Padding Oracle On Downgraded Legacy Encryption (POODLE)
The poodle vulnerability has been around as an exploit since 2014.It led to an attack which led to completely disabling SSL 3.0 on the client and server-side to prevent hackers from making use of this man-in-the-middle attack. 2014 also brought us Heartbleed bug, BERserk, and FREAK exploits. That might seem like ancient history in cybersecurity. But history has a freaky way of repeating itself.
In 2016 the DROWN attack took advantage of support for SSLv2 protocol and exposed the weakness in more than 81,000 of the top 1 million most popular websites. As we get closer to 2017, the odds are increasing that the number of exploits will continue to rise.
Krebs is usually a good source of the most up to date info. But it remains a race, and I’m not always sure we’re winning. http://krebsonsecurity.com/
In the meantime, here’s some pictures of poodles to lighten the mood! This is Cleaver Black – destroyer of dragons (blue stuffed ones).
The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring
The US Government announced on 4 June that the private information of at least four million current and former government workers had been compromised.
The intrusion occurred in systems owned by the US Office of Personnel Management (OPM) which handles government security clearances. It was detected in April 2015, but in line with most other such intrusions, may have started in 2014.
The attack drew calls by politicians for legislation to strengthen the USA’s cyberdefences. The US blamed China for the breaches, though it is unclear how good their attribution information is.
The Boring but tremendously important bits
Reports from the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require anyone gaining access to information from the outside multifactor authentication. OPM also did not regularly scan for vulnerabilities in the system, and found that one third of computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization.”
Let’s be clear here, the answer for Cybersecurity in organisations is good housekeeping!
Assess the business impact levels for your systems
Scan your logs
There are more things like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate all but the most targeted intrusions. They are worth checking out. http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
The answer is not more power for intelligence and law enforcement
Let’s keep it simple
Assess the business impact levels for your systems
Scan your logs
If you have to call the guys/girls in dark suits from government agencies, you’ve lost the fight. Just like in the real world, if you have to call the cops, something’s really wrong with your security.
Attribution is so so hard in the cyber, you have to be very lucky and have deep pockets to go after the crims.
Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.
Where might government focus its resources?
Rather than spending money on dealing with hacked systems after they happen. Government would be far better off providing good advice, encouraging education of cyber professionals and encouraging software and hardware developers to manufacture secure code and systems.
Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.
I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.
Many Australian state and territory governments have created shared services functions for their ICT and human resources functions. The issue is that if the wrong people get access as they did in the US OPM, then they potentially have access to everything.
Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create honeypots for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff, the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.
It is a question as to whether decreasing the value of a system by decreasing its attractiveness ie by decentralising, can be used to affect business impact levels. However it certainly makes intuitive sense, in that you should be able to maintain the relative risk of a system by splitting it into multiple separate systems whilst giving the organisation its operating requirements in terms of integrity of system and availability – see everybody’s happy!
When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business impact levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis. The reason is that they take into account not only the confidentiality of information, but also its availability and accessibility. This allows the whole organisation to have a discussion about what they are willing to live with.
Human Resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in trying to do its job in managing clearances, which requires the information to have good availability against the traditional security argument, to lock things down.
Organisations need to fulfil their function, the confidentiality of information is always secondary to the primary mission in the minds of the executive.
Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.
The way to make the argument is to do so on the basis not of security, but finance.
Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.
Here’s a collection of links, which might be useful
How do organisations develop resilience in the complex environment that is the 21st century information centric world?
The lifeblood of the modern organisation is information. Every organisation, from small business to government department depends on information being passed to the right place at the right time.
Organisations and society are becoming more complex, but that doesn’t mean that they are more resilient. Complexity and resilience are more often enemies than friends!
Complex Organisations in the 21st Century
The opportunities posed by increased information flows are enormous,
Information is being gathered, stored and manipulated in larger quantities at higher speeds and analysed in more detail by organisations and society. They aim to to drive greater efficiencies and provide new and improved services. The information revolution allows organisations to become larger and more complex and to develop more complex systems and processes to support their organisational models.
The threats are also enormous
But the opportunity to become larger and therefore more complex often comes with a downside for organisational resilience and longevity. Complex systems are prone to catastrophic failure as small problems cascade and become enormous.
Information is damaging organisations when it is leaked or lost. Organisations are struggling to cope and governments are struggling to keep their own data secure. In other cases, too little information being passed to the places that need them. The organisational strategy is a delicate balancing act!
