William T. (Tim) Shaw
PhD, CISSP / CIEH / CPT

If you keep track of cyber incidents and hacking-related news events as I do (ok, you probably don’t – but I am old and have no life, so I do) you can’t have failed to notice that they no longer nearly exclusively target US interests. A few years back most cyber attacks were aimed at getting into our government (and military) systems along with financial institutions and business systems containing personal and financial information. Sure, some Russian hackers attacked some infrastructure assets in former Soviet-block countries and turned their lights off and you occasionally saw some ‘hacktivist’ organization deface an evil corporate website or release embarrassing emails. But mostly it was the Chinese trying to steal our technology and the Russian and US mobs trying to steal all your savings and pathetic middle-eastern terrorist ‘wanna-be’ groups putting up web sites promising to send all of us evil Americans (and the Israelis) to Islamic hell. Ah, the good old days.

Lately you hear about a hacking exchange between Pakistani and Indian groups, you see Chinese hackers and Pilipino hackers going after each other, we discover hackers launching specifically tailored trojans against specifically selected Japanese banks, and the Government of Myanmar hacking into Gmail accounts of some of its citizens. There are Syrian hacker groups going after targets in Saudi Arabia, Korean hackers going after targets in China and Taiwan, and the list goes on and on. In this age of universal Internet access and computer literacy the only country without a home-grown hacker community may be Pago Pago (and I might be wrong about that.)

The world today seems to be filled with crafty and cunning folks who are constantly looking for new ways to attack and break into the computers of others. And the threats and attack methods are shifting. More of the recently identified malware is customized and targeted for specifically identified targets rather than for general dispersion. Defensive mechanisms can’t be limited to scanning for known malware ‘signatures’ any more. The most dangerous stuff is all zero-day and may only be identified and blocked after it has gotten past your security perimeter and starts performing its intended malicious functions. If you have a company with a web site and email server (and who doesn’t these days) you are probably ‘scanned’ several times every day from sources located all over the world. Almost makes you want to throw up your hands and take an axe to the router connecting you to the Internet. But there are things that can be reasonably done to erect a pretty sturdy cyber barrier and defensive boundary between the computers and networks you depend on and all of those folks who would like to break in and trash the place (from a cyber-perspective). We have discussed many of them in this column of the past few years.

To date each organization that sets out to establish some cyber peace of mind has had to rely on the skills and experience of their respective IT/Engineering staffs, recommendations published by various industry groups, books on the topic, vendors who insist that their product is a cyber panacea and consultants who will reveal the truth and solve all their cyber ills for enough money. Wouldn’t it be nice if there was a really smart group of folks who could establish a clearinghouse and bring all of this together and issue (and update) industry-segment-specific recommendations based on the funny little differences that make generic and universal approaches untenable? And do it really, really soon? Like yesterday?

By Presidential directive the National Institute of Standards and Technology (NIST) has just kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The ‘Cyber-security Framework,’ as it is being called, was initiated at the behest of the President after several recent attempts to pass cyber security bills (and pretty much everything else) failed to make it through Congress. This executive order calls for the development of a common core of standards and procedures aimed at keeping critical computer and communication systems from falling prey to a wide range of cyber threats. NIST claims that the project will allow government agencies and private firms to be reasonably sure that security measures implemented based on the framework will be effective and provide the best bang for the buck.

I personally have a lot of respect for the work done by NIST. Their 800-series special publications are excellent references for IT best practices and a good technical reference on many IT and cyber topics (although some are very Government issues specific – not many plant automation systems contain classified, Top Secret information). I regularly quote the NIST SP-800 documents in various courses I teach. But my concern is that drawing exclusively on NIST, or any of the major national labs, will not result in the promised results. I have already seen attempts by various groups to force-fit NIST IT cyber security recommendations (from, for example, SP 800-53) into industrial automation applications with no regard to the rather significant differences between business IT and industrial plant automation. When you hear people talking about applying security patches to smart panel indicators or running virus scanning software on a PLC or installing a firewall on a digital chart recorder you realize that there is a basic lack of industry segment understanding.

I have also personally witnessed that one government entity/agency may not have any awareness of the rules and regulations put in place by another. So requiring that updates and patches be installed as soon as they are available may seem like a good practice to an IT cyber person from NIST, but the pharmaceutical company faced with FDA ‘validation’ strictures or the nuclear plant operator with NRC design change procedural hoops to jump through, may see this as a very unworkable practice. A ‘one size fits all’ approach to best cyber practices isn’t going to be all that helpful. I am not saying that some cyber security practices might work well across the board. But many will not. And the best ‘bang for the buck’ would come from recommendations and best practices that are aligned with industry segment regulations and automation technologies. Recognize that an RTU or PLC has to be treated differently than a PC running a Windows O.S.

Again, let me express my admiration for a lot of the great work that has come out of NIST. My sincere hope is that NIST gathers industry segment automation and digital instrumentation experts from each of the major DHS-defined infrastructure segments/sectors and includes their knowledge in the development of the cybersecurity framework. NIST did team-up with the ISA (International Society for Automation – formerly the Instrument Society of America) a couple of years back to develop a more plant/process-friendly set of recommended general cyber practices. It was a step in the right direction. Some of these experts might need to come from the vendor community. I always get a bit nervous about having vendors on a standards committee as they almost invariably tend to try and guide the standards in favor of their products. Naturally they think that their products are the best. Sometimes they may even be right on that score. Frankly issuing recommended practices and standards without taking into account the current state of commercially available technology is just dumb. But many a standards committee has bogged down and failed due to squabbling members who refuse to look objectively at the competition and find a middle ground that serves everyone fairly (you know – just like Congress.)

I will be anxiously watching the work of NIST and their development of a cybersecurity framework. I really hope they do a bang-up job because, as I said at the beginning of this column, there is a cyber war going on out there and we need to protect ourselves. I hope that if they actually do a good job, and the results are designed around the specific needs of each industry segment, that the industry will voluntarily adopt and implement them. Of course when I was a kid I also hoped to get a go-kart. But hey, sometimes wishes and hopes do come true. But that will have to be the subject matter for a future column.

About the Author
 
Dr. Shaw is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (C|EH) a Certified Penetration Tester (CPT) and has been active in designing and installing industrial automation for more than 35 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. He has also developed, and is an instructor for, a number of ISA courses. Dr. Shaw is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net