December 19, 2014

Medical Device Cybersecurity Risks Are The Wrong Kind of Halloween Fright

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Well, Halloween is approaching boys and girls. And while it’s fun to don a Dracula (or Miley Cyrus) costume and get some yucks faux scaring folks, the FDA is acting like a responsible parent by setting up a medical device cybersecurity educational seminar later this month in Arlington, VA. It appears to have filled up already, but a webcast recording will be made available.

Getting a tiny adrenalin rush when a nine-year-old Frankenstein jumps out at you in the dark is one thing; finding out some nineteen-year-old hacker has infiltrated your proprietary product and customer information isn’t the right kind of fright.

Seems like someone out there in the bureaucracy has a little sense of humor, because October is National Cybersecurity Awareness Month. FDA, along with the Department of Health and Human Services and the Department of Homeland Security, hope to bring together a wide swath of stakeholders, including medical device makers, to their Oct. 20-21 “Collaborative Approaches for Medical Device and Healthcare Cybersecurity.”

Participants will be encouraged to help regulators identify barriers to promoting medical device cybersecurity; discuss innovative strategies to address challenges that may jeopardize critical infrastructure; and enable proactive development of analytical tools, processes, and best practices by the stakeholder community in order to strengthen medical device cybersecurity. It’s shaping up to be a good agenda, but it’ll probably only be as strong as the attendees who show up to share war stories and discuss best practices with regulators and others.

iStock_000020037007SmallBroadly speaking, the symposium hopes to help advance medical device cybersecurity by swapping information about the most current online threats, identifying gaps, advancing usage of the feds’ “Framework for Improving Critical Infrastructure Cybersecurity”, and developing tools and standards to build robust, comprehensive protection programs, among other areas of focus.

One of the topics will be the FDA’s new guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” released Oct. 2. That guidance provides some helpful definitions (helpful in the sense that this is how the FDA views the world), and what kind of cybersecurity protection program the agency expects from medical device makers and their kin.

Some say the threat of medical device security hacks has been hyped up a bit. I’m no expert there. But a report issued earlier this year from a cyber expert at SANS Institute (sponsored by cybersecurity vendor Norse), says some 94% of medical institutions report being victims of some type of cyberattack. This isn’t a report specifically about medical device makers, and I’m certain the vast majority of the attacks were relatively small and easy to thwart. Regardless, those numbers deserve some attention.

Hyped or not, I don’t imagine you’ll see an attendee at FDA’s event getting a jump on Halloween and showing up dressed as a sophisticated hacker, though. That’s just too scary.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

FERC Order to Impose Stricter Physical Security Standards on Electric Utilities

Trey Kirkpatrick, Vice President, Energy & Utilities Compliance, AssurX Inc.

Vice President, Energy & Utilities Compliance, AssurX Inc.

On March 7th, FERC released a new order (Docket No. RD14-6-000) directing the North American Electric Reliability Corporation (NERC) to develop new reliability standards for the NERC registered entities, the owners and operators of the Bulk-Power System, to address the risks due to physical security threats and vulnerabilities.

“Because the grid is so critical to all aspects of our society and economy, protecting its reliability and resilience is a core responsibility of everyone who works in the electric industry.” FERC Acting Chairman Cheryl LaFleur said. “Today’s order enhances the grid’s resilience by requiring physical security for the facilities most critical to the reliable operation of the Bulk-Power System. It will complement the ongoing efforts of FERC and facility owners and operators to ensure the physical security of the grid.”

In the Commission’s release the order directed the owners and operators of the Bulk-Power System to take at least three steps to protect physical security.

Gerry Cauley, NERC President and CEO, released a statement on NERC’s website:

FERClogo2“On Friday evening, March 7th, FERC issued a directive to NERC to develop reliability standards to address risks due to physical security threats and vulnerabilities. As you know, FERC Acting Chairman Cheryl LaFleur asked NERC to work with her staff to determine the need for a mandatory standard for physical security. I believe we identified a path forward that focuses on the most critical assets, incorporates risk assessment and further affirms foundational physical security efforts, while providing enough flexibility to avoid prescriptive, lock-step regulation. Any standard must be dynamic and adaptable to the constantly changing threat environment. As we review the order, I take seriously the comments made by all the Commissioners to ensure that a standard achieves the goals identified in a cost effective manner.”

As mentioned in a previous AssurX blog, NERC and Industry Move in the Right Direction for Greater Reliability, security vulnerabilities of the electric grid has been a focus for the regulators and registered entities since the attack by gunmen at a California (Metcalf) substation.