Survival and resilience
Why do organisations fail. Organisations are by definition self organising systems. However, when a self organising system loses the capacity to self organise – it is dead. Broadly, the story is similar for each one. The organisation was unable to adapt to the business environment before it ran out of resources. The end is often brought about by an acute event, but in many ways such an event is really just the ‘final straw that breaks the camel’s back’ .
However, in practice I think this may be too gentle. Taken over the longer term, organisations either live or die. There is no middle ground. Organisations that survive crises are able to do so for two reasons
They have the resources, capital personnel, leadership etc to manage themselves out of a crisis once it hits emerging weaker but alive; or
They are prepared to adapt if a crisis arises and have developed a broad set of principles which will work with minimal change in most eventualities.
It is this second group which are truly resilient and survive long term. They still suffer from crises, but emerge stronger over the long term as they adapt to their new environment.
ICT is a two edged sword in the quest for resilience
As organisations become more complex, they are relying more and more on information technology and systems to help them understand themselves and their environment. Organisations can become more efficient. However, most organisations do not have control of their ICT infrastructure and it is increasingly difficult to understand how information flows within an organisation. It is also important to realise that efficiency and resilience are not the same. In fact, some efficiency practices may increase organisational fragility
Are the tools that organisations are using to try to understand their own organisations becoming in themselves part of the problem?
Possibly, though it is more the issue of complexity. There are a number of other factors
Speed of change
The speed that societies are changing is accelerating as technology advances. This means that organisations need to be able to adapt faster in order to keep up.
Organisations are more interdependent than ever. It is a trend that will continue to increase. In fact, countries are also more interdependent than ever. During the Cold war, sanctions didn’t affect Russia nearly as much as they do now. This is positive from a global political perspective, no country can survive without others, not even the USA or China. It is even forcing Iran to make compromises. In some ways this trade interdependency may be an alternate for the Mutually Assured Destruction (MAD) that nuclear weapons threatened to the USA and Russia during the cold war.
However, interdependency inherently leads to complexity and that is not a characteristic of resilience. Most organisations are increasingly dependent on long supply chains for materials and services, meaning that failure at one end of the supply chain can be expensive or time-consuming. On the other hand, international supply chains are extremely reliable … until they aren’t.
Everyone’s your neighbour
Because everyone is connected. Organisations can get closer to their customers and suppliers via the Internet. At the same time criminals and competitors are able to get closer to their target organisations as well.
Some organisations have been struggling. Sony corporation is one of the most prominent, but it is by no means the only one.
Affecting organisational longevity?
The evidence seems to be showing that organisational longevity is being reduced by a number of factors. Not least the ones I’ve written about above.
This graph produced by Innosight plots the average company lifespan on the USA Standard and Poor’s company index from 1958 to 2012 and extrapolates this out to 2030.
US corporations in the S&P500 in 1958 remained in the index for an average of 61 years. By 1980, the average tenure of a similar organisation was 25 years. By 2011, that average had been cut to 18 years. In other words, the churn rate of companies has been accelerating over the last Century. On average, one S&P500 company is dropping off the index every two weeks! In total, 23 companies were removed from the S&P in 2011, either due to
declines in market value – eg Radio Shack’s stock no longer qualified in June 2011.
acquisition – eg National Semiconductor was bought by Texas Instruments in September 2011.
At the current churn rate, 75% of the S&P organisations that were there in 2011, will no longer be on the index in 2027.
The flaws in simple risk
Risk assessment loses specificity with complexity. That is, the larger, more complex the organisation, the less accurate the risk assessment can be. This is also true when we think about societal risks.
The sum of overall risk that an organisation has, is greater than its parts.
It is hubris to think that an organisation or society can know all its risks. There will be risks faced by an organisation that are either unknown, unquantifiable or both. Moreover:
The organisational environment continues to change rapidly. This means that risk owners ie company boards have less time for consideration and risk assessments need to adapt to the changing circumstances.
Perception bias is a significant problem. Gardner talks about bounded rationality in risk – suffice to say we downplay risk of things that we think we understand. Taleb talked in the Black Swan that people focus on the simple things they could understand.
In a complex organisation, people tend to focus on problems in parts of the organisation, rather than the organisation as a whole.
Different risk events
We see these issues playing out in different events that affect organisations, whether it is a
such as the
– Deepwater Horizon Oil Spill that may yet cause BP’s demise, but seems to have been caused by a failure in the relationship with its drilling contractor, Haliburton
– Target(USA) hack which saw tens of millions of credit cards stolen due to weaknesses in service provider security.
Or chronic failure
such as Kodak’s failure over decades to manage the transition to digital imaging, despite the fact that it’s own researchers had discovered the technologies in the 1970s.
