Looking Ahead – CIKR Panel This Week at BSidesDC

by Jack Whitsitt, EnergySec

It’s finally here, this weekend – BSidesDC – and I am one of the “CIKR Panel” participants Sunday morning! As I was looking at the schedule, however, it occurred to me that many potential B-Sides attendees might not know what “CIKR” stands for (Critical Infrastructure & Key Resources – a bit of an outdated policy term), what “Critical Infrastructure” formally means in DC or in practice, or many of the other considerations that might help them get the most out of our panel. And so, to help, I thought I’d write a brief guide to “CIKR” ahead of the panel for your enjoyment (heh) and education.

So, what is “CIKR”?

According to DHS, it is: “an umbrella term referring to the assets of the United States essential to the nation’s security, public health and safety, economic vitality, and way of life. Simply put, it’s power grids and water filtration plants; national monuments and government facilities; telecommunications and transportation systems; chemical facilities and much more.” – most of which is owned and operated by private industry. You can find out more here: https://www.dhs.gov/blog/2009/11/19/cikr

What are “sectors” and how do they fit into the CIKR conversation?

The government has split up US industry into formal units called “sectors” in order to better assure that their unique issues are being addressed. These include energy, manufacturing, transportation, and others. It is important to note that the aim is to protect the nation from attacks against these sectors, not to protect U.S. government systems. This is the equivalent of keeping a nation from invading Texas vs. keeping it from invading the Pentagon.

How does cyber security work in the “CIKR” space?

There are several elements involved, but they can basically be broken down along two axes: What’s being done (“Strategic Planning” vs “Operations”) and Who is Doing it (“Government” vs “Industry”). In both cases, the “customer” is industry, not government. Strategic Planning is the sustainable improvement of our collective threat posture over time while Operations largely deals with more short-term (and often more technical) concerns. Within that continuum, some efforts are primarily undertaken by government on behalf of or in support of industry and others are undertaken by industry. In most cases, it is a blended effort as part of a public/private partnership. (It’s worth noting that “Strategic Planning” and “Operations” are my own framing, not official designations.)

A public/private partnership? What’s that?

There are a number of ways the U.S. government can work with industry – including regulation and law. However, for *most* cyber security efforts (electric companies and their associated NERC CIP regulations being the most notable exceptions), the government takes a collaborative partnership approach. Interestingly, this is not an informal term. It is a non-trivial activity for representatives from industry and representatives from government to be able to legally and effectively sit down in one room to discuss security issues without putting someone in, at the minimum, an awkward position. (For example, what if one agency decided to only share threat information with *one* company in a sector, and all companies were affected?) And so specific protocols, policies, and mechanisms have been developed over time to aid the process and keep everyone out of trouble. For a treatment on and explanation of this topic – and it’s a very important one to understand – check out my SOURCE Boston 2013 presentation and my recent ISSA-DC slides (lots of overlap, but different presentations).

What are the laws and policies defining and governing CIKR and Critical Infrastructure protection?

Well, in addition to the public/private partnership mechanisms, there are many other laws and policies (which tend to be both boring and hard to read). In particular, while there are a number of cyber security regulations on the books, your best bet is to look up the public/private partnership based efforts described earlier; they are more broadly applicable to what’s going on in the U.S. (for now). These include PPD-21, the National Infrastructure Protection Plan (NIPP), HSPD-7 (outdated, but relevant), the recent White House Executive Order, the NIST Framework, etc. Check out the previously linked slides for more information.

Tell me more about the Executive Order and the NIST Framework and how they apply here?

While a great question and very applicable, the exact and nuanced current state of those efforts is beyond the scope of this article. Again, pull up the two previously mentioned slide decks – and some of the posts on my blog – for additional information. These are topics that need several articles themselves. Or, find me and I will happily share my soap boxes and perspectives with you. I have strong opinions and feelings on both of those topics, as well as quite a bit of experience.

Is CIKR (or Critical Infrastructure) the same as “SCADA” or “Control Systems”?

Often, but not necessarily. You see, because “Critical” is really an outcome-based designation (by definition, if not always in policy), any infrastructure on which we depend can be critical. Because of their role in industry and safety, and what can happen if they fail, “SCADA” systems definitely make up much of our critical infrastructure. However, there are many scenarios – such as in Finance and Medicine – where there is relatively little significant control-system-specific technology. It is also worth considering the idea of “functions” as being the critical infrastructure – independent of the types of technology which support those functions. An example would be “The systems which get people and goods in the U.S. from point A to point B reliably, on time, at the right destination, and in acceptable condition”.

