Ask The Experts: Daily Tasks

This time around, we get a great question from a reader:

Q: “I’m a one man infosec team at a small financial company, and as such, I stay overtasked. Can you give me a few examples of some key tasks I should make sure I am doing daily/weekly/monthly to make sure I am hitting them all and to help me better structure my schedule?”

Bill Hagestad answered with:

Daily Tasks: 

– Keep self and staff educated about latest cyber threats to your business – read the MSI Blog @ State of Securityhttps://stateofsecurity.com/;
– Review what Federal Law Enforcement considers top cyber threats are base on current cases:
– Compromise of account holder credentials leading to legitimate account compromise;
-Via  phasing attack vectors; unauthorized ACH transfers; 
– Compromise of Third Party Payment Processors;
 
Source: FBI Threat To Financial Sector
 
-Insider attacks – perhaps the largest threat to any commercial enterprise – especially given the recent NSA dilemma via a US contractor
 
– Have staff follow all account verification standing operating procedures – covering all types of customer interaction, including but not limited to; phone, Internet, and in-person account interactions;
– Information Security/Assurance infrastructure configuration changes should be reviewed daily and approved/counter-approved internally to eliminate potential administrative abuses;
– Hold weekly Information Security/Assurance infrastructure team meetings – invite MicroSolved to participate as a credible resource for staff to ask questions of and make sound recommendations.
 
Weekly Tasks:
 
– Stay ahead of international financial sector threat intelligence – read the MSI Blog @ State of Securityhttps://stateofsecurity.com/;
– Ensure account access lists are secure and validated both for external customers (most importantly) and also internal employee need to access/right to access customer account information;
  
Monthly Tasks:
 
– Participate in professional cyber/information assurance mailing lists – if not sure who or what these are contact MSI Cyber Threat Intelligence;
– Be certain to review the US Government Hearing Notes: Cybersecurity: Threats to the Financial Sector downloadable @ http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg72601/pdf/CHRG-112hhrg72601.pdf
– Review or create a cyber threat identification strategy involving key staff and MicroSolved – install HoneyPoint Security Server to capture knowledge about who truly is probing your network, eliminate the proverbial network noise and focus on specific threat actors – e.g.; Russian Cyber Crimianls, Chinese entities using government cyber espionage tools for crime purposes
 
Adam Hostetler added:
It’s hard to answer exactly what you should be doing on a timely basis
without reviewing your current requirements, tools, processes, and
infrastructure. However, If you go to www.microsolved.com and look at
our 80/20 white paper, you can use that as a guideline to give you some
ideas to help build out your security program.

Examples of some things you could/should be doing.

Daily:
Log reviews. Not necessary for all logs, but if you have
IDS/IPS/Honeypots etc, they should be reviewed and investigated if needed
Spend a bit of time following up on the latest security news/threats.
That includes things like new vulnerabilities or exploits, and then
following up if it would affect you.

Weekly:
Check and verify backups and processes

Monthly:
Update software/OS patches.

 
Finally, Jim Klun weighed in with: 
1. Make sure your subscribed to security news-feeds/alerting services that apply to your environment. Review those daily.

2. Make sure you are reviewing your logs daily.  You should know every day about successful and unsuccessful logins. You should also be paying attention to your firewall logs for inbound activity and outbound activity.

3 If you have a local help desk, talk to them at least monthly. They are often in a position to see things that are in fact security problems.

4. Automate your patching program if that is not true already, then review patch reports monthly.

5. If you have Internet exposures, check them monthly. Make absolutely sure at the end of each month you are absolutely sure of what services your organization offers to the Internet – and why.

As always, thanks for reading and if you have a question for the experts, either leave it in the comments, email us or drop us a line on Twitter at (@lbhuston). 

Ask The Security Experts: Holiday Coverage

This time around on Ask The Security Experts, we have a question about holiday coverage for the security team:

Q: “With the upcoming summer holidays and heavy vacation schedules, what are some things I need to pay attention to in order to make sure attackers don’t catch us off guard while we are short on staff?”

Jim Klun weighed in with:

1. Make sure all staff have been reminded of the reality of phishing attacks and what they need to watch out for.
   Use real-world examples like this one: http://labs.ft.com/2013/05/a-sobering-day/ ( courtesy of Adam Hostetler )
   Its important that staff understand the potential severity of a successful phishing attack.
   Such attacks are more likely over holiday periods when attackers can rely on short-staffing.

