Policy #10

In an organization, policy affects the culture and work practices. A good policy is practically achievable, acceptable and has buy-in at all levels on why the directives must be followed. In contrast, badly written policies create conflict, politics and non-compliance, because auditors will point out that the work is not being done according to the policies. Even worse, in cybersecurity certain practitioners micro-manage the protection technology down to the brand name while no published standard is available. Everything is just in their minds, with recommendations slipping out of their mouths by word. We must always bear in mind that cybersecurity exists to help run the business securely, and we must not overkill with unnecessary controls. There are lots of threats outside the cyber domain affecting business. The bottom line is to adopt a resilience approach for prompt recovery rather than keep adding protection, because you never know the threats outside your knowledge domain. Protections also require overhead to sustain their effectiveness. ...

Infected

A leaf of a plant is infected. Saving the plant means containing and neutralizing the infection so that it does not spread to its peers. Similarly, if a computer in a plant system is compromised, the recovery is to contain, neutralize and rectify it to avoid affecting the neighbouring nodes. On a strategic level, if the ingress/egress points with external systems, including removable media, are tightly controlled and the O&M activities strictly follow the administrative controls, the likelihood of being compromised is rare to none, even when security patching is not done on a regular basis. This is the common practice in industrial automation control systems. However, certain cybersecurity practitioners always believe that the same maintenance practice as in IT, including technical controls, should be adopted. This will definitely consume unnecessary resources and will likely break things, causing severe damage to the plant. ...

Improper Control #2

The detection should be deployed on the "risky" lane at the junction. Technical control is just one of the security measures. There are many surrounding elements to take care of in order to be secure. These include, but are not limited to:
- Understand the security objective
- Design with optimal controls
- Deploy with viable measures (be they technical, administrative or management controls)
- Verify that controls are deployed per design
- Sustain the effectiveness of the controls
Most often, security practitioners focus on technical controls with micro-management. They forget the bigger picture of where the technology stands in the entire business landscape. ...

Support Model

Peer "Support". Like any other information processing solution, cyber protection technologies require ongoing support and maintenance to sustain their effectiveness. Otherwise, the protection strength will deteriorate over time. An example is the regular definition update of blacklisted code (malware). Other than technology vendor support, peer support is also essential. We are not just acting as individuals in the cyber world. What we do will affect others. When something goes wrong, it will not just impact ourselves but also bring adverse effects to the connected peers in the cyber world. An example is a social engineering attack using a compromised identity against that identity's contacts. Therefore, peers are important to provide a different support perspective. If peers see something unusual (an IM or email from someone they know), they should contact that someone via a trusted channel (say, a phone call) to verify. Sometimes that someone might not even know that the identity has been compromised and is launching attacks. ...

Physics #2

This is another great example of thinking deeper to balance the cyber and physical worlds rather than just blindly putting unnecessary investment into cyber protection. Researchers were able to demonstrate remote control of a crane via a Casio watch. Is this scary? Without knowing the exploitation conditions, management will be misinformed. We, as security practitioners, must analyze the situation and identify how this can be exploited before providing the correct message. The physical condition of the crane must also be kept well under attention. Imagine a loose bolt or nut, a crane erected on an improper foundation, or an incorrect procedure to extend the crane height: all could result in the same catastrophic consequence. ...

Physics

Some cybersecurity practitioners narrowly focus on the cyber aspects. It is no surprise, given that the IT cyber space is mostly digital. But when we come to OT, we must have a balanced view and look at the physical side as well. Both cyber and physical aspects are equally important to secure the plant. If the OT system is well protected at the network perimeter, why keep making unnecessary investments in cyber protections while ignoring physical protection? Even worse, the mentality is to distrust contractors doing work on the OT system while ignoring that physical security is outsourced. We may have a strong and secure OT system, but a misaligned or incorrect torque on a bolt and nut might cause the same severe consequence. More competent cybersecurity practitioners or auditors are required to avoid corporate management being misinformed and incurring FUD. ...

Directive

A clear directive (a warning on usage) is required to keep humans safe. This is the most effective safety protection. After all, everyone is responsible for their own safety. Similarly, a proper directive (usage terms) is deemed sufficient to keep cyber safe. It's just that exercising the disciplinary process in an organization is rare, which leads to too many controls. Making things complicated does not necessarily enhance security but could degrade the intended protection. People will try to get around controls to make life easier. ...

Usability

Everything is now undergoing digital transformation and residing in the cyber space. Certain cybersecurity practitioners I met are overkilling business operations with cyber protection, claiming it is needed to stay secure. Take the illustration above: the glass window provides a scenic view from the room. If reinforced steel covers are put on, they could definitely protect the glass window from strong wind during adverse weather. But if these steel covers are closed all the time, they will drive guests away, affecting revenue. We need to be pragmatic and accept that there are always risks to the business from various domains. It is impractical to eliminate all risks. If you attempt to do so, it will end up as "The operation was successful. The maharaja is dead." ...

Isolation

By common sense, systems isolated from the network are immune to cyber attack over the wire but still vulnerable to infected removable media upon physical insertion. Just like the boat above: you don't worry about attack from sharks, but what about the crocodile in shallow water? As cybersecurity practitioners, we must have a holistic understanding of the target operating environment, the business objective and the adverse consequences. We should not simply say "my role looks after architecture; other issues such as cyber risks and cyber operations need to go to the relevant teammates." With complete understanding, impose viable (not necessarily technical) controls for high-impact consequences by reducing likelihood as much as practical. Don't just follow textbook knowledge: it is for reference only and must be digested for what is applicable in one's own environment, to help asset owners with the recommended optimal investment rather than overkill. Adding controls only creates complication and does not guarantee more security. Indeed, more controls will demand...

“Insecure” Tunnel

An older TLS (Transport Layer Security) version is marked insecure by the vulnerability scanner. Certain cybersecurity practitioners make decisions solely based on the scanner report and blindly urge the system admin to "fix" it without looking at the big picture. The vulnerability scanner has zero knowledge of the system landscape, the criticality of the system being evaluated and, most importantly, where the scanner is placed in the network. Good practice is to assess the big picture, mark these as non-issues and forget them if it is just an internal system in an isolated environment. Resources should be deployed on more important things. ...