
Friday News and Notes

  • Innominate announced another version of their field security device, which now protects Ethernet, analog dial-up and ISDN connections.
  • Joe Weiss makes the case that Sarbanes Oxley (SoX) applies to control systems in a provocative blog entry. We have intentionally avoided offering SoX services and developing expertise in that area so I’m not qualified to comment. However, I do know that many asset owners have come to a different conclusion.
  • Industrial Defender, formerly Verano, announced Version 3.0 of Industrial Defender. I find the 61850 NIDS signatures the most interesting, but there is also support for other firewalls in their SCADA SEM as well as additional features. On a side note, Industrial Defender is a fine name, more descriptive than Verano, but it is very confusing now that it is a company name and product family name encompassing a wide range of security products. And what is Version 3.0? Is it a new version of Industrial Defender SEM or Industrial Defender NIDS? All products under the Industrial Defender umbrella, and which features in the press release belong to which products?
  • The 280 comments on ISA SP 99 Part I have been addressed by the Working Group. See the comments, comment resolution and revised document at the WG3 Page.
  • Remember Jonathan Pollet’s PatriotSCADA field security device from his PlantData days? I ran across it at Sage Inc’s site.

Comments

Comment from Ralph Langner
Time: July 13, 2007, 10:07 am

Even though I can’t say much about SOX, I think Joe’s approach to establish SOME link between SCADA security and legislation has much to it. I hate to say it, but more and more I’m getting convinced of Bruce Schneier’s point that we will see significant improvements in IT (and therefore SCADA) security only if corporations are forced into it by legislation and litigation. BTW, the situation in Europe leaves less room for interpretation. The KonTraG, Germany’s SOX if you want to say so, is precise in that every corporation must have a risk management system in place for risks that may severely affect the company’s bottom line, IT risks in particular.

Comment from Ron Southworth
Time: July 13, 2007, 1:20 pm

Hi Dale and Ralph.

Regarding the Industrial Defender name change, I think the confusion will pass and it is more accurate as to their area of considerable expertise and focus. The product, from the demo I saw in Melbourne recently, seems to be going in a positive direction and I like the synergy of it for certain.

Dale, thanks for producing the podcasts. I think they have been quite a source of entertainment and quite useful. Thanks to Joe for speaking; I did enjoy listening to you speak.

What I say below, may I state, is intended and put forward with the deepest of respect and admiration and with the best of intentions. I would like to hear that you guys give some real consideration to what I have put forward. I am not the best wordsmith in the world; consider this a draft if you like, but here goes.

Brian and Joe have mentioned they see a preference for regulation as a driver to move people into action. I will put a couple of hats on and respectfully put forward a counter view to this approach. I have said much of this before on your forum and others, but I hope that this time you may reflect a bit more on what I have said here and can see the approach has some merit.

Regulation won’t make people spring into positive and affirmative action. Something Jake Brodsky said a little while ago on the SCADA Gospel list regarding leaders springs to mind and got me thinking about this again (Thanks Jake).

We have a generation of managers in the world in what I call the post-APOLLO 11 times, but where have all our leaders gone? The guys that truly made the USA great from the space program, many of them I am privileged and honoured to say were my mentors and teachers. I can tell you they were real leaders, and people with the right stuff. You guys are fortunate that they are still alive and can still give you their spark if you are prepared to go somewhere and hear them speak and take that spark for your own. Please do it before it is too late!

I think the problem you are really facing in the USA stems from the wake of loss of not having all these great leaders to motivate and inspire. That is not to say that I think there are no leaders left. I think that you guys have a number of great people with the ability to lead that maybe are just a bit lost or lacking in direction, maybe the tools to effectively motivate in a positive way are lost or not being used?

To be fair and balanced I have seen some people in the industry there that are trying to lead like Joe and Brian and the guys I have met from DHS and a large number of the researchers and industry participants in North America in very recent times. In fact I think that some are starting to catch on to this important philosophical goal and maybe I am really behind some of them.

I make no secret that I don’t think that regulation is truly the answer with security and in particular securing our critical infrastructure. I do deeply respect Brian and Joe tremendously and understand and appreciate their belief that regulation is the only way. In fact a few years ago I would have been right up there with them banging on the same drum.

