Protecting your Intellectual Property
By Ernie Hayden

In July 2011 Asian Power posted an article I wrote on the new paradigm for utility information security where you should assume your information systems can be breached and react accordingly. In this article I’d like to offer some additional ideas for energy and utility executives to consider when trying to secure their information systems.
Identifying Your “Crown Jewels”
As a former CISO I can attest that trying to protect all your information systems is very daunting. The “perimeter” approach is long gone with the ubiquitous mobile devices, USB drives, and portable media. So trying to lasso your systems with a barrier of firewalls may not be the most successful approach. Besides, you still need to have ports open on the firewalls so you can do your work, access the Internet, and still get your corporation’s business done.
A new approach to consider is taking a hard look at your information and computing assets and identifying those databases and systems that are part of your company’s core business.
For instance, as an enterprise your customer data is always key. Consider your intellectual property such as oil and gas exploration data, secret process parameters, and lists of critical assets. These need to be protected and are also the same targets that hackers and nation states are trying to steal and profit from.
Also look at your key control systems that cannot be tainted. For example, Supervisory Control and Data Acquisition (SCADA) systems that control your company’s processes and transmission and distribution systems need to be secure and protected.
So, first and foremost, identify your key assets to protect.
Educate Key Employees and “Protectors”
Now that you’ve identified your Crown Jewels in your information and control systems, what do you do next? A key approach is to recognize that one of the first lines of defense is your employees, contractors and vendors who maintain and operate the systems you are most concerned about. Consider a focused education program for these individuals.
For education the key points are to highlight to the employees that their actions – or inactions – can cause substantial damage to the information systems you want to protect.
As an example, train your employees on how to recognize a targeted phishing attack and what to do when one is observed. Teach your key employees to realize that attackers will resort to social engineering (aka fraud) to break into your systems. So, imagine the employees who manage your oil and gas exploration databases. Consider that they could be the target of a phishing attack that seems benign, when in actuality the links in the email could open a “back door” into your key database. With access through this “back door” the attacker now has entry to your network and could exfiltrate valuable information you thought was protected.
Also, consider focused training on the dangers of portable media – not only for data extraction, but also for attack (similar to the Stuxnet delivery). Educate your employees – and maybe even establish policies that prohibit the use of portable media when accessing the new sub-perimeters you’ve built around your Crown Jewels.
You could also educate your key employees on the ways attackers conduct a phased approach against data-rich targets. The attackers’ modes usually include reconnaissance, scanning, gaining access, maintaining access, and then exfiltrating data through “back doors” planted in the system.
In other words, rather than trying to educate all your employees on these key attack methods – even though it still is a good idea – focus on your employees who are protecting your key data so they know and recognize when the “doorknob is being rattled.”
Added Sensors around the “Crown Jewels”
If you’ve ever seen the Queen of England’s jewels at the Tower of London, you realize that they are segregated from the public and isolated within layers of security. You may want to take a hard look at this approach for protection of your critical assets and databases. Training your employees who run and manage these systems is important, but adding sensors around these systems is a critical next step.
The sensors and associated logging systems need to look at events where entry into the information systems occurs as well as when data egresses. Remember, the way an attacker “wins” is if they can get the data out of the system they breached.
Therefore, inclusion of technical systems to monitor data flow (ingress and egress) as well as log management and assessment can be especially useful.
Of note, my employer Verizon is often asked to assist with data breach investigations. Often these reviews recognize that data egress may occur over a very short time and if you do not monitor your logs closely you’ll miss the “spike” where the data exited when you were just “blinking.” (For more information on data breaches, please look at our recent Data Breach Investigation Report.)
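To make the egress “spike” concrete, here is an added example (not from the original article or from Verizon) that buckets outbound bytes per host into five-minute windows from constructed flow-log lines and flags any window that dwarfs that host’s own median. The log format, host names, addresses and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample flow-log lines (not real traffic): "ISO-time src_host dst_ip bytes_out".
SAMPLE_LOG = """\
2011-09-01T09:00:12 gis-db01 203.0.113.10 4200
2011-09-01T09:03:45 gis-db01 203.0.113.10 3900
2011-09-01T09:07:02 gis-db01 203.0.113.12 4100
2011-09-01T09:12:30 gis-db01 203.0.113.10 3800
2011-09-01T09:16:05 gis-db01 198.51.100.7 91000000
2011-09-01T09:17:40 gis-db01 198.51.100.7 87000000
2011-09-01T09:22:11 gis-db01 203.0.113.10 4000
2011-09-01T09:01:00 hr-web02 203.0.113.20 15000
2011-09-01T09:06:00 hr-web02 203.0.113.20 16000
2011-09-01T09:11:00 hr-web02 203.0.113.20 14500
2011-09-01T09:16:00 hr-web02 203.0.113.20 15500
"""

EPOCH = datetime(1970, 1, 1)  # naive reference; avoids local-timezone bucket shifts
WINDOW = 300                  # five-minute buckets (assumed window size)

def bucket_egress(log_text, window=WINDOW):
    """Sum bytes_out per (host, window_start_seconds) across the log lines."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _dst, nbytes = line.split()
        secs = int((datetime.fromisoformat(ts) - EPOCH).total_seconds())
        totals[(host, secs - secs % window)] += int(nbytes)
    return totals

def find_egress_spikes(log_text, ratio=10.0, min_bytes=10_000_000, window=WINDOW):
    """Flag windows above `ratio` x the host's median window AND above `min_bytes`."""
    # The absolute floor keeps a host that normally sends a few kilobytes from
    # alerting on ordinary noise; the ratio catches the short, sharp exit of data.
    per_host = defaultdict(dict)
    for (host, start), nbytes in bucket_egress(log_text, window).items():
        per_host[host][start] = nbytes
    spikes = []
    for host, windows in per_host.items():
        baseline = median(windows.values())
        for start, nbytes in sorted(windows.items()):
            if nbytes >= min_bytes and nbytes > ratio * baseline:
                when = (EPOCH + timedelta(seconds=start)).isoformat()
                spikes.append((host, when, nbytes))
    return spikes
```

Running `find_egress_spikes(SAMPLE_LOG)` on the constructed log reports the single 09:15 window in which gis-db01 pushed roughly 178 MB to an unfamiliar address, while its usual few-kilobyte windows and the steady hr-web02 traffic stay quiet.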
Next Phases of Protection
As your program becomes more sophisticated and you begin to fine-tune your protections around your selected systems and databases, you can look at new ways to implement better sensor technology, increased training and awareness activities, and obviously capturing lessons learned from your peers and other industry security events. Your course of protection can also include means of “camouflage” with host name and IP address deception.
You could also look at access controls that require user names and passwords that change frequently and are separate from the normal user names and passwords assigned for the enterprise network. Even added access requirements that include three-factor authentication such as user name/password, token, and biometric may be the next layer of defense you include.
Just realize that your job is to protect the data and protect your control systems from harm, breach, or unwanted impact.
Conclusion
With the attacks on systems increasing and attackers trying to obtain valuable data to achieve financial or political goals you need to look harder at ways to truly protect your most important data and systems. This doesn’t mean that you should give up on protecting the enterprise – in fact expectations for due care are still mandated – but you need to tighten your protections around the key systems through training, improved monitoring, and focused safeguards.
Ernie Hayden CISSP CEH, Managing Principal, Verizon Global Energy & Utility Practice, Verizon Business