1. Information Sharing and the ICS-ISAC

    by

The topic of information sharing has become one of the most interesting in the process of ferreting out “The Solution” to ICS cybersecurity. Aspects of the effort to secure industrial control systems – including timing, technology and workforce – suggest that answers lie less in technology and more in Robert’s Rules.

There is much wailing and gnashing of teeth among the Information Sharing crowd. Over the past decade valiant efforts have been met with what might not always look like success. The federal government has loomed over the conversation, while the brave and the timid from the private sector have either strode forth or crabbed hesitantly towards the shadow of the leviathan.

It is not uncommon these days to hear subject matter experts ask why more isn’t being done, particularly among the war-weary who have witnessed works like the “Fall of the House of Food ISAC”. Information sharing efforts to date have certainly not exceeded their highest expectations.

But rather than being a matter of a failure of any particular party, it is more that the initial expectations might not have fully encircled the scope of the issue. On both the federal government side and the private sector side, worthy efforts have been undertaken that were themselves about as much as could be done up to this point.

    Bob Radvanovsky partnered with Lofty Perch and started the SCADASEC forum. The Department of Homeland Security stood up ICS-CERT.  These and efforts like them have both provided a medium for communication when there was otherwise none, as well as demonstrated some strengths and weaknesses of common models. Most existing efforts are more likely to grow to more fully fill their niche in coming years than they are to be displaced.

    All of this is of course not happening in a vacuum. In 1998, before infosec was even mainstream in IT, Presidential Decision Directive NSC-63 set the framework for a federally-supported ecosystem of Public/Private Information Sharing and Analysis Centers (ISACs). A number of efforts have been undertaken to create ISACs for vertical sectors such as Electricity (ES-ISAC) and Water (Water-ISAC), as well as several different types of horizontal functions like the Multi State ISAC (MS-ISAC) and IT-ISAC.

    Some efforts – such as the Food & Agricultural ISAC – began with good intentions and then starved for lack of information to share, or parties to share it with. Such instances themselves provide lessons to inform future efforts, laying the first lines on the blank page for others to begin putting a frame on the true nature of the challenge.

Other efforts – such as SCADASEC, ICS-CERT and MS-ISAC – give examples of the reach and limitations of successful information sharing nodes of different types. Among the lessons is that the federal government can do a good job of information sharing among its many warrens but is limited in its ability to use these same methods to penetrate much beyond its walls.

    The recent NIAC report from January of this year contains lots of gems on the current state of information sharing. Among them we find a developed awareness of the reach and limitations of public, public/private and private information exchanges:

    • (p. ES-3) D. There is currently not an effective process to engage—in a systematic and sustained manner—senior executives in the private sector with their counterparts in government.
    • (p. ES-4) C. Intelligence information-sharing mechanisms between the private sector and the Federal Government are complicated, at times confusing to the private sector, and may be redundant and/or conflicting. As a result, engagement through trusted personal relationships remains a primary means of facilitating the flow of needed intelligence information.
    • (p. ES-5) C. The private sector reaches out to multiple sources to meet its intelligence needs, including trusted personal relationships, trade associations, various DHS components, other government agencies such as the FBI, Sector-Specific Agencies, sector Information Sharing and Analysis Centers, fusion centers, and State and local law enforcement. While it is important to note that the “value proposition” of various sources and mechanisms varies across sectors, there is a common concern over receiving redundant, late, or conflicting information.

While information sharing within the government and information sharing within the private sector have each developed relatively effective mechanisms, the interface between the two domains remains problematic. As with most interfaces, the manner in which these two domains interact has a fundamental impact on the characteristics of both sides.

    The ISACs stand as the formal forums for government and the private sector to perform some of the functions of this interface. What in 1998 began with a mandate to create an ISAC has developed into a matrix that shows signs of success. The vertical and horizontal blocks each perform a definable function and interconnect in relatively logical ways. This figure is one way to view these interconnects:

Vertical ISACs like ES-ISAC provide focus on specific sectors or functions. The National Council of ISACs (NC-ISAC) acts as a horizontal ISAC to ensure “Sharing among Sharers”. MS-ISAC combines the value of all of the vertical ISACs for the purpose of state and municipal bodies. Horizontal ISACs like IT-ISAC and Supply Chain ISAC (SC-ISAC) capture and transport commonalities between sectors.

