You are currently browsing the tag archive for the ‘CIP’ tag.

Someone today asked me what I thought of this article:

My answer was short: Obvious? PCI doesn’t work. NERC CIP doesn’t work. NIST standards don’t work. Anyone who says or implies that these companies just needed to do more is lying, trying to sell you something, ignorant, or a combination. Security as we do it, in the context of IT as we do it, in the context of business as we do it does not reliably do what we want it to do.

I know one thinks we should continue to admire the problem – we need action! But what if we’ve entirely failed to correctly identify and articulate the problem?  :P

Someone else replied elsewhere with (regarding the standards/regs mentioned above):

“although they can be foundational for funding and building a good security program, they don’t work on their own.”

While that is true, a lot hinges on what “G.ood S.ecurity P.rogram” means. I’d argue that results from G.S.P.’s are regularly considered insufficient – i.e., Target *had* a Good Security Program and yet here we are.


Starting September 14th, I will no longer be contracting to TSA (via KCG, who have been wonderful). Instead, I will be working for Idaho National Labs (INL) onsite at DHS as a liaison between the smart people exploring the vulnerabilities of our nation’s critical infrastructure and the smart people at DHS CSSP doing the many things that they do.

Before I head out, though, I’d like to comment a little bit on an issue I’ve dealt with at TSA that I think also extrapolates to national cyber security efforts and is in no way unique to a single agency, or even the government. The issue is the label “cyber security”.  At TSA, as at DHS, as within the media, as within popular culture, there is confusion as to what “cyber security” means – even at a very high level. The term gets bandied about so loosely that it means everything and nothing. Still, people are making policy based on it without any definition.  The amorphous nature of the conversation is going to kick us in the pants sooner rather than later. Can we please nail it down more specifically when we discuss “cyber security”?

Below, find some areas of confusion that I’ve personally run into:

1. The internet, government networks, SCADA/ICS: This one is simple. When we talk about cyber security, we really need to preface our statements with which of these areas we’re discussing. They’re NOT THE SAME and the strategies, ownership, and etc to deal with them are NOT THE SAME either. Over and over again a lack of explicit distinction here burns us.

2. “IT Security” and Technology vs Strategy: Often, in my role, we were lumped in with what IT Security does: “Isn’t that the same thing, only with more computers?” was a popular sentiment.  There is the concept that these efforts are technical in nature and that they look a lot like FISMA shops: Assess, Remediate, Certify, etc.  against some standard or set of standards.  Nothing could be further from the truth.  “Cyber security” issues are of a strategic business and programmatic nature. We know how to fix computers, we don’t know how to define what security means to our businesses, how computers affect our operations, and we don’t know our risk appetites. In other words, “cyber security” in an executive (CEO, CFO, COO, CTO, CIO) issue, not one for technologists.

3. Computers vs Infrastructure vs Business Assets: We don’t care in most sectors if our computers work. Really, we don’t. What we care about is that our energy grid keeps pumping out power, our chemicals get mixed right, our cars are manufactured correctly, our financial transactions are accurate, our goods get delivered on time, etc.  These are the “assets” we are protecting. We are not protecting the internet, we are not protecting government computer systems. We are protecting the national operational interests of the United States.

4. Think globally, act locally: We’re so used to thinking about single companies and single systems within those companies that we forget that everything we do cooperates to larger goals. Our enterprise systems work together to achieve business goals which must be protected. Our business goals within critical infrastructure sectors, in aggregate, also work together to support national goals. For instance, the thousands of independent companies in “the transportation sectors” all combine to “move people and goods throughout the US and the world on time, to the correct destination, in acceptable condition”.   Many decision makers believe that it’s ok to ignore this larger context and focus on single system security or, at best, enterprise security. This is dangerous. Since these systems are interdependent whether we acknowledge it or not, they can be be used to exploit each other and damage our soft assets (goals) if we don’t regular take a look at and secure the larger picture.

This is a repost of my recent comments on SCADASEC with regard to the most recent rush of frantic reports of cyber-espionage and the subsequent pitchfork-waving demands for legislation and/or further immediate regulation.


Ok, so bad stuff is happening. Whether or not we agree on the extent, damage, or origins of attacks against our infrastructure, there’s no disagreement among people in the industry that there is a problem that must be dealt with.  So, now that we’re here, let’s all take a breath and look around and assess where we’re at.