A resilient approach
Resilience is the capacity for complex systems to survive, adapt, evolve and grow in the face of turbulent change. Resilient enterprises are risk intelligent, flexible and agile (Adapted from www.compete.org)
A ‘Resilience approach’ does ignore risk assessment and management, it builds upon it to address weaknesses in terms of dealing with unknowns (known and unknown) and perception bias. Particularly those ‘high consequence low likelihood events’ – the black swans, that sit untreated at the bottom of any risk assessment, or fall off the bottom because nobody wants to think about them, or are not acute but in the chronic creeping ‘must deal with it sometime’ category. Worse still, they may be completely unknown.
Resilience approach allows enterprises to put in place mechanisms ‘deal with the gaps’ in the risk approach – those things that have been missed or underestimated.
As the world becomes more complex and organisations become more complex themselves. A resilience approach is the only option.
The resilient organisation
Develops organisational adaptability. A culture of making things work in spite of adversity. This creates a capacity to deal with adverse events – adaptability to deal with rapid onset of shocks. They also analyse to see whether improvements can be made out of any adversity.
Organisations look for mitigations that are able to treat a range of threats, because these techniques are likely to be more adaptable than highly specialised methodologies.
Testing – Organisations test systems to breaking point and beyond in the most realistic scenarios possible.
Resilience from Chaos (Monkey)
An example of testing to breaking point in a real environment is the ‘chaos monkey’ tool developed by Netflix. This application/agent randomly turns off parts of the Netflix production environment simulating the failure of different parts of their infrastructure. It is set to only do this during working hours when engineers are about to respond. In this way, the system is tested in the best manner possible short of the real thing.
This post is based on a presentation I gave in Singapore. Here are my slides
Resilience Outcomes would like to acknowledge the assistance of Emirates Airlines for getting Alex to and from Singapore in great comfort.
State of ICT Security – Attackers take over SCADA controlled steelworks furnace and caused massive damage
The threat to online assets from attackers remains critical according to a report just released on the State of ICT security by the German Government.
Cloud Computing, mobile systems and big data are providing enormous economic prosperity, but have on the other hand opened up large attack surface for organisations.
The German Federal Department for Safety in Information Technology has just released its annual “State of ICT Security” report for 2014. The German Government’s version of the bit of NSA that helps government and businesses protect themselves online is called the BSI. They are highly skilled and well respected.
As is usual for a government report it is turgid. However there is some really interesting stuff hidden in the morass. I’ve picked out some of the gems and translated them here.
Complexity is killing information security
The report emphasises that complexity is exposing organisations to attack. Of particular concern is that Internet of Things (Systeme und Dinge) is now moving from the stage where it is mostly about observation of the environment to changing the environment.
Importantly, particularly in light of the Snowden expose, this report is not coming from either the US or UK and so gives a secondary source to some of what those governments are saying.
There are over 250 million individual varieties of Windows malware around now
Other observations which confirm what you may have seen in other places
Spam continues to grow exponentially
Malware is still growing and at least a million devices are being infected annually in Germany. The BSI estimates that the number of different types of Windows malware is at a staggering 250 million. This is up from around 180 million in 2013!
The number of infected sites delivering ‘driveby exploits’ is growing substantially.
Botnets are being used to steal identity information. There are more than one million devices under the control of botnets in Germany.
Phishing continues to yield results for cyber criminals
Advanced Persistent Threats – an increasing threat for government and industry
Germany is constantly being cyber-attacked by foreign intelligence services. The BSI has installed improved sensor technology in the government’s networks following the revelations that came from Edward Snowden in 2013/14. There are a number of methodologies which the BSI has identified. This tallies quite well with some of the things Bruce Schneier has written recently about these issues
Strategic enlightenment – whereby the intelligence service identifies connections between various users to gain an intelligence picture
Attacks on key individuals – attacking system administrators for key systems to gain access.
Influencing Standards – By weakening standards, , the allegation has been that NSA individuals have influenced the NIST standards development process.
Manipulation of IT hardware and software – Well they would do that wouldn’t they.
The BSI notes that trusted insiders are being used to enable some attacks by intelligence services, criminals and activists.
This table is reasonably easy to read, even if you don’t understand German. It shows the prognosis (prognose) for threats over the coming year.
Schwachstellen = vulnerabilities
Schadprogramme = malware
Identitaetsdiebstahl = ID theft
The report goes through a number of cases where the BSI was called to assist businesses. Here are two that are of particular concern.
Steelworks compromise causes massive damage to furnace.