    The ICS-ISAC is currently being created to perform a function similar to the IT-ISAC. Most vertical sectors employ industrial control systems of one form or another, with both shared commonalities as well as sector-specific technologies and processes. The ICS-ISAC will be chartered to put in place structures to capture these commonalities and ensure their value is effectively shared among the ISACs and their public and private constituencies.

    Inside its own walls the US federal government has made significant improvements in information sharing. The private sector has developed for-profit and non-profit mechanisms which gather, process and disseminate information with often reasonable effectiveness.  The ISAC structure has evolved into a workable matrix that can be improved upon over time.

The indications are that we will continue on these paths and build on lessons learned. While the future will remain a mystery until it arrives, the past is clearly laid out to see. The story it tells does not foreshadow endless doom and strife. Rather, it points the way to success.

    ———-

[Editor’s Note: Those interested can join the LinkedIn ICS-ISAC Group. Chris is also doing a keynote speech on the topic of “Information Sharing in the Age of LIGHTS” at 4pm PT, April 17th as part of the “Smart Grid Educational Seminar Series”.]

  2. Webinar April 24, 10am PT: Addressing Cybersecurity for Smaller Facilities

    by

    Join representatives of industry organizations APPA, NRECA and AWWA representing tens of thousands of smaller water and power utilities in this roundtable discussion of the challenges faced by smaller utilities, and how the LIGHTS program may provide viable, executable solutions within existing operating budgets.

    Tuesday, April 24, 2012 10:00 AM – 11:00 AM PST


The LIGHTS program is a private-private partnership which leverages the best aspects of the for-profit, competitive arena and the non-profit collaborative space to promote cybersecurity situational awareness across critical infrastructure industries. The goal of LIGHTS is to increase visibility into infrastructure threats and attacks by making security monitoring ubiquitous and enabling wide-area analysis across geographic areas and industry verticals.

After a short LIGHTS presentation by Chris Blask, EnergySec’s Steve Parker will moderate a discussion with Mr. Blask, Founder and CEO of ICS Cybersecurity; Kevin Morley, Chief Security Officer for the American Waterworks Association; Craig Miller from the National Rural Electric Corporation; Nathan Mitchell from American Public Power; Joel Langill, SCADAhacker; and Mike Menefee, CEO of Trusted Metrics.

    About the presenters:

Chris Blask, CEO and Founder, ICS Cybersecurity Inc., LIGHTS Advisory Board Chair

Mr. Blask’s career covers the breadth of the ICS cybersecurity space. In 1990 he worked at General Electric Power Systems as a control systems engineer where he conceived, designed and implemented a facility-wide mobile video conferencing capability to integrate with GE’s new global video conferencing network. He joined Sea Change Corporation in 1991 where he invented one of the first commercial firewall products, the BorderWare Firewall Server. In 1998 he joined Cisco Systems where he led the company’s firewall business to a position of global leadership which continues to this day. With several Cisco colleagues Mr. Blask started Protego Networks, an early SIEM vendor later acquired by Cisco. He founded Lofty Perch in 2005 to investigate the application of SIEM technologies to ICS cybersecurity and has advocated such architectures since. As Chief Evangelist for NSS Labs in 2008 he worked to develop regulatory compliance testing regimes. In 2010, Mr. Blask authored the first book on SIEM, “Security Information and Event Management Implementation”, published by McGraw Hill. He created AlienVault’s Industrial Control Systems Group in 2011.

    Today Mr. Blask serves in faculty and advisory roles at a variety of industry organizations. He is Chair of the LIGHTS program, Vice Chair of the UCAIug OpenSG Security Conformity Group, on the board of the Australian Wind Energy Institute, and is actively involved with efforts such as the Department of Energy’s NESCO and NESCOR programs and the Department of Homeland Security’s ICSJWG.

    Steve Parker, Vice President, EnergySec
Steven Parker, CISA, CISSP, is Vice President of Technology Research and Projects at Energy Sector Security Consortium (EnergySec), and is a founding director of the organization. He has been engaged in critical infrastructure protection within the electric sector for more than a decade, including 8 years as a senior security staff member at PacifiCorp. Mr. Parker was also part of the team that established the NERC CIP audit program at the Western Electricity Coordinating Council (WECC). His experience includes a broad range of security disciplines including e-commerce, identity management, intrusion detection, forensics, incident response and investigations, security event monitoring, and NERC CIP compliance.