Is CIKR a Cybersecurity term?

No… well, “not just”. And this has caused confusion in the past. CIKR protection and assurance efforts are typically “All Hazards”. This means they focus on adverse consequences, no matter how they might occur. Because many cyber security efforts have fallen under this broader umbrella and were not called out specifically as “cyber security”, many people were not aware of them until recently, and there has been much misunderstanding surrounding who is doing what. As we work to assure that future catastrophic infrastructure incidents are minimized in frequency and severity, however, cyber security will continue to be a key part of that effort.

Speaking of “Who is responsible for what?”, isn’t it the military’s job to “protect” CIKR from foreign attack? Or should they stay out of our equipment – which is mostly owned by the private sector?

This is a great question with a two-part answer. First, all “protection” should first begin with the concept of “assurance.” I.e., the goal is to *know* you are safe. Sometimes, to achieve assurance, you must do the protection of assets yourself, but not always. Sometimes, through metrics and testing, you can “trust” that undesired outcomes are being managed. The problem with CIKR cyber assurance is rooted in geography. In the past, in physical conflict domains, there was the bad guy, the targets, and between them “geography” – Air, Space, Land, Sea. In order to impact his or her target, the bad guy would have to traverse this geography. In most cases, the defenders could put their assurance and protection mechanisms between the bad guy and his target. Let’s call these “Contestable Threat Vectors”. In cyber security and critical infrastructure, those Contestable Threat Vectors (the geography between the bad guys and their targets) are *also* the targets. In other words, it has become very hard to insert government protective capabilities into a geography between the attackers and their targets.

Doesn’t this make mission scope complicated?

It sure does! Traditionally, the military has attempted to keep conflict out of US geography, the FBI deals with national crime, state and local forces have responded to geographically focused events, and DHS is (broadly speaking) concerned with maintaining “national cohesion” (my term) from a security perspective. Once we began connecting everyone together, however, and lost the geographic separation, many of these scopes collided in cyber space. How we resolve these conflicts – while at the same time allowing private industry to continue with the least amount of interference – is one of the main problems being worked on today.

Who *should* be doing what, in your opinion?

Based on my experience, I think the national argument over who should be doing what centers more around a desire for funding than real confusion. For example, the NSA has an almost entirely offensive/military focus. Despite their technical knowledge, would they actually be able to build the partnerships and trust with industry required to improve our overall civilian posture? Doubtful! Similarly, although the FBI appears to have been a solid partner in improving the overall U.S. risk posture when it comes to cyber attacks, their core legal mandate is to prosecute and convict. This means that there are many potential (and past actual) situations in which their need to prosecute and convict an attacker may hurt their ability to help with the defense of our infrastructure. DHS, with its existing physical mandates surrounding national cohesion, appears to be best positioned at a policy level to help out, but that department has longstanding and well known trust and communications weaknesses. It is hard to facilitate the kind of collaboration between industry and government required to improve our posture with such a coarse, unsubtle approach. All that said, *industry* should be doing the lion’s share of the work – but, historically, being focused on protecting themselves today, they have not seen their role to be “make the world better.” Because of the nature of the threats, in my opinion, if industry continues to believe it has no larger obligation to improve the world, its control of its own business destiny will gradually be overrun by a hostile cyber space and a U.S. government which must resort to “protection” of infrastructure instead of “assurance”. That means “management of infrastructure” at the end of the day, and no one really wants that (nor would it be effective, in my opinion).

Speaking of helping, what actually *is* involved in CIKR cyber security? Is that like ICS-CERT and fixing old technology?

Well, partly. You see, while there are a whole host of technical vulnerabilities and initiatives to fix them, many of the problems are of a more policy nature. We are just beginning to think through issues like supply chain and support model risks, who is responsible for what, how those efforts get funded, and how to address the intersection of a rapidly changing cyber security environment with the very slow change process (decades!) needed to assure the much higher levels of availability and safety required for CIKR than for normal IT systems. And so, what is really needed at a national level is not a series of technical solutions – or simple regulatory mandates – but the development of a series of elegant legal, policy, communications, and partnership mechanisms that will improve the efficiency, sustainability, and effectiveness of the *environment* in which critical infrastructure cyber security is occurring. We need to make it easier for good things to happen, or else any further technical solutions will be inflexible and mired in bureaucracy for so long that they are likely to be obsolete right out of the gate.