Commissioner John Norris, writing a separate opinion, wants Congress to act on protecting sensitive security information “I believe that our success in developing a comprehensive approach to addressing physical vulnerabilities relies at least in part on Congress taking steps to ensure the confidentiality of sensitive security information regarding the physical vulnerabilities of our grid. Currently, industry remains concerned that confidential security information submitted to the Commission would be subject to disclosure through Freedom of Information Act requests. These concerns have understandably left industry reluctant to provide the Commission with its most sensitive security information related to potential physical threats or vulnerabilities to our power grid. A reliability standard will likely have limited impact if industry, NERC, and the Commission remain unable to safely and securely exchange such information. Thus, I urge Congress to act expeditiously by creating a clearly-defined exemption to the Freedom of Information Act to allow for such exchange of information without fear of disclosure.”

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Electronic Medical Records: Don’t Feel So Secure

Patrick Stone

Patrick Stone, President, TradeStoneQA

How often do we see HIPAA violations issued because a regulated entity did not secure the electronic records at the hospital and small clinics? Large scale security breaches and, sometimes, the selling of your e-records by various third party sources are in the news. In Massachusetts and New Hampshire an e-record vendor recently admitted to large scale e-record breaches. The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the E-Systems I have reviewed meet the minimal requirements but have security vulnerabilities.

The second half of this story will send shivers down your spine, and then make you mad. Your e-records are being sold to insurance companies, debt collectors, and prospective employers. Yes your e-records are for sale to the highest bidder.  The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Some of the stolen or hacked e-records get sold, and that’s terrible of course, but ironically most of the time your e-records are sold it is “legal.” Securing medical e-records comes with a price and even with some of the best security there may still be a breach. In most business models for building e-record systems security is last on the list. Sadly, it doesn’t appear to be much different in the healthcare industry.

So, what’s to be done?

doctor electronic health recordWill it take a 21st century modernization of HIPAA, written almost twenty years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?

In our digital age of e-records our security should be insured since we pay for the care we receive. HHS and congress should be focusing on this but they are currently being distracted by advocating or decrying Obamacare.

And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.

But don’t get me started on Obamacare implentation before we deal with HIPAA.

For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are weakly protected by a 20th century law.

Patrick Stone is the author of Bubble Gum Badge – An FDA His-Story. You can also follow him on Twitter.

 

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

FDA Seeks to Plug Swiss Cheese-size Holes in Medical Device Security Systems

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

Michael Causey, Editor & Publisher, eDataIntegrityReport.com

The Internet giveth and the Internet taketh away.

For years, we’ve been hearing about the benefits online tools will bring to the medical industry, especially at hospitals and physicians’ offices.  Many of those promises have come true, and its been a benefit for patients and industry.

But that sound you are hearing could be the other shoe dropping.

Perhaps reacting in part to a sobering year-long series by The Washington Post finding big, big holes in medical device security systems, the FDA this week (June 17) issued a new safety communication suggesting the hospitals take this threat to medical devices seriously.

Meantime, the FDA have been busy beavers. Last week the agency issued an alert and notices bulletin advising the industry to shore up key medical device security provisions.

Among its recommendations for responsible medical device manufacturers:

  • Swiss CheeseKick the tires on your program designed to limit unauthorized device access to trusted users.
  • Utilize stronger security controls such as user authentication, user ID and password, smartcard or biometrics; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Provide methods for retention and recovery after an incident where security has been compromised

No, neither Woodward or Bernstein were involved in The Post piece, but its pretty thorough and damning for the medical device industry nonetheless.

Security analysts at cyber security firm Cylance found it was depressingly easy to figure out hundreds of passwords for sensitive surgical equipment, patient monitors, among others.

“We stopped after we got to 300,” Billy Rios, who found the passwords with his colleague Terry McCorkle, told The Post.

They tell me Swiss cheese holes are the result of bacteria popping (some use a grosser word). I’m no foodie, leaving that to fellow blogger Kim Egan and celebrity chefs, but I do understand that these are “good” holes.

Holes in medical device security programs are not among them.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Part 2: Cloud Vendor Selection for Your Life Science Company – Strategies to Ensure Benefits and Mitigate Risk

Russ King, Managing Partner, Methodsense

Know your Cloud options

Cloud computing is defined to have several deployment models, each of which provides distinct trade-offs which are migrating applications to a cloud environment.  NIST defines the cloud deployment models as follows:

  • Private cloud: The cloud infrastructure is operated solely for an organization.  It may be managed by the organization or a third party and may exist on premise or off premise.
  • Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g.  mission, security requirements, policy, and compliance considerations).  It may be managed by the organizations or a third party and may exist on premise or off premise.
  • Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Hybrid cloud:  The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e g , cloud bursting for load-balancing between clouds).

