ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems (SCADA).
The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.
This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS).The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.
SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.
Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.
The ENISA ICS guide tries to put together in one document, a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important as computer emergency response teams can forget that they are part of a system and the system is only as strong as the weakest link. It is important to remember that preparation for things going wrong involves identifying people, resources and stakeholders that will be required. Developing relationships with other organisations will always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.
It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.
A biological approach to organisational resilience
By a lapsed microbiologist
“Organisational resilience is only achievable through adaptability”
Too many leaders start believing their own press and thinking that they are able to predict the future. Whilst it is absolutely true that the best indicators of the future are the events of the past. It is also true that the past is not an absolute indicator of future events because our view of the past is limited by our record of it. Some events are so rare that they are not recorded, yet they may have extreme consequences if they occur. So if we cannot predict the future with certainty, how is longevity possible for organisations? The answer is resilience, and at the core of resilience is adaptability.
The lesson from biology is that adaptation to the environment that has allowed organisms to survive and thrive. However large and seemingly terrible an organism is, if it is not adapted to its environment it will become extinct. The vast majority of species that have ever existed are not around today.
The same is true for organisations.
The vast majority of organisations that have ever existed are not around today
In simple terms the story is the same for each failed organisation. They were unable to adapt to the business environment before they ran out of resources. Those that survive a crisis are able to do so for two reasons
1 They have the resources, capital personnel leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or
2 They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities. These companies still suffer from the crisis at first, but emerge stronger in the longer term.
By my reckoning, 99% of companies that manage to survive a crisis are in the first category. In most cases, those companies are then consigned to a slow death (My Space anyone?). Sometimes however, the first crisis weakens them, but they then become more resilient and bounce back to ride future crises.
This is an era of organisational accelerated extinction
What is more, the ‘extinction rate’ for companies is becoming faster as society and technology changes more rapidly.
I think we all understand that small businesses come and go, but this lesson is true for large organisations as well. Of the top 25 companies on the US Fortune 500 in 1961, only six remained there in 2011.
Research carried out on fortune 500 companies in the USA shows that the average rate of turnover of large organisations is accelerating. The turnover has reduced from around 35 years in 1965 to around 15 years in 1995.
If you think about how much the world has changed since 1995 when Facebook barely existed and Google just did search, you might agree with the idea that organisations that want to stick around need to adapt with the changing environment.
So give me the recipe!
Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as agility and the ability to recover quickly from an event and an awareness of their changing environment and the willingness to evolve with it amongst others. This is difficult for a number of reasons.
1 increasing connectedness – interdependencies leading to increasing brittleness of society/organisations – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
2 increasing speed of communication forces speedier decision making
3 increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision makers
4 biology – Organisations operate with an optimism bias. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
5 Organisational Inertia. The willingness to change organisational culture to adapt to a change in the environment.
Something about organisational culture and resilience
When discussing culture, resilience is more an organisational strategic management strategy, and less a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’. But both are focused on organisational culture.
Organisations, particularly large organisations, all have their own way of doing things. Organisational culture is built up because individuals within the organisation find reward in undertaking tasks in a certain way. This is the same whether we are talking about security culture or indeed financial practice. Organisational culture goes bad when the reward structure in the organisation encourages people to do things that are immoral or illegal.
Larger organisations have more inertia and so take longer to move from good to bad culture and vice versa. Generally most organisations that are larger than about 150 staff have a mix of cultures.
The more successful an organisation has been in the past, the more difficult (inertia) it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.
Maybe the Kodak company is the best example of this. An organisation that had been very successful for more than 100 years (1880 -2007), Kodak failed to make the transition to digital and to transition from film as fast as its competitors. The irony is that it was Kodak researchers who in the 1970s invented the first digital camera thus sewing the seeds for the company’s doom forty years later.
Where does my organisation start on the path
So what is the answer, how do we make sure that our organisations adapt faster than the environment that is changing more rapidly every time we look around? The only way is to begin to adapt to the changing environment before crises arise. This requires making decisions with less than 100% certainty and taking risk. The alternative is to attempt to change after a crisis arises, which historically carries higher risk for organisations.
It is a combination of many things –
developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
partnering with other organisations to increase their knowledge and reach when an event comes; and
Lastly engaging in the debate and learning about best practices
Are there two sorts of resilience?
But is resilience just one set of behaviours or a number. When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.
However there is another set of actions, which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.
Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.
How an organisation achieves this is the challenge that every management team needs to address if they want to achieve longevity.
If you wish to discuss any of the issues in this whitepaper, please contact us
 noting that the word dinosaur is directly translated as terrible lizard
Making strategic decisions about cyber security, or any sort of security needs to be done a the board level. It is difficult to get company boards to focus on strategic issues, despite the fact that this is what they are theoretically meant to do. Companies are busy places and there are always minute issues that take time from board meetings. In some companies, the culture is such that managers avoid their responsibility by sending decisions to the board, again robbing the board of valuable time.
The Centre for the Protection of National Infrastructure, a UK Government organisation, has released a short document aimed at helping security managers get cyber security onto the corporate agenda. CPNI makes the somewhat obvious point that getting buy-in from a company board is crucial to the successful outcome of a cyber security implementation project.