2. Make sure all systems( both network/OS/application ) are logging and that you are reviewing those logs for anomalies
   Make it a particular point to review those logs after the holidays.
   Log review can be automated but should not be reduced to a formality.  Staff with familiarity with what is normal should be reviewing daily log reports and periodically
   examining the raw logs themselves.

3. Consider internal alerting systems such as Microsolved’s “Honeypoint” solution.  They can act as tripwires in your network, alerting you to the presence of an intruder.
   See: http://www.microsolved.com/honeypoint

Bill Hagestad added:

To prevent surprise cyber attacks the number one focus should be proactive cyber threat intelligence specifically related to your company based upon the following Essential Elements of Information (EEI):

– What are your priorities for intelligence?
– Competitor’s needs/focuses?
– External vendors interests on behalf of competitor?
– Foreign economic interests
– Commercial cyber espionage
– Foreign cyber espionage?
– Potential insider threats?

Once you have prioritized what you consider the information security threats are to your organization MicroSolved can help develop a information a security/assurance strategy.
First step determine a quick list of cyber intelligence targeting baed upon the EEI above;
Second – from the priorities determine your internal High Value Targets that the prioritized list of adversaries might focus on;
Third – install or fine tune your HoneyPoint Security Server to capture attacker and threat vector information; and,
Fourth – focus holiday staffing levels and efforts to mitigate list of potential cyber threats based upon both the EEI and steps 1 -3 above.

John Davis stated:

One of the things to pay particular attention to during vacation season is the security of returning portable devices. Employees will probably be traveling all over the place on their vacations, include foreign countries. And while traveling, people like to let their hair down and take it easy. They also like to keep abreast of their emails or surf the Internet looking for restaurants and places of interest.
Hotel networks and public hot spots are usually open networks and liable to sniffing by enterprising cyber criminals. Because of this, it is relatively easy for these attackers to implant Malware on laptops or other portable devices used by traveling employees. And, as we know, lots of enterprises these days have bring your own device policies in place or tolerate the casual use of company laptops for non-business purposes. To protect the network from this scenario, run anti-virus and other Malware detecting software on these devices, and/or boot them up in a stand alone test environment and look for problems before allowing them onto the production network.

There’s a LOT of good advice here. Hopefully, some of it helps you. Until next time, thanks for reading and have a safe holiday!

Ask the Experts: Travel Abroad with Electronics

This time around, a reader wrote in with a very common question:

Q: “A member of my management team is about to go on a business trip to a country with known cyber-spying capabilities. She wants to take her phone, tablet and laptop so she can be productive on the road. What can I do to make this safer for her and our organization without restricting her work capability on the road in an unreasonable manner?”

Adam Hostetler opened with: 

The standard here is don’t bring anything electronic, if you can help it. In most cases, that’s not probable so don’t bring your normal personal phones or laptops, no smartphone at all is advisable. Bring loaner devices that have only exactly what they need and can be burned when they get back. Only connect through a VPN, and have that account monitored on the other end. Don’t leave phone or laptop in a hotel room, even in the safe, and don’t talk business there either.

Jim Klun added:

There is likely no way to do this without restricting – or at least significantly changing – the way she works. 

It has to be assumed that any information on her personal devices will be compromised. 
It also can be assumed that any information flowing between her devices and the outside world will be compromised. 

I would recommend two things:

1. Take only what you can afford to lose. Communicate only what you can afford to lose. 

        So – take a small number of devices (e.g. phone, laptop) minimally configured with only that information absolutely required for this trip. 
        Better to have corporate staff respond to email requests from her rather than to allow access to critical corporate resources from suspect location. 
        If internal connectivity to corporate resources must be allowed ( e.g VPN) it should be ideally require 2-factor auth of some sort, use strong encryption, and grant access only to a limited subset of resources. 
        All credentials can be assumed to be lost – hence the utility of two-factor.  All of the employees credentials should be changed on return. 

        All devices brought back should be assumed to be compromised and will need complete re-imaging. 
                

2.  Consider creating “go-kits” and well-defined repeatable processes for employees who travel to such locations. 

     A special set of devices ( laptop, phone, etc) that are minimally configured and can be wiped on return.  No personally owned devices should be allowed. 
     Connectivity for those devices – if absolutely needed – that allows access only to a tightly restricted and monitored subset of internal corporate resources. 
     Most importantly – training for employees who make these trips.  The employee must understand the special risks being incurred and be aware of their responsibility to protect the company and the companies existing customers.   
      As above – all of the employees credentials should be changed on return.