Choosing the correct deployment can depend on who needs to access the service, budget and security concerns.

Private clouds are the most secure and most expensive. Private clouds allow companies to have isolated sections of a cloud where you can launch resources in a virtual network. You can have complete control over your virtual networking environment and place your backend systems, such as databases or application servers with no Internet access. You can limit access to these servers based on access control, physical hardware, and IP address. A Private Cloud is therefore mostly suited for sensitive data, where the customer is dependent on a certain degree of security. Private Clouds, to an extent, lose the economy of scale compared to a Public Cloud.

Community clouds spread costs over fewer users than a public cloud. This option is more expensive but may offer a higher level of privacy, security and/or policy compliance.

Public clouds are the least expensive deployment. When most people think about cloud computing, they think of a public cloud deployment. All resources are shared but can be secured. If you are comfortable with the level of security of your cloud provider or have budget constraints, public clouds are your best option.

Hybrid clouds are the typical deployment model for most enterprises. In this cloud deployment model, an organization provides and manages some resources in-house and has others provided externally. The main benefit of the hybrid cloud is that it provides the scalability and low costs of a public cloud without exposing mission-critical applications and data to third-parties.

Know your privacy, security and disaster recovery needs

When it comes to comes to privacy, security, and disaster recovery, you need to first determine your requirements and budget. The Cloud provider can provide you tools to help protect your data, but you need to implement those tools. For example, Cloud providers can allow you to limit access to your data based on their physical machine or location; but you need to remove those access rights when machine or location no longer needs access.

 

Your Cloud provider needs policies, processes, and control activities for the delivery of each of their services. The collective control environment encompasses the people, processes, and technology. Your Cloud provider needs well trained staff that has limited physical access to your data and processes that protect your data and technology by keeping prying eyes away from sensitive areas. Accordingly, you should choose a Cloud vendor that maintain proper certifications like SAS 70 (the Statement on Auditing Standards No. 70), ISO/IEC 27001, and FISMA.

You also need to ensure the Cloud provider stores your data in the proper region. The selection of a region within an acceptable geographic jurisdiction to the customer provides a solid foundation to meeting location-dependent privacy and compliance requirements, such as the EU Data Privacy Directive.

You need to have proper disaster recovery controls in place. A traditional approach to disaster recovery involves different levels of off-site duplication of data and infrastructure.  Critical business services are set up and maintained on this infrastructure and tested at regular intervals.  The disaster recovery environment’s location and the source infrastructure should be a significant physical distance apart to ensure that the disaster recovery environment is isolated from faults that could impact the source site. Accordingly, it is important that your Cloud provider has data centers located in different physical locations and are isolated from faults from the other data centers. When dealing with a disaster, it’s very likely that you will have to modify network settings as you are failing over to another site. For the most critical systems you want to choose a Cloud provider that will allow you to automate the changing of the network settings.

Although the Cloud provider is responsible to maintain the infrastructure, it is still your responsibility to test your disaster recovery plan.

Choose a Cloud Vendor who can support your FDA Quality Management System needs

Cloud vendors commonly implement quality measures ranging from verbally shared processes and practices to SOPs and trouble ticket software to highly structured Quality Systems.  However, advertising a level of quality management does not guarantee that the Cloud Vendor will meet your life science quality management expectations.  To meet your compliance obligations, your cloud provider may need to make existing processes and procedures more robust and in a way that is more collaborative than they originally intended. Be aware that many Cloud Vendors consider their services to be proprietary and comprised of trade secrets, which may make collaborating around quality more difficult.

Choose a Cloud Vendor who can support your FDA Vendor Management needs

When selecting your Cloud Vendor, be sure they support your vendor management obligations. Cloud vendors who rightly take pride in their SAS 70 Type II certification, for example, often mistakenly insist that the certification should satisfy all quality and auditing needs. These certifications frequently focus on security issues and may not sufficiently cover life science regulatory concerns. Life science companies face validation requirements and regulatory concerns that go above and beyond SAS 70 certification, such as installation qualifications, change control, audit trails, electronic signatures, and permissions configuration. These requirements should be defined for the cloud environment and services and then implemented in your Service Level Agreements.

Be prepared to massage and coax the understanding of the vendor for cooperation before and during this process. By educating the Cloud Vendor about your requirements, you’ll be much more likely to complete a successful migration to the cloud.

Conclusion: Your Cloud Vendor needs to be a partner who fits into your regulatory and quality framework.

