Showing posts with label CPNI.

Tuesday, August 19, 2008

CPNI published a security assessment of the IP

CPNI has just published a new document on the security of the Internet Protocol.

"Much of the effort of the security community on the Internet protocols did not result in official documents (RFCs) being issued by the IETF (Internet Engineering Task Force) leading to a situation in which 'known' security problems have not always been addressed by all vendors," the report states. "As a result, any system built in the future according to the official TCP/IP specifications might reincarnate security flaws that have already hit our communication systems in the past."
http://www.cpni.gov.uk/Products/technicalnotes/3677.aspx



Friday, August 1, 2008

UK: WARP Annual Forum Report now available

The report of the 2008 annual forum is now available on the WARP website. I participated in this event and gave a presentation on Information Sharing from an International perspective. On the website you will find a copy of my presentation.

http://www.warp.gov.uk/Index/Forum/indexannualforum.htm

"The WARP Annual Forum held on Tuesday 3 June 2008, at The Law Society (photo) was a great success with feedback showing 100% saying yes to the question: Would you attend this event next year or recommend it to a colleague?

Presentations for the 2008 forum are available here.
The event was attended by over 100 delegates and included attendees from Holland, Ireland and Canada with presentations from the US, Italy and Greece. As usual, the Annual WARP Forum offered delegates a unique opportunity to listen to presentations from experts in the field, network with other people active in the area, and to share advice and experiences. For some delegates it was also the first opportunity to learn about WARPs and gave them a chance to talk to people who had had experience of setting up and running WARPs."

Wednesday, June 18, 2008

UK CPNI: new SCADA guidelines available

SCADA: CPNI has recently updated their guidelines on SCADA protection. I find these are among the best guidelines I have ever read on the subject, as they mainly focus on the Strategy, Processes, Organization and People.

Here is the list of the 8 available guidelines (the Title is also the link to the Guideline):

Process control and SCADA security - General Guidance
An overarching summary to the following guidance documents

Process control and SCADA security guide 1 - Understand the Business Risk
The first step in improving the security of process control systems is to gain a thorough understanding of the business risk in the context of electronic security. Business risk is a function of threats, impacts and vulnerabilities. Only with a good knowledge of the business risk can an organisation make informed decisions on what should be the appropriate levels of security protection.

Process control and SCADA security guide 2 - Implement Secure Architecture
Designing a secure architecture for a control system can be a difficult exercise as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate for the process control environment. Given limited resources it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure for its defence.

Firewall deployment for SCADA and process control networks
This guide, produced by the former NISCC, documents the pros and cons of architectures used to separate the SCADA and process control network from the Enterprise network. These range from hosts with dual network interface cards to multi-tiered combinations using firewalls, switches and routers.

Process control and SCADA security guide 3 - Establish Response Capabilities
The capability to respond to both alerts and incidents is an important part of a process control security framework. Obtaining management support, determining responsibilities, establishing communication channels, drafting policies, and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimise the business impacts and their cost, possibly avoiding such incidents taking place in the future.

Process control and SCADA security guide 4 - Improve Awareness and Skills
Raising awareness is potentially the single most valuable action in the ongoing task of process control security. Raising awareness endeavours to ensure all relevant personnel have sufficient knowledge of process control system security and the potential business impact of lapses in security. Personnel need to know what to do to prevent attacks and what to do in the event of an incident.

Process control and SCADA security guide 5 - Manage Third Party Risk
The security of an organisation's process control systems can be put at significant risk by third parties, e.g. vendors, support organisation and other links in the supply chain, and therefore warrants considerable attention. Technologies that allow greater interconnectivity, such as dial-up access or the internet, bring new threats from outside of the organisation. Third parties must therefore be engaged as part of the process control security programme and steps should be taken to reduce the associated risk.

Process control and SCADA security guide 6 - Engage Projects
Process control systems are usually installed with an expectation of a long service life and minimal changes to these systems during their lifetime. However saying this for all control systems in use is probably an over generalisation. In many organisations there are often a number of process control system related projects underway at any point in time, any of which could have security implications.

Process control and SCADA security guide 7 - Establish Ongoing Governance
Formal governance for the management of process control systems security will ensure that a consistent and appropriate approach is followed throughout the organisation. Without such governance the protection of process control systems can be ad-hoc or insufficient, and expose the organisation to additional risk.

Tuesday, June 17, 2008

'Connected' UK vulnerable in face of cyber attack

'Connected' UK vulnerable in face of cyber attack - Public Sector - Breaking Business and Technology News at silicon.com:
The government has said it is engaged in tackling ongoing state-sponsored cyber attacks on UK national infrastructure.
Security minister Lord West told the House of Lords that the UK continues to be targeted by a "large number of attacks" and that the government is "taking action" to deal with those backed by hostile regimes.

Lord West refused to confirm the nature or origin of these attacks but said cyber security is a "very dangerous area" and that the UK has become "more vulnerable as we become more connected".

"He said: 'It ranges from individual hackers right through to state sponsored issues. It is something we should be worried about. We discussed the issue in a Cabinet meeting two months ago, I think we are going in the right direction.'
National and international bodies are in place to defend against these cyber attacks, and cyber attacks occupied recent G8 discussions in Tokyo, he said.
He said there are several layers of defence on the domestic front, ranging from computer emergency response teams protecting the public sector, to the Centre for the Protection of National Infrastructure (CPNI) security response teams defending the private sector. The national response to cyber attacks is co-ordinated by the Central Sponsor for Information Assurance, which is part of the Cabinet Office.
West was unable to give guarantees of total security for data held on the National Identity Register and large NHS databases, saying he did not have the relevant information but added that 'if a system is connected then there is a possibility of getting into a system'.
He admitted past failings in the public sector security due to delays in issuing patches in time but said that the government is committed to continuing to improve response times."

Friday, May 23, 2008

WARP annual forum

WARP annual forum: "Annual Forum 2008"
The next WARP (Warning, Advice and Reporting Point) Annual Forum will be held on Tuesday 3 June 2008, at The Law Society, 113 Chancery Lane, London WC2A 1PL


This year’s Annual WARP Forum will explore the expansion of the WARP model from purely electronic ICT related Warnings, Advice and Reporting into the related areas of physical and personnel security. This is a logical development, but needs to be tested, and if successful it will increase the utility and appeal of WARPs.

In the afternoon, I will manage the session entitled "Information Sharing across Systems", which I will introduce during the morning panel. I will soon publish an abstract of the session.