I read over the New South Wales (Australia) cyber security audit. I liked the fact that the audit is publicly available. I liked the fact that it included a close look at the industrial control systems of Sydney Water Corporation (SWC). This helps the average citizen understand where security improvements might need to be made.

I thought the auditors made some concise observations that could well be applied to a number of critical infrastructure operators:

• SWC has an established Information Security Management System (ISMS), but it only covers the corporate data centre and not the engineering systems.

Comment: So the systems that control the service that the corporation exists to provide are not covered by the security management system?

Comment: Ahh, no one has decided how to secure the SCADA. And the strategy they have is so high level that it does not reflect proven threat vectors.

Comment: One password… forever…. for your SCADAs. Because you don’t want passwords getting in the way of the engineers doing their job. (but what about former employees?)

• SWC indicated that an assessment is conducted for every SCADA related alert from national computer emergency response team (CERT Australia), with emails received on a regular basis by several managers whose job it is to assess impacts. However the assessment process was not defined and the analysis documentation that was provided to support this assertion was limited to a minority of the security advisories released by the US Government.

Comment: At least they say they are looking at vulnerabilities, right?

Those may sound easy enough, but the truth is that they require a change in mentality reaching from corporate management to operations engineers. Will they do it?

And what about your water provider?

I heard some surprising and insightful conversation from a pair of young schoolchildren the other day.

Joedamadman: Thomas School Bus

They were chatting about riding the bus to school. One of them said, “I don’t understand why the bus driver is the only one who gets a seat belt.”

“Yeah”, came the response, “and he’s the oldest one!”

Although they couldn’t tell you so, these two students were already grasping some important concepts about safety, security and risk.

1. They honed in on the purpose of the school bus — to get *the students* to school safely (rather than the driver).
2. They did a comparison of useful remaining life — reasoning that it makes more sense to worry about the children, because they have longer to live than the bus driver.

Those same thoughts have a nice analogy to ICS security.

1. Whether your business is generating electricity or making cookies, your most important computing assets are those controlling the industrial process — it’s the production network that is making you money! You should not ignore its safety and security while only investing in protection for the “enterprise side”.
2. Withe a limited budget you’re going to have to choose where to dedicate the most resources. There may be significant challenges with securing older plants. If you are going to build a new facility it is your chance to invest in a lifetime of a more-secure, more-safe control system. Focus your security efforts and budget where they will serve you the longest.

I came across what I thought was an interesting concept: the Cyber Attack Automated Unconventional Sensor Environment (CAUSE) program from IARPA.

The briefing provided by IARPA to entities who may propose solutions is fascinating.

In short, the idea is to get beyond the *reactive* nature of indicators of compromise (IOCs). While I am a proponent of information sharing, I am well aware that IOCs are a treadmill game much of the time. I don’t think IOCs are useless, but I generally view them the same way I view antivirus signatures.

IARPA wants to progress towards an *automated* and *predictive* approach that combines a wide variety of information (about industries, markets, geopolitics, etc.) with cyber security indicators.

According to the slide deck, IARPA has a whole plan set up to *measure* the effectiveness of each proposed solution. The measurements will even include a “ground truth” component theoretically allowing IARPA to compare warnings generated with actual events.

Lots of good thoughts in this one. Will it work? At least they have a plan to find out.

Owners and operators of critical infrastructure might benefit from re-examining their own use of cyber intelligence and how they plan to move beyond the reactive IOC treadmill.

Brian Contos on the Norse security blog offered “Five Reasons ICS-SCADA Security is Fragile“. I especially liked seeing a blog sponsored by a threat intelligence company include a brief discussion of “zones” — an OT security concept unfamiliar to many IT security practitioners.

The post prompted me to ask, “If ICS security is so fragile, then why are known incidents so infrequent?” and “Why aren’t bad things happening to our infrastructure every day?”

I am not the first to ask these questions. And, while I don’t pretend to have all the answers, I’m offering an alternative to Mr. Contos’ perspective.

Five reasons ICS fragility hasn’t mattered — yet.

1. Product is still being produced. At the end of the day, some process outages are tolerated. Until we have a spike in these outages which we can positively trace to cyber attacks, from a business perspective there isn’t much reason to be concerned.

2. Ignorance is bliss. You can’t catch what you can’t observe. Just don’t install any security sensors on your ICS networks, and you are good to go!

3. The “air gaps” separating IT and OT networks at large ICS installations do provide some security. OK, I’m playing devil’s advocate to the customary “air gaps don’t exist”; but look, some gap, some segmentation, is better than none. Very few, if any, large ICS installations are connected directly to the Internet.

4. Process engineering can defeat cyber attacks. I’m not implying that ICS are built to stop intentional attacks, but where dangerous conditions can occur, physical-world engineering helps avoid those conditions.

5. Successful attacks against ICS for specific, premeditated, physical consequence requires cross-domain expertise. Your average script kiddie might brick your Modicon PLC using the Modbus function code for firmware upload, but he probably can’t predict what that will do to the process relying on that PLC.

I read DNI Clappert’s assessment of the cyber threat, as briefed to the Senate Armed Services Committee.

I was pleased to see this statement (on page 1):