Bill Hagestad summed it up with this: 

This one is near and dear to my heart…I call these rules of counter cyber espionage the  李侃如的中國旅遊規則 (Lieberthal’s China Travel Rules)

Cellphone and laptop @ home brings “loaner” devices, erased before he leaves home country & wiped clean immediately upon returns;

In China, disable Bluetooth & Wi-Fi, phone never out of his sight;

In meetings, not only turn off his phone but also remove battery, microphone could be turned on remotely;

Connect to the Internet only via encrypted, password-protected channel, copies & pastes his password from a USB thumb drive;

Never type in a password directly, “the Chinese are very good at installing key-logging software on your laptop.”

The article can be found @ http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all

Brent Huston closed with:

Any electronic items they do take on the road with them should be current on patches, AV signatures and detection capabilities. All data, drives, systems, etc. should be strongly encrypted when possible to do so (Pay special attention to export restrictions on crypto depending on where they are going.) Also, turn and burn EVERYTHING when they come back. Treat all media and data obtained during the travel as suspicious or malicious in nature. Trojans of data and documents are common (and usually they scan as clean with common tools). This is especially true for high value targets and critical infrastructure clients. Trust us! Safe travels! 

李侃如的中國旅遊規則

(Lieberthal’s China Travel Rules)


ØCellphone and laptop home brings “loaner” devices, erased before he leaves home country & wiped clean immediately upon returns;
ØIn China, disable Bluetooth Wi-Fi, phone never out of his sight;
ØIn meetings, not only turn off his phone but also remove batterymicrophone could be turned on remotely;
ØConnect to the Internet only via encrypted, password-protected channel, copies & pastes his password from a USB thumb drive;
ØNever types in a password directly, “the Chinese are very good at installing key-logging software on your laptop.”

Ask The Security Experts: Public Facing Workstations

This time around, we have a question from a reader named John: “I work in a small financial institution and we have problems with physical access to our computers. Many of our workstations sit in semi-public areas and could easily be attacked with USB devices or physical access when a teller or customer service person leaves the customers alone with the machine at a desk or cubicle. What advice do the experts have to help counter these types of attacks?”

Bill Hagestad started the conversation:

Recommended Points for mitigating this digital & physical vulnerability;

1) Remove workstations from semi-public areas; 2) Deploy & install single – purpose Internet workstations at no more than 2 public locations with VERY limited access to financial institution records only after 3 factor authentication has been authorized by credentialed users only; 3) Set time limites on inactive sessions on all banking terminals to logoff after physical proximity to machine exceeds 15 seconds; 4) Enforce 32 random, alpha-numeric character password changes to all critical financial institutional systems weekly; and, 5) Implement and /or continue aggressive financial institution information assurance education program with goal of 100% employee participation; review/update monthly and, 6) Mandate information security and awareness program participation from financial institution leadership throughout all employees and ranks within the organization.

John Davis expanded: I know how difficult this is for financial institutions. Your customer service representatives need computers in their cubicles in order to provide service to your customers, while at the same time those same computers are a main point of physical vulnerabilitiy. Easy steps can be taken, though, to harden these work stations.

First, workstation users should be allotted local administration rights on their systems only when a business need is present. So, CSR workstations should have their USB and DVD ports disabled. Furthermore, their is no need for them to have the ability to upload or download software. In addition, workstations in publicly accessible areas must be turned off each and every time they are unattended. Perhaps you could implement a system similar to the cut off device used on treadmills or at casinos: CSRs would have to clip a device from their clothing to the workstation before it will work. You could accompany this with biometric access for quick and easy access for the users.

Jim Klun added:

From my experience, and assuming the worst case of Windows systems configured as normal workstations with end-users having admin level access, some immediate things I would do:

