10/31/2011 - The energy sector encompasses many of the most critical infrastructures in the world. Take heed of that fact when building out your Industrial Control System (ICS) cyber security solutions. Consider the importance of your role in assuring the continued reliability of these infrastructures and the impact of the security measures you are implementing.

10/30/2011 - Review your remote access policies, procedures and technical security solutions specific to your Industrial Control System (ICS) networks. A good checklist of considerations can be found in Joel Langill's Security Objectives for Remote Access on page 13 of his ICSJWG presentation. Also, implement an ongoing remote access discovery practice. In addition to network-based and war-dialing discovery methods, include physical walk-throughs of your control network - you never know when a rogue modem might have been installed.

10/29/2011 - Don't forget to apply good security practices to your data historians. OSIsoft PI, GE Proficy, Siemens SINAUT and other historians require the same defense-in-depth protection as other critical cyber assets. Review the security options available in the historian you are using - often there are security features that go unused or are misconfigured.

10/28/2011 - Before you embark on a vulnerability assessment (VA) of your industrial control systems (ICS), take a gander at this National Security Agency (NSA) ICS assessment framework - http://1.usa.gov/uGDIdI. Consider using this framework to help build your internal ICS VA program or when establishing VA requirements for outsourced services.

10/27/2011 - "Optimal security configuration." That is what Digital Bond's Bandolier project aims to help asset owners and vendors achieve for Industrial Control System (ICS) servers and workstations. This is a must-have tool for your ICS security kit, and applying an appropriate security configuration to your ICS assets is a must-do activity.

10/26/2011 - Information Sharing doesn't need to be a formal arrangement. Get to know your neighboring utilities and discover who is responsible for cyber security in their organizations. Open up a line of discussion that includes organizational security practices, potential joint projects and sharing of contact information to be used in the event of an emergency.

10/25/2011 - Pay attention to what's happening! Examples of online sources you should consider watching: SANS NewsBites, ICS-CERT, InfoSec Island and the Tactical Analysis Center Handler's Diary (asset owners only, requires registration - www.energysec.org/join). An RSS reader can be used with all of these sources to aggregate the information flows.

10/24/2011 - Utilize your organization's procurement process to identify cyber security specifications that the vendor must meet and/or require a third party security assessment to be performed prior to purchase. You are the responsible owner and must be certain that the products selected to be used in your control environments have the security capabilities necessary to maintain and improve system reliability.

10/23/2011 - Protecting your cyber assets against physical malicious activity within the control environment is often overlooked. Consider implementing lockable Ethernet cables, tamper-proof outlets and USB port locks as additional measures to address unauthorized access to these devices. Googling for these terms will result in many options suited for your control network.

10/22/2011 - Many legacy systems in your control environment use outdated operating systems and are not able to be patched due to technical limitations. Often these types of systems are incapable of having anti-malware solutions installed on them as well. If possible, you should work with your vendors to replace these systems. If that is not an option, you should isolate the legacy systems within your control network using VLANs or other network segmentation strategies.

10/21/2011 - Don't forget to include firmware updates as part of your security patch management practice. Be mindful of how those firmware updates are being delivered and implemented! Take the time to review your Industrial Control System (ICS) devices and develop specific procedures for implementing firmware updates that include testing before moving to production.

10/20/2011 - Be sure to establish processes for contingency planning specifically for industrial control systems. Your planning should consider a broad range of failure scenarios resulting from a possible cyber incident, establish methods to restore or replace systems to a known good state, and identify alternative solutions for continued operations in the event of an actual incident. Read the "An All Hazards Approach" section in the September edition of ICS-CERT's Monthly Monitor for additional information - http://1.usa.gov/nLNl0k.

10/19/2011 - Security lessons are to be had from the past - read about it and learn! Did you know that the Urgent Action Standard 1200 was adopted by the NERC Board of Trustees on August 13, 2003, just one day before the Northeast blackout of 2003? You can read the UAS1200 standards here and the final report on the Northeast blackout here.

10/18/2011 - Don't assume that employees working in non-security jobs understand security risks. Be sure to take the time to explain the threats, vulnerabilities and potential impacts using real world examples that the targeted audience can relate to. Talking about the details of a security risk methodology to a group of control room operators is probably not a good use of your time or theirs. Instead, consider discussing known adversaries and, if possible, the ways they have maliciously exploited vulnerabilities related to systems the operators use on a daily basis. Focus on the potential impact if an attacker were able to infiltrate the control environment or a specific critical asset.

10/17/2011 - Be mindful of Industrial Control System (ICS) security standards, recommendations and other similar documents. The Swedish Civil Contingencies Agency (MSB) published this 2010 document that makes many references to such content - http://bit.ly/pDljuc. This may be useful in your ICS security awareness efforts!

10/16/2011 - As part of Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) activities, perform rigorous attack resilience testing of new systems. Budget for a third party vulnerability assessment and penetration test as you spec new systems.

10/15/2011 - Review equipment inventory in your control environments on a regular basis and ensure you are subscribed to the appropriate patch notification services. Keep an eye on firmware updates as well!

10/14/2011 - Pay attention to seemingly insignificant virus infections. When malware is discovered on only one or two machines, it can often be the hallmark of a highly targeted attack that requires qualified forensics resources to investigate.

10/13/2011 - As you develop your Aware Person System (APS), establish routine tests of your users and their habits when receiving phishing emails. The Anti-Phishing Working Group has a number of excellent resources - http://bit.ly/r3I6IZ.

10/12/2011 - Develop an Aware Person System (APS). Hire and continuously train security personnel who have strong deductive reasoning capabilities and are skilled at using a variety of security tools. An appropriate balance of skilled people and technology should be applied in establishing an efficient and effective cyber security program.

10/11/2011 - When researching and selecting code fragments, support libraries, virtual machines and other software components for your web application development projects, treat them as untrusted and potentially hostile until proven otherwise. Utilize malware detection tools before using these components and follow a software development lifecycle practice that incorporates good security testing practices. For security tools to evaluate web applications and learn about security assessments in the software development process, check out the OWASP project - http://bit.ly/nCN2mz.

10/10/2011 - Ensure published case studies, regulatory filings, conference materials, websites, blogs and other public information sources do not include sensitive information about your critical infrastructures. For more information about what sensitive information should be protected, read pages 4 and 5 of this National Association of Regulatory Utility Commissioners (NARUC) publication - http://bit.ly/qXVJ1p.

10/9/2011 - If you suspect a security breach, do not perform any active research on the adversary. Even tasks as simple as Domain Name Service (DNS) lookups may provide the attacker enough information to know they have been discovered causing a change in their tactics or an acceleration of their attack objectives. Instead, engage a qualified forensics resource who can assist with your issue such as the Industrial Control System Cyber Emergency Response Team (ICS-CERT). More information about the ICS-CERT's free of charge on-site incident response program can be found here.

10/8/2011 - Revisit your assumptions. Take time - at least monthly - to step back and think about what you're securing. Consider a variety of possible malicious actors (who or what), the probability of those actors carrying out an attack on your systems and the methods that may be used.

10/7/2011 - Consider job shadowing as a practice to understand the environment you are trying to help secure. For example: if you are an IT security professional, seek out someone in your control system operations to learn about their day-to-day responsibilities. You will be amazed at how much you learn, and you will likely earn a few goodwill points with the system operators.

10/6/2011 - Security training is an important component of any good cyber security program. Be sure to provide training opportunities for your system operators that focus on the Industrial Control System (ICS) environments.

10/5/2011 - Reach out and connect. Find one or two organizations similar to yours and connect with their security staff to share ideas, concerns, and solutions.

10/4/2011 - Review the configurations of your Industrial Control Systems. Look for options that will improve your security posture, such as changing default passwords. Consider using tools such as Digital Bond's Bandolier to help in this effort - http://bit.ly/nvGMbg.

10/3/2011 - Check your Domain Name Service (DNS) logs for unusual activity. This could indicate the use of DNS as a communication channel between malicious parties and devices on your network. Read more about DNS as a covert channel in this whitepaper.
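As an added example (not part of the original tip), the following Python scores a constructed sample of resolver log lines for the pattern that typically marks DNS used as a covert channel: many distinct, high-entropy names under one registered domain, carried heavily in TXT records. The log layout, the thresholds and the two-label registered-domain rule are assumptions made for this example.

```python
import math
from collections import defaultdict
# Constructed sample resolver log: timestamp, client, query type, query name (layout is assumed).
SAMPLE_DNS_LOG = """\
2011-10-03T08:12:01 10.1.5.22 A hmi01.corp.example
2011-10-03T08:12:03 10.1.5.22 A ntp.corp.example
2011-10-03T08:12:05 10.1.5.40 TXT 9a7f3c1e0b2d4f6a8c.tunnel.example
2011-10-03T08:12:06 10.1.5.40 TXT 1d5e7b9a3c2f4e6d8b.tunnel.example
2011-10-03T08:12:07 10.1.5.40 TXT c3e5a7b9d1f2e4a6c8.tunnel.example
2011-10-03T08:12:08 10.1.5.40 TXT 4b6d8f0a2c3e5d7f9b.tunnel.example
2011-10-03T08:12:10 10.1.5.22 A historian.corp.example
"""

def shannon_entropy(s):
    """Bits per character: dictionary-like labels score low, encoded blobs score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Assumes a two-label registered domain; production code would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def profile_domains(log_text):
    """Per registered domain: distinct names seen, entropy of each leftmost label, TXT count."""
    stats = defaultdict(lambda: {"names": set(), "entropies": [], "queries": 0, "txt": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["entropies"].append(shannon_entropy(qname.split(".")[0]))
        s["txt"] += 1 if qtype == "TXT" else 0
    return stats

def suspicious_domains(log_text, min_unique=4, min_entropy=3.5, min_txt_share=0.5):
    """Flag domains with many distinct, high-entropy names and heavy TXT use (tunnelling pattern)."""
    flagged = []
    for dom, s in profile_domains(log_text).items():
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if (len(s["names"]) >= min_unique and mean_entropy >= min_entropy
                and s["txt"] / s["queries"] >= min_txt_share):
            flagged.append(dom)
    return sorted(flagged)
```

Thresholds should be tuned against a baseline of your own resolver traffic; legitimate CDN and anti-spam lookups also produce long, random-looking labels, so treat a hit as a lead for the forensics resource, not a verdict.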

10/2/2011 - Don't forget to update your AV signatures and periodically validate that your other anti-malware controls are functioning properly.

10/1/2011 - Take the time to review the logs of your control network boundary devices for unknown inbound or outbound connections on a regular basis.
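As an added example, not from the original tip, this Python compares constructed boundary firewall records against an allowlist of approved cross-boundary flows and reports everything else, so the review is of exceptions rather than of every line. The record layout, the 10.1.5.0/24 control network range and the allowlist entries are assumptions made for this example.

```python
import ipaddress
from collections import Counter
# Constructed sample of accepted boundary firewall connections (field layout is assumed).
SAMPLE_FW_LOG = """\
2011-10-01T02:10:11 ACCEPT tcp 10.20.0.15 -> 10.1.5.40:502
2011-10-01T02:10:12 ACCEPT udp 10.1.5.22 -> 10.20.0.50:123
2011-10-01T02:11:03 ACCEPT tcp 10.1.5.40 -> 198.51.100.7:443
2011-10-01T02:11:04 ACCEPT tcp 10.1.5.40 -> 198.51.100.7:443
2011-10-01T02:12:30 ACCEPT tcp 172.16.9.9 -> 10.1.5.22:3389
2011-10-01T02:13:00 ACCEPT udp 10.1.5.22 -> 10.20.0.50:123
"""
CONTROL_NET = ipaddress.ip_network("10.1.5.0/24")  # assumed ICS address space

# Approved flows: (direction, remote network, protocol, port); "in" = remote side initiates.
ALLOWLIST = [
    ("in", ipaddress.ip_network("10.20.0.0/24"), "tcp", 502),   # corporate historian polling Modbus/TCP
    ("out", ipaddress.ip_network("10.20.0.50/32"), "udp", 123),  # NTP to the corporate time server
]

def parse_record(line):
    """Return (direction, remote_ip, proto, dport) for a boundary crossing, else None."""
    _ts, action, proto, src, _arrow, dst = line.split()
    if action != "ACCEPT":
        return None
    dst_host, dport = dst.rsplit(":", 1)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst_host)
    src_in, dst_in = src_ip in CONTROL_NET, dst_ip in CONTROL_NET
    if src_in == dst_in:
        return None  # both ends inside (or both outside): not a boundary crossing
    direction = "in" if dst_in else "out"
    remote = src_ip if direction == "in" else dst_ip
    return direction, remote, proto, int(dport)

def is_known(flow):
    """True when the flow matches an allowlist entry on direction, network, protocol and port."""
    direction, remote, proto, dport = flow
    return any(direction == d and remote in net and proto == p and dport == port
               for d, net, p, port in ALLOWLIST)

def unknown_flows(log_text):
    """Count boundary flows not covered by the allowlist, keyed by (direction, remote, proto, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_record(line)
        if flow and not is_known(flow):
            counts[(flow[0], str(flow[1]), flow[2], flow[3])] += 1
    return counts
```

Every flow the report lists is either a gap in the allowlist to be documented or an unexpected connection to be investigated; either way the allowlist doubles as the written record of what is supposed to cross the boundary.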