Super Cyber Security Reading: 2Q ICS-CERT Monitor

Unfortunately, the Energy Sector wins this competition over last 12 months

There are few publications you can read that will tell you more about the current state of cyber awareness and attacks on critical infrastructure orgs and systems than this than the Monitor.

SGSB notes from NIST's Critical Infrastructure Cybersecurity Framework Workshop

Long title, eh?  Cranking this out just before heading back to Beantown from DC/Reagan airport so please be more tolerant than usual of typo's, lack of narrative, lack of clarity, weak grammar, lack of a point, etc. ...

ICS-ISAC Chair Chris Blask, pictured above (long hair on right), waited very patiently at a microphone that seemed like it was for audience use, and ultimately got his turn, in which he asked a long question phrased like a long statement.

Boxing the Fundamental Assumptions of Cybersecurity Risk Management

Here's something to wrap your head around (or more literally, put in your head) as you head to NIST on April 3rd to make your contribution to the Critical Infrastructure Cybersecurity framework development processes, an effort begat by the recent Presidential Executive Order.

Many in our community love to talk about risk management as the common sense, business oriented antidote to the mandatory and therefore inflexible and slow moving instructions in the NERC CIPs.

You could certainly put me at least half in that camp.  Well, after reading THIS sharp Brookings paper from Ralph Langer and Perry Pederson, that half of me is feeling a little wobbly.

DHS ICS-CERT reports malware on power control systems

Happy 2013!

OK, enough frivolity. Let's turn down the Nat King Cole, step out from under the mistletoe, and get down to brass tacks.

First, in case that compound acronym is new to you, it stands for: the Industrial Control System - Computer Emergency Readiness Team, and it lives in the US Department of Homeland Defense.

This organization just issued a public quarterly report that describes, at a high level, a recent incident at a power generation company you'll be interested in. I'll get out of the way and let you read the first bits for yourself:

MALWARE INFECTIONS IN THE CONTROL ENVIRONMENT

ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation.

Welcoming Weatherford to his new DHS Cyber Security Post

I've got a note here this morning from National Bureau of Information Security Examiners (NBISE) founder and former NERC CSO Michael Assante. Perhaps there's no one who understands the challenges Weatherford faced at FERC more than Mike. As a frequent advisor to FERC and Congress on critical national infrastructure security issues, few are better placed to know the obstacles and opportunities that await the new DHS Cybersecurity leader:

I would like to extend my congratulations to Mark Weatherford on his appointment as the new Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) and am very pleased to see such a capable and experienced leader take the helm. 

Mark has always carried a deep sense of mission into his assignments and in doing so has been able to motivate people, build teams, and mobilize entire communities. His background makes him an ideal choice for the Deputy Under Secretary position as he has experience working across large government enterprises and his most recent post, as the NERC CSO, has prepared him to appreciate the unique challenges involved with cybersecurity and industrial control systems.

At NERC, Mark helped broaden our thinking about cybersecurity and our digitally reliant infrastructures. His vision has pushed organizations to look beyond compliance to develop a comprehensive approach by including system engineering, planning, operations, risk management and security into efforts to secure our infrastructures. Mark’s leadership will help ensure national efforts align with front line reality as our nation continues to modernize our grid to increase productivity and efficiency.

We should look for opportunities to support Mark and the department in the months ahead to achieve greater cyber-resilience in our nation’s critical infrastructure.

Hear hear. Mark Weatherford has now seen how the cyber security policy sausage is made at the state level twice and Federal level once, in a large company, and in the DoD for the US Navy at the beginning of his career.

Sausage making is never pretty. But if you know how it's done, how it can go wrong and what ingredients are required to produce the best stuff, you can do a lot of good. Let's wish him well, and, seconding Mike's call to assist, pitch in wherever and whenever we can. Even with a strong leader, this type of sausage making is, after all, a team sport.

Photo credit: Govinfosecurity.com