S4 Takeaway: Differences between North America and Europe

I've had a week now to reflect on my experience at Digital Bond's 2014 S4 conference and compare it to others I had last quarter. I spent almost all of Q4 2013 on the road with customers and at conferences, both in North America and Europe. While it is unfair to paint either region with one brush, I do see broad differences in the level of understanding of industrial cybersecurity issues.

For example, in North America, I rarely have to explain why cybersecurity is important to industrial sites. I am often asked to relate what the latest developments are, how they fit into the overall risk and solution picture, and how various debates in the industrial control system (ICS) security field are evolving. I also tend to see people working to understand how the latest developments fit into their understanding, and deciding what these developments suggest as to how organizations need to evolve their security programs.

Compare that with Europe, where interactions with representatives of critical infrastructure owners and operators tend to be more challenging. Operations teams will often say that security is an IT problem. However, IT is busy deploying privacy-focused security technologies on operational and control system networks with limited success. Both groups struggle to see how state-of-the-practice OT security technology, like Unidirectional Gateways, fit in their IT-style integrated systems and IT security programs. The widely known, very effective techniques used to break into IT-style networks are a risk Europeans tend to discount.

In hindsight, my experience at S4 really highlighted these differences. The programs and discussions were all about control systems and issues and solutions specific to them. For example, I'd been hearing about the DNP3 news second-hand, and was really looking forward to Chris Sistrunk's presentation of his and Adam Crain's work. "Ahh," I thought, "they used a fuzzer! And against master stations, not remote terminal units. Of course they found vulnerabilities – good for them! More work like that needs to be done." And then there was the "risk-based" debate regarding the NIST cybersecurity framework, which crystallized the understanding that cyber risk assessment really does need to be different for critical infrastructure sites versus other kinds of industrial sites.

To be fair, there are other large (by ICS cybersecurity standards) and high-quality events on the slate every year in North America – NERC's GridSecCon, the SANS SCADA events, the ACS Cyber Security Conference and the DHS ICSJWG events all spring to mind. Many Europeans attend and contribute to these events and to S4 – the real leaders in Europe are no slackers. But S4 seems to be where the world's technical leaders get together to argue things out. Differences between experts remain when the day is over, of course, but at least everyone goes away armed with the latest data and counter-arguments.

Admittedly, my experience in Europe is limited. I've only just started attending events and visiting European customers, and there is a spectrum of sophistication in a region this large and diverse. For example, one meeting I had with senior government and industry leaders in the UK earlier this year was impressive. I did not have to explain to them why security was important or how control systems were different – they were the ones asking me the hard questions, testing my answers and seeing how my information fit into their understandings and plans.

On average though, I have the impression that there is more awareness-level work to do in Europe than there is in North America. Look for greater Waterfall participation in European industrial cyber-security events, as well as standards, guidance and research efforts.

By the way: business is booming. We're swamped. Waterfall is hiring. Not all the jobs are posted yet. Drop us a note if you enjoy working hard, doing important work and being on the road a lot:  jobs@waterfall-security.com

Cyberwarfare is a bigger threat to U.S. than terrorism – now what?

Defense News released last week the results of a poll in which nearly half of the U.S. national security leaders who responded cited cyberwarfare as the most serious threat facing the country, ranking it higher than terrorism or China. The alarm bells have been ringing for some time now – the sound got louder last year, when President Obama issued an executive order to update the National Institute of Standards and Technology (NIST) cybersecurity framework. With this latest survey it seems that a consensus is starting to emerge that yes, cyberattacks are a real threat and something must be done to better secure the nation’s critical infrastructures.  While it’s encouraging to see this issue finally getting the attention it deserves, the question still remains “will anything will be done about it?”

Unfortunately, it will probably take a large-scale attack for some utilities to get serious about improving security defenses. This is because many utilities base their risk models on the likelihood of an attack – and without a significant event to reference, the probability of future attack must be low, right? In fact, all it takes is one significant event to trigger the risk models, and no utility wants to become the new poster child for critical infrastructure cyberattacks – one that will be talked about and analyzed for years to come. While the first big attack will almost certainly light a fire underneath utilities, this isn’t something we can afford to wait for when power, or clean water, or clean air for millions of people are at risk.

There is progress to report. The North American Electric Reliability Corporation (NERC) recently updated its Critical Infrastructure Protection (CIP) standards to Version 5, which is a marked improvement over Versions 3 and 4. These standards will go a long way in bringing power grid security up to par by encouraging the adoption of new technologies that are stronger than firewalls.

