19 October 2010

OPS Risk: Diversifying Systems Portfolio...

What kind of testing, experiments and operational risk projects is your organization running simultaneously right now? For example, do you have an OPS Risk project in which a business unit has moved entirely to "Google Apps" as its computing utility platform, migrating its e-mail to Gmail and eliminating the Microsoft Office suite and Outlook, for the purpose of increasing your understanding of the benefits, vulnerabilities or other metrics? If you have not, the question is: why not?

We recommend you do this now. Move an entire business unit, such as the crisis management team or the operational risk management department, off the "Microsoft Mother Ship" and develop several categories of metrics. Buy everyone a BlackBerry or Android-based smartphone and pair it with an Android-based tablet PC or the soon-to-market BlackBerry PlayBook. Enable a domain for the team so that all participants can get on Google Apps, and keep the team connected to the enterprise yet possibly more resilient to any major internal business disruption.

You must establish metrics beyond technology and application compatibility and focus on productivity, accessibility and any failures in the systems themselves. Once you have untethered your team from the Microsoft-centric platforms in the enterprise and they are living in the virtual cloud or outsourced world of Google Apps or other SaaS- or IaaS-based solutions, the testing is only beginning.

The behaviors that your employees adopt in order to work within this new set of tools, devices and services may very well pave the way for the organization to become more resistant to several corporate plagues. Beyond the normal scourge of Microsoft-related exploits by malware and Trojan horses, it would be interesting to measure how people actually feel. Do they feel more productive or less? Are the new behaviors they are experimenting with in doing their work giving them more insight, faster answers or greater reach into the information they need to make important decisions?

And even if this team found that capabilities were missing compared with its Microsoft Exchange and Outlook apps, you could still migrate it to a hosted solution outside your own enterprise. A Microsoft-based platform, outsourced and hosted elsewhere, could be the answer where you have teams that must use a Microsoft-based desktop OS tethered to a Microsoft-based enterprise application. Governments are even now making the case for the exodus to Google Apps:

The debate continues about whether cloud computing and hosted services put sensitive data at risk or actually realize the cost savings that are promised. Some local governments have determined that the return on investment for moving to cloud-based services isn’t sufficient yet to justify moving in that direction. But the concern isn’t universal. Orlando, Fla.; Washington, D.C.; and some departments in New Mexico and Colorado have already migrated to Google Apps.

This year, Google even launched a version of its productivity suite tailored for government customers that meets federal IT security benchmarks. According to the company, Apps for Government is the first cloud computing suite to receive Federal Information Security Management Act-moderate accreditation, designed to standardize IT security across the government and relieve concerns about perceived security risks.

“By the end of the migration, most customers are convinced that data would be safer in Google data centers,” Cohn said.

Not all governments believe in cloud computing as the smart solution. Some local governments don’t see the cost benefits in migrating unless it’s a last resort. Some observers believe that was the case in L.A.

Last year, the city decided to implement Gmail on more than 30,000 desktops and adopt the suite. The five-year deal made L.A. the first government of its scale to choose Gmail for the enterprise.

Whether you are the City of Los Angeles, Washington, D.C. or a smaller jurisdiction, you can see that the momentum is starting to take effect. So the Operational Risk Management team at your organization might be on to something as it breaks away from the corporate Mother Ship to test the resiliency and productivity of another platform outside the Microsoft suite.

As you begin to explore the number of new apps that integrate with Google, you start to see other places where you may be able to eliminate Microsoft Excel, Word and Project Management:

The Google Apps Marketplace offers products and services designed for Google users, including installable apps that integrate directly with Google Apps. Installable apps are easy to use because they include single sign-on, Google's universal navigation, and some even include features that integrate with your domain's data.

Operational Risk Management is about testing and experimenting to find the vulnerabilities in your current environment. It is about establishing teams with new and different ways of running their day-to-day business in order to increase the resilience of certain core capabilities within the enterprise. Have you ever had a financial planner say, "You need to diversify your portfolio"? Let's just hope you listened to this piece of wise advice these past two years...

04 October 2010

Stuxnet: Digital Sabotage of Critical Infrastructure...

Chief Information Security Officers (CISOs) are gaining significant new understanding of the threat emerging in the digital domain. The Energy, Chemical, Water, Transportation and other Critical Infrastructure sectors are on high alert. Programmable Logic Controller (PLC) systems using Siemens technologies are being attacked, with all the Operational Risks that entails. Stuxnet is a new worm that has emerged over the past few months and is being analyzed from several vectors. One analysis still forthcoming is who developed this sophisticated new industrial sabotage cyber weapon. Consider this logic from Ralph Langner:

Many aspects of Stuxnet are so completely different from malware as we know it that it's only natural that so many hard-working experts at some point in the analysis ended in frustration. The best way to approach Stuxnet is not to think of it as a piece of malware like Sasser or Zotob, but to think of it as part of an operation -- operation myrtus. Operation myrtus can be broken down into three major stages: Preparation, infiltration, and execution.
Stage 1, preparation:
- Assemble team, consisting of multiple units (intel, covert ops, exploit writers, process engineers, control system engineers, product specialists, military liaison)
- Assemble development & test lab, including process model
- Do intel on target specifics, including identification of key people for initial infiltration
- Steal digital certificates

Stage 2, infiltration:
- Initial infiltration using USB sticks, perhaps using contractor's compromised web presence
- Weapon spreads locally via USB stick sharing, shared folders, printer spoolers
- Contact to command & control servers for updates, and for evidence of compromise
- Update local peers by using embedded peer-to-peer networking
- Shut down CC servers

Stage 3, execution:
- Check controller configuration
- Identify individual target controllers
- Load rogue ladder logic
- Hide rogue ladder logic from control system engineers
- Check PROCESS condition
- Activate attack sequence

For the CISO and executives sitting on the latest emergency Cisco TelePresence call at companies such as Entergy, American Electric Power, Dominion Resources and dozens of others in the power grid industry, the reliability factor is uncertain.

If this new malware had an initial project budget in the seven figures ($,$$$,$$$.00) to achieve the three stages described previously (preparation, infiltration and execution), the price will soon become more affordable. The price of a malware exploit kit such as this one, as it is re-engineered for other purposes or types of targets, will decrease dramatically as it propagates across the Internet.

The significance of the decrease in price is that the capability will now be more affordable for transnational economic crime syndicates. How they will use the new Stuxnet capability in their toolkit for cyber extortion, digital sabotage and other schemes remains to be seen. What is certain is that it will not be long before this becomes a reality. Gary McGraw comments further:

Stuxnet is a fascinating study in the future of malware. Not only did it reveal at least 4 0days (which are still being patched by Microsoft), it clearly demonstrated that physical process control systems of the sort that control power plants and safety-critical industrial processes are ripe for compromise.

Now that the genie is out of the bottle, it is hardly possible to stuff it back in. Expect the techniques and concepts seen in Stuxnet to be copied. Attacks on process control systems are no longer the fantasies of paranoids in tinfoil hats — they are here.

The next Operational Risk on the horizon is the plaintiff lawsuits that follow each time we have an event like this one:

Pacific Gas and Electric Co. on Monday announced it would put as much as $100 million towards rebuilding areas of the Crestmoor neighborhood destroyed in the flames. PG&E president Chris Johns maintained that money in that relief fund would be spent on reconstructing the San Bruno neighborhood, not paying off potential legal claims. Nonetheless, the utility company reportedly already cut the city a $3 million check to cover expenses associated with responding to the disaster. PG&E is also expected to pay victims whose homes were destroyed up to $50,000 to help pay for their everyday necessities. “I realize money can’t return lives. It can’t heal scars, it can’t replace memories… But there does come a time for healing and for rebuilding, and we are committed to helping that happen,” Johns added.

A full probe would be required to determine what might have caused the 30-inch high-pressure gas pipeline to burst at Earl Avenue and Glenview Drive around 6:15 p.m. that Thursday evening. Thirty-seven homes were apparently leveled in the blast. A 30-foot-wide crater could also be seen in the aftermath of the explosion. Authorities evacuated over 100 people in the area immediately after the blast. Now the California Public Utilities Commission has ordered PG&E to check all high-pressure gas lines located in densely populated areas. The National Transportation Safety Board (NTSB) is leading the investigation into the fatal San Bruno natural gas explosion.

It is too early to determine the exact cause of the San Bruno, CA disaster, yet the general counsels of major utilities are preparing their defense. The legal risks could go well beyond the scene of the explosion. Why? As the plaintiffs examine the number of PLC and SCADA controllers involved in the area of the incident, you can be certain they will be looking at the software systems associated with them. They will be requesting that the Information Technology organization at PG&E produce evidence of its policies, procedures and best practices as they pertain to SCADA exploits such as the Stuxnet worm.

Managing the Operational Risks associated with the Energy and Chemical "Critical Infrastructure" sectors goes well beyond the norm of security and safety. Even BP has established a new Operational Risk initiative in the aftermath of its Gulf of Mexico catastrophe.

BP is to create a new safety division with sweeping powers to oversee and audit the company’s operations around the world.

The Safety & Operational Risk function will have authority to intervene in all aspects of BP’s technical activities.

It will have its own expert staff embedded in BP’s operating units, including exploration projects and refineries. It will be responsible for ensuring that all operations are carried out to common standards, and for auditing compliance with those standards.

The powerful new organisation is designed to strengthen safety and risk management across the BP group. It will be headed by Mark Bly and report directly to incoming chief executive Bob Dudley.

The company said the decision to establish the new function follows the Deepwater Horizon accident in the Gulf of Mexico and BP’s investigation into the disaster. It is one of a number of major changes announced by Dudley as he prepares to take over his new role on October 1.

Who will be in charge of the "Stuxnet Task Force"?