Thursday, December 26, 2013

NIST Framework Misses the Mark on Risk Assessment

Last week, the open enrollment period ended on the latest National Institute of Standards and Technology (NIST) preliminary cybersecurity framework. While changes are likely, given the input of many in the industrial sector, the framework as it stands does not meet one of its key goals – it is not simple enough for senior business leaders, executives and board members to understand and implement to achieve measurable impact on security efforts. In particular, Waterfall Security’s feedback into the framework process points out that the framework has missed an opportunity to encourage utilities to rethink their approach toward risk assessment, and points out that the framework leads senior management to ask the wrong kinds of questions about the security of critical infrastructure sites.      

Capabilities versus actuarial
Risk assessment is notoriously subjective in that businesses routinely conclude whatever they want and point to a “risk assessment process” to justify their decisions. Even worse, a major issue with the NIST framework is that it encourages an actuarial approach to risk assessment for determining what, if any, improvements need to be made to a security program. This methodology compares the number and cost of known incidents to the total cost of a security program which would have been strong enough to prevent these incidents. If historical costs are small, insurance can be purchased to transfer the risk.

Contrast this with a capabilities-based risk assessment, which compares our enemies’ attack capabilities with our own defensive capabilities, and asks when the one meets the other, what is the most likely outcome? This kind of assessment does not ask how many times was the North American power grid taken down by a cyber assault in the last decade, and what did each such incident cost? The answer is of course, zero – the power grid as a whole has never been successfully attacked. A capabilities-based assessment asks only when our most capable enemies attack us, what is the most likely outcome?

The big difference in assessment techniques is due to the increasingly widespread understanding of “new, advanced attack techniques.” These techniques by now are neither new nor particularly advanced – they are taught in all intermediate-level cyber security training programs. Everyone with a little skill knows how to apply these techniques. Existing “risk-based” security programs at industrial sites, including sites throughout most of the power grid, are inadequate to attack this “new” class of attack. For example, security testers who use these techniques routinely report breaching security at fully CIP-compliant sites within minutes of launching their tests. Deployed defensive capabilities have not kept up with well-known attack capabilities.

No – there has not yet been a significant, well-documented attack on the safety or reliability of critical infrastructure sites using these new techniques. But using the actuarial approach and saying “it’s never happened so I’ll just buy insurance” is seriously misguided. Can you imagine the CEO of a large power utility on television after some cyber attack causes a major power outage that casts tens of millions of people into darkness for several days? Can you imagine this person saying “We are very sorry this attack that made all your power go out for so long – but never fear, my utility did not lose any money, because we have insurance.” He would be lynched.

Advanced Defenses
Now, the truth is often more complex than an “actuarial vs. capabilities-based” buzz-word. For example, many business-focused IT experts are on record saying that they are no longer confident that even the best security programs can block these “new advanced attacks” at the network perimeter, and so these experts are advocating the deployment of sophisticated intrusion detection, data exfiltration prevention and other systems.

This assessment may be accurate for corporate networks, but the NIST framework is supposed to speak to critical infrastructure control system networks and the “SCADA Security” problem primarily, not corporate information protection systems. A variety of control system-centric security technologies have proven very effective at blocking even “new advanced attacks,” not least of which is Unidirectional Security Gateways. This hardware-enforced server replication technology completely blocks the interactive remote control capabilities which are essential to “new advanced” attacks – a fact which is not called out in the least by the NIST framework.

Capabilities versus motives
In all fairness though, NIST’s risk management approach does use the word “capability” a couple of times, but only in wholly secondary contexts. The focus of the risk management part of the framework is still an actuarial “cost of incidents” style of risk assessment. No, there have not been credible cyber-sabotage attacks on critical infrastructure sites using modern, well-known attack techniques. But  plugging this fact into an actuarial risk calculation is not going to produce a security program which protects against our adversaries’ capabilities, it will only produce a program that protects against what we think our enemies’ motives are. If we guess wrong as to those motives, we are in deep trouble.

We need to start communicating more effectively to senior decision makers. We need to persuade them to invest in security programs which anticipate our enemies’ capabilities, not programs which hope we can guess right as to our enemies’ motives.

To stay updated on new developments follow Waterfall Security on Twitter.

Friday, December 20, 2013

NERC CIP Version 5 – The Uncertainty is Over

Late last month, the Federal Energy Regulatory Commission (FERC) approved Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. With the approval of Version 5, FERC effectively eliminates Version 4 of the standard, clearing up the uncertainty that froze progress on most CIP programs by approving a move from Version 3 directly to Version 5. This is great news for utilities, which can now move forward with strengthening security programs after eight months of minimizing change while waiting for the new standards.

A new approach to cybersecurity
NERC CIP Version 5 is an improvement over Versions 3 and 4 in several ways. First, the standards embody a new approach that encourages the development of a culture of security and due diligence by responsible entities, in addition to the culture of compliance encouraged in CIP versions 1 through 4. To accomplish this, the V5 standards focus on what security objectives must be accomplished, and when they must be accomplished, but leave discretion as to how to achieve those objectives. For example, the much-maligned anti-virus requirement in CIP-007-3 has been replaced with a set of malicious code prevention requirements, which do not mandate specific anti-virus technologies, but allow BES entities to apply one or more technologies from a set that now includes sophisticated application control  or white-listing, and removable device control technologies.

Other technology-focused improvements include mandating the use of network intrusion detection capabilities for the highest-impact cybersystems. With this measure, the V5 standards echo the FERC assertion that a single layer of firewall is not sufficient perimeter protection for high impact BES cybersystems. Often, just one small mistake in a firewall configuration is all that it takes to bypass security rules and effectively turn the firewall into no more than a router. The V5 standard also includes three new requirements governing interactive remote access, including a requirement for multifactor authentication.

Unidirectional security gateways get their due recognition
In addition, the NERC CIP Version 5 standards are among the first in the world to begin to address modern cyberattack patterns by encouraging the use of unidirectional security gateway technology. Unlike firewalls, which can easily be breached and whose vulnerabilities are well-known to adversaries, unidirectional security gateways are one-way communications hardware devices that replicate servers in real time to send information out of control system networks without any risk of a cyberattack getting back in.  

The security threats facing our critical infrastructure are very real. While no system is ever completely secure, there is still much work to be done to ensure our defenses are more than a match for the capabilities of our adversaries. NERC CIP Version 5 gives utilities a platform on which to improve their defenses and options to secure the reliability of those defenses via technology such as unidirectional security gateways. Now that the uncertainty is over, we can make serious progress toward securing our critical infrastructure.

To stay up to speed on NERC CIP updates, follow @WaterfallSecure. For more information about how Unidirectional Security Gateways can strengthen your security program, email