I respectfully ask you all to have a real hard and systemic-level look at this problem, do some research as I have been doing for the past few years, and see if you can have an honest look and draw the conclusion that regulation is losing its effectiveness in the USA and in fact is becoming a nightmare and a considerable burden to everyone. I would go so far as saying this is your greatest threat to lifestyle and prosperity if it is not managed better in the future.

I am certain that I have seen Joe and Brian both talk about root causation of problems. With respect, have they stood back from the coal face lately and taken the same degree of analysis to the big picture on security and on threat trends, where things are heading, etc.?

As you are aware, Dale, we take quite a different view and approach in Australia to this and believe that as a community regulation is not the answer to the root cause of the problem. I have sat back and looked at how the USA is starting to have some serious issues on many fronts for many reasons. For certain there is a burden and a need for having cultural principles followed, and as such these usually take some form of regulation, so I am not suggesting that all regulation or guiding first principles be thrown out. People are people and someone will always try to do everything they can but act in a truly ethical way.

You can regulate till you are black and blue in the face; until the culture of the industry changes, regulation will continue to fail. SOX is a good case in point, where there have been a number of articles highlighting that SOX is not achieving the desired outcomes. People in the industry are the key to obtaining success in the outcomes, so we need to target our efforts at our leaders, managers, peers, friends and colleagues and persuade and encourage the necessary cultural changes.

This may be seen as a harder road perhaps, through motivation, peer support, pressure and through the pursuit of excellence. Taking an “All Hazards and Risks Approach” to the problem, and motivation, pooling, collaboration and sharing of resources, is the answer and a positive way forward. Imagine if we were to redirect all the regulatory effort and refocus it all in the same direction or outcome. Would this not alleviate so much of the frustration due to the inaction that Brian and Joe are actually speaking out about? People’s job descriptions would change slightly, and how they apply and motivate, but what a difference it would make.

There is still a need for standards, best practices and guides, and for comparisons, quality performance measurements and audits to be undertaken. It is how we motivate, apply these standards and facilitate the progress that needs to change, slightly in reality, in my humble opinion. This won’t take bread out of your mouth; it is just what drives how you motivate the outcomes we are all seeking.

The best motivational quote I can think of, and this one bears repeating for so many reasons. I suspect you will see and hear this repeated again. I may not have it quite right, but here we go…

“It is not just my (USA’s) homeland, it is all our homelands.”
Perry Pederson, DHS, US SCADA Security Conference, 2007.

Comment from Chase Perrin
Time: July 13, 2007, 1:50 pm

Hello Dale,

Thanks for the write-up. I work with Industrial Defender’s PR firm and thought I could shed a little light on some questions.

To clarify the naming structure: Industrial Defender Version 3.0 refers to the entire Risk Mitigation technology suite, from NIDS and HIDS to SEM, et cetera. The “Version 3.0” refers to the new version, which updates signatures, support and scalability on process control systems.

Please contact me at cperrin@golinharris.com or at 213-438-8788 if you have any further questions.

All the best,
Chase

Comment from Dale Peterson
Time: July 14, 2007, 12:11 pm

Ron, I’d feel badly if I didn’t respond to your long comment.

1) We see much more to be positive on the control system owner operator front. Granted our view is a bit biased because we work with people willing to pay for security consulting. That said, we have seen dramatic progress in the security posture of asset owners in water, pipelines, refineries, electric generation and transmission, and more. They have made steady progress over the years and some have systems that are appropriately addressing the risks. Full credit to them - we just show them the way, and they provide the commitment and do the work. Some may be a few years behind but it appears that even the lagging asset owners are beginning to address the issues.

We have a much more negative view on the vendor front because we see little effort to improve and integrate security in the development process or include the security features and functions needed. The community suffers from low expectations, “oh that’s just the way things are in SCADA”, and we are constantly looking for ways to shake it by the shoulders and say demand more.

2) Regulation: Digital Bond does not have a unified position on this and I’m not even sure where I stand. My first reaction is to be against regulation because it often involves substantial efforts that do not improve security. It is not an efficient way to improve the security posture of an organization.