Firewalls are no match for the advanced level of today’s cyber threats. It’s like going into battle using paper clips for armor. Years ago, a lot of us were confident that a firewall would block the vast majority of cyberattacks, whether we were right or not. Nowadays, firewall limitations are well-known in both white-hat and black-hat communities. The problem is that security practitioners in utilities often have trouble communicating this risk to the management teams who control security budgets. These teams often don’t understand just how poor their defenses are until someone shows them how easy it is to breach those defenses. Hiring a penetration tester is a good way to expose poor defenses, before our enemies do.

NERC has recognized the value of Unidirectional Security Gateways. What will it take to communicate the risk to other decision-makers? Sometimes what it takes is a security breach – malicious or benign – to change our thinking. Better a white-hat penetration-testing breach, than waiting to become a poster child for a black-hat cyberattack. 

Strategic Defence Intelligence recognizes Waterfall Security’s achievements in protecting critical infrastructure

There’s a familiar name in the Strategic Defence Intelligence and Global Defence Technology Awards – Ones to Watch 2013: Waterfall Security. The awards recognize outstanding achievements in defense technology and innovation, validating Waterfall’s unidirectional security gateway technology as stronger than firewalls and underscoring the potential for protecting our nation’s critical infrastructure.

In its announcement of the shortlist of recipients, Strategic Defence Intelligence says that:

“Waterfall Security’s Unidirectional Security Gateway solutions offer effective protection for safety-critical and reliability-critical networks. Unlike competitors that specialise in military and government requirements only, Waterfall’s products cater extensively to the industrial space as well, important when you consider that some of the most sophisticated attacks emanate from outside conventional warfare.”

Highlighted in the assessment of Waterfall’s solutions is our Waterfall for Bulk Electric System (BES) Control Centers, protecting two-way communications via hardware-enforced Unidirectional Security Gateways replicating inter-control-center protocol (ICCP) communications endpoints in two directions.

Last year saw renewed focus in the vulnerability of our nation’s critical industrial infrastructures to cyberattacks. In February, President Barack Obama signed an executive order requiring the National Institute of Standards and Technology (NIST) to create a cybersecurity framework, a preliminary version of which was announced this past fall. (See our take on the framework here.) Perhaps the biggest news of 2013 was the Federal Energy Regulatory Commission (FERC) approval of the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Version 5 standards, replacing the ineffectual Version 4 and allowing utilities to move forward with strengthening security programs. 

While there is still a lot of work to be done, we are optimistic that 2014 will see improvements made in securing the nation’s power grids and other critical industrial infrastructures. The more we talk, the more advanced our adversaries become. Firewalls are no match, and it’s time to take action to better secure our infrastructures. 

NIST Framework Misses the Mark on Risk Assessment

Last week, the open enrollment period ended on the latest National Institute of Standards and Technology (NIST) preliminary cybersecurity framework. While changes are likely, given the input of many in the industrial sector, the framework as it stands does not meet one of its key goals – it is not simple enough for senior business leaders, executives and board members to understand and implement to achieve measurable impact on security efforts. In particular, Waterfall Security’s feedback into the framework process points out that the framework has missed an opportunity to encourage utilities to rethink their approach toward risk assessment, and points out that the framework leads senior management to ask the wrong kinds of questions about the security of critical infrastructure sites.      

Capabilities versus actuarial

Risk assessment is notoriously subjective in that businesses routinely conclude whatever they want and point to a “risk assessment process” to justify their decisions. Even worse, a major issue with the NIST framework is that it encourages an actuarial approach to risk assessment for determining what, if any, improvements need to be made to a security program. This methodology compares the number and cost of known incidents to the total cost of a security program which would have been strong enough to prevent these incidents. If historical costs are small, insurance can be purchased to transfer the risk.

Contrast this with a capabilities-based risk assessment, which compares our enemies’ attack capabilities with our own defensive capabilities, and asks when the one meets the other, what is the most likely outcome? This kind of assessment does not ask how many times was the North American power grid taken down by a cyber assault in the last decade, and what did each such incident cost? The answer is of course, zero – the power grid as a whole has never been successfully attacked. A capabilities-based assessment asks only when our most capable enemies attack us, what is the most likely outcome?

The big difference in assessment techniques is due to the increasingly widespread understanding of “new, advanced attack techniques.” These techniques by now are neither new nor particularly advanced – they are taught in all intermediate-level cyber security training programs. Everyone with a little skill knows how to apply these techniques. Existing “risk-based” security programs at industrial sites, including sites throughout most of the power grid, are inadequate to attack this “new” class of attack. For example, security testers who use these techniques routinely report breaching security at fully CIP-compliant sites within minutes of launching their tests. Deployed defensive capabilities have not kept up with well-known attack capabilities.