Although the CPNI paper doesn’t spell it out quite this way, the key is to show in a concise manner why security is of importance to them and the company they are responsible for. Generally the key issues fall into three categories.
Financial – the loss due to another entity (government, business, criminal) gaining commercially sensitive information. The effect of this can be short term where a negotiation is damaged or longer term where valuable intellectual property is lost.
Legal – many organisations are subject to regulatory requirements to protect information that they hold on behalf of clients, stakeholders and staff. In Australia, the Australian Privacy Principles come into force in March 2014. Most private sector organisations will be required to adhere to them. Financial and professional organisations have been required to meet similar requirements for a number of years.
Reputational – High profile privacy breaches have affected a number of large companies. Companies such as Sony, Heartland and RSA have suffered huge breaches which cost them millions of dollars to clean up and resulted in significant lost business. In some cases, they have resulted in tightened regulation which in turn increased the cost of doing business.
Things to remember
most if not all board members will not have a good understanding of the Internet or information security (Tech companies are the exception of course).
boards are generally made up of people who are very clever and need you to acknowledge it – presentations need to be logical but also require little subject specific knowledge.
If you are the expert, you need to have the answer when one board member starts talking about “his daughter’s computer” or the spam she “gets on the company email” that she doesn’t get at home – this is where a well briefed chair is important
the best briefings work when board members are given details of current, real world examples of similar companies’ misfortunes. You can bet that Microsoft looked very hard at the Sony hack at the board level and that CA examined the breach of RSA tokens carefully!
Sometimes an outside expert needs to be brought in to tell the board what the security cell already knows. It is a funny quirk of human nature that we sometimes don’t give enough respect to the people in our own organisation.
That’s where you can call on us to help you get your message across. We have experience talking to boards and senior executives from government, councils, banks and companies including those in the DISP.
In the digital world it is very easy to create data, very difficult to get rid of it
Like us all, government agencies are creating huge amounts of information. Lots of it is classified either to protect privacy or for national security. This is what should happen, classification is an important aspect of information security.
What is data classification?
It is the process of assigning a business impact level to a piece of data or a system. This then governs how many resources are directly devoted to their protection. By classifying documents and systems an organisation makes risk managed decisions on how information is protected.
Digital data wants to be free and it is expensive to ensure confidentiality if you also want to maintain data integrity and availability.
However over-classification of information can be as bad for an organisation as under classification. This is particularly true of large government organisations.
In addition, Government agencies tend to be risk averse places anyway – which on balance is a good thing!
So how could governments shift the classification balance, improve security and improve efficiency in agencies?
The problem is that the person who classifies data or systems does not have to pay for the cost of their actions in classifying. In fact, the individual avoids personal risk if a piece of data is over-classified. However their agency has to wear the added expense.
Gentle readers, we have a problem of incentive imbalance!
Suppose it costs $100 to store a Secret document for its lifetime and $10 to store an everyday unclassified document. If governments placed a nominal value on document creation relative to the whole of life costs, it might be possible to stem the tide of increasing amounts of classified data.
If under this scheme a government employee wishes to create a secret classified document, they would need to find $100 in their budget to do so. In this case the employee might consider producing an unclassified document or one that was slightly classified. I argue that this market based approach to declassification would have far more effect than more rules.
A plan for implementation
So how might the plan be implemented in the tight fiscal environment that government agencies currently face, even though it is likely to save money long term?
Survey government agencies to see how many classified pieces of data they produce each year by type. eg, there might be 500 top secret data pieces and 1000 secret.
Assign a dollar value to each document according to the level of protection it receives. This bit would require a bit of research or possibly a pilot scheme.
Based on the previous year’s classified information output, each agency is given a declassification budget. It might be considered that as this task was one that the agency should have been doing previously, that there is no requirement for central funding.
Require each agency to report the numbers of classified data produced.
Agencies that produced too many classified documents would need to pay the treasury a fine equivalent to the cost of storing the extra documents in archives.
Agencies that produced fewer pieces of data than the previous year would receive a windfall.
That’s it in a nutshell. As governments produce more data, they will need to store it. Balancing the incentives to overclassify and underclassify data will help ensure that information is properly protected.
I’d love to hear your ideas, please make a comment
I was asked to give a snapshot about what I thought the big risks for organisations were likely to be in the cyber world in 2013. Below are eight trends that I think are more likely than not to be important in the next twelve months.
1 Boards continue to struggle to consider cyber risks in a holistic manner
With the exception of technology based companies, most government and private sector boards lack directors with a good understanding of their cyber risks. However all organisations are becoming more dependent on electronic information and commerce. This brings with it both opportunities and threats which are not well understood by boards. Good risk management depends on the board setting the risk tolerance for the organisation. Risk and reward are two sides of the same coin.
Senior Management must create a culture where they acknowledge that cyber risk is evolving and encourage sharing of incident information with trusted partners in government, police, industry and with their service providers. Moreover, if boards see problems in sharing information, they should lobby governments to improve the conditions for sharing.
