Architecture

ICS now makes full use of general-purpose computing equipment (servers, workstations, operating systems, databases, communications) rather than purpose-built control and instrumentation (C&I). The OEM therefore has to test the integration of its machinery with these commodity components sourced from the market. The industry has already defined a standard architecture for how the different types of components should be zoned into different network segments. Some cybersecurity practitioners have misused the term "architecture review". To be specific, it is a design review: how does the designed system deviate from the standard architecture, what are the ingress/egress points of the system, what is the worst-case consequence and its anticipated likelihood, and what are the optimal controls derived from these? We should not change the design approved by the OEM, because the OEM has validated the functionality and usability of the ICS to deliver the intended outcome. Catching up on security patches or new software versions, adding an extra firewall in between, or even changing the network-layer protocol for perceived security could break the ICS. It will then be just like "The operation...

Improper Control #2

The detection should be deployed on the "risky" lane at the junction.

Technical controls are just one kind of security measure. There are many surrounding elements to take care of in order to secure a system. These include, but are not limited to:
1. Understand the security objective
2. Design with optimal controls
3. Deploy with viable measures (technical, administrative or management controls)
4. Verify that the controls are deployed per design
5. Sustain the effectiveness of the controls
Most often, security practitioners focus on technical controls with micromanagement. They forget the bigger picture of where the technology stands in the entire business landscape. ...

Policy Making

For certain cybersecurity job roles, policy making is a necessary foundation for running the business securely to a reasonable degree. While doing so, we must fully understand the business objectives, operating environment and intended business outcomes, taking textbook knowledge as a reference rather than applying it blindly. Where necessary, a suitable qualifier or elaboration is required to enhance clarity. An example is personal privacy. Qualifying the data subject as a living individual differentiates the real-life situation; without this qualifier, enforcement would be impossible and impractical, since every tombstone around the globe would have to be replaced. ...

Stepping Stone #2

Jump hosts are typically used for remote access. These are the controls: user accounts with multi-factor authentication; the time of day during which access is granted to the user account; a ruleset limiting the destination hosts reachable once landed, per login user; and session monitoring. On reasonable grounds, some are mandatory while other extra measures depend on the situation. In extreme cases, multiple chained jump hosts are demanded, to the point where network latency and usability are in doubt. The optimal decision is to balance risk and usability with a holistic and objective assessment. Otherwise, it will be overkill. ...
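As an added illustration (not code from the original post), the following Python evaluator ties the controls listed above together: MFA, a per-user time-of-day window (including a window that wraps past midnight, the usual trap for overnight vendor access), a per-user destination ruleset of hostnames or CIDR ranges, and an audit trail that session monitoring can correlate against. The policy format, user names and hosts are all hypothetical.

```python
"""Jump-host access policy evaluator.

Added example, not the page's own code. The policy structure, the user
names and the destination hosts below are hypothetical.
"""
from dataclasses import dataclass
from datetime import time
import ipaddress


def hhmm(s: str) -> time:
    """Parse "HH:MM" local time of day."""
    h, m = s.split(":")
    return time(int(h), int(m))


@dataclass
class UserRule:
    require_mfa: bool
    window_start: str   # "HH:MM" local time
    window_end: str     # may be earlier than window_start: the window wraps midnight
    destinations: list  # hostnames (exact match) or CIDR strings


@dataclass
class Decision:
    allowed: bool
    reason: str


def in_window(now: str, start: str, end: str) -> bool:
    """True if `now` lies in [start, end); handles windows that wrap midnight."""
    t, s, e = hhmm(now), hhmm(start), hhmm(end)
    if s <= e:
        return s <= t < e
    return t >= s or t < e


def destination_permitted(dest: str, allowed: list) -> bool:
    """Exact hostname match, or an IP address contained in an allowlisted CIDR."""
    for entry in allowed:
        if dest == entry:
            return True
        try:
            if ipaddress.ip_address(dest) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # entry or dest is not in IP form; try the next entry
    return False


AUDIT = []  # (user, time, destination, allowed, reason): feed for session monitoring


def evaluate(policy: dict, user: str, mfa_ok: bool, now: str, dest: str) -> Decision:
    """Apply the controls in order: identity, MFA, time of day, destination ruleset."""
    rule = policy.get(user)
    if rule is None:
        d = Decision(False, "unknown user")
    elif rule.require_mfa and not mfa_ok:
        d = Decision(False, "MFA not satisfied")
    elif not in_window(now, rule.window_start, rule.window_end):
        d = Decision(False, "outside permitted time of day")
    elif not destination_permitted(dest, rule.destinations):
        d = Decision(False, f"destination {dest} not in ruleset")
    else:
        d = Decision(True, "allowed")
    AUDIT.append((user, now, dest, d.allowed, d.reason))
    return d


# Constructed sample policy (hypothetical users and hosts).
POLICY = {
    "ops-day": UserRule(True, "07:00", "19:00", ["hmi-01.plant.example", "10.10.20.0/24"]),
    "vendor-night": UserRule(True, "22:00", "06:00", ["10.10.30.5"]),
}

if __name__ == "__main__":
    for args in [("ops-day", True, "09:00", "10.10.20.7"),
                 ("ops-day", True, "20:00", "10.10.20.7"),
                 ("vendor-night", True, "02:00", "10.10.30.5"),
                 ("vendor-night", True, "12:00", "10.10.30.5")]:
        print(args, evaluate(POLICY, *args))
```

The ordering of the checks matters for what the audit trail tells you: a failed MFA is recorded before the time and destination checks run, so an account being probed outside its window shows up as an MFA failure pattern rather than a misleading "outside time of day" entry.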

Access Control #4

From the technology point of view of a discrete control, opening the bridge disconnects the traffic between the two sides. Is this barrier secure? It all depends on how the entire protection system is run. The bridge only blocks access via that land path. What about access via air or water? By the same token, vulnerabilities in a computer platform or its applications do not pose an immediate cyber threat if the platform sits within its own effective electronic security perimeter. As professional cybersecurity practitioners, we have to give management well-founded reassurance rather than just follow textbook knowledge to clear all known vulnerabilities. That is not practical to achieve. ...

Support Model

Peer "Support"

Like any other information processing solution, cyber protection technologies require ongoing support and maintenance to sustain their effectiveness. Otherwise, the protection strength deteriorates over time. An example is the regular update of malware signature definitions. Other than technology vendor support, peer support is also essential. We do not act as individuals in the cyber world; what we do affects others. When something goes wrong, it impacts not just ourselves but also brings adverse effects to our connected peers. An example is a social engineering attack that uses a compromised identity against that identity's contacts. Therefore, peers are important in providing a different support perspective. If peers see something unusual (an IM or email from someone they know), they should contact that person via a trusted channel (say, a phone call) to verify. Sometimes, that person might not even know that their identity has been compromised and is being used to launch attacks. ...

Physics #2

This is another great example of thinking deeper to balance the cyber and physical worlds rather than blindly putting unnecessary investment into cyber protection. Researchers have been able to demonstrate remote control of a crane via a Casio watch. Is this scary? Without knowing the conditions required for exploitation, management will be misinformed. We, as security practitioners, must analyze the situation and identify how this can be exploited before delivering the correct message. The physical condition of the crane must also receive proper attention. Imagine a loose bolt or nut, erection on an improper foundation, or an incorrect procedure to extend the crane height: all could result in the same catastrophic consequence. ...

Seasonal Factor #2

The Ice Road only opens Jan-Feb

Anomaly detection highlights that the technology learns your environment as a baseline reference, so that "unusual" traffic is flagged for alert. This saves on detection ruleset definition, but the vendor always stresses a short learning time (even just 1 or 2 weeks) to win approval for deployment as a quick win demonstrating ROI. Sometimes, network traffic or application behaviour is seasonal because of the business operations, and a baseline learned in the off-season will flag the entire busy season as anomalous. Therefore, as always, recurring maintenance effort is required to sustain its effectiveness; don't be influenced by the vendor's promise of zero-effort deployment and zero maintenance. ...
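An added example (not code from the original post) that makes the seasonal failure mode concrete. The data are constructed: a site whose ice road opens only in January and February, so daily transfer volume runs about four times higher in those two months. A vendor-style baseline learned from two weeks in March and then frozen flags every ice-road day of the following year; a per-month baseline learned from a full year flags none of them but still catches a single genuine spike injected on day 200. The mean-plus-three-sigma bound and the volumes are illustrative assumptions, not a specific product's algorithm.

```python
"""Short-learning baseline versus seasonal baseline for anomaly detection.

Added example, not the page's own code. All inputs are constructed and
deterministic; the thresholding rule (mean + 3 sigma) is an assumption.
"""
from statistics import mean, pstdev

DAYS_IN_MONTH = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def constructed_year(base=100, seasonal=400, spike_day=None, spike_volume=1000):
    """Daily records (month, day_of_year, volume) with a small deterministic jitter.

    Jan-Feb run at `seasonal`, the rest of the year at `base`; an optional
    single-day spike stands in for a genuine incident.
    """
    records, doy = [], 0
    for month, days in enumerate(DAYS_IN_MONTH, start=1):
        for _ in range(days):
            doy += 1
            level = seasonal if month in (1, 2) else base
            jitter = (doy * 7) % 11 - 5          # cycles through -5..+5
            volume = spike_volume if doy == spike_day else level + jitter
            records.append((month, doy, volume))
    return records


def upper_bound(samples, k=3.0):
    """mean + k*sigma, with sigma floored at 1 so a flat series still gets a band."""
    return mean(samples) + k * max(pstdev(samples), 1.0)


def flat_baseline(history, start_doy, learn_days):
    """Vendor-style quick win: learn from `learn_days` days from `start_doy`, then freeze."""
    window = [v for _, doy, v in history if start_doy <= doy < start_doy + learn_days]
    bound = upper_bound(window)
    return lambda month, volume: volume > bound


def seasonal_baseline(history):
    """Per-month bounds learned from a full year, so January is judged against January."""
    by_month = {}
    for month, _, v in history:
        by_month.setdefault(month, []).append(v)
    bounds = {m: upper_bound(vs) for m, vs in by_month.items()}
    return lambda month, volume: volume > bounds[month]


def count_alerts(detector, year):
    return sum(1 for month, _, volume in year if detector(month, volume))


def compare(learn_days=14):
    """Deploy on 1 March with a short learning window, then run both detectors over
    the following year, which contains one genuine spike on day 200 (in July)."""
    history = constructed_year()
    next_year = constructed_year(spike_day=200)
    march_first = 60                       # day-of-year of 1 March in a non-leap year
    flat = flat_baseline(history, march_first, learn_days)
    seasonal = seasonal_baseline(history)
    return {"flat": count_alerts(flat, next_year),
            "seasonal": count_alerts(seasonal, next_year)}


if __name__ == "__main__":
    print(compare())   # {'flat': 60, 'seasonal': 1}
```

The 59 false alerts from the frozen baseline are the whole of January and February, and they are not fixed by learning longer in the off-season: a 60-day March-April window produces the same result. What fixes them is a baseline keyed to the business cycle plus the recurring effort to re-learn it when operations change.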

Physics

Some cybersecurity practitioners narrowly focus on the cyber aspects. It is no surprise, given that the IT cyber space is mostly digital. But when we come to OT, we must take a balanced view and look at the physical side as well. Both the cyber and physical aspects are equally important to securing the plant. If the OT system is well protected at the network perimeter, why keep up unnecessary investment in cyber protection while ignoring physical protection? Even worse, the mentality is to distrust contractors doing work on the OT system while ignoring the fact that physical security is outsourced. We may have a strong and secure OT system, but a misaligned or incorrectly torqued bolt and nut might cause the same severe consequence. More competent cybersecurity practitioners and auditors are required so that corporate management is not misinformed and FUD is not incurred. ...

Directive

A clear directive (a warning on usage) is required to keep humans safe. This is the most effective safety protection; after all, everyone is responsible for their own safety. Similarly, a proper directive (usage terms) is deemed sufficient to keep cyber safe. The problem is that exercising the disciplinary process in an organization is rare, which leads to too many controls. Making things complicated does not necessarily enhance security but could degrade the intended protection. People will try to get around controls to make life easier. ...