William T. (Tim) Shaw
PhD, CISSP

If you’re like me, it took losing a lot of important files, software and ongoing work to convince me to finally get into the habit of making regular backups of my various PCs. Oh sure, I knew intellectually that I ought to be doing that all along. But, like most folks, it took an actual computer hard-drive failure, and the resulting ‘pain and suffering’ to finally drive that point home on a visceral basis. That was several years ago, but now I make and retain disk backups fairly religiously. The pain has faded but the backup habit, engrained while the pain was fresh in my mind, lives on.

I try to share my learning experience about making regular backups with others. But, humans – being the imperfect and occasionally hardheaded creatures that we are – always seem to have to experience something personally in order to really get the picture. Cyber security preventative measures are kind of like that; people don’t really believe they need them until the unthinkable happens to them personally. They may intellectually understand the arguments for protective measures, and the discussions of threat agents and malware, but it isn’t REAL until it hits close to home.

One of the most frustrating aspects of security – particularly cyber security – is that if you have designed and implemented an effective and comprehensive security program you may never have a security incident. I’m not talking about the constant nibbling at the edges of your “electronic cyber-perimeter” that occur regularly if you have Internet connectivity. I mean an actual attempt to breach your electronic and/or physical security perimeter. If you present a strong enough security front to a potential attacker, after a bit of such nibbling and probing, the attacker may decide to look for an easier target. If not, then you are probably being targeted and you can likely expect to see a serious attack at some point in the future! The problem is that you don’t usually know how many potential attackers were either scared off by your defenses or couldn’t make any headway against them and gave up on their attempt to break in.

The fact is, it’s difficult to keep people focused on security issues – let alone justify ongoing security expenditures – when nothing much ever seems to happen. The problem is similar to that of keeping folks focused on safety. People tend to remember safety and follow the proper procedures only after someone else didn’t and was injured – or worse. Likewise, they usually start making regular disk backups right after they lose everything!

One of the reasons for an ongoing security awareness program, for periodic retraining of key personnel, and for periodic tests of your response and recovery procedures, is to help fight the effects of accumulated complacency. Another is to make sure that you are ready for those surprises mentioned earlier. By definition, surprises are unexpected, so you need to plan for them in advance. You need to design and prepare response and recovery plans and associated procedures that address a wide, but reasonable, range of possibilities.

Even more importantly, you need to practice these procedures periodically to make certain that your personnel can perform them and that the procedures are complete, accurate and actually achieve the intended results.

Over the years I’ve been extensively involved in reviewing response and recovery procedures. In performing tabletop rehearsals of such procedures, more often than not I find a point where an important step is left out, is incorrectly documented or requires something (e.g., a key, a password or a dongle) that may not be available to the personnel who would be performing the procedure. It is crucial to rehearse your critical procedures so that applicable personnel remain familiar with them and to identify and correct problems.

Often the problems with written procedures come from the fact that the people writing them are too familiar with and intimately knowledgeable about the process involved. Such people tend to leave out steps that seem obvious or intuitive to them. I like to hand important written procedures to people who have no knowledge about the process and purpose, just to see if they can follow along and perform the procedures successfully. I know that experienced and tech-savvy people get irritated with trouble-shooting procedures that start with: “Make sure the equipment is plugged in and turned on…” but the truth is that your critical procedures probably ought to go to that level of instruction and detail. The start of a new year is a good time to dust off those important procedures and organize a dress rehearsal to keep your staff on their toes and to identify any changes that may be required.

Even though nothing of a cyber security nature may have happened to you this past year, that lack of activity should not lull you into believing that your security program is perfect. People with NO security program or protections still manage to coast along without being subjected to an attack. But I think we would all agree that such a situation is mostly pure luck and that luck can easily be pushed too far, simply by continuing to rely on it as your primary defense mechanism.

Moreover, if you consider an absence of identified cyber attacks as the basis for declaring your program as ‘perfect’ you may be just coasting along and pushing your luck. The cyber ‘threatscape’ is ever-changing as new vulnerabilities are discovered and new attack mechanisms are being devised daily. In fact, nearly every year in recent memory has brought something new to the table. For example, discovery of the Stuxtnet worm this past year changed the rules again. And unless you routinely upgrade your defense profile, odds are that your current cyber defenses and procedures may not adequately defend against these new kinds of threats.

The start of a new year is a good time to review the latest cyber security threat information from authoritative sources –such as USCERT – and then to reexamine your current security program with an eye towards ensuring that it is adequate to protect you from the latest and most potentially harmful threats. If it IS adequate, you have my congratulations! But if it isn’t adequate (there are strong odds on that bet) then you had better evaluate, create and implement the necessary changes. Someone once said that whatever you did to reach this point won’t be good enough to take you into the future. So as we embark down the path of a new year, that should be everyone’s cyber security motto!

If you have implemented an intrusion detection system (IDS) or have the right advanced features in your electronic perimeter firewall(s) then you probably have logged events this past year that might indicate an attempt to penetrate your cyber defenses. But, analysis of event logs is still something of a black art, other than for after-the-fact forensic analysis. Skilled hackers know how to be very stealthy and what types of traffic characteristics an IDS or enterprise firewall look for to indicate likely attacks.

Thus, it isn’t always easy or possible to sort the nibbling and probing log entries from the serious early stage of attack – i.e., hackers performing reconnaissance – log entries. But vendors of IDS and firewall technologies keep improving their detection capabilities, and vulnerability-testing tools (e.g., Metasploit and Nessus) keep adding to their capabilities.

The start of a new year is also a good time to check with all of your vendors for security updates and enhancements and to make sure your plant cyber security team or IT department is using the latest and best tools. It is also a good time to run tests on your defenses to verify that unauthorized ‘holes’ haven’t been created since the last time you checked them and that they are still adequate against the newest attacks and threats. This is particularly true as regards wireless technology since most (all?) new computers come equipped with some type of wireless connectivity. It is always better that you find the potential problems and security vulnerabilities and fix them before the bad guys exploit them. Clearly, that’s not the best way to find out you have problems!

Something I like to do at the end of every year is to review the list of new techno-toys to see if any of them pose a potential security threat. For example, this past year we have seen the introduction of new cell phones that can also act as a “hot spot” (WiFi access point) and also hand-held devices that provide the same capability. You might want to consider whether you need to update your policies and procedures to address such devices and how their use should be managed and controlled at your various facilities.

Maintaining adequate and effective cyber security is a never-ending project. I routinely prepare checklists of things I need to do monthly, quarterly and annually to test, validate and update my security program… but that will be the subject matter for a future column. Meanwhile, a happy (and secure) new year to you all! – Tim.

About the Author

Dr. Shaw is a Certified Information Systems Security Professional (CISSP) and has been active in industrial automation for more than 30 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.