Design & Build

By cliangNo Comments
Secure by design of ICS (Industrial Control System) is just part of the ICS life cycle.  If design is insecure, retrofit sometimes is not possible and need to rebuild from scratch again. Next is the ongoing sustainability of the cybersecurity because the ICS is only secure at that particular point in time of commissioning.  Addressing new vulnerabilities and continuous strengthening are required to keep staying cyber secure. Of course, identify the business outcomes and acceptable risks then translate into ICS cybersecurity requirements in the procurement specification is the very first step....
Read More

FUD

By cliangNo Comments
Fear, Uncertainty, Doubt (FUD) is the tactic vendors are trying to sell you their cybersecurity solution. Typically, this is done via several stages: Share damages for cyber incidents in the public like substantial fines by the Court or huge claims from customers, loss in reputation, drop in stock price, revenue loss due to business operation interruption plus other fees like investigation, containment and recovery How your other peers are doing Market share and strength of their solution from  independent analyst's ranking How their solution is able to help and protect you Certainly, having cybersecurity protection deployed is better than none but what you need to know: Limitation of the solution as there is no bullet proof protection technology Total Cost of Ownership (TCO) to operate including competent skill set and extra resources Understand how effective the protection to limit the risks and threat actors that the organization is facing because each organization has its own business priority, people and culture issues Most importantly,...
Read More

Operation Risk

By cliangNo Comments
Unlike IT application, ICS (Industrial Control System) involves direct physical process that will affect human safety and impose environment impacts. When we conduct ICS risk assessment, we must not just limited thoughts to cyber risks.  Cyber risk is just one of the causes that affect the stability, manageability and operability of the ICS. For impacts caused by cyber issues, are these due to general equipment fault rather than cyber attack?  What about other physical damages like communication lines fails due to natural disaster, or machinery break down from wear and tear?  The counter-measures shall then also address non-cyber issues for a comprehensive business continuity arrangement....
Read More

360

By cliangNo Comments
In physical world, 360 degree can further be 2D or 3D.  Anyway, it has the sense for a holistic view of the surrounding. In cyber world, there isn't any concept of dimension.  The cyber world is connected via different network, gateway and nodes.  The 360 approach is required to assess risks and attack paths to the cyber applications such that the optimal and effective controls can be deployed....
Read More

Zero

By cliangNo Comments
The topic can associate to many things The boundary between positive and negative value Calibration for instrumentation integrity Absolute zero (temperature) Zero-day exploit, attack One of the 2 binary digits From zero to hero Zero-trust ... The zero-trust model (or architecture) is chosen here.  In cyber space with zero-trust, every component needs to be re authenticated for trust even if inside the network.  This is to limit lateral movement when adversary once gains access to an insecure node. This model will reimagine the work process.  Of course, to what degree applying this model will be the trade off of security and productivity plus the risks tolerated....
Read More

Backup & Recovery

By cliangNo Comments
Service availability expectation is high nowadays.  Customers expect everything is always up and running any time for usability. Backup for recovery becomes challenging: platform & applications, system configuration and application data are changing at different frequencies.  It is necessary to formulate the backup strategy at design stage or be part of the major change to meet the recovery time objective by deploying viable technologies. GFS (Grandfather, Father, Son), or 3 generations, is still considered as the minimum set for full backup to recover the entire system at certain point in time.  It's how frequent this is done and what are other business continuity activities to complement the "outdated" information....
Read More

Sunrise, Sunset

By cliangNo Comments
You cannot tell because it lacks of reference - time of day taken or more precisely which planet but generally assumed on Earth. Similarly, is the infrastructure/system cyber secure? It needs reference points. The corporate cybersecurity policies, the corporate risk matrix are the reference points to prioritize protection measures for reducing likelihood. Furthermore, a scoping statement is required especially if we are talking about cybersecurity assessment or accreditation.  An ISO standard compliance is meaningless without statement of applicability.  Whether it's just (a) the in/out tray of document handling or (b) the information processing system/infrastructure handling electronic document will make a great difference in terms of operational controls as well as ongoing effort to sustain the accreditation....
Read More

Privacy

By cliangNo Comments
We all know the importance of privacy and the need to protect it. While protecting privacy, we need to look at regulation requirements in 360 degrees, i.e. we cannot hide something that is supposed mandatory for display. A question for reader: in postal mail, is the window envelop displaying both name and address violating privacy?...
Read More

Shadow IT

By cliangNo Comments
Gartner defines Shadow IT as IT devices, software and services outside the ownership or control of (IT) organizations. Given that information processing facilities or information containers are no longer centralized, the shadow IT is a common phenomenon.  Each one of us has a cellular phone that is indeed a powerful information processing facility and large storage device in the pocket. The extensive connectivity and cloud computing via access anywhere and any platform model further accelerate this situation.  Cyber risks are incurred to different degrees.  Various protection technologies are surfaced in the market: Mobile Device Management, end point lock down, cloud-based proxy, Data Leakage Protection, disk encryption and so forth; but they are never bullet proof. Organization needs to think about enablement (as well as empowerment) rather than prohibitive thru streamlined approach.  Policy formulation, usage guidance, risk management, user awareness and enforcement via disciplinary process are required to minimize the impacts....
Read More

The Good, The Great

By cliangNo Comments
As cybersecurity practitioner, you might need to assist asset owner or end user to deal with auditor (or security assessor). The Good auditors are able to pick discrepancy of your operation against the "policies" (written directives, procedures or instructions document) down to minute details.  They regard these are the yardstick ("so it shall be written, so it shall be done") for a yes or no compliance tolerance without looking at other compensating controls. Every change or review execution needs documented evidence (name, date, signed approval, next review date etc.).  How these documents are effectively managed isn't the focus even though it will create many unnecessary overheads or even the trustworthiness of the documents. The Great auditors make a step further.  They will give further thoughts if the written "policies" have gaps with best practices or practically achievable; recommend both written (documents) and execution improvement.  E.g. make reference to revised password setting per NIST SP-800-63-3. The cybersecurity practitioners need to keep abreast of latest...
Read More