First, these intrusions do not seem to represent a substantial change in our tactical situation; these types of intrusions have been occurring in one form or another for years. We may be -detecting- them more frequently before, but that’s it.  A nationally significant incident occurring by way of a cyber attack against our critical infrastructure by a serious actor is, by many accounts, just as likely to happen now as it was a few years ago.  This is interesting.  It has long been observed that “the internet can be taken down in 30 minutes and no one is sure why that hasn’t happened yet.”  I imagine that a similar thing can be said about our critical infrastructure.

While I am not suggesting that there is anything but a pressing, critical, national security level issue with the state of our cyber security and CIKR, I am suggesting that it is not so imminent that the value of taking our considered time in fixing the problem should be thrown out in favor of passing rushed, ill-advised legislation or regulation.

Let me elaborate:

The proposed cyber security / critical infrastructure regulation proposals I have seen would absolutely achieve a short term tactical gain in our level of security.

It would do so, though, by committing us to a permanent cyber security arms race at the cost of any hope of a long term strategic win. We would spend all of our money, effort, and cycles, repeatedly reacting to our adversaries’ change in tactics and would provide no method of ultimately getting ahead of them. Eventually, we would have 853 (heh) layers of defense, attackers would still be getting through them all, but we’d be out of any more money to throw at more layers.

This is both because of the nature of the problem as well as the proposed solution. What we have on our hands is a complete architectural failure of our cyber networks with regard to “security”.  It is not the lack of some subset of individual security controls. Mandating specific control sets at this point – or any existing in-place “security best practices” – would be akin to insisting that contractors keep building a house on top of a known bad foundation. Incremental improvements will never address that kind of a problem.

What we need (from our technology) but do not have are information-centric systems with end-to-end processing requirements designed into their bones.  We skip the hard work of identifying what information we need our systems to produce, what information they need to take in initially, what transformations must be made to the source information, and who can make those transformations in what contexts. We then fail to tightly couple our code, our designs, and our infrastructure to those requirements when we do have them.

We skip it because it seems hard and expensive and the perceived value of speed and the enticements of deferred costs seem to outweigh the risks to the organizations making these decisions.  The costs of adding layers and layers and layers of ineffective security afterwords, however, is rarely calculated and compared to just doing it right the first time.

Instead of doing the right thing up front, we end up with tack-on solution sets like NIST 800-53. I don’t know about you all, but I’m pretty sure that if you did everything 800-53 describes – but never did the legwork I just described – security would still fail and it would fail badly.  In fact, we see this time and time again in existing federal IT networks.  800-53, by itself, does not work for IT.  Why would we legislate it for control systems? I don’t mean to pick on NIST here – it’s one of the better control catalogues out there – but that still doesn’t mean it works.

Technically, we are actually -nowhere near- industry agreement on how to solve the cyber security problem (Did anyone listen to Bruce Potter’s opening Shmoocon remarks? He astutely compared our current cyber security efforts to building a Maginot Line “In-depth”).  If that’s true, then legislating something we know will never allow us to achieve a strategic win seems contrary to logic.  But, if we want to put our heads in the sand and go the “any incremental gain we can achieve now is worth it even if we’ll have to redesign it from scratch later” route, the idea of legislating security controls for our critical infrastructure is still fatally flawed.

Why? Because a lack of security controls in our national critical infrastructure is not the problem, it is a symptom. Not only is it a symptom, but it’s a symptom of exactly the same problems that led to Wall Street’s collapse and the atrocious mortgage mess. Let me say that again: “it’s a symptom of exactly the same problems that led to Wall Street’s collapse and the atrocious mortgage mess.”

Those with budget authority – in both private and public organizations – are collectively and consistently making poor operational risk management decisions.  They are opting for short term gains at the expense of long term strategic success.  From where I sit, I honestly cannot tell whether it’s intentional or simply a lack of visibility into what the actual risks are (which stems from poorly designed organizational architecture).  In either case, we have an issue of priorities by people making decisions – and that’s not a technical failure at all.

What happens if we mandate 800-53 or something similar? We create yet another technical compliance regime which, at best, only indirectly affects prioritization of cyber risk.  The priority for decisions makers becomes meeting the regulation, not securing their organizations. When this happens, the risk is pushed down to the dedicated people on this list who then have to do the best they can in an environment where their organizations limit their ability to ultimately succeed. When that happens, we also find that good money is repeatedly thrown after bad and security, instead of being a business enabler, becomes a bottomless pit.

We need to find a way, if we think legislation is needed, to directly legislate cyber security as a priority and accountability for failure. If user information is stolen, decision makers need to be held responsible. If control systems are compromised in ways that could result in public harm, decisions makers need to be held responsible.  If people suddenly became on the hook for -succeeding-, then one would hope the market and industry would be driven to finding ways to succeed.