One of the most concerning was a targeted APT attack on a German steelworks which ended in the attackers gaining access to the business systems and through them to the production network (including SCADA). The effect was that the attackers gained control of a steel furnace and this caused massive damages to the plant.
Dragonfly attacks a dozen companies
The Dragonfly hacker group attacked a number of companies’ SCADA systems and installed the malware ‘Havex’. This was used to gather information about the systems. No damage was done, because the compromise was detected and removed before the hackers had completed the observation and intelligence gathering phase.
It’s worth remembering that there are many other countries dealing with the cyber threat around the world. Germany has always been one of the leading non-UK CAN, US, AUS, NZ countries and it is interesting to see how they view the landscape.
The IAPP announced at the 2014 IAPP Privacy Summit “Privacy at Play” held at the Westin on 17 November in Sydney that Alex Webling had won the 2014 award for best article published in the association’s journal “Privacy Unbound”.
The iappANZ is the pre-eminent forum for privacy professionals in Australia and New Zealand. We are affiliated with the International Association of Privacy Professionals (IAPP) which is the largest privacy body at the global level with a membership approaching 20,000. We work with public and private entities across all industry sectors in Australia and New Zealand as well as the Privacy Commissioners in both countries.
The iappANZ Privacy Unbound Journal provides practical thought leadership and case studies along with a popular Q&A with the Australian and New Zealand Privacy Commissioners to keep members in touch with regulators. iappANZ also provides a Weekly and Daily Digest for regular privacy news updates.
Is it possible to enhance privacy with social login?
The likelihood that any Australian Government is going to create an online identity credential now seems distant with the National Trusted Identities Framework (NTIF) almost forgotten. How quickly the Internet forgets, but maybe that’s a good thing if you’re Mario Costeja González.
But the need that the NTIF sought to fill has not gone away. Governments are trying to work out how to service their citizen/customer/users at lower cost. The Internet offers one possibility, but in taking their services online, government agencies expose themselves and us to different threats and potentially higher risk. However, it seems inevitable that government agencies will follow financial institutions in offering higher value transactions online. In the end, the economic argument is likely to drive government agency migration online with more high trust services. Recent federal and state/territory budget announcements are only likely to spur this movement.
There are a number of threats that need to be mitigated before a government agency could potentially provide its services online. Probably the key issue is for the agency to be sure that a user requesting access to a site is who they say they are. Currently issuing the customer with a username and password mostly does this, but the model is beginning to fail. The problem is that most people don’t interact with government agencies on a regular basis and yet information sensitivity and computer capabilities require users to adopt increasingly complex and non-sensical passwords.
This in turn makes the passwords more difficult to remember even as they are harder to crack. It also means that password resets are much demanded. Yet at the same time, customers are expected to change their passwords regularly, not to write them down or repeat them for other online services.
It seems clear that these password requirements largely force customers to break their user agreements and either, write their passwords down, or worse re-use them for other services/websites.
It also puts government agencies in a bind. They want to provide online access to their services because it could be cheaper to operate than bricks and mortar outlets (if they didn’t have to reset too many passwords), but they also do not want to be embarrassed by privacy and security breaches.
One option is the use of a social login to help secure online authentication. This could enhance user information security and minimise privacy breaches. Social login, also known as social sign-in, is a form of simple sign-on (to web resources) using existing membership of a social networking service such as Facebook, Yahoo, Twitter or Google+ to sign into a third party website in lieu of creating a new login account specifically for that website or service. Social login is designed to simplify logins for end users as well as provide more and more reliable demographic information to website owners. Social login can be used as a mechanism for both identity authentication and user authorisation.
Social login is being adopted by private sector organisations for a number of reasons including: Rapid registration; Verified email contacts; and Customer stickiness. However social login also offers three major benefits for government agencies.
– Currency of contact data. Contact data such as email tend to be kept up to date by the user.
– Passwords are less easily forgotten because they are regularly used. At the same time, the social login passwords are not transmitted from the user to the agency website.
– Security. Agencies can leverage security technologies implemented by the social networks that they might never be able to replicate themselves. Because of their resources, social networks such as Google and Facebook are able to detect and patch zero day exploits quickly.
So what are the privacy risks?
A user, when accepting the convenience of a social login, can share a significant amount of their information between a third party website (such as a government agency) and the social network. The social site is informed of every social login performed by the user. Often, it is worth considering whether users understand exactly what they are sharing and whether they are giving informed consent to share. However this risk can be mitigated with the creation of clear and detailed login screens, which explain what the users are sharing.