Some of the US industries, I’m thinking especially of the chemical sector, have tried to demonstrate they are taking a responsible position to forestall legislators from taking action.

However we can’t ignore the experiment called NERC CIP. We know and work with enough bulk electric organizations to safely say that NERC CIP has dramatically heightened the resources and attention cyber security is getting in these organizations.

There are really three roads here: no regulation, industry self-regulation, and government regulation. It would have been interesting to see if the NERC self-regulation would have had the same impact if the Energy Act did not involve the USG / FERC. We will never know.

If forced to choose today, my vote would be for industry self-regulation with normative standards that can be audited for compliance. Then have the stockholders, peers or communities pressure the asset owners to comply.

Comment from Ron Southworth
Time: July 15, 2007, 8:36 am

Thanks Dale,

As you know I spend a lot of energy coming to grips with understanding the problems surrounding securing our Critical Infrastructure and getting involved where I can with trying to move things forward.

My colleagues and I here are doing a lot to try and make a difference in raising awareness of the community, as I think a lot of the same people are doing in your part of the world. I felt that I needed to put a counter perspective to Joe’s with respect to regulation, as I have been studying this aspect of the US landscape for a while and thought that I owed it at least to offer something that would help even in a heavily regulated market. I understand that NERC & SP800-53 are a fact of life there. I also know that a lot of end users are really struggling with it and it is also forcing some vendors to leave the CI space.

I do speak with a lot of our end user peers in the USA and some are really having some big problems with moving things forward. Certainly Joe’s points raised in the pod cast are valid or what is behind them at the very least.

I find it interesting that you feel the vendor space is not responsive, and I must say that here 12 months ago there did not seem to be much traction. What has changed is that the industry awareness is getting above buzzwords in certain circles, but as you say there are some stragglers.

Documents like the Common Procurement Language, the work you guys have done with Eric and Matt, have been sent to vendors (by end users) asking could they supply a solution to the language and how much they can “tighten up” their security, and some vendors have taken the questions seriously enough to look at the language etc. and are setting about to see what they can do to meet this. Tools like CS2SAT and others can help work through the process of checking, validating, assessing and identifying gaps in a security posture.

With end users asking the sorts of security-related questions that need to be asked more and more, I think that the vendors are starting to take notice even in this part of the world. I had a very good discussion with a vendor’s representative recently and they could see the writing on the wall, whereas some, as you say, have not.

We are trying to involve vendors in discussing best practices and building some community spirit in this subject here, and the feedback so far has been quite positive and supportive. You may have even noticed more comments from some vendors or integrators on the Gospel list, so hopefully this is a sign of more interaction in the wind. The vendor we use even mentioned to me late last week that secure DNP3 is going to be available soon on their latest product!

There are a number of utilities that are leading the way with their security posture and hopefully you can persuade them to not just keep this posture but also to help their peers through the various processes and obstacles for all of us to benefit.

Keep smiling

Comment from Ralph Langner
Time: July 16, 2007, 3:50 am

“If forced to choose today, my vote would be for industry self-regulation with normative standards that can be audited for compliance.” said Dale. Yes, this would be a good thing, but everyone will agree that such an auditable standard is about 10 years away, even if major forces would start working on it right away.

The key point for getting things rocking and rolling is liability. It is absurd that a jurisdiction that lets consumers sue tobacco companies, McDonald’s etc. for what is their own behavioral fault in the first place leaves the asset owner on his own when he tries to go after his vendor for selling a product that is defective and insecure by any standard.

Comment from Bryan Singer
Time: July 17, 2007, 10:50 am

Ron,

I suspect you mean me when you say “Brian and Joe.” If so, then I appreciate the counter view. A little respectful criticism is never a bad thing if it challenges us to open up on our own assumptions, which your comment has done for me as well.

I have spoken about regulation on a number of occasions, and I admit I have a real “love-hate” relationship with it. When we first stood up ISA-99, I had a number of meetings with lots of folks in US and international government. While I will not name names, a few pointed discussions were on this topic. Several times, from several sources, there were comments similar to, “if you guys (as in industry) don’t get your act together, we’ll legislate.” The opinion was that they wanted to see industry act first because they knew it was less than ideal for them to have to legislate action.