It would be nice if education, not legislation, would suffice for this.  But what I’ve been hearing on this list and in professional forums seems to indicate that the time for that is almost behind us. So, if we’re going to end up with legislation or regulation, let’s do it slowly, so it goes smoothly, so it’ll work quickly.

(Second Update: As of 9/14/2009, I’m working for Idaho National Laboratory (INL) liaisoning to DHS in DC supporting their ICS-CERT effort. This is reflected in the online resume, but not yet the pdf.)

Just a pinging post since I’ve just (finally) updated my resume on this site and elsewhere to reflect what Im currently doing at TSA.  Apparently, IDS analysts in this area are in hot demand, but that’s not really what I do any more.  Unfortunately, what I -do- do isn’t as easy to tokenize/categorize as something like that. I do love it, though :) I like…making stuff work better than it did before and do new things.  People, in particular.

Here’s a link to the PDF:

And online:

So lately I’ve been monitoring (for various reasons) the SCADASEC mailing list run by Bob Radvanovsky.  In the course of a mostly unrelated discussion, Gadi Evron linked to the Estonian National Cyber Security Strategy and I decided to look it over.

It was of particular interest because it was written in the wake of the massive DoS attacks against Estonia and it marks probably the first government strategy written by a state that has had to deal with both being attacked as well as the international coordination/input involved in responding to them. We certainly have our own unique issues to deal with, but it’s definitely gives some intriguing insight.

There were a couple of things that stuck out because of their heavy emphasis:

  • Making their legal framework more consistent and interoperable in a way that would allow them to more effectively respond and handle threats. They found it to be decentralised and, in fact, partly contradictory.” This is going to be a huge problem for the US down the line…even more so than it is today.

  • The role of general society (vs government) in responding to threats as well as the importance to the state of the free flow of information to/from society: „Our task rests on a prescient awareness of the need to balance, on the one hand, the risks associated with the use of information systems and, on the other hand, the indispensability of extensive and free use of information technology to the functioning of open and modern societies — and the understanding that this is a challenge confronting not only Estonia but also the rest of the world. The growing threats to cyber security should not hinder the crucial role of information and communications technology in impulsing the future growth of economies and societies.”….” In our modern, globalising world, economic success and a high quality of life can be achieved only through recognising the great importance of the efficient handling of knowledge and information to the proper functioning of our societies. The very term ‘information society’ denotes a setting in which human values of all kinds are created, maintained, manipulated and transmitted in a standardised digital form; it is a further feature of an ‘information society’ that all members have access to such information through a complex data exchange network.” The US tends to address the material and business impacts of the internet and their cyber infrastructure, but we rarely talk about the critical role it plays in defining society itself now.  If we continue to divorce business and government from society, we are going to continue to wonder why everything seems to be sliding away.

Other points I noted:

  • They have a national SOA-like (data exchange layer) backbone with DNSSEC: and „“At the beginning, it was developed as an environment that would facilitate making queries to different databases. By now, a number of standard tools have been developed for the creation of eServices capable of simultaneously using the data of different databases. These services enable to read and write data, develop business logic based on data etc. The X-Road must enable to do any common data processing operation. Proceeding from this principle, several extensions have been developed for the X-Road: writing operations to databases, transmission of huge data sets between information systems, successive search operations of data in different data sheets, possibility to provide services via web portals, etc. The main component of the Estonian public information system architecture is the secure data exchange layer, X-Road, which is based on the public Internet. Although X-Road uses the Internet, it meets all three objectives of information system security – availability, confidentiality and integrity. The number of X-Road’s central components has been minimised and data exchanges between two information systems using X-Road are able to continue in case of its disruption. X-Road’s infrastructure includes countermeasures against both temporary disruptions and attacks aimed at hindering the provision of services. But because new forms of attack and threats in cyberspace are constantly emerging, it is necessary to develop further X-Road’s security measures” Our businesses can’t even seem to get this together, how can they? For god’s sake…we NEED a data interface layer like this in our infrastructure or we’re going to drown in our own unused inefficient data stores without ever being able to synthesize the kind of knowledge we need to in order to function as a society.

  • Their perspective on the nature of current threats: “The current and well known security objectives – confidentiality, availability and integrity of information – are no longer sufficient to ensuring cyber security. To secure the critical infrastructure, it is necessary also to address the severity of disturbances in its functioning, non-repudiation and authenticity of information sources.” I guess all I can say to this is “duh. Why dont we talk more about this publicly on a government level?”

Follow me on Twitter

My Art / Misc. Photo Stream