Successful ransomware attacks are at an all-time high, we are losing the cyberwar, cyber criminals are making more money than ever before and it is only going to get worse, a cyber attack could be as damaging as a nuclear war – the headlines abound with comments such as these. Yet there are still a lot of postings about how information security should not be the office of No. Really? Information security is a security function. As an information security professional, are you really going to say, “Yes, sure, go ahead and port that un-scanned software code into our production environment”? I would hope you are going to say, “No, you cannot port that un-scanned software code into our production environment.” No is not a bad word; it is one that the job requires us to say. If you are offended when someone says you are the office of No, don’t be. For a security professional, no is a good response. I train my team members to say “yes, but” in order to soften the perceived impression of the word no (here’s a clue: “yes, but” is still a no, no matter how you spin it).
However, I have yet to sit in a business meeting and see any of my peers simply say no without being willing to engage in dialogue that would lead to a good and secure solution. So for those who don’t like to say no, do it this way: yes, you can put that server with 2 catastrophic exploitable vulnerabilities into the environment after we help you remediate the vulnerabilities or work on additional adequate controls that will allow us to use the server in a safe and secure manner. For me, information security professionals can and should say no, but after doing so we need to be helpful and smart enough to engage in conversations that help the business figure out how to do what they want to do in a way that is cost effective, safe and secure.
In many ways, with the types and number of successful attacks we are experiencing across the U.S. infrastructure, being the office of Yes is a far scarier response than saying No to items that put your business at risk.
One item that really bugs me is to hear IT and Cyber Security professionals espouse that the perimeter is dead and that Cyber Security professionals should stop focusing on tools that protect the non-existent perimeter. I was at a lunch with a fellow CISO a few months back and he had invited his CIO to lunch with us. The CIO had recently attended a seminar where they talked about the perimeter no longer existing, and he was truly wondering if he could just get rid of his firewalls. It was a fun conversation, but also a bit scary to me that the conversation actually had to take place. The reality is that while the perimeter has changed, we still host most of our systems and data in a data center or in multiple data centers, and whether these data centers are on premise or in the cloud they still have a perimeter that needs to be protected. Bad actors, both external and internal, need to be kept out of areas they have no business being in. To do that requires a strong perimeter consisting of next-generation firewalls such as the ones Palo Alto or Cisco provide. These first-line perimeter defense tools should alert into your Security Alert tool (such as QRadar or Splunk) and should also be running Intrusion Prevention and WildFire-type technologies.
The perimeter exists; heck, in most organizations an argument could be made that multiple perimeters exist. Let’s quit saying that there is no perimeter, as the people we are tasked with protecting don’t need to be walking around thinking that they can get rid of their perimeter protection tools.
I have been lucky enough to spend most of my Cyber Security career doing startup operations for large companies. I thrive on the energy and passion that teams get when they are given the opportunity and support to design and implement security protections for their company.
One of the things that I am often asked is why I focus some of my first efforts on locking down the end user system before locking down the servers and databases. This is a great question and one that can spark many hours of debate. Please don’t send me a lot of comments telling me that databases and servers are where the information is – of course I know that.
For me, and remember my work has been mostly in very large global enterprises with a mix of blue collar and professional staff, it is a matter of evaluating risk. In large companies it is often hard to know where all the servers are and who owns them, but it is a pretty safe bet that the person running the server is a techie and has been running and protecting these types of systems for a number of years; ergo they have much more knowledge of how to protect a system, and how not to fall for a bad actor’s attack, than most end users. I need to consider whether 50,000 or 100,000 attack vectors (i.e. end user systems), all with email accounts, usually with admin access to their systems and wanting to open attachments and PDFs, pose more of a risk than 4,000 to 5,000 attack vectors (i.e. servers) that typically don’t surf the web or get email. My choice in the first 12-18 months is to say that the end user systems pose more overall risk than the servers. This leads to aggressively putting in controls and protections for those systems first. Please don’t take this out of context – of course in parallel I drive initiatives to patch server vulnerabilities, get servers logging into a Security Alerting system, set up a SOC, etc., but given choices with limited resources and time I choose to deploy endpoint encryption, good AV and HIPS, taking away admin rights, software such as Tanium, two-factor authentication for email, etc. on the end user system first.
Our job is to enable the business to do neat stuff such as this in a secure manner: our approach is to help them design their solution in a secure way and make recommendations that allow them to continue…. We need to be smart enough to help them while at the same time getting them to put reasonable controls in place – Kevin L. McLaughlin
One common item that Information Security Professionals working in Critical Manufacturing environments have to deal with is that of legacy systems. You see, in Critical Manufacturing environments it is very common for the systems that run and control factory lines to remain in place for a very long time. Some of these systems can be running Operating Systems (OS) that are 10 to 15 years out of date. In many cases these operating systems are no longer vendor supported and cannot be patched to remediate known exploitable vulnerabilities. These older systems are often used to run production lines, and they still do a great job at doing what they were purchased to do. It is difficult, rightly so, to convince the leadership team at a factory to spend money to replace something that is old but that is still doing the job it was purchased to do. It costs money and reduces potential profits to replace these old and outdated systems with new systems. Because they continue to do the job they were purchased to do, justifying the new spend can be a difficult thing to do.
From an Information Security point of view these systems pose a large risk to the overall manufacturing environment and, if hacked, could cause a large-scale production outage. In smaller companies this type of major Cyber attack can result in no longer being able to conduct business and permanently closing the doors. Legacy systems that are commonly found on the shop floor are often 3, 4 or even 10 years out of date when it comes to standard Information Technology patching. Information Security Professionals look at these systems as attack vectors, while the people working in the Critical Manufacturing environment view them as cost-effective workhorses that are getting the job done. While cyber attacks on networks at Sony, Target, Home Depot and the US Government are getting all the press, the greatest cyber vulnerability is in manufacturing. “By raw numbers, and by the numerous manners of attacks, manufacturing is the most targeted area now, even compared to financial services,” Chet Namboodri, senior director of Global Private Sector Industries at Cisco, told Design News. “Financial services gets more press, but industrial networks get more attacks.” Attacks and warnings such as Stuxnet, Aramco, SolarWorld and U.S. Steel, through to U.S. regulators and security experts sending out an official warning that hackers could now access critical medical equipment including pacemakers and insulin pumps with potentially deadly results, make the threat to Critical Manufacturing a real one. Determining what to do in order to lock down and protect the legacy systems, while at the same time allowing them to continue doing the work they have been doing, is a major part of an Information Security professional’s job.
“You can’t scan that system (or you can’t put AV on that system) because it is old and fragile and if you bring it down we will not be able to produce our product” is an all too common phrase in the Critical Manufacturing environment. In many cases Information Security Professionals are asked/told to please just leave the systems alone: do not run vulnerability scans, do not put antivirus on them, do not put a light firewall on them, do not patch them, do not put updates on them, etc. This type of thinking by Information Technology and Factory leadership teams is shortsighted and is putting their entire production capability at huge risk of catastrophic failure. As these legacy systems are outdated and no longer supported by the vendor, they are hugely exploitable to any blackhat or hacker that wants to take advantage of their exploitability. The reality is that the risk is real, the risk is great, and from past events we know that these systems pose easy-to-use attack vectors for blackhats, fraudsters and competitors seeking to cause negative business impact to the company.
Information Security professionals working in Critical Manufacturing should take the approach shown in Table 1 for dealing with the computer systems residing in the factory environment on the plant floor. By following this methodology the legacy systems will be protected while at the same time being able to continue doing the job they are good at and that they were purchased to do. In most cases this approach will also reduce the overall risk that these systems pose to an acceptable level.
This approach when combined with the network segmentation and smart firewall approach discussed in my previous blog on Critical Manufacturing is the start of a successful recipe in securing a Critical Manufacturing environment.
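To make the segmentation-and-smart-firewall idea concrete, below is an added example (mine, not code from the original post or from any vendor product mentioned above) that models the two points the post makes: keeping actors out of zones they have no business in (the perimeter discussion earlier) and fencing off unpatchable plant-floor hosts behind a default-deny allow-list. It evaluates constructed flow records against zone rules and emits key=value alert lines of the kind a Security Alert tool such as QRadar or Splunk could ingest. All addresses, zone names, the legacy-host inventory and the permitted ports (Modbus/TCP 502, RDP 3389, a historian database on 1433) are assumptions chosen for the example, not values from the post.

```python
"""Zone allow-list check for legacy plant-floor hosts with SIEM-style alert output.

Added example, not part of the original post. Addresses, zones, ports and the
legacy-host inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Network zones (constructed). More specific prefixes win, so the engineering
# subnet is carved out of the larger corporate range.
ZONES = {
    "engineering": ip_network("10.10.200.0/24"),
    "corporate": ip_network("10.10.0.0/16"),
    "plant_floor": ip_network("10.50.0.0/24"),
    "historian_dmz": ip_network("10.60.0.0/24"),
}

# Plant-floor hosts that cannot be patched or scanned (constructed inventory).
# Any violation touching one of these is raised to high severity.
LEGACY_HOSTS = {"10.50.0.20", "10.50.0.21"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None means any destination port


# Default-deny allow-list. Ports are assumptions for the example:
# 502 = Modbus/TCP, 3389 = RDP for engineering support, 1433 = historian database.
RULES = [
    Rule("engineering", "plant_floor", "tcp", 502),
    Rule("engineering", "plant_floor", "tcp", 3389),
    Rule("plant_floor", "plant_floor", "tcp", 502),
    Rule("plant_floor", "historian_dmz", "tcp", 1433),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Longest-prefix zone lookup; anything outside the defined zones is 'external'."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "external"


def is_allowed(flow: Flow) -> bool:
    """True only if some rule explicitly permits this direction, protocol and port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == flow.proto
        and (r.dport is None or r.dport == flow.dport)
        for r in RULES
    )


def evaluate(flows: List[Flow]) -> List[Dict[str, object]]:
    """Return one alert record per flow the allow-list does not permit."""
    alerts = []
    for f in flows:
        if is_allowed(f):
            continue
        legacy = f.src in LEGACY_HOSTS or f.dst in LEGACY_HOSTS
        alerts.append({
            "severity": "high" if legacy else "medium",
            "src": f.src, "src_zone": zone_of(f.src),
            "dst": f.dst, "dst_zone": zone_of(f.dst),
            "proto": f.proto, "dport": f.dport, "legacy": legacy,
        })
    return alerts


def to_syslog(alert: Dict[str, object]) -> str:
    """Flatten an alert into a key=value line for forwarding to a SIEM."""
    return ("SEGMENTATION_VIOLATION severity={severity} src={src}({src_zone}) "
            "dst={dst}({dst_zone}) proto={proto} dport={dport} legacy={legacy}"
            ).format(**alert)


# Constructed flow records, as a firewall or flow collector might report them.
SAMPLE_FLOWS = [
    Flow("10.10.200.5", "10.50.0.20", "tcp", 502),    # engineering -> PLC host: allowed
    Flow("10.50.0.20", "10.60.0.10", "tcp", 1433),    # PLC host -> historian: allowed
    Flow("10.10.5.44", "10.50.0.20", "tcp", 445),     # corporate desktop -> legacy host SMB: high
    Flow("10.50.0.21", "203.0.113.10", "tcp", 80),    # legacy host -> internet: high
    Flow("10.10.5.44", "10.60.0.10", "tcp", 1433),    # corporate desktop -> historian: medium
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(to_syslog(alert))
```

The rule set is deliberately one-directional: a flow from the plant floor back to the engineering subnet is not covered by any rule and is therefore denied, which is the behaviour you want when the plant-floor host is the one you cannot trust to be patched. Running the script prints three alert lines, the two touching the unpatchable hosts tagged high, so the SOC can triage the legacy estate ahead of ordinary policy noise.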
Still for foundation-level folks, but a somewhat more technical view of Defense in Depth than last week’s post.