Wednesday, October 24, 2007

Open Group Security Forum and ABA’s Cyberspace Law Committee issue whitepaper on information-centric security governance

The Open Group, a vendor- and technology-neutral consortium focused on open standards and global interoperability within and between enterprises, today announced the general availability of a new whitepaper about information security strategy. Co-written by The Open Group Security Forum and the American Bar Association’s Cyberspace Law Committee, the whitepaper presents a strategic framework for information-centric security governance. Additionally, the paper offers a methodology for security compliance both within and beyond the perimeter of the enterprise, and recommends further standards to support information security in a boundary-less environment.

Previously, securing proprietary information was accomplished mainly by securing a physical ‘perimeter’ with network hardware and software technologies. The new realities of information access and use, now based on distributed relationships within and between enterprises that use a mix of proprietary and non-proprietary information, require securing information and infrastructure access and flows beyond the perimeter. This new paradigm requires dynamic interaction between technologists, legal advisors, and business policy makers alike. The whitepaper is available for free download here.

Wednesday, October 17, 2007

How To Take Down The Power Grid

Ira Winkler, who performs espionage and terrorist simulations (more mundanely known as penetration tests), wrote:

"The first time I broke into our country’s electrical power grid was a decade or so ago. Hacking into the control systems set up by utility companies wasn’t surprising then, and it isn’t surprising now. While people find this shocking, it really isn’t. When you think about how insecure computer infrastructures are, why would you think that the power grid would be any more secure? Frankly, the power grid is even less secure than most other computer networks. I wrote about it many times, including some details in my recent book, Spies Among Us." >> More ..

(Text in bold is my emphasis.)

Tuesday, October 16, 2007

US National Strategy for Homeland Security - October 2007

The US released the latest National Strategy for Homeland Security document this month, with added emphasis on cyber security. The document can be found here.

A quote from the sidebar of that document is as follows:

"Cyber Security: A Special Consideration

Many of the Nation’s essential and emergency services, as well as our critical infrastructure, rely on the uninterrupted use of the Internet and the communications systems, data, monitoring, and control systems that comprise our cyber infrastructure. A cyber attack could be debilitating to our highly interdependent CI/KR and ultimately to our economy and national security.

A variety of actors threaten the security of our cyber infrastructure. Terrorists increasingly exploit the Internet to communicate, proselytize, recruit, raise funds, and conduct training and operational planning. Hostile foreign governments have the technical and financial resources to support advanced network exploitation and launch attacks on the informational and physical elements of our cyber infrastructure. Criminal hackers threaten our Nation’s economy and the personal information of our citizens, and they also could pose a threat if wittingly or unwittingly recruited by foreign intelligence or terrorist groups. Our cyber networks also remain vulnerable to natural disasters.

In order to secure our cyber infrastructure against these man-made and natural threats, our Federal, State, and local governments, along with the private sector, are working together to prevent damage to, and the unauthorized use and exploitation of, our cyber systems. We also are enhancing our ability and procedures to respond in the event of an attack or major cyber incident. The National Strategy to Secure Cyberspace and the NIPP’s Cross-Sector Cyber Security plan are guiding our efforts."

Monday, October 15, 2007

Hole Found in Protocol Handling Vital National Infrastructure

Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of service or a system takeover.

The flaw, reported by Neutralbit, is the first remotely exploitable SCADA security vulnerability, according to the security services provider.

Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It's used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information. >> More ..

Those who want more technical details on the vulnerabilities can find them here.

Serious Security Breach in KLIA

The New Straits Times today reported in a news article titled "Red faces over 'phantom' stowaway" that KLIA had a security breach on Thursday 11 Oct 2007 when a man managed to stow away inside the front nose wheel chamber aboard a Singapore Airlines flight from KL to Singapore. The editorial discussed the matter in a bit more detail.

What was even more interesting is that the stowaway did not turn up on any CCTV recordings in KLIA.

So what has this got to do with CIIP? Well, the transportation sector is one of the Critical National Information Infrastructure sectors. Physical security is about the most visible of all security measures that anybody can enforce, and one where there would usually be traceability. If an entity is not able to handle physical security well and is unable to trace back from its own records how the breach happened, it's left to the imagination what could happen if cyber breaches of the KLIA systems do occur, since cyber intrusions and breaches are comparatively harder to detect.

We are not drawing any conclusions but the incident does raise some fundamental questions about the overall security and surveillance measures in such an important infrastructure entity, be it physical security or cyber security.

Friday, October 12, 2007

Cyber Security Standards for Electric Power Systems

The North American Reliability Corporation, or NERC, has produced Cyber Security standards for the power systems industry. Further details can be found here; a summary is given below. The standards are part of a full set of Reliability Standards, including Emergency Preparedness and Operations, and the full list of standards can be downloaded here.


NERC Cyber Security


The purpose of NERC's new cyber security standards is to ensure that all entities responsible for the reliability of the bulk electric systems of North America identify and protect critical cyber assets that control or could impact the reliability of the bulk electric systems. An urgent action cyber security standard was initially adopted in August 2003 and renewed for a second year in August 2004. NERC adopted permanent cyber security standards on May 2, 2006. On June 4, 2007 compliance with approved NERC Reliability Standards becomes mandatory and enforceable in the United States.


NERC CIP-002 to CIP-009

NERC's new cyber security standard was originally called NERC 1300, but it has since been split into eight separate standards, CIP-002 to CIP-009. As summarized in the table below, these standards contain definitions, policies, reporting requirements, and issues related to personnel security, electronic (or network) security, and physical security (such as access).

New Std #    Topic
CIP-002-1    Critical Cyber Assets
CIP-003-1    Security Management Controls
CIP-004-1    Personnel and Training
CIP-005-1    Electronic Security
CIP-006-1    Physical Security
CIP-007-1    Systems Security Management
CIP-008-1    Incident Reporting and Response Planning
CIP-009-1    Recovery Plans


Number of Hackers Targeting Utilities Increases 90 Percent According to SecureWorks' Data

SecureWorks, one of the industry’s leading managed security services providers, protecting over 1,800 clients and 100 utilities, has seen a 90 percent increase in the number of hackers attempting to attack its utility clients this year. From January through April, SecureWorks blocked an average of 49 attackers per utility client per day. From May through September, by contrast, it saw an average of 93 hackers attempt attacks on each of its utility clients per day.

“When researching these new statistics, we found that Web Browser attacks represented a large number of the attacks attempted against our clients, including our utility customers,” said Wayne Haber, director of development at SecureWorks.

Computer users can become victims of browser attacks by visiting Web sites which, unbeknownst to them, are hosting malware, or by clicking on a malicious link in an email or instant message. >> More ..

How to Trace a DDOS Attack

DDOS attacks can cripple an organization's website or portal.

ISPs consider DDOS attacks -- where an attacker floods network connections, Websites, or systems with packets -- one of their biggest threats. Most of these attacks are being waged by botnets -- some as large as tens of thousands of bot machines, according to a recent survey of ISPs by Arbor Networks.

Arbor found an average of 1,200 DDOS attacks each day across 38 ISP networks. On 220 of the last 365 days, there has been at least one DDOS attack of one million packets per second, says Danny McPherson, chief research officer for Arbor Networks.

What is more alarming is that, despite reports that some ISPs have experienced fewer DDOS attacks overall during the last six months, there is a DDOS attack underway somewhere on the Internet. It's a matter of quality, not quantity: "When DDOSes do occur, they are done with much greater purpose than they used to be".

Read the full article here; it includes the tracing indicators and the steps to stop DDOS attacks. It is not that easy, though, as it involves investigative work by the ISP and worldwide cooperation among ISPs.

Ooops: DC Feds Delete CA.Gov In Response to Hackers

When an organisation does not have a proper incident response plan, a bad incident can get worse.

"Case in point: A hacker's diversion of traffic from a California county government Web site to a porn purveyor spiraled into IT chaos yesterday after a countermeasure applied from Washington essentially "deleted the ca.gov domain."

The original story can be found here.

OWASP Preps Framework for Website Security Certification

The Open Web Application Security Project (OWASP) is working on a potential framework for evaluating and certifying Websites as secure, including the criteria that would entail. The project is still in progress and not quite ready for prime time, but the goal is to provide a framework for certifying the security of a site's apps, which entails much more than just the usual vulnerability scan.


"A black box scan doesn't mean a site is secure," says Dinis Cruz, OWASP's technology evangelist and project coordinator for the so-called Web Security Application Certification Framework Project.


Several commercial certifications already exist, including ScanAlert's Hacker Safe, and ControlScan, which indicate that a site has been vulnerability-scanned. And the Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is legitimate. (See Are 'Sealed' Websites Any Safer?).


But security experts say today's Good Housekeeping-style seal-of-approvals aren't enough. "The fact is that in this day and age, the VeriSign logo and the lock icon in your browser just don't cut it," says Caleb Sima, CTO of SPI Dynamics. >> More ..

Thursday, October 11, 2007

Australia's Critical Infrastructure Protection

Information on Australia's Critical Infrastructure Protection issues and initiatives can be found here. This of course includes Critical Information Infrastructure.

Click here to view the then Attorney-General’s press announcement on protecting the National Information Infrastructure.

Tuesday, October 9, 2007

NIST Guide to Industrial Control Systems Security (SCADA)

The second draft of the above document, which deals with security for Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC), was released for public comment on 28 Sep 2007.

The draft can be downloaded here.

The document is 157 pages long, and information on what other organisations are doing in this area can be found in Appendix C. That appendix is useful to those doing further research, comparative studies, or evaluating implementation alternatives for SCADA security.

NIST Publications on ICT Security

The US Department of Commerce's National Institute of Standards and Technology, or NIST, produces various standards and guideline documents on ICT implementation and ICT security.

The list of documents on ICT Security can be found and downloaded here but a more general introduction page on the publications category types is here.

The list is also summarized in the following documents, which should be useful as a big-picture reference:
1. Guide to NIST Information Security Documents
2. Roadmap to NIST Information Security Documents.

There are hundreds of documents in the whole set; a selection of the relevant topic clusters is listed below (each topic cluster has a list of relevant documents):

Audit & Accountability
Authentication
Awareness & Training
Certification & Accreditation (C&A)
Communications & Wireless
Contingency Planning
General IT Security
Incident Response
Maintenance
Planning
Risk Assessment
Viruses & Malware

On the topic of Critical Infrastructure Protection, the documents relevant to the Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection are:

FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Security Controls for Federal Information Systems
SP 800-18 Guide for Developing Security Plans for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-37 Guide for Security Certification and Accreditation of Federal Information Systems
SP 800-53 Recommended Security Controls for Federal Information Systems
SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59 Guideline for Identifying an Information System as a National Security System
SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security

Monday, October 8, 2007

New security standards to strengthen SCADA

This 2004 Computerworld article says that "The security of critical-infrastructure processes, long festering as a thorny issue in securing everything from food and water to energy and transportation, will be getting a boost from proposed standards for industrial controls. The National Institute of Standards and Technology (NIST) fostered the creation of the Process Control Security Requirements Forum in 2001. The group issued the first draft of its System Protection Profile for Industrial Control Systems (SPP ICS) in October." >More...

Sunday, October 7, 2007

Knowledge is Greatest Threat to Critical Infrastructure

Australia's critical infrastructure is still under threat due to a shortage of educational resources, according to researchers and security experts.

The major concern is security of Supervisory Control and Data Acquisition (SCADA) systems -- the central nervous system for sensors, alarms and switches that provide automated control and monitoring functions for utilities such as water, gas and electricity, as well as large manufacturers. More ..

ISA99 cyber security guidelines provide full user resources

Manufacturers concerned about cyber security as it relates to plant equipment and factory automation systems should look at the new ‘ISA-99 Security Guidelines and User Resources for Industrial Automation and Control Systems’ CD-ROM.

There are two technical reports: ANSI/ISA-TR99.00.01-2004, ‘Security Technologies for Manufacturing and Control Systems’, and ANSI/ISA-TR99.00.02-2004, ‘Integrating Electronic Security into the Manufacturing and Control Systems Environment’.

The former provides an evaluation and assessment of current types of electronic security technologies and tools that apply to the manufacturing and control systems environment, including development, implementation, operations and maintenance.

The latter provides a framework for developing an electronic security programme and a recommended organisation and structure for the security plan, including detailed information about the minimum elements to include.

The original article can be found here.

Hackers Step Up SCADA Attacks

This 2004 article says that "A majority of cyber attacks on industrial control systems now come from the outside, reversing earlier assumptions, according to research at the British Columbia Institute of Technology."

The full article can be found here.

Control Systems, Instrumentation Systems and Automation Security

A number of articles relating to Control Systems, Instrumentation Systems and Automation security can be found on the Instrumentation Systems and Automation site here.

Amongst the relevant articles are:
1. Making Cyber Security Work in the Refinery
2. Uncovering Cyber Flaws
3. SP99 Counterattacks
4. Securing the Power Grid. This article also has a good chronological chart on the 2003 power blackout in Ohio that crippled a part of the nation.
5. ISA99, Manufacturing and Control Systems Security. ISA99 is a new standard for Manufacturing and Control Systems Security. The current edition covers only security technologies and their strengths/weaknesses in the manufacturing environment. Eventually this would be expanded to include the traditional strengths and weaknesses of the different types of control systems (DCS, PLC, SCADA, HMI, etc.). The end of the article contains a list of materials from the development of ISA99 by the ISA SP-99 Committee.

America's Hackable Backbone

This article is a MUST READ. It highlights the vulnerability of SCADA systems.

SCADA systems are used around the country to control infrastructure like water filtration and distribution, trains and subways, natural gas and oil pipelines, and practically every kind of industrial manufacturing. And as some security professionals are pointing out, those weaknesses are increasingly connected to the Internet, leaving large parts of America's critical infrastructure exposed to anyone with moderate information technology training and a laptop.

The full article can be found here.

However, those who want a pictorial rundown of the story can find it here. The pictorial story covers incidents and potential vulnerabilities of SCADA systems controlling power plants, oil and gas pipelines, transportation, dams, manufacturing, and water distribution.

Bank of India site hacked, serves up 22 exploits

The Bank of India Web site was hacked sometime Wednesday night (U.S. time) and seeded with a wide, wild array of malware that infected any users running unpatched browsers, security researchers said Friday.

See this link for the full news.

France Joins Chinese Hacking Row

France has become the fourth country to speak out against hackers in China following an attack on French government systems. More..

US blames China for Pentagon Hack

American officials are claiming that the Chinese military successfully hacked computers inside the Pentagon in June.

The Pentagon has told the Financial Times that it had to shut down computers used by Robert Gates, the current defence secretary and ex-head of the CIA, after hackers managed to crack the systems.

The officials said that they had a "very high level of confidence .... trending towards total certainty" that the attacks came from the People's Liberation Army [PLA]. More ..

Hackers Build Black Economy as They Go Professional

A sophisticated underground economy, where hacking toolkits are on sale for as little as $1,000, has emerged to support computer crime gangs, a new report says.

See here for the full article.

Malicious Code Affects Chinese Security Site

Even security organizations are not spared from cyber attacks!!

The Web site of one of China's Internet security organizations has been laced with malicious code.

At least three pages on the Chinese Internet Security Response Team's (CISRT) Web site are rigged with a malicious "iframe," a hidden window on a Web page that can allow code such as JavaScript to run on a visitor's PC.

See here for the full news.
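The hidden-iframe technique described above leaves a recognisable trace in the page source, which a site owner can check for. The following is an added example, not code from the news article or from CISRT: a small Python scanner that flags iframes with zero or one-pixel dimensions, hiding styles, or off-screen positioning, run over a constructed sample page (the hostname and the heuristics are assumptions).

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one ordinary visible frame and one injected,
# zero-size hidden frame of the kind described in the CISRT report.
# The hostname is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><body>
<h1>Advisories</h1>
<iframe src="/embed/player.html" width="600" height="400"></iframe>
<p>Latest bulletins ...</p>
<iframe src="http://injected.example.invalid/ld.php" width="0" height="0"
        style="display: none; visibility: hidden"></iframe>
</body></html>
"""

# Style fragments (whitespace removed, lower-cased) that hide an element.
_HIDING_STYLES = ("display:none", "visibility:hidden")


def _px(value):
    """Parse a width/height attribute such as '0', '1px' or '600'; None if not numeric."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Record every <iframe> whose attributes suggest it is invisible to the visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Zero- or one-pixel frames render nothing visible.
        for dim in ("width", "height"):
            n = _px(a.get(dim))
            if n is not None and n <= 1:
                reasons.append(f"{dim}={a[dim].strip()}")
        # Inline styles that hide the frame or push it far off-screen.
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        reasons += [s for s in _HIDING_STYLES if s in style]
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src': ..., 'reasons': [...]} for suspicious iframes in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

A legitimate zero-size frame (tracking pixels, some analytics embeds) will also be flagged, so the output is a review list for the site owner, not a verdict.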

Water Utility Computer System Susceptible to Cyber Attack

In a 2005 article, it was reported that computer-based monitoring and control systems installed by water utilities "may be susceptible to attacks" by cyberterrorists.

See here for the full article.

US Video Shows Hacker Hit on Power Grid

A government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down.

See here for the full story.

Cyber Attack Cripples Estonia

In April 2007, Estonia experienced a cyber attack that crippled the nation. As reported in a BBC article:

"Estonia, one of the most internet-savvy states in the European Union, has been under sustained attack from hackers since the ethnic Russian riots sparked in late April by its removal of a Soviet war memorial from Tallinn city centre.

Websites of the tiny Baltic state's government, political parties, media and business community have had to shut down temporarily after being hit by denial-of-service attacks, which swamp them with external requests."


See here for the full article.

There are many news reports, views and commentary on the incident, which can be found via a Google search with the suggested keywords "Estonia cyber attack".