No – there has not yet been a significant, well-documented attack on the safety or reliability of critical infrastructure sites using these new techniques. But using the actuarial approach and saying “it’s never happened so I’ll just buy insurance” is seriously misguided. Can you imagine the CEO of a large power utility on television after some cyber attack causes a major power outage that casts tens of millions of people into darkness for several days? Can you imagine this person saying “We are very sorry this attack that made all your power go out for so long – but never fear, my utility did not lose any money, because we have insurance.” He would be lynched.

Advanced Defenses

Now, the truth is often more complex than an “actuarial vs. capabilities-based” buzz-word. For example, many business-focused IT experts are on record saying that they are no longer confident that even the best security programs can block these “new advanced attacks” at the network perimeter, and so these experts are advocating the deployment of sophisticated intrusion detection, data exfiltration prevention and other systems.

This assessment may be accurate for corporate networks, but the NIST framework is supposed to speak to critical infrastructure control system networks and the “SCADA Security” problem primarily, not corporate information protection systems. A variety of control system-centric security technologies have proven very effective at blocking even “new advanced attacks,” not least of which is Unidirectional Security Gateways. This hardware-enforced server replication technology completely blocks the interactive remote control capabilities which are essential to “new advanced” attacks – a fact which is not called out in the least by the NIST framework.

Capabilities versus motives

In all fairness though, NIST’s risk management approach does use the word “capability” a couple of times, but only in wholly secondary contexts. The focus of the risk management part of the framework is still an actuarial “cost of incidents” style of risk assessment. No, there have not been credible cyber-sabotage attacks on critical infrastructure sites using modern, well-known attack techniques. But  plugging this fact into an actuarial risk calculation is not going to produce a security program which protects against our adversaries’ capabilities, it will only produce a program that protects against what we think our enemies’ motives are. If we guess wrong as to those motives, we are in deep trouble.

We need to start communicating more effectively to senior decision makers. We need to persuade them to invest in security programs which anticipate our enemies’ capabilities, not programs which hope we can guess right as to our enemies’ motives.

To stay updated on new developments follow Waterfall Security on Twitter.

NERC CIP Version 5 – The Uncertainty is Over

Late last month, the Federal Energy Regulatory Commission (FERC) approved Version 5 of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards. With the approval of Version 5, FERC effectively eliminates Version 4 of the standard, clearing up the uncertainty that froze progress on most CIP programs by approving a move from Version 3 directly to Version 5. This is great news for utilities, which can now move forward with strengthening security programs after eight months of minimizing change while waiting for the new standards.

A new approach to cybersecurity

NERC CIP Version 5 is an improvement over Versions 3 and 4 in several ways. First, the standards embody a new approach that encourages the development of a culture of security and due diligence by responsible entities, in addition to the culture of compliance encouraged in CIP versions 1 through 4. To accomplish this, the V5 standards focus on what security objectives must be accomplished, and when they must be accomplished, but leave discretion as to how to achieve those objectives. For example, the much-maligned anti-virus requirement in CIP-007-3 has been replaced with a set of malicious code prevention requirements, which do not mandate specific anti-virus technologies, but allow BES entities to apply one or more technologies from a set that now includes sophisticated application control  or white-listing, and removable device control technologies.

Other technology-focused improvements include mandating the use of network intrusion detection capabilities for the highest-impact cybersystems. With this measure, the V5 standards echo the FERC assertion that a single layer of firewall is not sufficient perimeter protection for high impact BES cybersystems. Often, just one small mistake in a firewall configuration is all that it takes to bypass security rules and effectively turn the firewall into no more than a router. The V5 standard also includes three new requirements governing interactive remote access, including a requirement for multifactor authentication.

Unidirectional security gateways get their due recognition

In addition, the NERC CIP Version 5 standards are among the first in the world to begin to address modern cyberattack patterns by encouraging the use of unidirectional security gateway technology. Unlike firewalls, which can easily be breached and whose vulnerabilities are well-known to adversaries, unidirectional security gateways are one-way communications hardware devices that replicate servers in real time to send information out of control system networks without any risk of a cyberattack getting back in.  

The security threats facing our critical infrastructure are very real. While no system is ever completely secure, there is still much work to be done to ensure our defenses are more than a match for the capabilities of our adversaries. NERC CIP Version 5 gives utilities a platform on which to improve their defenses and options to secure the reliability of those defenses via technology such as unidirectional security gateways. Now that the uncertainty is over, we can make serious progress toward securing our critical infrastructure.

To stay up to speed on NERC CIP updates, follow @WaterfallSecure. For more information about how Unidirectional Security Gateways can strengthen your security program, email sales@waterfall-security.com.