Saturday, October 18, 2008

How is CIP different from "Joe the Plumber" security?

When I was a member of CIAG Research, one of the problems that I had to grapple with was distinguishing normal "network security" or "Internet security" from "Critical Infrastructure Protection."

Given that our [dangerously vague] charter was to conduct and fund research that would improve the security of the critical infrastructure[s] we engaged in a lot of soul searching [and heated discussion] about which projects were appropriate? Was web application security within the domain of CI? Probably not, but maybe? How about routing protocol security. BGP security, definitely. RIP, not so much. How about L2/L3 Enterprise best practices? Maybe? Certainly, if they applied were applied to manufacturing and control system networks. Adding SCADA protocol awareness to firewalls, definitely.

So through these are the mud-colored glasses that I read Perry Pederson's inaugural post at Wurldtech.

So on first blush, and after suffering through a number of Control Systems standards efforts that spent too much time focusing on whether attackers were terrorists, disgruntled employees, or script kiddies, I was sympathetic to his lack of concern for the identity or motivation of threat agents:

So, when it comes to protecting these critical infrastructures, the motivation of the attackers is of less value than the response. In other words, it really does not matter if it was a terrorist, an animal rights group, or someone protecting the environment from us humans.

But I would argue that this is equally true for "Joe the Plumber" security as well. You know, the dirty jobs that small and large companies have to deal with: patching, logging, vulnerability management, application security, incident response, etc. Unless they translate into concrete defensive actions (blocking specific target sources or enabling monitoring for specific toolsets) it is irrelevant who or why you are being attacked. Besides, "Joe the Plumber" does not have access to the sort of [classified] threat intelligence that would make this relevant.

On the other hand (particularly in this season of government intervention to secure the private sector ) perhaps motivation and identity is more important to Critical Infrastructure Protection. If the largely privately-owned critical infrastructure is of so critical to the national interest and there is actionable intelligence to intervene through some national-level asset (electronic, physical, military, etc.) in order to obviate the need for a response within the private sector. But given that critical infrastructure depends on the public private partnership (and this should not just be a cliche on the part on government agencies to let Industry and public infrastructure owners to do whatever they hell they want without fear of regulation) the private sector should focus on the response but the public agencies must focus on incident prevention -- and this requires actionable intelligence on threat identity, capabilities, and intentions. Perry also discusses this need for prevention however I think "information sharing" is another one of those critical infrastructure cliches that executives like to talk about (and have been talking about since PDD-63) but sharing information is a means and not an end to itself. Besides information sharing across large enterprise IT organizations (each which is trying to cover it's ass in response to an incident or outage) is probably no different than the sort of challenges in sharing information between the private and public sector or within government agencies in response (or prior to) incidents.

Based on my experience in the first Cyberstorm exercise (and not just because I've heard directors and VP go on and on about them ad nauseum) I can't help but be a little cynical about efforts to that focus on "information sharing," incident response, "situational awareness", and "connecting the dots." Not only are these problems not unique to critical infrastructure but more often that not "raising awareness" and "improving communication" often are a cheap substitute for action.


Ted said...


Matt Franz said...

I'm no fan of congress either but couldn't get any worse than W + GOP CONG.

And that is not hypothetical.