As an example, the following information is returned when a Facebook user agrees to share their ‘Basic Profile’. Other than the email, the information is not verified and may not be present. However, several organisations claim that the quality of the data returned is in general very good because social network users feel social pressure from their friends to be accurate.
At the same time, it is not necessary for the third party website to collect all the information if it is not required.
Another issue surrounds current sensitivities with the USA NSA’s indiscriminate hoovering of online data. It is important to note that because all the large social networking sites are based in the USA, they are subject to USA’s laws and customs related to security and privacy. Under that regime, Australians are given significantly fewer protections than USA citizens or residents. Effectively, the social networking site itself provides the main protection for reputational reasons. However, readers may be aware that there have been recent moves in the USA to change this approach for what the US charmingly calls ‘aliens’ like Australians and give the same protections for all users irrespective of citizenship.
Can we get the benefits of social login and have citizen privacy as well?
With careful design it seems possible that social login could enhance privacy for users at the same time as providing benefits to government agencies. Considering the social login as an adjunct to agency authentication rather than the whole process could be an answer. If customers nominate their social login at the same time as they were enrolled into a government service, they could later use their social login as the first stage of an authentication process. This would provide an outer layer of defence against hacking. The user could then login to the agency itself using a separate authentication process.
The advantages of this model, beyond defence in depth, are that the user logs into the agency with their authenticated social login username, but does not gain access to sensitive information without providing an agency specific authentication. The social network also does not receive any sensitive information beyond the fact that a user logged in at a website. The use of government portals can be used to obfuscate which agency a user is accessing. At the same time, with consent, contact information from the social login site could be compared with that held by the agency and presented to users so that they can choose to update the information held on them by the agency.
At both the state and federal level, government agencies are starting to actively consider social login. Provided that governments are also prepared to carefully design the user interaction so that the social networks don’t get any more personal information than the user/citizen is prepared to share – by turning off analytics and sharing social network authentication gateways across groups of government agencies, it can provide benefit to users and government alike.
In the longer term, government will be able to verify citizens online when they wish to enrol themselves for services. The possibility arises to use the Document Verification Service (DVS) combined with social history to connect an entity to an identity, but that may be a discussion for another time.
I’d love to hear what you think.
This article originally appeared under the title “Can social login be privacy enhancing” in the May 2014 edition of Privacy Unbound, the journal of the International association of privacy professionals (IAPP) Australia New Zealand chapter and can be found here at this link iappANZ_MayJournal
The Australian Privacy Principles come into force on 12 March. The APPs extend coverage of privacy laws to most business with turnover of $3 million or more.
Fines of $1.7 million are possible for breaches.
Australian Privacy Principles
The Privacy Act now includes a set of 13 new harmonised privacy principles. The APPs regulate personal information handling by the federal government. In addition, the law significantly expands the number of private sector organisations covered.
The new Australian Privacy Principles (APPs) replace both the Information Privacy Principles (IPPs) that applied to Australian Government agencies and the National Privacy Principles (NPPs) that applied to some private sector organisations. The changes do not generally replace existing state of territory privacy legislation (eg Victoria & ACT) which will probably cause some confusion at the edges
A number of the APPs are quite different from the existing principles, including
APP 7 -on the use and disclosure of personal information for the purpose of direct marketing, and
APP 8 – on cross-border disclosure of personal information.
The OAIC gets teeth
The Privacy Act now includes greater powers for the OAIC which include:
conducting assessments of privacy compliance for both Australian Government agencies and some private sector organisations.
accepting enforceable undertakings
seeking civil penalties in the case of serious or repeated breaches of privacy
In some ways Australia is just catching up with Europe, Canada and USA, but its worth noting that breaches can mean organisations get fines of up to $1.7 million. It is probably an understatement to say that this could have a serious impact on company finances as well as reputations.
One thing that is very good about these changes is that there is better alignment with good information security practice. We hope that these changes may help some organisations improve the state of their information security as they become privacy compliant.
A new mandatory credit reporting privacy code (CR code), created by the Australian Retail Credit Association ( OAIC’s Codes Register ) also starts on 12 March 2014.
We can help
We are helping government agencies and businesses assess the privacy impact of their activities in light of these legal changes. In particular, we have recently worked with the health and finance sectors in Queensland, the ACT and Victoria.
Please contact us at Resilience Outcomes for assistance.
ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems (SCADA).
The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.
This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS).The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.
SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.
Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.
The ENISA ICS guide tries to put together in one document, a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important as computer emergency response teams can forget that they are part of a system and the system is only as strong as the weakest link. It is important to remember that preparation for things going wrong involves identifying people, resources and stakeholders that will be required. Developing relationships with other organisations will always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.
It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.