over-used in cybersecurity. Like the Boogie-Man that strikes fear into the minds and hearts of children at night, APTs work just as hard to ensure that CISOs and CIOs never rest easily. But just like the Boogie-Man, the trick to not being afraid of APTs is to understand them. Unfortunately, understanding APTs isn’t as simple as a bedtime story.

The first signs of APTs came from targeted, socially engineered emails dropping Trojans designed for exfiltration of sensitive information. They were identified by UK and US CIRT organizations in 2005. Although the name "APT" was not used, the attackers met the criteria that define an APT. The term "advanced persistent threat" is cited as originating from the Air Force in 2006 with Colonel Greg Rattray.

Another complexity in understanding APTs is their definition and identifiable characteristics. The internet is filled with different definitions and varying character traits that can often make this step confusing and ambiguous. One popular definition of an APT found on the Internet sums it up nicely:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltration of information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” –National Institute of Standards and Technology

Within the computer security community, and increasingly within the media, the term is almost always used in reference to a long-term pattern of sophisticated hacking attacks aimed at governments, companies and political activists. The use of the term APT seems to be growing with the rising number of APT-related attacks; a PC World story from a couple of years ago noted an 81 percent increase in APT attacks from 2010 to 2011.

In a book released a couple of years ago called Reverse Deception: Organized Cyber Threat Counter-Exploitation, the authors define the following APT criteria:

  • Objectives – The end goal of the threat, your adversary
  • Timeliness – The time spent probing and accessing your system 
  • Resources – The level of knowledge and tools used in the event (skills and methods will weigh on this point) 
  • Risk tolerance – The extent the threat will go to remain undetected 
  • Skills and methods – The tools and techniques used throughout the event 
  • Actions – The precise actions of a threat or numerous threats 
  • Attack origination points – The number of points where the event originated
  • Numbers involved in the attack – How many internal and external systems were involved in the event, and how many people's systems have different influence/importance weights
  • Knowledge source – The ability to discern any information regarding any of the specific threats through online information gathering (you might be surprised by what you can find by being a little proactive)

Even though Advanced Persistent Threats play a strong role in cybersecurity planning, especially for large organizations, a lot of the fear and feeling of uncertainty about them can be eliminated by a simple understanding of what they are and what their pattern of attack typically looks like. Although the solution to removing the fear is never as simple as checking your closet, or server, at night before leaving, understanding the threat and partnering with an organization like Lockheed Martin can make your networks more secure.


Each year, the Internet of Things (IoT) makes strides towards transforming industries. IoT, sometimes known as the Internet of Everything (IoE), refers to physical devices that are placed on the Internet by installing wireless sensors on them. You see a lot of IoT in the consumer world, most commonly in home devices such as alarm systems, thermostats and electrical sockets that control lights remotely. Most of these devices are accessed by apps on your mobile device.

Within the last couple of years, IoT has slowly started to enter other markets. Sectors like healthcare and manufacturing are quickly learning about its potential value, particularly when combining IoT with business process management (BPM) programs. At face value, the benefits of this integration seem limitless. Real-time data analytics, immediate social and mobile capabilities for otherwise static and often hard-to-reach devices, and the ability to pair business-facing operations like inventory control and automated supply-chain capabilities with real-time consumer demand create a list of desired capabilities that is almost too appealing for any C-level executive to resist.

But how safe are these devices? What can your organization do to protect itself from the danger associated with IoT? In past blogs you’ve heard us talk about the potential challenges of integrating Information Technology and Operational Technology. In many ways, this is very similar. On one hand you have a physical device, like an alarm system, which was built to interface with a live person, and therefore the device was designed from the ground up with accessibility as its core, data integrity as its next most important component, and confidentiality of data as the third priority. By integrating a sensor for wireless access, you’re now effectively opening the door to hackers by providing remote accessibility to a device that was not built primarily to protect the confidentiality of its data.

According to Earl Perkins, research vice president at Gartner,

“The power of an Internet of Things device to change the state of environments and of itself will cause chief information security officers (CISOs) to redefine the scope of their security efforts beyond present responsibilities. IoT security needs will be driven by specific business use cases that are resistant to categorization, compelling CISOs to prioritize initial implementations of IoT scenarios by tactical risk. The requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security.” – Gartner

The Gartner article goes on to predict that by 2020 the installed base of "things" that make up IoT, excluding PCs, tablets and smartphones, will grow to 26 billion. That’s a huge leap from the estimated 0.9 billion units in 2009.