Shifting your technology operation to the cloud can garner many significant benefits including:

  • Improved scalability and cost savings
  • Increased access to and utilization of key business assets
  • Improved controls on security and data access
  • Increased innovation due to collaboration and availability of resources

However, regulatory burdens are not abated by shifting to the cloud, and Cloud Vendors today are by and large unschooled on FDA regulations, which, if not addressed, can create risk.  Life science companies should select a Cloud Vendor with the expectation that many will depend on coaching and assistance in order to meet regulatory requirements.   The Cloud Vendor’s ability to accept and then in a timely fashion respond to your regulatory requirements should, therefore, become a highlighted vendor characteristic in your vendor selection criteria.

Read Part I of this series here.

About the authors:

Russ King is President of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.   He can be reached at (919) 313-3962 or rking@methodsense.com.

Jason Rock is Chief Technology Officer of GlobalSubmit, a products and services company that provides transparency in regulated healthcare products. He may be reached at  888-840-9580.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Do You Know About Heavyweight NERC CIP 011-1?

Ron Lepofsky

Ron Lepofsky, President, ERE Information Security Auditors

Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security.

The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly general standards.

It’s called CIP 011-1 BES Cyber System Protection (in draft) and can be found at the end of the NERC CIP list of standards.

In order to understand this new standard in context, it is useful to look at the other existing standards which are as follows:

CIP 001-1 Sabotage Detection
CIP 002-1 Critical Cyber Asset Identification
CIP 003-1 Security Management Controls
CIP 004-1 Personnel and Training
CIP 005-1 Electronic Security Perimeter(s)
CIP 006-1 Physical Security of Critical Cyber Assets
CIP 007-1 Systems Security Management
CIP 008-1 Incident Reporting and Response Planning
CIP 009-1 Recovery Plans for Critical Cyber Assets
CIP 010-1 BES Cyber System Categorization ( in draft)
CIP 011-1 BES Cyber System Protection (in draft)

What’s Different about CIP 011-1

NERC CIP 011-1 puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict other CIP standards but instead are drilldowns and complementary to them.

In my opinion 011-1 control points resemble NIST security control points defined in the document: Recommended Security Controls for Federal Information Systems and Organizations. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit but I think they are specifying critical requirements to harden our electrical security grid.

CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R3 – Cyber Security Training
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems
CIP-011-1 Table R6 – Physical Access Control Systems
CIP-011-1 Table R7 – Account Management Specifications
CIP-011-1 Table R8 – Account Management Implementation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R9 – Access Revocation
CIP-011-1 Table R10 – Account Access Control Specifications
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management
CIP-011-1 Table R13 – Remote Access Revocation
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls
CIP-011-1 Table R15 – Malicious Code
CIP-011-1 Table R16 – Security Patch Management
CIP-011-1 Table R17 – System Hardening
CIP-011-1 Table R18 – Security Event Monitoring
CIP-011-1 Table R19 – Communications and Data Integrity
CIP-011-1 Table R20 – Electronic Boundary Protection
CIP-011-1 Table R21 – System Boundary Protection
CIP-011-1 Table R22 – Protective Cyber Systems
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R23 – Configuration Change Management
CIP-011-1 Table R24 – Information Protection
CIP-011-1 Table R25 – Media Sanitization
CIP-011-1 Table R26 – Maintenance
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications
CIP-011-1 Table R30 – Recovery Plan Specifications
CIP-011-1 Table R31 – Recovery Plan Testing Specifications
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications

Wouldn’t it knock us all out if we find out critically important NIST standards are finally implemented by the custodians of our electrical grid?

Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) www.ere-security.ca

 

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Weighing Pros and Cons of Energy Storage Technologies

James Holler, Founder, Abidance Consulting

Last time we made the argument that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace:

Dynamic Power Resources (DPR)