    Joel Langill, CEH, CPT, CSSA, CCNA, TUV FS-Eng, SCADAHacker.com
Joel Langill has worked for nearly 30 years exclusively in the industrial automation and control industry. His expertise was developed through in-depth, comprehensive industrial control systems architecture, product development, implementation, and system migration in a variety of roles covering manufacturing of consumer products, oil and gas including petroleum refining, automation solution sales and development, and system engineering. His employers include major companies such as General Electric, Shell Oil Company, Honeywell Process Solutions, and ENGlobal Automation, offering him a rare and insightful expertise in the risks and mitigation of cyber vulnerabilities in industrial control systems.

Joel’s unique approach to security emphasizes the processes and people used to implement security programs, rather than relying solely on technology or “products”. The best strategy for comprehensive security balances People, Processes and Products. His perspective has been sought and cited by numerous industry publications focused on both industrial automation and information security. Last year, Joel played a central role in the analysis and implications of the Stuxnet worm, including new methods of mitigating current and future attacks on critical infrastructure.

Joel is also the Director of Critical Infrastructure and SCADA representative for the Cyber Security Forum Initiative, where he was a lead contributor to a report on the use of control systems in cyber warfare. He is a Certified Ethical Hacker, Certified Penetration Tester, Cisco Certified Network Associate, and TÜV Functional Safety Engineer.

    Joel regularly blogs on the evaluation and security of SCADA and other industrial control systems on various industry sites, and maintains an active presence on Twitter.

    Mike Menefee, Founder and Principal Consultant, WireHead Security
    Michael Menefee is the founder and Principal Consultant for WireHead Security, a security consulting firm based in Raleigh, NC. One of WireHead’s primary focuses is on Industrial Control Systems in the electrical, water treatment, and delivery and waste-water treatment industries. WireHead Security is the publishing team behind Infosec Island (www.infosecisland.com) and the primary owner of Trusted Metrics, a new Managed Services company, supporting Alienvault SIEM deployments in ICS environments.

    Prior to co-founding WireHead in 2009, Mr. Menefee was the co-founder and principal consultant for Secure Solve, Inc from 2005-2009, and Director of Managed Security Services for US Networks, Inc from 2001-2004. He served as the founding member and Chapter Leader of the North Carolina OWASP Chapter from 2005-2010 and is a Team Member at the Institute for Security and Open Methodologies (ISECOM), focusing on the concept of Trust. He regularly gives seminars and speeches on how Trust relates to Risk, and its operational measurement and management in today’s hyper-connected online world.

    Kevin Morley, Security & Preparedness Program Manager, American Water Works Association (AWWA)

    Kevin Morley works closely with a variety of organizations tasked with advancing the security and preparedness of the Nation’s critical infrastructure, including DHS, EPA, CDC and the Water Sector Coordinating Council, which is part of National Infrastructure Protection Plan (NIPP) sector partnership. Recently this has included facilitating the expansion of mutual aid and assistance networks within the water sector based on the “Utilities Helping Utilities Action Plan” developed by AWWA in 2005. Since developing the Action Plan, AWWA has been conducting instructional workshops, supported by a USEPA grant, that walks each state leadership team through a ten-step process for establishing an intrastate Water/Wastewater Agency Response Network (WARN). In addition to WARN, he has led multiple AWWA projects to support utility security and preparedness including development standards and guidance such as the National Strategic Plan for Emergency Water Supply in collaboration with the USEPA.

Prior to AWWA, he worked with Delon Hampton & Associates where he was involved in conducting water utility vulnerability assessments and assisting with designs for perimeter security at the U.S. Supreme Court and the office complex of the U.S. Senate and House of Representatives. In addition, he spent several years providing environmental and regulatory consulting services to Fortune 500 companies. Mr. Morley received an M.S. from SUNY College of Environmental Science and Forestry and a B.A. from Syracuse University. Currently he is a doctoral candidate in the Department of Environmental Science and Policy at George Mason University focusing on security issues in the water sector.

    AWWA is the authoritative resource for knowledge, information, and advocacy to improve the quality and supply of water in North America and beyond. AWWA is the largest organization of water professionals in the world. AWWA advances public health, safety and welfare by uniting the efforts of the full spectrum of the entire water community. Through our collective strength we become better stewards of water for the greatest good of the people and the environment.

