Saturday 30 April 2016

Industrial information security awareness

Having dusted off an old security awareness module on SCADA/ICS, we reviewed it to see what needed updating for May. It soon became clear that things have changed significantly in this area in the past seven years, hence we ended up re-scoping and re-writing the entire module. This time around we've broadened our perspective to cover all sorts of industrial IT systems and networks (including but going well beyond SCADA/ICS) and picked up on the issues relating to protecting critical national and corporate infrastructures.

There are important lessons to be learned from industrial incidents such as Fukushima, including the cascading failures that turned a Japanese disaster in 2011 into a global incident lasting much longer.

[I'm currently enjoying "The Power of Resilience: How the Best Companies Manage the Unexpected", a fascinating book by Yossi Sheffi that uses the Sendai tsunami and other examples to illustrate business supply chain resilience. Recommended reading.]

We also touch on the health and safety implications of industrial IT, acknowledging that shop-floor workers are valuable yet vulnerable information assets too and deserve every bit as much protection as do the robots, machine tools and pump controllers around them.

Friday 22 April 2016

Government sends Australia down the cybersecurity rabbit-hole

The Australian government's new 67-page cyber security strategy sets out to address "the dual challenges of the digital age—advancing and protecting [Australia's] interests online".

Its incomplete and arguably half-baked definitions of a few cyber terms, along with the thrust of the entire strategy and a lot of the rhetoric, indicate that the Australian government considers Australia to be under attack from [foreign] actors, i.e. competent and scary [foreign] adversaries intent on causing grave economic and social damage on a national scale to Australia through the Internet [specifically].

Despite the earlier mention of advancing Australia's interests in a positive sense, the strategy is overwhelmingly defensive/protective in nature, the main thrusts being:
  • Dispensing advice on "cybersecurity", which appears to mean either old-fashioned IT/network/data security or new-fangled Internet/online security. Either way, it's evidently not information risk and information security in the broad. Exactly who is to dispense the guidance (and what gives them the credibility and capability to do so), to whom, and what they are supposed to do with it, are not clear from the strategy.

  • Encouraging businesses to disclose ("share") information on their cyber-incidents to the government, for unstated purposes. As stated, the "sharing" seems to be purely one way. The paper doesn't even hint that businesses might get something valuable in return, to offset their not inconsequential costs and risks from "sharing" sensitive information with a government that can't even be trusted to keep its own cybersecurity in order.

  • Penetration testing ... that would leave tested organizations with the enormous challenge of addressing a mountain of identified technical vulnerabilities, keeping the focus away from other aspects of information risk, information security, privacy, governance, fraud, malfeasance and so on and on. [Perhaps that is itself a strategic objective? Watch the hands, watch the hands, follow the ball under the cup ...] Worse still, there are hints that the government intends to use classical network pentesting as a (if not the) mechanism for applying pressure to their suppliers, and perhaps Australian businesses in general, to improve their technical IT network/systems security, an approach known as coercion. I suspect this arises from the government having discovered the value of pentesting various government departments/agencies, but it pointedly ignores concerns such as how to go about prioritizing and addressing identified issues, and again completely disregards the fact that externally-exposed technical risks are a subset of all information risks, which is itself a subset of all risks. Pentesting does not meaningfully address insider threats, for example. Pentesting is unlikely to have identified or prevented Manning and Snowden.

  • 'Supporting' efforts to keep the Internet a free, neutral and open global social, commercial and governmental asset, I guess, although again the objectives are largely unstated. This aspect is quite distinct from and irrelevant to (perhaps even directly opposed to!) information risk and security, and smells to me like a lost waif and stray of a political agenda desperately searching for a home.
Despite my cynicism, I'm very impressed by the strategy website if not the strategy itself, and encourage you to peruse it for yourself. 

Comments, corrections, counterpoints and challenges are welcome. What do you make of it? How could it have been improved?

Monday 18 April 2016

Eternal passwords

Thanks to a tip-off from a colleague on CISSPforum, I've been reading advice just published by CESG (one of several spooky UK government outfits) concerning fixed password lifetimes.

In short, the official advice is to make passwords eternal i.e. non-expiring. 

Encourage and make it easy for users to change their passwords if they feel their current passwords are weak or may have been compromised (e.g. shared, guessed, stolen in transit or hacked from storage) but don't force them to change their passwords simply because "it's time".


"It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis."

Having long advised clients against enforced password lifetimes, I challenge the assertion that it is perfectly sensible advice - longstanding, yes, but it has never been sensible. As far as I'm concerned, it is merely superstition or folklore based on misconceptions and cloudy thinking.
  
Remembering lots of unique passwords is hard, so we humans tend to take shortcuts such as:
  • Re-using passwords with a predictable sequence on any one system and/or using the same password on multiple systems
  • Using passwords that are pathetically weak but easier to recall
  • Writing our passwords down (doh!)
  • Using obvious and hence easily-guessed rules to generate variant passwords on different systems, or obvious sequences for sequential passwords
Some of those weaknesses can be addressed by password parameters in the authentication system (a sensible minimum length, a password history that blocks re-use, and rejecting new passwords that are trivial variants of the previous one), others through effective security awareness ... but forcing regular password changes exacerbates the problems with little benefit.
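To make the "predictable sequence" point concrete, here is an added example (my own illustration, not code from CESG or from the original post). It models the handful of edits people typically make when told "it's time" (bump the year, add an exclamation mark, swap a letter for a look-alike digit, rotate the season), first as the guess list an attacker who already holds the old password would try, and then as the check a password-change routine could apply to reject exactly those guesses. The transformation rules, the minimum length of 12 and the sample passwords are assumptions chosen for illustration.

```python
import re
from typing import Iterable

# Illustrative edits users make under forced expiry (an assumed ruleset
# for this example, not an exhaustive attacker dictionary).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIX_SYMBOLS = "!@#$."
SEASONS = ["spring", "summer", "autumn", "winter"]
MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
MIN_LENGTH = 12  # assumed policy value for this example


def _split(pw: str) -> tuple[str, str, str]:
    """Split 'Winter2015!' into ('Winter', '2015', '!')."""
    m = re.fullmatch(r"(.*?)(\d*)([^\w]*)", pw, re.DOTALL)
    return m.group(1), m.group(2), m.group(3)


def transform_guesses(old: str, limit: int = 200) -> list[str]:
    """Enumerate the 'new' passwords a user is likely to derive from `old`.

    This is the attacker's view: with the old password in hand (from a
    breach dump, say), these are the first guesses worth trying.
    """
    stem, digits, syms = _split(old)
    out: list[str] = []

    def add(candidates: Iterable[str]) -> None:
        for c in candidates:
            if c != old and c not in out:
                out.append(c)

    # 1. Bump the trailing number: Winter2015 -> Winter2016, pass7 -> pass8.
    if digits:
        n, width = int(digits), len(digits)
        add(f"{stem}{str(n + d).zfill(width)}{syms}"
            for d in (1, 2, -1, 10, 100) if n + d >= 0)
    # 2. Start a counter when there is none: Winter -> Winter1.
    else:
        add(f"{stem}{d}{syms}" for d in range(10))
    # 3. Add (or double) a trailing symbol: Summer2015! -> Summer2015!!
    add(f"{stem}{digits}{syms}{s}" for s in SUFFIX_SYMBOLS)
    # 4. Rotate a season or month word: Winter2015 -> Spring2015.
    low = stem.lower()
    for words in (SEASONS, MONTHS):
        for i, w in enumerate(words):
            if w in low:
                nxt = words[(i + 1) % len(words)]
                repl = nxt.capitalize() if w.capitalize() in stem else nxt
                add([stem.replace(w.capitalize(), repl).replace(w, repl)
                     + digits + syms])
    # 5. Leet-speak one character: Winter2015 -> W1nter2015.
    for i, ch in enumerate(stem):
        if ch.lower() in LEET:
            add([stem[:i] + LEET[ch.lower()] + stem[i + 1:] + digits + syms])
    # 6. Flip the case of the first character.
    if stem:
        add([stem[0].swapcase() + stem[1:] + digits + syms])
    # 7. Move the numeric/symbol tail to the front: Winter2015 -> 2015Winter.
    if digits or syms:
        add([digits + syms + stem])
    return out[:limit]


def _core(pw: str) -> str:
    """Alphabetic core of the stem with leet undone: 'W1nter2016!' -> 'winter'."""
    stem, _, _ = _split(pw)
    unleet = str.maketrans({v: k for k, v in LEET.items()})
    return re.sub(r"[^a-z]", "", stem.lower().translate(unleet))


def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is a trivial edit of `old` that an attacker tries first."""
    if new == old or new in transform_guesses(old):
        return True
    # Catch compound edits (year bumped AND a leet swap): same core word.
    return _core(old) != "" and _core(new) == _core(old)


def evaluate_change(old: str, new: str) -> list[str]:
    """Defender's view: reasons to reject `new`; an empty list means accept."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_predictable_change(old, new):
        reasons.append("predictable variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    print(transform_guesses("Winter2015"))
    for old, new in [("Winter2015", "Winter2016"),
                     ("Winter2015", "W1nter2016!"),
                     ("Winter2015", "correct horse battery staple")]:
        print(old, "->", new, ":", evaluate_change(old, new) or ["accepted"])
```

The guess list is tiny compared with a brute-force keyspace, which is the whole point: expiry turns a password the attacker already knows into a near-certain guess at its successor. The same generator, run at change time by the system rather than by the attacker, is how "password parameters" can block the shortcut without ever needing a calendar.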

Talking of the lack of benefit, password changes are costly. Users have to stop whatever they're doing, think of a new password, fire up the password-change function, enter their current and new passwords, and enter the new password again (both to cut down on typos and to practise remembering and entering it), and remember their new password. Sometimes they need several attempts to figure out (typically by trial and error, since systems don't usually explain all their rules, at least not up-front) the particular combination and number of characters that the system will accept. Sometimes they subsequently need to run the forgotten-password routine as well because their new password is unfamiliar. They may well need to call the Help Desk, and hopefully they are forced to re-authenticate before their password is changed ... at which point they restart the change-my-password baloney.

All in all, it's a disruptive and costly process, made worse by the fact that users have been forced against their will to do it, for no good reason*

A more detailed CESG paper, referenced from the one cited above, aimed to offer "Advice for system owners responsible for determining password policy, advocating a dramatic simplification of the current approach at a system level". The advice is old hat and hardly what I'd call 'dramatically' simple. Personally, I advocate password vaults, provided users choose long, strong passphrases with which to unlock the vault. Since they need only remember the one, make it count.



* If you can explain lucidly why enforced password expiry (fixed password lifetimes) is a good idea, do please comment below. Seriously, I'd like to understand your reasoning. If your explanation is rational, fair enough. If you also take the trouble to explain things to your users when repeatedly forcing them to change their passwords, fantastic ...