A similar quote stated that SCADA, and basically any system controlling physical machines, is the new attack surface. It struck me as obvious, and non-obvious upon reflection. The security of these systems tends to sit with Facilities and falls outside the scope of concern of most CISOs, and certainly of the CIO, unless the organization is structured so that such operating roles report to the General Legal Counsel or the COO. The structure of the organization, as it relates to operational integrity, competitiveness, and ultimately compliance and security, depends upon organizational structures being adapted to the technology age. Too often we forget the value of organizational strategy shifts, and this is one that will be necessary and will provide valuable returns.
How can this trickle into the tactical operations of the business?
Consider this single example:
- What controls do you have for checking the software version of the HVAC units serving your data center and/or corporate offices?
- Is there a security control in place to have it, to be sure it can handle the load, and to test that it works? I imagine yes to all three, as these are the ABCs of operations.
- What is the version of the HVAC PLC / SCADA element used by the vendor and monitoring teams that is accessible remotely?
- When audits occur, do they check that the device isn't the Siemens or other manufacturer's unit that was just highlighted at Defcon or in the news?
If this is the new frontier, we need to start structuring organizations in a manner designed to address these considerations, allowing the business to be agile and competitive.
Thoughts? (A bit of latitude on the above terminology is requested, given I am simplifying the example to avoid too much technical specification and confusion.)
Posted in audit, Compliance, Security
Tagged 2012, attack surface, best practices, chief audit executive, cio, clo, Compliance, coo, cybersecurity, data center, defcon, it compliance and controls, IT Controls, james deluccia, jdeluccia, new frontier, organizational change, scada, Security, strategic, trend
The ability to attack, compromise, and cause damage has existed since the utility industry began connecting these systems to the Internet. Examples, including the European nation that was attacked 24+ months ago, are easy to locate. Yesterday an attack (more proof of concept than anything it could have really been) occurred. The current public awareness of cyber attacks, the nation-state theater risks, and the transparency of this action have raised awareness beyond the closed professional circles within Information Security. There are a number of interesting write-ups, and I would suggest carefully reading a few for a balanced perspective. Two that I would recommend include:
What this means for your utility company is that the abstract threat modeling exercise that considers these attack vectors should be conducted more thoroughly, with real risk and mitigation decisions progressing up to the Board of Directors.
As for everyone else who is a customer of such utility companies, BCP/DR plans should be updated to reflect the possibility of such a loss of services. Enterprise information security / risk management programs (including vendor management) should elevate utility service providers (including cellular operators). These actions should directly affect the annual/ongoing risk assessments and establish an expectation of regular security assessment and assurance from these service providers.
It is an interesting quandary that cloud service providers are vetted and assessed more rigorously than utility service providers, the original cloud.
Thoughts? Challenges?
James DeLuccia IV
Posted in Compliance
Tagged 2011, best practices, china, cloud computing, cybersecurity, data breaches, europe, it compliance and controls, IT Controls, james deluccia, PCI DSS, risk management, scada, Security, vendor management, virtualization