1. Disable all removable media access at the hardware ( i.e. BIOS) level. At minimum: disable ability to boot from such sources. or: remove all DVD and CDROM drives and physically disable USB ports. (e.g. glue) 2. Ensure all workstations log activity and ensure that the logs are directed to a central log repository and reviewed. Example: http://www.intersectalliance.com/projects/SnareWindows/ 3. Ensure surveillance cameras cover workstation areas. 4. Aggressive screen-lock settings 5. Removal of admin access for all but limited support staff if at all possible. 6. Consider Usage of security cabinets for workstations: Example: http://www.globalindustrial.com/g/office/computer-furniture/cabinets/orbit-side-car-cabinet 7. Network Access Control to limit what devices are allowed on the local network. That unattended RJ45 jack or poorly secured wireless environment is as much a threat as that USB port or CDROM. Bluetooth setting should also be reviewed. 8. Ensure all sensitive information traveling over the local LAN is encrypted. 9. Use a firmware password ( e.g drivelock or a BIOS power-on password) to limit who can boot the machine. 10. Monthly re-iteration of security policies – including need to lock workstations. In my experience such messages are best tied to real-world examples. It makes the risk real – not just an abstract “security guy” worry. For example, this event could be used to ensure employees are aware that an unlocked workstation could lead to the installation of malware: http://news.techworld.com/security/3256513/sovereign-bank-and-penfed-warn-customers-after-keyloggers-are-found-on-laptops/

I note that both JD and Bill talk about enhanced authentication – including the use of proximity devices. Using such devices ( mostly bluetooth ) to secure these workstations sounds like a great idea to me and may be the easiest and most effective solution. Once the financial institution walks away from the workstation – it’s locked and ideally will not boot. http://btprox.sourceforge.net/ – open source Google “computer proximity lock” for a number of commercial alternatives.

Adam Hostetler closed the conversation with:

Everyone has really good suggestions so far. I am a fan of the simple phsyical solutions. I would put the workstations in locked cages. This would prevent any malicious people from inserting USB devices or CDs, or implanting sniffers between the keyboard and USB ports. Additionally, follow the other advice of disabling them through software, just to be sure.

Another solution may be to move to a thin client solution. It is possible to buy thin clients that have no USB ports or optical drives. This would also ensure that no sensitive information was on the workstation, in the event that it was stolen.

Ask The Experts: Getting Started with Web App Security

Question from a  reader: What should I be paying attention to the most with regards to web applications? My organization has a number of Internet facing web applications, but I don’t even know where to start to understand what the risks and exposures might be.

Adam Hostetler responds:

The first thing I would do is to identify what the applications are. Are they in house developed applications, or are they something like WordPress or another framework? What kind of information do they store (email addresses, PII, etc)? If they are in house or vendor applications, have they been assessed before? With a little knowledge of the applications, you can start building an understanding of what the risks might be. A great resource for web application risks is the OWASP project. https://www.owasp.org

Phil Grimes adds:

When it comes to web applications, I always promote a philosophy that I was raised on and continue to pound into my kid’s heads today: Trust but verify. When an organization launches an internet facing application there is an immediate loss of control on some level. The organization doesn’t know that the users accessing the application are who they say they are, or that their intentions are “normal”. Sure, most people who encounter the app will either use it as intended or if they access the app inadvertently, they may just mosey on about their merry way. But when a user starts poking around the application, we have to rely on the development team to have secured the application. Making sure identity management is handled properly will help us ensure our users are who they say they are, and validating all data that a user might pass to the application becomes an integral part of security to ensure possible attacks are recognized and thwarted.

John Davis comments:

I would say that the most important thing is to ensure that your Internet facing web applications are coded securely. For some time now, exploiting coding weaknesses in web applications has been one of the leading attack vectors exploited by cyber criminals to compromise computer networks. For example, poor coding can allow attackers to perform code injection and cross site scripting attacks against your applications. The Open Web Application Security Project (OWASP), which is accessible on the Internet, is a good place to learn more about secure web application coding techniques. Their website contains lots of free tools and information that will help your organization in this process. There are also professional information security organizations (such as MicroSolved) that can also provide your organization with comprehensive application security assessments.

As always, thanks for reading and let us know if you have questions for the experts.

Ask The Security Experts: Mobile Policy

This time around, the experts offer insights on this question:

Q: “Dear Experts, what are the key things I need to keep in mind when I write my company’s mobile security policy?” — MK

John Davis starts us off with:

I would say the most important thing is to actually write your own policy; don’t just copy a generic mobile security policy from the Internet and adopt it as your own. For a mobile security policy to be effective, it needs to be tailored to meet your organizations particular information security requirements and also needs to reflect the reality of mobile device use at your organization. It won’t do you much good to forbid using mobile devices for business purposes if you have no mechanisms in place to prevent or detect such uses. Effective information security policy, like effective statute law, is both practical and enforceable.

Adam Hostetler added:

Keep in mind what kind of current security policies you have, and try to apply that to the mobile sphere. Users need to understand that they are connecting an additional computer to the network, and not just a “phone”. Keep in mind also what kind of deployment you are using. Is it bring your own device, or is it company provided? There will be different policies and procedures for each method and possible user backlash depending on how you are doing this.