Despite the prospective issues associated with IoT from a security standpoint, there are two major steps that your organization can take to mitigate the cyber threat of the technology.

1. Map and know your environment

One of the dangers with IoT is that these devices will proliferate on networks to a great degree, which will make it difficult for organizations to keep track of them, even as they take on increasing responsibilities. Once you lose track of how many you have, you have an issue. This is a similar problem with IT and OT integration, especially within the utilities industry, because organizations lose track of how many IT-OT enabled devices they have and spend a lot of time just mapping their environment and trying to catch up. Industrial Defender not only offers the capability for your organization to better map these technologies, but also provides a snapshot from a centralized dashboard and portal. You can't fix what you don't know about, so this mapping is a vital first step, as well as an ongoing one, before anything else can be accomplished.

2. Assess and plug vulnerabilities

Once your environment is mapped, assessing which IoT devices are specifically dangerous and building an approach to plugging their vulnerabilities can go a long way in defending against potential future attacks.

IoT is here to stay, and its implications for businesses and CISOs, both good and bad, are still being determined. What is known, however, is that by mapping, assessing and addressing known vulnerabilities, you can go a long way toward protecting your network.


The “consumerization” of business technology is a relatively recent trend that continues to pick up speed. Defined as the introduction of consumer technology within the corporate environment for use in work activities, the consumerization of business technology is best reflected in policies such as Bring Your Own Device (BYOD), which have become prevalent in most corporate environments.

As this trend continues to grow, the need to plan for and deal with BYOD at the level of Chief Information Security Officer (CISO) and even Chief Information Officer (CIO) has been augmented to include home or personalized applications. Now, Bring Your Own Application (BYOA) is becoming a focal point in the IT security planning of many organizations.

These trends are natural. In many ways, our place of work is much like our home. We personalize our office spaces and socialize with our colleagues, and in recent years the corporate infrastructure has been changing to reflect this consumerization. BYOD and BYOA have become natural parts of the consumerization ecosystem, from the introduction of social media within organizations to improve collaboration to the migration toward cloud for business services—including an emphasis on accessible and consumer-like product and service tracking.

At the end of the day, all of these services and all of this consumer integration are focused around one greater need—the ability to provide end-users with mobility. Tech-agnostic computing, or the ability to work from any device at any time, is here today and not going away any time soon. So how should organizations react?

If your company is going to permit BYOD and BYOA, and allow teams of employees to integrate their own personal applications with corporate data, it becomes important to set expectations, produce procedures and rules, and explain those policies and regulations to your employees. This approach to protecting your enterprise must start with answering some basic questions:

  • How do we detect when people are conducting nefarious activities?
  • Do we have the proper monitoring currently on our network?
  • Do I have the controls in place?
  • Do my employees have proper authentication and application protection around BYOD?

These questions are important to answer before addressing the Mobile Device Management policies of your organization. Whether you have smartphones, tablets, or laptops in the workplace, you need an organized approach toward deploying, securing, monitoring, integrating and managing these mobile devices.

It’s also critical to answer these and other questions when addressing information management policies around the use and protection of intellectual property. This includes examining application security and control.

When these policies and procedures are established, it then becomes important to address user and device authentication. At this point, you begin to ask additional questions: How will a user authenticate on premise versus remotely? Can we track when they’re local versus remote? How will mobility impact the security?

Finally, data loss prevention becomes a crucial element in determining if sensitive data is on a mobile device. Once that capability is determined, you can begin to explore how to continue to protect it.

Mobility and the disruptive technologies fueling this trend, such as BYOD and BYOA, can be daunting from a CISO and CIO level. We know it’s here to stay. We also know that new mobile technologies continue to proliferate at alarming rates. Answering these seemingly basic “block and tackle” questions first can give your company a solid footing that will enable you to weather any BYOD or mobility-related storm.


SANS European ICS Security Summit: Field Report

“Don’t even think about ICS cyber security if you don’t first know what assets and software you have running in the ICS. You can’t start to assess your risk if you don’t know what you have running.”
– Ralph Langner, SANS EMEA ICS Summit

There’s an intensifying sense of urgency to protect critical infrastructure from cyber threats perpetrated by an accumulating cast of threat actors amid percolating geopolitical crises. While SANS is known for training security professionals in both IT and OT security, their summits tend to attract thought leaders rather than practitioners, and this year’s European SANS ICS Security Summit was no exception. Hosted by Mike Assante with a speaker lineup that included leaders from CERT-EU, ENCS, ABB, Rockwell, Siemens, as well as leading experts such as Ralph Langner and Jonathan Pollett – to name a few – there was no shortage of experts taking the podium.

