Archive for the ‘Industrial Security’ Category

Myths of Cybersecurity

December 22nd, 2009

Melissa Hathaway, President of Hathaway Global Strategies, LLC and Senior Advisor at Harvard Kennedy School’s Belfer Center, wrote a great article yesterday about the myths of cybersecurity.

In a nutshell …

Myth 1: Consumer protection exists in cyberspace
Myth 2: Firewalls and virus scanners protect my computer and my enterprise
Myth 3: My government has the solution and will protect me
Myth 4: Physical assets are more valuable than information
Myth 5: Laws are keeping pace with technological innovation

I would especially like to call out Myth 2. There seems to be a false sense of security that comes with installing firewalls, intrusion detection systems, virus scanners, etc. within enterprise and industry. I have come across many situations within the manufacturing and control systems space where the engineers are totally satisfied with the security of their networks (as they have firewalls and virus scanners in place). However, what they don’t realize is that their network is still vulnerable and open to other forms of security breaches and problems.

Security within a network is not just about physical implementation and should not be centered around it (which, unfortunately, is what a lot of people do). Security within enterprise and/or automation systems should be policy-based, with physical implementation (like firewalls and virus scanners) being one part of the puzzle. No matter how big or small your network is, it is good practice to have policies in place; you always want to be prepared for eventualities.

“Oops, I didn’t mean to do that!”

Security problems don’t just happen with viruses. The cause could be as simple as a factory worker accidentally pressing the wrong button, uploading the wrong ladder logic program, pulling the wrong network cable out of the network switch, or dislodging the power cord.

Securitysearch.com gives a good definition of a “Security policy”:

“…a security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets. A security policy is often considered to be a “living document”, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.”

I would like to add to the Myth list –

“Myth 6: My network is 100% secure”
“Myth 7: Hackers always cause network security problems”

There is no such thing as a network being 100% secure. A well-secured network is one that has policies and steps in place to minimize loss of investment and to control breaches and exploits (purposeful or accidental).

There is also a common perception that network security problems always originate from the outside (from hackers or crackers). Not all security problems are purposeful; they can be accidental too, and they can originate from within the company. A good security policy accommodates and plans for both internal and external occurrences.

To end this off, here are some steps companies should take to protect themselves:

1) Learn and educate yourself — Get a good understanding of the types of security threats you face in your environment
2) Do a risk assessment that reveals the crucial/beneficial areas of your network investment
3) Create policies and procedures that integrate security in accordance with your assessment
4) Integrate/deploy up-to-date technical controls
5) Plan for eventualities and how to respond to them
6) Continually update/revise policies

Of course, I am just scratching the surface here, as network security has many facets to it. It does, however, give you something to think about, and it is something that can’t be taken lightly.

Do you have other Myths to add? Let us know in the comments area.

Electrical data theft exploits

August 11th, 2009

This article describes an interesting way in which someone can steal data through electrical outlets. Demonstrated at Black Hat 2009 by Andrea Barisani and Daniele Bianco of network security consultancy Inverse Path, it shows how easy it is to steal data without expensive equipment, i.e. with just an electrical grid and line of sight of the machine/computer in question.

Security Assessment Methods for SCADA Systems

June 22nd, 2009

Here is a good whitepaper from Idaho National Labs describing methods for vulnerability identification, assessment and resolution within SCADA systems. It’s four years old (written by May Robin Permann and Kenneth Rohde, Idaho National Labs, in 2005) but is still a great reference in terms of its organized methodologies.

Useful links: Security in Control Systems

March 25th, 2009

From browsing some discussions and references on Twitter, here are some recent articles emphasizing the fact that security in control systems is something not to be taken lightly.

Hackers Penetrating Control Systems (PC World)
Hackers Penetrating Industrial Control Systems (Computer World Security)
R&D work vulnerable to cyber threats (Federal Computer Week)
Control Systems Cyber Security – The Current Status of Cyber Security of Critical Infrastructures (Joseph Weiss’ testimony to the Members of Congress dated March 19, 2009)

Around the web

Cyber Security Procurement Language for Control Systems Version 1.8 (MSISA)
Multi-State Information Sharing and Analysis Center (MSISA)
Research Challenges for the Security of Control Systems (University of California, Berkeley)
Advances Needed in Control System Cyber Security (ControlGlobal.com)
Guide to Industrial Control Systems (ICS) Security (NIST)
A Summary of Control System Security Standards Activities in the Energy Sector (Department of Energy)

If you have any other links that you want to share, let us know in the comments and we will add them to the list.

Cisco launches comic book series targeting security professionals

March 11th, 2009

Cisco is getting pretty innovative. They just released a comic-book-style, 4-part animation series called The Realm. It’s about a group of Cisco engineers battling the evils of network security within the world. The launch is timed to coincide with their industry conference next month.

Each episode raises issues surrounding security threats, like identity theft and malware, that are averted by comic book heroes, said Marie Hattar, VP of marketing. “The idea was, it would drive the readership to look for products that could [protect them] in real life,” she added.

Tapping into the stereotypical security person’s love of comic books and online games, this may prove to be a gimmicky (but effective) effort.