As always, thanks to the experts for weighing in, and to the readers for the questions. Keep them coming!

Ask The Experts: Insights on Facebook Friends

This time around, the experts tackle this question:

Q: “Hey Security Experts, should I be friends with everyone that asks on Facebook? What’s the risk of friending people I don’t really know? Can we be friends on Facebook?” –Scott918

Adam Hostetler weighed in with:

I wouldn’t recommend accepting friends request for anyone on Facebook, unless you actually know them. This especially goes for somebody that claims they work at the same company as you, as it really could be somebody building a network of targets to social engineer.

Take advantage of Facebook privacy settings also. Don’t make your information public, and only make it viewable by friends. I would even recommend against putting too much personal information on there, even if it is only among friends. There have been security issues in the past that allow people to get around privacy controls, and Facebook really doesn’t need a lot of information from you anyway.

John Davis added:

The short answer is NO! I’m a big believer in the tenet the you DON’T want the whole world to know everything about you. Posting lots of personal facts, even to your known friends on Facebook, is akin to the ripples you get from tossing a pebble into still water – tidbits of info about you radiate out from your friends like waves. You never know who may access it and you can never get it back! There are lots of different people out there that you really don’t want as your friend – I’m talking about everything from annoying marketers to thieves to child molesters. People like that are trying to find out information about you all the time. Why make it easy for them?

Finally, Phil Grimes chimed in:

Facebook is a ripe playground for attackers. This is something I speak about regularly and the short answer is NO, absolutely not. If you don’t know someone, what is the benefit of “friending” them? There is no benefit. On the contrary, this opens a can of worms few of us are prepared to handle. By having friends who aren’t really friends one risks being attacked directly, in the case of the unknown friend sending malicious links or the like. There is also the risk of indirect attack. If an attacker is stalking Facebook pages, there is a lot of information that can be viewed, even if you think your privacy settings are properly set. Stranger danger applies even more on the Internet.

So, while they may not be your friends on Facebook, you can follow the Experts on Twitter (@microsolved) or keep an eye on the blog at http://www.stateofsecurity.com. Until next time, stay safe out there! 

Ask The Experts: Advice to New InfoSec Folks

This time our question came from a follow up on our last advice article to new infosec folks (here). Readers might also want to roll back the clock and check out our historic post “So You Wanna Be in InfoSec” from a few years ago. 

Question: “I really want to know what advice the Experts would give to someone looking to get into the information security business. What should they do to get up to speed and what should they do to participate in the infosec community?”

Adam Hostetler replied:

To get up to speed, I think you should start with a good foundation of knowledge. Already working in IT will help, you should then already have a good idea of networking knowledge, protocols, and architecture, as well as good OS administrative skills. Having this knowledge already helped me a lot at the beginning. Then I would move into the infosec world, read and listen to everything you can related to infosec.  There’s much much more security related knowledge online than ever before, so use it to your advantage. You also now have the opportunity to take info sec programs in colleges, which weren’t really available 10 years ago. Social Networking is very important too, and how you would likely land a job in infosec. Go to events, conferences or local infosec meetings. Some of the local infosec meetings here in Columbus are ISSA, OWASP, and Security MBA. Find some in your area, and attend something like Security B-Sides, if you can. Get to know people at these places, let them know you’re interested, and you might just end up with your dream job.

John Davis chimed in:

If you want to get into the risk management side of the information security business, first and above all I recommend that you read, read, read! Read the NIST 800 series,  ISO 27001 & 27002, the PCI DSS, CobiT, the CAG, information security books, magazine articles, and anything else you can find about information security. Risk assessment, ERM, business continuity planning, incident response and other risk management functions are the milieu of the generalist; the broader your knowledge base, the more effective you are going to be. To participate in the infosec community, there are several things you can do. Probably the best and quickest way to get started is to attend (and participate in) meetings of information security professional organizations such as ISSA, ISACA and OWASP. Talk to the attendees, ask questions, see if they know of any entry level positions or internships you might be able to get into. There are also infosec webinars, summits and conferences that you can participate in. Once you get your foot in the door someplace, stick with it! It takes time to get ahead in this business. For example, you need four years of professional infosec experience or three years experience and a pertinent college degree before you can even test for your CISSP certification.

As always, thanks for reading! Drop us line in the comments or tweet us (@lbhuston or @microsolved) with other questions for the Security Experts.