2 BYOD goes ballistic – deperimeterisation is forced upon organisations, even when they aren’t ready.
Many organisations are in denial about the threat that ‘bring your own device’ (BYOD) policies make them bear. Together BYOD and Cloud technologies will force deperimeterisation on organisations. The pressure will come from primarily within as their profit centres demand more connectivity to develop new and rapidly changing business relationships.
In the long-term, this is likely to be positive because it will drive down costs and increase flexibility for organisations. But only the resilient will survive the transition. Even resilient organisations will not go through this deperimeterisation unchanged. This process is likely to cause rude shocks for those organisations and their boards that are not prepared and do not invest prudently in technology and more importantly people to transition smoothly.
3 Attacks that intentionally destroy data
The other threat which may arise is where the attacker intentionally destroys data, usually after stealing it. This may be as an act of protest by an issue motivated group, the opposite of Wikileaks if you think of it. Or, it could be undertaken by organised crime against either government agencies or business. Attacks of this nature could cripple many organisations that do not have hot-backup, even then the question of data integrity comes into play. Boards will need to think carefully about the ‘three cornered stool’ of confidentiality, integrity and availability’ relative to their organisations.
Ransomware, where data is encrypted by an attacker to become inaccessible to the owner until a ransom is paid will increase. However, the problem is likely to remain primarily at the home user and SME level. This is less due to technical difficulties with the attacks and more because of the standard problem for such scams – how to extract money when the authorities have been alerted and are on the hunt. Technologies such as Bitcoin will find increasing use here.
4 More sophisticated attacks by organised crime and nation states.
Here’s an easy one. I am more certain of this prediction than any of the others. We are in a cyber arms race between the attackers and the defenders. The advantage currently lies with the attackers. Since the possibility of an international agreement to curb cyberattacks is negligible as per my cyber law of the sea post, I see no let up in 2013.
5 Privacy continues to increase as a concern for governments in most western countries
In Australia, the Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 in November, tightening the Commonwealth Privacy Act 1988, which applies to Commonwealth agencies and private sector organisations. A summary of the changes are here.
In the same month, the European Network and Information Security Agency (ENISA) published a report about the right to be forgotten. This report proposes a regulation that would allow a European citizen to have their personal data destroyed on request unless there were legitimate grounds for retention.
Large multinationals, like Facebook are going to continue to face scrutiny by privacy advocates and governments around the world about the data that they collect and mine. The new version of Microsoft Internet Explorer set a cat among the pigeons when it was shipped with the ‘do not track’ setting on by default. The Digital Advertising Alliance issued a statement that “Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice”.
It will be interesting to see who wins. Consumers have shown themselves to be willing to choose services which commercialise their information in return for real value. The key here is choice.
6 Failure by government to protect private sector organisations causes more of them to create CERTs
In a number of countries national Computer Emergency Response Teams have been created with much fanfare with the aim to share information between government and industry about the threats to the critical infrastructure. In general it hasn’t worked well. Western economies are dependent on infrastructure that is primarily in the hands of private enterprise, so all the players understand that neither government, nor industry can ‘solve cyber’ on their own. In a federal system like Australia or the US, the problem is exponentially harder.
At its heart, the problem is not technical, it is trust. Security and law enforcement have long come to the CERTs with their hands out asking for information, but unwilling to share what they knew about. Industry doesn’t trust government or their competitors. Meanwhile, the attackers make hay.
In a similar way to international negotiations, when multilateral agreements fail, bilateral ones can take their place (messily). Increasingly we are likely to see technology dependent organisations setting up their own CERTs and working at the technical level with like organisations, at the same time, bypassing central government CERTs and inward focussed intelligence organisations.
7 Organisations start to concern themselves more with cyber-dependencies
Organisations have long understood in the physical world that if their supply chain is attacked or degraded, then their ability to function is impeded. Without wheels from factory A, factory B can’t assemble cars. Therefore Factory B is keen to ensure that Factory A survives, but it’s also keen to make sure that the tyres from Factory A don’t cause car accidents. A company’s dependencies do not stop at their front door.
This principle needs to be extended actively into the cyber space. Most organisations do not develop all their technology in house. Vulnerabilities in hardware and software operated by their suppliers are of prime importance. Defence companies have long needed to take this account, but this thinking will expand to more parts of the economy.
8 Developing trusted identities continue to challenge governments and organisations
With deperimeterisation upon us, organisations must assume that attackers can enter their networks. Only through good identity and access management can an organisation potentially protect itself. My post, Trusted Identity – a primer took a longer look at this trend.
If an organisation has no perimeter, it becomes impossible to work out who should access what, if there is not a good identity system in place. Governments are realising the same. Essentially if they are to provide the services that their citizens want, then they have to have ways of identifying for certain what those citizens are entitled to.
In 2013, we will see some results from the US efforts (NSTIC) to pilot programs to develop trusted identities. Business is taking a big part in this, with leadership from the likes of Paypal.
In Australia, there are varying signals coming from the Commonwealth Government. E-Health is moving forward, albeit slowly, and so is online Service Delivery Reform which will also depend on identity at its core. There has not been much news of late about the Cyber white paper, which was due in the second half of 2012.