Remote Control

Remote control is a familiar convenience in daily life thanks to digital function components; examples we all know are TVs, air conditioners and ceiling lights. Sometimes the remote even offers more features than the local device itself. Given that digitalization dominates the consumer market, it is common for digital devices to have a remote control counterpart. In industrial use cases, OT systems are established to control and monitor the physical plant. OEMs make the life of operations easier by offering remote control as an option, helping operators and support staff manage devices across a wide geographical area. The intention is good: cost-effectiveness and better throughput. I came across a cybersecurity practitioner for whom this remote control capability hit a nerve. His immediate response was to demand that such remote control be disabled. What are the key lessons here? First, the terminology must be precise. Typically, plants are installed in an equipment room where they are monitored and controlled from a different...

Anomaly

Observations are the basis of any informed assessment of whether operations comply with rules and regulations and meet the expected standards. Observations support the findings in the report; they can take the form of screenshots, photos or configuration files in plain text. When you find an anomaly, what is your first response? First, double-check whether it is a false positive. If it is valid, check whether an exception has been granted with a valid reason and the appropriate level of approval. That is not yet the end. A more responsible cybersecurity practitioner or auditor should also look at the effectiveness of the written directive: whether it is reasonable and practically achievable. This is the hard part, because it may be outside the scope of the assessment, or the assessor may rely solely on the book. In any case, policy makers should read the report and reconsider whether the written directives are too tight or too rigid, to the point of killing the business. Bear in...

Obsolescence

One of the biggest challenges in an OT (Operational Technology) system is technology obsolescence. Here we are not talking about the machinery but the controller. A typical machine (or plant) has two major portions: machinery (e.g. motors, valves) and C&I. Nowadays traditional C&I is replaced by commodity hardware and software because they are readily available on the market. Here lies the pain point: the technology product lifecycle is shorter than that of the machinery. Most often, those microprocessor controllers enter an end-of-support state because the OEMs of the embedded OS platform and applications will not fix any publicly known vulnerabilities, as their support policy covers only the latest few versions. From a system reliability perspective, support is important, but from a cyber security perspective, end of support is not the end of the world. As long as the "system" is still running, there is no need to upgrade out of fear of a hypothetical cyber attack. The plant room in the illustration is meant to host those...

Treat or Trick #2

I talked about how "strengthening human awareness cannot be overlooked". The easiest penetration into a corporate network is via phishing email. To validate the workforce's awareness of and readiness to withstand phishing attacks, organizations have started sending simulated phishing emails to test who takes the bait, using an embedded document or hyperlink for tracking. This is a good motive, but the surrounding elements need to be considered. Nowadays, email service providers mark external emails to draw attention to the fact that they come from outside. There are also emails generated by applications for information purposes via an SMTP connector, and these carry the same external marker. Unless the corporate email gateway whitelists these SMTP sources, the workforce will be confused about which emails to trust. Mail headers in simulated emails will disclose that the email is a phishing test exercise to "advanced" or "professional" email users who know how to check the SMTP mail headers. Phishing test results will be affected, because real phishing emails do not carry such identification. We should focus more...

Purpose of Control #2

When we deploy a control, we must understand its purpose. I came across certain cybersecurity practitioners who maintain that a network firewall has to be deployed even in a standalone environment to further segregate the zones within the system, just because the policies say so. There will be no material enhancement to cybersecurity, but it imposes recurring maintenance overhead for the additional network components: regular firmware upgrades, end-of-life monitoring for technology refresh, log review, account/password changes, etc. All of this can be avoided if no firewall is deployed. In the illustration, the control is informative or advisory. It won't be able to withstand a "brute force" bypass. There is also no point in imposing one. The consequence is the best control: if you go beyond this point, your life would be at risk and you take the sole (not shared) responsibility. ...

Access Path

A path is required through the barrier or perimeter for a number of reasons: reachability to and from the destination for legitimate needs such as logistics, transport, etc. In the cyber world, a network perimeter device protects the inside zone from the outside, but "holes" are still required. A common example is access to a web site from outside. How do we stay secure? It requires orchestration across different aspects: configuration hardening, access control to resources, incident response, resilience, regular security updates, situational awareness and, most important, an achievable cyber security policy mandating that all of these are in place. ...

Control #4

The "Exit" demonstrates various types of control to secure the physical perimeter while enabling a "kill switch" for emergency situations. The door lock acts as a preventive control in normal circumstances. Inbound entry to the hall is prohibited for civilians (it does not stop an armed force). The lock bar can be pushed out to evacuate people in case of an emergency inside. It must be easy to activate. To guard against abuse by a malicious actor, a CCTV camera monitors the scene. However, a detective control must be supported by an administrative control, or else it won't be enforceable. Let's say, putting another notice there indicating that improper use will be subject to a fine or imprisonment under such-and-such bylaw clause. Furthermore, the security system is the first target of attack, to disable its surveillance function so that "improper" activities can be conducted without being caught. Altogether, these are the typical people, process, technology and policy aspects that should be considered in formulating the use case, security and safety. ...

In The Cloud

We always hear people say that everything is now in the Cloud. Strictly speaking, this is somewhat incorrect. Even with IaaS, PaaS, SaaS, etc., there is physical equipment on SOMEBODY's premises serving the client. It is just that the client has only a very slim footprint: likely a physical device with a web browser connecting to the Internet for all the services (infrastructure, platform, software) required from the Cloud. When we develop written directives, we should not be influenced by jargon. We need a holistic view that stipulates precise generic requirements, and precise specific ones for certain situations, rather than resorting to case-by-case assessment. The latter ends up as no policy at all. ...

Perimeter #3

One of the key controls in the cyber world is the ingress/egress points of the network. Without sufficient control, threat actors are able to penetrate inside, causing system or service disruption anywhere, anytime. On top of the network aspect, controlling physical access to the equipment is also important. In the physical world, establishing a physical perimeter is far more challenging than in the cyber world. There are "proper" means to reach a region and multiple "improper" means to do the same. Effective control is a proper policy for "illegal" entry. ...

Shared Responsibility

Source: AWS Security Day 2025

I saw some awareness posters saying that cyber security is a shared responsibility. No doubt each of us plays a different and important role in protecting the cyber space. But putting up a slogan like this without any elaboration is unwise. We never know who should do what, and eventually no one takes accountability. The shared responsibility must be well defined somewhere with easy access for the audience. Examples are:

- Senior Management supports and sponsors the necessary cybersecurity resources
- Technical Teams secure the digital assets throughout their life cycle
- General Users follow the good practices published by reputable internal subject matter experts

The AWS model is a good example. [Disclaimer: Not a recommendation or critique, nor having any association or affiliation with AWS.] ...