Ask The Experts: Online Banking

This time we asked the experts one of the most common questions we get when we are out speaking at consumer events:

Q: Hey Security Experts, do you do your banking online? If so, what do you do to make it safe for your family? If not, why not?

John Davis explained:

I’ve been banking online for many years now and have always loved the convenience and ability it gives you to monitor your accounts anywhere and any time. There are a few simple things I do to keep myself secure. I do all the usual stuff like keeping a well configured fire wall and anti-virus software package always running. I also ensure that my wireless network is as secure as possible. I make sure the signal is tuned so as to not leak much from the house, I use a long and strong password and ensure I’m using the strongest encryption protocol available. I also monitor my accounts often and take advantage of my banks free identity theft service. One final tip; instead of using your actual name as your login, why not use something different that is hard to guess and doesn’t reveal anything about your identity? It always pays to make it as tough on the cyber-criminals as possible!

Phil Grimes chimed in with:

I do almost all my banking online. This, however, can be a scary task to undertake and should always be done with caution on the forefront! In order to bank safely on line, the first thing I do is to have one machine that was built in my house for strictly that purpose. My wife doesn’t play facebook games on it. My kids don’t even touch it or know it exists. This machine comes online only to get updated and to handle the “sensitive” family business functions like bill payment or banking.  The next thing I’ve done to protect this surface was to use a strong password. I used a password generator and created a super long password with every combination of alpha, numeric, and special characters included to reduce the risk of a successful brute force attack. This password is set to expire every 30 days and I change it religiously! Then finally, using Firefox, I install the NoScript plugin to help defend against client side attacks.

Adam Hostetler added:

Yes, I do my banking online. I also pay all of my bills online and shop online. I think the biggest thing that you can do for safety is just to be aware of things like phishing emails, and other methods that fraudsters use to try to compromise your credentials. I also always use dual factor authentication when possible, or out of band authentication, most banks and credit unions support one of these methods these days. Checking all of my accounts for suspicious activity is also a regular occurrence. 

There are also the malware threats. These are mostly mitigated by having up to date software (all software, not just the OS), up to date anti-virus software, and treating social networking sites like a dark alley. Be wary of clicking on any links on social networks, especially ones that are apps that claim they will do something fun for you. Social networks are probably the largest growing vector of malware currently, and a lot of times people install it willingly!

If you’re really paranoid, just have a dedicated PC or virtual machine for online banking.

Got a question for the Experts? Send it to us in the comments, or drop us a line on Twitter (@microsolved or @lbhuston). Thanks for reading! 

Ask The Experts: Important SCADA Security Tips

This time the question comes from an online forum where we were approached about the MSI Expert’s Opinions on an interesting topic. Without further ado, here it is:

Question: In your opinion, what is the single most important question that security teams should be discussing with SCADA asset owners?

Adam Hostetler (@adamhos) replies:

Do your SCADA managers and IT have a culture of security? It’s still found that many SCADA industries still have a weak culture. This needs to be changed through ongoing education and training (like the DHS training). This will help engineers and IT develop and deploy stronger network architectures and technologies to combat increasing SCADA risks in the future.

John Davis also weighed in: 

I would say the most important question to discuss with SCADA asset owners is this: do you have short term, mid term and long term plans in place for integrating cyber-security and high technology equipment into your industrial control systems? Industrial concerns and utilities have been computerizing and networking their SCADA systems for years now. This has allowed them to save money, time and manpower and has increased their situational awareness and control flexibility. However, industrial control systems are usually not very robust and also very ‘dumb’. They often don’t have the bandwidth or processing power built into them for mechanisms like anti-virus software, IPS and event logging to work, and these systems are usually made to last for decades. This makes most industrial control systems extremely vulnerable to cyber-attack. And with these systems, availability is key. They need to work correctly and without interruption or the consequences vary from loss of revenue to personal injury or death. So, it behooves those in charge of these systems to ensure that they are adequately protected from cyber-attack now and in the future. They are going to have to start by employing alternate security measures, such as monitoring, to secure systems in the short term. Concerns should then work closely with their SCADA equipment manufacturers, IT specialists, sister concerns and information security professionals to develop mid term and long term plans for smoothly and securely transitioning their industrial control systems into the cyber-world. Failure to do this planning will mean a chaotic future for manufacturers and utilities and higher costs and inconveniences for us all.

What do you think? Let us know on Twitter (@microsolved) or drop us a line in the comments below.