The biggest challenge I see to legislation is that it creates a “compliance” based version of security, or a check-the-box sort of mentality. Many organizations will simply pass the audit on to make sure they meet the absolute minimum set of requirements and move on. It’s sort of like when you were a kid and told to clean your room. Many of us did the absolute minimum just to get our parents off of our backs. But what about when you got your first car? I’ll bet most of us took meticulous care of it and kept it VERY clean. The difference? Self-motivated action.

If the government can find ways to legislate motivation, then that would be great. In absence of that, I really think that the best thing that government can do is to create a better atmosphere of awareness so that companies are more motivated to take action. This includes open sharing of declassified (and hence sanitized) intelligence information, better collaboration with industry standards and research bodies, etc. They are starting this process, but seem to me to have a ways to go.

The big thing I think we have to get away from is this compliance based security. This check the box mentality never works. We are seeing a running average of just north of 70% error rate in many of the vulnerability assessments that were mandated by the US Government. Clearly, legislative compliance based initiatives are not taking a hold in these sectors.

I believe there is a need for “performance based” security that we are seeing in some organizations today. ROI or benefit driven security, or other metrics to judge performance to standards. I don’t think this is an easy game, and we haven’t seen a lot of truly substantive work in this space yet, but it is beginning to develop. I’m working now on some game theory based approaches to optimizing security spending. Hopefully someday someone with a better mind for mathematics than mine will be able to take that work and turn it into useful science. For now, we are seeing some interesting results.

Comment from Ron Southworth
Time: July 18, 2007, 12:43 am

Hi Brian, thanks for the reply. I thought long and hard about what you and Joe have said here and there, and I am glad I got my message across as desired. I think that many of us have some very similar views on what the problem as a root cause is; it is in how we go about achieving the desired outcome that the frustration lies, and what we all express in various ways and means.

I am aware of two very similar efforts in deriving metrics, one from a couple of the gentlemen at INL and one from Eric Byres and David Leversarge, that are of a similar intent. I think Eric’s work references Miles and his co-author’s work.

This is certainly a worthwhile topic to discuss as well. Perhaps I will send you a more detailed email off the public spaces once I collect some thoughts on the subject and on some collaborative efforts or ideas on this, if you like.

In this public forum I agree in principle with what you are saying on an RoI focus. I would like to say a lot more but will leave this for an email. I think it is reasonable to say that this is a key that can be used for certain to provide perhaps one driver to force some positive direction, and would serve the purpose of a “common tool”, so it makes good sense to do something we can all agree on and only do it once?

I do think that compliance breeds a tick and flick mentality. Performance based measure is a good phrase.

Many thanks for your contributions Brian.

Comment from Ralph Langner
Time: July 18, 2007, 4:19 am

Game theory, Markov chains or other sophisticated numerical stuff beyond basic addition and multiplication won’t do the trick. What trick? Convincing upper management that they have to do something to improve security in their back yard. For example, it is not plausible for any Harvard-type manager to protect against sabotage acts when all the evidence that we can come up with is a weirdo in Australia.

Comment from Jake Brodsky
Time: July 18, 2007, 7:07 am

The solution lies somewhere in the middle of these two extremes of self regulation versus legislation. In my industry, most people do not lift a finger unless there is a legal or financial obligation to do so.

I too like the idea of self regulation. And to the extent that we can make it work, great. However, my executive managers are going to ask why this is needed, and frankly, there isn’t enough of a mess on the floor that I can point to and say “That’s why we need to do this.” So, lacking that kind of disaster, the only option left is legislation. And that legislation is happening.

My only hope is that those who write this stuff will find the self regulation efforts and attempt to point at them as a starting place.

Comment from Ralph Langner
Time: July 18, 2007, 8:10 am

“In my industry, most people do not lift a finger unless there is a legal or financial obligation to do so.” — A case in point, Jake.

All self-regulation efforts are outrun by the speed at which organizations continue to install SCADA networks without any reasonable protection. If we don’t force management into it, either by legislation or by some very basic business math, several other billions will be lost down the road due to security incidents to come.