  • Ramp Rate Control: DPRs monitor output from a renewable generation source on a microsecond basis and automatically responds by either absorbing renewable output or supplying additional power so that the grid receives smooth, clean power at a desired MW/minute rate.
  • Firming/Shaping: Coupling a DPR with a renewable generation forecast allows the utility to organize other generation resources to meet expected demand based on its guaranteed day-ahead renewable output schedules, as well as reshape output to deliver power during peak demand times regardless if the renewable asset is generating power or not.  If a forecast is inaccurate, the DPR automatically supplies or absorbs power on a microsecond basis to ensure the day-ahead output schedule is met.
  • Curtailment Mitigation: if there are times when the utility needs to curtail renewable output, the DPR can take advantage of all of the as-available fuel by storing curtailed power and redistributing it at other times throughout the day, whenever the grid needs excess energy.
  • Ancillary Services:  the speed and accuracy of the full four-quadrant DPR are unparalleled to that of typical generation resources.
    • Voltage Support: the DPR has the ability to supply and absorb reactive power (VARs) while simultaneously supplying real power (Watts). This allows the system to maintain a target power factor while continuing to provide other functions that require real power management such as services mentioned in this section.
    • Frequency Regulation: the DPR can respond to both AGC signals and/or frequency deviations with sophisticated control algorithms to help maintain nominal grid frequency. The DPR is capable of providing the frequency support during loss of generation or system disturbance, as well as address less severe frequency deviations due to normal grid operations throughout the course of each day.
    • Spinning Reserve: the unique sizing scheme of the DPR allows the customer to add more energy storage (MWh) and act as a back-up power reserve for extreme generation trip scenarios by providing power while offline generation units ramp up to replace lost generation.
  • Transmission and Distribution Upgrade: Deferral: instead of undertaking costly T&D upgrades, utilize DPRs to supply power for incremental increases in load, as well as to enhance grid reliability for weak and/or congested T&D lines.
  • Peak-Shaving/Load-Leveling: Similar to ramp rate control, but for longer periods of time, a DPR can absorb and provide power, charging during off-peak times for use during on-peak times. Peak loads are lessened, which ultimately enables traditional generation to run more efficiently.

James Holler is founder of Abidance Consulting.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Energy Storage Delivers Financial, Environmental Benefits for Power Entities

James Holler, Founder, Abidance Consulting

Advanced energy storage has proven that it delivers significant environmental and economic benefits as well as superior Bulk Electric System (BES) reliability. Let’s look at some of its key benefits:

Reduces the Need for Reserve Power Plants: Electricity storage technologies provide effective methods of responding to daily fluctuations in demand. Electricity produced at off-peak hours is now capable of being stored and used later to meet demand spikes, thereby reducing the need for expensive, aging, and carbon emitting fossil-fired reserve generation plants.

Cuts the Cost of Power Failures: As a result of the aging U.S. electricity grid, the DOE estimates that electricity outages and interruptions cost the U.S. approximately $150 billion annually.  Electricity storage technologies can provide power to the grid to “bridge” gaps and smooth out short-term fluctuations until backup generation sources can be brought online.

Boosts Renewable Energy Integration: Wind and solar power are the two largest sustainable sources of carbon-free natural resources. But both are intermittent, varying widely in the energy that they can provide at any one time during the day due to fluctuation in the wind patterns and intermittent cloud cover for solar panels. Power storage technologies can smooth out this variability and allow unused electricity to be dispatched at a later time when it is needed at peak times. In addition, paired with renewables, energy storage can provide regulation services such as ramp control, curtailment mitigation, firming/shaping of power and other grid reliability services.

Currently there are about six energy storage technologies available in the market today: pumped hydropower, batteries, compressed air energy storage, flywheels, superconducting magnetic energy storage, and electrochemical capacitors.  Solid state battery technologies are suited to quick, modular, scalable deployments with few environmental risks. We’ll survey each in our next blog tomorrow.

James Holler is founder of Abidance Consulting.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Skilled Social Engineers Threaten Your Proprietary Data

James Holler, Founder, Abidance Consulting

I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.

Unfortunately, there are a lot of bad guys out there who do this, too.

The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization’s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.

Your best line of defense: Training your people.

Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization’s information security are actually the employees of the company. They’re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be and act “normal”.

Bank robbers case the joint. So do Social Engineers.

When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to ensure the effectiveness of your training initiatives is a must. Your training must allow your staff to understand social engineering methodologies, why it is the most effective tool in attacking a company and why so many people fall victim. Your staff needs to also learn how the importance of effective corporate communication and incident response planning can prevent attacks from occurring in the first place.

Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.

James Holler is founder of Abidance Consulting.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare

Are The NERC Requirements Strong Enough To Protect The Power Grid?

James Holler, Founder, Abidance Consulting

The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.

With so much at stake, NERC is faced with a daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that includes dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.

Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the National Institute of Standards and Technology in shaping cybersecurity requirements.

So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:

Advanced Persistent Threat

Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.

New Dynamics

Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like LinkedIn. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.

Shared Risk

All of this is extending NERC’s reach into the critical infrastructure. Yet, 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a concept that runs counter to most security type of thinking. Traditional network security that relies on reactive measures simply isn’t enough.

Pay Closer Attention To Applications

Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need to ensure trusted development processes to maintain their integrity. Today, that means adhering to requirements set-forth by the NERC requirements. Trusted delivery is also critical — especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense and you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.

James Holler is founder of Abidance Consulting.

TwitterFacebookGoogle+LinkedInEmailPrintFriendlyShare