Warning Intelligence and Critical Infrastructure

If you are a security professional looking for a fantastic read… something foundational that you might have overlooked, I suggest Cynthia Grabo’s “Anticipating Surprise: Analysis for Strategic Warning”


Grabo wrote the book in the early 1970s, but it remained classified until 2002. There are some fantastic concepts that help the security professional get out of the techno-centric run-the-software mindset and into a “think ahead” approach. (It is amusing that I am saying it’s useful to look back in time in order to alter perspective for effectively moving ahead.)

Here’s a great quote:

The philosophy behind indicator lists is that [an adversary] in preparation for [an attack] will or may undertake certain [activities], and that it is useful for analysts and collectors to determine in advance what these are or might be, and to identify them as specifically as possible.

At the risk of oversimplification, this means that if you are defending critical infrastructure, you would think through what an adversary may attack, how that attack might come, and which preparatory activities you could observe before it lands, getting into the specifics.

For example:

What facilities are the most important (to you, to the country, to specific customers)? What equipment is used at those facilities? How is that equipment connected to a network? Who has access to that equipment? What known vulnerabilities affect that equipment? And so forth. Each answer narrows the indicator list: it tells you what to collect and what in that collection would signal that an adversary’s preparation has begun.

In my experience, few defenders are systematically thinking in this way… have a read.

Warning Intelligence and negligence

I thought this was pretty big news:

“Judge rules that banks can sue Target for 2013 credit card hack”


Here’s the key quote from the actual decision:

Plaintiffs have plausibly alleged that Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered. And Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible. Imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.

I was particularly interested in the “failing to heed the warning signs” part. As an intelligence professional, I have always found wisdom in the statement “willing ignorance is negligence”. Now we have a case where, in the cyber world, that may ultimately ring true.

Pointing to possible implications for critical infrastructure, we might consider Internet-connected ICS, including engineering laptops with access to web and email. We have numerous documented cases where these configurations have led to compromise: Havex, delivered through trojanized vendor software downloads and phishing aimed at engineering workstations, and BlackEnergy, which targeted Internet-facing HMI products.

If one of these led to real physical damage, I imagine the lawsuits would fly (assuming of course that the “cyber” cause could be accurately ascertained).

After five years of warning about the problems of connectering-up yer HMI to the public Internexus, I don’t think there should be much excuse for getting your plant compromised by anyone who can run a freely-available exploit tool (let alone by someone trying an unchanged default password!).
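As an added example (not from the original post or from Grabo’s book), here is a small script that turns the questions above about facilities, equipment, connectivity and access, together with the two warning signs just mentioned (an HMI reachable from the public Internet, and an unchanged default password), into an indicator check run over log lines. The asset inventory, internal address ranges, port list, firewall log format and account-audit export are all constructed for illustration; they are assumptions, not any real product’s output.

```python
"""Warning-indicator check: answers to 'what matters, what runs there, how is
it reachable, who can log in' become concrete things to look for in logs.

Added example, not from the original post. Inventory, address plan, port
list and log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed site address plan; anything outside these ranges is treated as the
# public Internet. Replace with the real plant ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICS and remote-access services an adversary would probe first (assumed list).
ICS_PORTS = {502: "Modbus/TCP", 102: "Siemens S7comm", 44818: "EtherNet/IP",
             20000: "DNP3", 5900: "VNC"}

# Roles for which any path to the Internet is itself a warning sign.
OT_ROLES = {"HMI", "PLC", "engineering laptop"}

# Constructed inventory: host -> (facility, role, criticality 1..5).
INVENTORY = {
    "10.20.1.10": ("Substation A", "HMI", 5),
    "10.20.1.20": ("Substation A", "PLC", 5),
    "10.30.1.15": ("Pump house B", "engineering laptop", 3),
    "10.40.9.9":  ("Head office", "printer", 1),
}

# Constructed log: perimeter firewall decisions plus an account-audit export
# that records whether a vendor default credential is still in place.
SAMPLE_LOG = """\
fw ACCEPT src=203.0.113.7 dst=10.20.1.10 dport=502
fw ACCEPT src=10.20.1.30 dst=10.20.1.20 dport=502
fw ACCEPT src=10.30.1.15 dst=198.51.100.20 dport=443
fw ACCEPT src=10.40.9.9 dst=198.51.100.20 dport=443
fw DROP src=203.0.113.7 dst=10.20.1.20 dport=102
acct host=10.20.1.10 user=admin default=yes
acct host=10.30.1.15 user=eng default=no
"""

# How much each kind of sign matters relative to the asset's criticality.
WEIGHT = {"internet-reachable ICS service": 3,
          "default credential in use": 2,
          "OT asset reaching Internet": 2}


@dataclass(frozen=True)
class Indicator:
    host: str
    facility: str
    kind: str
    detail: str
    priority: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> tuple[str, dict]:
    """'fw ACCEPT src=a dst=b dport=502' -> ('fw', {'action': 'ACCEPT', 'src': 'a', ...})"""
    source, *tokens = line.split()
    fields = {}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["action"] = tok
    return source, fields


def make(host: str, kind: str, detail: str) -> Indicator:
    facility, _role, criticality = INVENTORY[host]
    return Indicator(host, facility, kind, detail, criticality * WEIGHT[kind])


def indicators_from_line(line: str) -> list[Indicator]:
    source, f = parse_line(line)
    found = []
    if source == "fw" and f.get("action") == "ACCEPT":
        src, dst, dport = f["src"], f["dst"], int(f["dport"])
        # Inbound: a public source reaching an ICS protocol on an inventoried host.
        if dst in INVENTORY and not is_internal(src) and dport in ICS_PORTS:
            found.append(make(dst, "internet-reachable ICS service",
                              f"{ICS_PORTS[dport]} from {src}"))
        # Outbound: an HMI, PLC or engineering laptop talking to the Internet.
        if src in INVENTORY and INVENTORY[src][1] in OT_ROLES and not is_internal(dst):
            found.append(make(src, "OT asset reaching Internet", f"to {dst}:{dport}"))
    elif source == "acct" and f.get("default") == "yes" and f.get("host") in INVENTORY:
        found.append(make(f["host"], "default credential in use", f"user {f['user']}"))
    return found


def build_warning_list(log_text: str) -> list[Indicator]:
    """Indicators ordered by priority (criticality x kind weight), highest first."""
    found = []
    for line in log_text.splitlines():
        if line.strip():
            found.extend(indicators_from_line(line))
    return sorted(found, key=lambda i: (-i.priority, i.host, i.kind))


if __name__ == "__main__":
    for ind in build_warning_list(SAMPLE_LOG):
        print(f"[{ind.priority:>2}] {ind.facility:<13} {ind.host:<12} {ind.kind}: {ind.detail}")
```

On the constructed log the Substation A HMI comes out on top twice, once for Modbus reachable from a public address and once for the untouched default account, ahead of the engineering laptop browsing the Internet; the printer doing the same is deliberately ignored because it is not an OT role. The scoring is crude on purpose: the point is that the questions in the indicator list map directly onto checks you can run every day, so “failing to heed the warning signs” becomes a measurable claim rather than a matter of opinion after the fact.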

As a final note, and a point I’ve made before, to what extent should taxpayers be subsidizing incident response when the victim “failed to heed the warning signs”?