    Craig Miller, Senior Program Manager, Cooperative Research Network, National Rural Electric Association (NRECA)

Dr. Miller has more than 30 years of senior project management experience in the power and high tech industries with work ranging from plant repowering in former Soviet bloc countries to market solutions for sulfur dioxide reduction in the US. He has managed large multidisciplinary teams implementing custom hardware and software systems on projects up to $120M for Fortune 100 corporations and the Federal government. He was a pioneer in several areas of information technology including electronic data interchange, online trading systems, and the architectural foundations of cyber security. In 1997 he was awarded a gold medal by the Smithsonian Institution for “Heroic Achievement in the Advancement of Information Technology.” In 2008, he joined NRECA to lead the organization’s $68 million smart grid demonstration project and related research efforts in advancing the smart grid. He holds a Ph.D. in Systems Engineering from the University of Virginia, and has been a serial and successful entrepreneur and an inventor.

Nathan Mitchell, P.E., Director of Electric Reliability Standards and Compliance, American Public Power Association (APPA)

    Mr. Mitchell joined the American Public Power Association in 2006. Prior to that he served for 10 years at the City of Naperville, Illinois, in the Department of Public Utilities, where he was Electric Distribution manager in charge of operations and construction. Mr. Mitchell has a BS in Electrical Engineering from Iowa State University, and is a Registered Professional Engineer in the State of Illinois.

Mr. Mitchell provides NERC compliance resources and services to the APPA membership through webinars, listserv discussions and conference sessions. He currently facilitates APPA member involvement in the NERC standards development process by coordinating the technical concerns of the smaller registered entities.

  3. A Brief History of LIGHTS

    by

(This piece was published in various LinkedIn Groups in March, 2012.)

    LIGHTS – A Non-Profit Program for Small Facility Control System Cybersecurity

    A program called LIGHTS has been brewing among a group of industry people. It started with an idea and, as such things go, has gotten all grown up and now has a life of its own.

    The idea started with the fact that – while the majority of critical infrastructure consists of small organizations – the majority of effort expended on the topic is focused on the few very large ones. Further, the idea went, securing small facilities with available open source tools could provide a dramatic improvement with moderate effort and little cost. Even further, the idea indulged itself, with a programmatic approach the process becomes repeatable with less effort, and making a habit of that sort of thing could make a significant dent in the problem.

    The idea then took itself entirely too seriously – as energetic young ideas are prone to do – and went so far as to propose that MSSPs could manage these deployments safely and cheaply. On a roll now, the idea said that these MSSPs would act as effective hubs for appropriate information sharing: keeping lots of small facilities to-the-minute updated from the various analysis centers popping up everywhere. Finishing with a bang, the idea suggested that these facilities could be given the option to share anonymized metadata with some or all of these analysis centers, improving the security of their industry and the nation as a whole.

The program started with a pilot this past August at an electric cooperative in the southeast states. An Open Source SIEM (OSSIM) appliance was installed on a tap port and an encrypted tunnel set up back to an MSSP. That turned out to be about as easy as expected, and the co-op has ever since had a 7×24 partner who pays attention and offers informed advice. Under the LIGHTS program, approved MSSPs provide new members the open source on-site solution (or commercial options at the member’s discretion) and discounted management services. LIGHTS MSSPs connect to the NESCO Tactical Analysis Center and other centers of information sharing.

Now chartered under EnergySec, LIGHTS is beginning outreach through industry organizations and other means (like, say, the right LinkedIn groups… ;~). Those interested in participating in the program can go to the LIGHTS page or contact any of the program sponsors or partners.

A roundtable webinar to launch the program is being scheduled for late April with LIGHTS founders EnergySec, ICS Cybersecurity and Trusted Metrics along with Joel Langill and representatives from the Water and Electric sectors (check the site for date and registration).

    It is critical that we enable these asset owners to implement cybersecurity as reliably as they do their operational systems. The LIGHTS founders believe the program provides a viable approach for asset owners challenged by budgetary and expertise hurdles.

  4. Electric Sector Cyber Security Risk Management Model Initiative (ESCRMMI)

    by

    The Department of Energy, Office of Energy announced on January 5, 2012 an initiative to produce and exercise a maturity model for cybersecurity at electric utilities. This effort is in association with the White House, which published a statement on the topic on January 9, and the Department of Homeland Security.

    Today the second draft of the Electricity Subsector Risk Management Process was released for public comment as part of this effort. Comments are due before Thursday April 5, 2012 and can be submitted using this form.

About LIGHTS

LIGHTS is a non-profit membership program to provide cybersecurity to smaller industrial facilities.

How do I benefit?

LIGHTS provides low-cost high-value cybersecurity options to members in power, water, transportation, manufacturing and other sectors.
   Copyright © 2012 LIGHTS. All rights reserved.