What struck me was the common thread topic focused on the need for asset and configuration management as a starting point for handling the realities and difficulties of managing risks to control environments. As Europeans seriously consider how to practically manage the complexity and interconnectivity of a mishmash of both antiquated and modern operational systems technologies, one thing is obvious: you can’t protect anything until you know what you have in your environments. Ralph Langner (famed Stuxnet analyst @langnergroup) said it best, “Don’t even try risk management until you have asset management.”

He was preaching to the choir. The Lockheed Martin Industrial Defender Solutions team has come to that same conclusion and what’s more – we’ve developed a solution to meet the niche needs of ICS cyber asset management. It was all I could do to not jump out of my seat and say, “Yes, we know that too and we’ve built something to help!” Needless to say, that would have gotten me ejected by the fine folks at SANS who don’t want to subject their summits to over-zealous ICS security marketers.

Bottom line – if you want to track asset inventory, asset configuration details and asset baseline configuration changes – and you do – consider Industrial Defender ASM for automated data collection and searchable asset detail functionality that keeps asset info always current. See it for yourself!

The demo below takes less than 2 minutes, and it just might help you with automating the first step in an improved approach to ICS cyber security.


SANS Top 20 Critical Controls adapted for the unique needs of industrial control systems

The US State Department, in conjunction with the SANS Institute, has previously demonstrated more than a 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Critical Controls.

Find out what this means for your unique control systems environment.


One of the most common terms in any large organization is Risk Management. Risk Management has grown from a vertical role shared by multiple organizational executives into a separate horizontal practice to which professionals can often dedicate entire careers. But what exactly is Risk Management? What is IT Risk Management? What is a Risk Management Framework? And why is it a vital component of an effective cyber security platform? For me, Risk Management is a rigorous business discipline that, if applied and communicated correctly, can ensure a business continues to achieve a strategy for profitable growth. It’s also the language of executives, and one that cyber security executives should be extremely well versed in.

Originating as a business discipline, risk management is the process of understanding what could possibly impact your company in a negative way, and having an action plan for each possible threat. Risk Management is about mapping and understanding the likelihood of these financial threats to your organization in a manner that looks at probability and severity.

The purpose of Risk Management is two-fold: be prepared for the worst, and help leaders make better-informed decisions. IT Risk Management is a subset of an enterprise-wide risk management strategy. Like the business, IT can’t always prevent bad things from happening. Servers will fail, attacks will persist and some will eventually succeed. Therefore, it’s important to forecast uncertainty, map threats, and create countermeasures to potential threats as they pertain to the use of technology within an enterprise.

Part of this Risk Management approach toward IT is the combination of information security policies and activities with risk management principles. The result is a lifecycle known as an IT Risk Management Framework.

Seemingly every corporation has its own approach towards IT risk management. However, all IT Risk Management Frameworks share some basic traits. For example, IT Risk Management Frameworks tend to be a step-by-step process, or workflow, focused on:

  • Identifying threats
  • Mapping the severity and probability of each threat
  • Determining the impact of each threat
  • Implementing control recommendations

(Figure: IT risk management workflow)

Following even a basic framework like the one just described brings several major benefits to IT cyber security, such as:

  • Documentation – IT Risk Management Frameworks encourage organizations to document and maintain a centralized view of threats and actions.
  • Structure – These frameworks augment incident response services to provide a bigger-picture perspective of organizational cyber health and security.
  • Gap discovery – These frameworks help organizations find and close, or monitor, vulnerabilities within their networks and structure.
  • Collaboration – IT Risk Management Frameworks are models that organizations can share to provide better security for the company as a whole. For example, Lockheed Martin’s Office of Counterintelligence Operations works to identify adversaries attempting to gather information about Lockheed Martin programs. It does so by gathering information about our Corporation, our personnel, and/or our customers, and uses mitigation strategies to deal effectively with these threats. But success means collaborating with corporate security teams, counterintelligence leads and other functional organizations. This collaboration is made possible in large part through a common approach or framework towards risk management.

Risk is a natural part of business and information technology. The key is to manage cyber security risks in an effective way. If performed successfully, cyber security executives can leverage the risk management toolset to communicate clearly with their executive teams and, more importantly, secure funding for important security programs.