Well, I don’t know, it still seems like a technical problem. Won’t real time technical threat sharing help CIKR cyber security? Why don’t they just disconnect from the Internet? Can’t we help add authentication to their old protocols?

Well, first, all of those would obviously make some impact. But, when it comes to real time information sharing, we really already know many of the (deceptively) simple (looking) steps that should be taken to improve the cybersecurity of our CIKR, and we’re not doing those yet. Asking for real-time threat sharing is like asking for a Ferrari to get to work faster when our real problem is we keep crashing the Ford Taurus. Baby steps! Second, disconnecting from the Internet is simply not realistic. The reasons are out of scope for this article, but honestly, there is no such thing as disconnected from the Internet anyway. Just look at how Stuxnet spread – using USB drives. However, there is a whole suite of policy, legal, cultural, and incentivization steps we can take together to adjust these business and support models to make them more supportive of good security and to allow technological controls to be more effective. Finally, when it comes to “fixing” the technology, that is something that appears to be happening, but it takes time, especially with control systems. Control system life cycles are often (from budget, support, and technical standpoints) more than a decade long. And so, there is already a natural and positive evolution occurring from older technology to newer.

Is the transition to more modern computers in control systems a positive thing?

Mostly. However, the move from the “single purpose” computers of the past to “general purpose” computers introduced its own risks – especially in the areas of stability and predictability. Combined with the shifting workforce demographics away from an older generation with lots of learned tribal knowledge to a younger workforce with less experience, we have another “soft” problem that will need to be managed.

Ok, so you have me convinced (for the moment!) that technical security solutions and teams alone won’t fix the problem. What are some of the activities undertaken to address the broader issues and concerns?

Actually, the responsibilities given by DHS (again, see my SOURCE and ISSA-DC talks for the background here) to “Sector Specific Agencies” do a good job of summarizing what’s going on here:

  • Encourage organizations with information to share with those who need it and encourage development of sector information sharing programs and mechanisms
  • Promote education, training, and awareness in coordination with other government and private sector partners
  • Identify, prioritize, and coordinate federal activities in the sector
  • Apprise Congress of current status and progress in reducing risk and implementing policy
  • Increase integration of cyber security efforts with other all hazards protection and response programs
  • Develop and implement sector risk management program and framework and use to determine risk priorities of sector and coordinate risk assessment and management programs
  • Support Ad-Hoc requirements
  • Promote cyber awareness of owners and operators and program level guidance for CIKR protection

An individual’s skillset, in support of these activities, would obviously look a little blended:

  • Example Non-Technical Knowledge
    • Communication & Facilitation
    • Legal/Policy realities
    • Business & Industry
    • Modeling
    • Incident Response Management
    • Self Presentation
    • Strategic Thinking
  • Example Technical Knowledge
    • Threat Landscape
    • Attack Architecture
    • Defense Architecture
    • Experience with operations
    • Hacker Mentality
    • Basic Principles of your Non-Core tech

Why are you really writing this?

Honestly, because we need more of you to play in this space. There are a lot of hackers, a lot of technical security folks, a lot of CISO shop people, policy wonks, and vendors galore. But many of them do not cross those lines in any deep or meaningful way. If you’re a hacker or technical security geek, I encourage you to learn a little bit more about how the soft and fuzzy stuff works. The same goes for those in policy. If you haven’t before, sit down and learn enough to break into a network with Metasploit. We could use more blended thinking, in my opinion.

Wow. That’s a lot to process. Is this complete? Where can I find out more?

It is a lot – and you’ll find out that many people have a much different perspective than mine. Most importantly, I encourage you to come to our panel this Sunday morning at B-Sides DC. If you cannot, feel free to find me in person, or find me on twitter. If I can’t answer your questions, I can most likely point you to someone who can.

One last thing – Uh, who are you? I’ll let my Bio answer that:

Jack Whitsitt, recently identified by Tripwire as one of the top 10 Rising Stars and Hidden Gems in security education, began his career in security living in a small hacker compound in his teens. Years later, he was involved in early open source honeypot development work, moved into large scale data correlation system design, and has spent the past several years in the critical infrastructure space (including a stint at ICS-CERT, time building a sector specific agency program, and now as an analyst for the non-profit electric sector organization, Energysec).

http://sintixerr.wordpress.com/ | http://twitter.com/sintixerr

#####

Today’s post pic is from SecurityBSides.com. See ya!
