Design & Build #3

Earlier, I talked about similar. When conducting a comprehensive assessment of a facility, we should not just look at the cyber aspects but also the reliability and safety of the facility. Those exposed pipelines could be essential supply of human nessasities or dischargs of waste. If they are physically damaged (intentionally or unintentionally), these facilities will be disrupted therefore affecting normal live or even life. Physical security is also importantly in protecting the cyber components of facilities. ...
Read More

Policies #10

Policies are rules. They stipulate what are allowed and what not. Good policies must be practically achievable and enforceable, not too strict and not too loose - this is the hard part. Too strict will incur policy exception and too loose will make the policy a decorative statement in the sign board. Writing good cybersecurity policies will require these as foundation: The policy maker must understand the business model, what outcomes to be delivered What are the risk appetite the organization willing to take, after all, there won't be 100% secure business in the world How the requirement shall enable the business securely but not prohibit innovations, we are living in digital transformation era and everything is going inside cyber What are peers or the industry doing, is the bar setting too high or too low That said, don't just apply textbook knowledge but listen to business units what will work and what not. Strike the right balance with 80/20 rule. ...
Read More

Bag Tag

It is common practice to tag your checked bag or even hand carried bag with a tag. How are you going to fill the info there? In old days, mobile communication device is rare. If you cannot find the bag at baggage claim area, you rely on transportation service provider to contact you and deliver the bag per the stated address even though you report them about lost bag. Therefore, you have to provide the accurate address and contact information. Now, the scenario is reversed. If you cannot find your checked bag, you contact the transportation service provider to locate the lost bag with ticket number assigned at check in and tell them where to send to and how to reach you. Therefore, the bag tag shall only serve an identification means and avoid putting too much privacy information (address, contact number, email) there. In addition, the tag attached to the checked bag has RFiD to track its routing through out the entire...
Read More

Renewable Energy

It is one of the decarbonization means. Investment involves initial plant setup and then recurring operating cost. There is no need for fuel except resources to manage the plant properly. The entire ecosystem will need site survey, i.e. how many days with sufficient wind are there in a year and the strength, physical security from sabotage of the plant and then digital security against cyber attack - bring down the grid, damage the equipment, scheduled plant maintenance. This shall best have a Hazard and Operability (HAZOP) exercise that include everything that most cybersecurity practitioners are only focusing on cybersecurity, or technical controls. If they do, they are incompetent for the job. ...
Read More

Administrative Control #2

SSSS (or 4S) is Smart Site Safety System. It consists of server, workstation, mobile network, end point devices (CCTV, smart watch, RFiD helmet, other sensors) to monitor construction site and workforce situation for safety hazards alert. For client project involving civil works, equipment installation etc, contractor will bring their own 4S to ensure and compliance with safety rules and regulations. 4S is not a project deliverable but a tool during construction. I see some cybersecurity practitioners have incorrect understanding. They demand contractor 4S compliance with own organization cybersecurity policies. No doubt 4S might capture client site specific condition, coincidental inclusion of personnel other than contractor workforce causing privacy concerns. We must not forget there are administrative controls in the contractual obligation to comply with laws & regulation plus non-disclosure agreement. We shall not bother the how's in technical aspects. Otherwise, this is overkilled. This something like you walk into a mall, using the ATM - there are CCTV everywhere but you won't question...
Read More

The Forgotten Place #5

It is self-explanatory. There are similar faults posted previously. Risk of consequence must be understood before deploying information automation tool. If the display is for information of the mall, failure does not matter much and at most the reputation of the management office. But if the display shows real time high value trading, failure will cause substantial direct and indirect financial impacts. Direct is the loss of opportunity to conduct transaction by the users of the display. Indirect could be claims thru litigation by users of the display causing their direct loss due to this failure. Technically, multi-displays are deployed for resilience. From policy perspective, users must sign usage agreement to undertake consequence due to machine failure and disclaim the service provide for any direct or indirect losses. ...
Read More

Security By Trust

In physical world, we trust this glass roof is safe and secure to walk on because there are underlying processes to sustain its safety: Regular inspection and maintenance Regulatory requirement for license issue and renewal 3rd party insurance etc. In addition in building this infrastructure, the design will cater for the intended loading with safety margin, wind speed, anchor points stability plus build it per engineering standard to ascertain the quality. We will therefore have no doubt and trust these arrangements are in place and safely step on it. In cyber world, things are different. There might be cybersecurity standards as foundation but the design and build will require competent practitioners. Even there is comprehensive verification tests before commissioning, there are always new cyber threats requiring recurring effort to sustain the protection effectiveness. Deception to lurk victim into malicious web site to compromise the device or application will further complicate the situation. Then, how do we stay secure in the cyber world? It's a very...
Read More

Time

Time is an interesting phenomenon. It dominates everything both in physical and cyber worlds. All living individual or objects are under influence of time: getting aged. All data traffic are regulated with time as base reference for synchronization and handshaking. Everyone has equal amount of time. Time cannot be borrowed nor saved for later use. Time is abstract that cannot be touched nor felt its existence. That said, how do we deal with time? This is really use case based. In time-sensitive action, time is kept down to micro or nano second. Examples are stock trading transaction and racing. In certain case, "coarse" time reference may be used like the illustration that hour indication is sufficient - morning, afternoon, evening or night time. It all depends how time reference is deployed in the use case, and how time measurement is secure to maintain integrity. Inevitably, a comprehensive risk assessment (not just cyber but the business as a whole) is required to understanding risk...
Read More

Label

Label is commonly seen and required to identify things especially in cables. Without proper identification, it will be tedious in trouble-shooting. There is always debates on label. On one hand, it eases operation and maintenance tasks but on the dark side, it exposes the usage of the marked item. A mitigation is to assign label ID and mark this is the drawing. This requires resources to sustain the documentation when changes occur and regular inventory check to validate the marking is still correct. For the illustration, it has certain pitfall for insights. It exposes the location is for military purpose, a target for threat actor to penetrate or attack. "No trespassing" is unlikely enforceable especially during political conflict time. Ultimately, this requires the holistic assessment to balance the signage, back-end enforcement mechanism and cater for unexpected scenarios. All these are the attributes of writing a good policy that can be practically achieved. That said, don't just copy textbook knowledge and apply to your organization cybersecurity...
Read More