If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I just have been too busy, traveling and speaking at some really great security conferences.

The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things”.

During NCSC One I heard some great talks on the state of encryption technology today, SCADA Security consortium and foreign APT threats. But the highlight was the plenary speech by Jon Callas on the second day entitled “Security and Usability in the age of Surveillance”. Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.

If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic - The iPhone is coming to the Plant Floor – Can we Secure it?. The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources.

A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?


Does using personal devices on the plant floor increase or decrease corporate security?

What is that Security Policy REALLY Trying to Achieve?

The first question that Jon brought up was around understanding the real goals of any security policy or program. While security traditionalists talk about ensuring Confidentiality, Availability and Integrity, Jon suggested that the real goals can be divided into two more general ones:

  • Maintaining Safety
  • Maintaining Control

Now most of the time the reason given for a specific security policy is safety – for example securing a SCADA system to ensure the safety of the processes, people and products. This reason is hard to argue with – after all who wants to be less safe?

In reality there are many security policies that have nothing to do with safety. Instead they are about maintaining IT control. Now this isn’t necessarily bad, but it is a lot harder to sell compared to the safety argument. So the safety excuse gets rolled out every time*.

Enter the Evil Smart Phone

Jon then explained how this relates to the BYOD controversy. When mobile devices first came onto the market, the IT department loved the BlackBerry. Like the mainframe and the central server, the BlackBerry architecture centralized everything. Every email you sent, every note you made passed under the watchful eyes of the IT department. Any other mobile device was banned because it was “unsafe” for confidential company information.

Unfortunately for BlackBerry, the real customer wasn’t the IT department, but rather the end user. When the user was a lowly engineer or a sales person, the iPhone, iPad or Android could be safely ignored. But once company CEOs started to buy iPhones and see how effective they were, suddenly IT had to start accepting other mobile devices.

The flood gates burst open and soon iPhones and Androids dominated the corporate world and BlackBerry withered to a shadow of its former glory.

Yet to this day we still hear lots of crying on how insecure personal mobile devices are and how the IT department has to “bring the problem under control”. There are endless pitches for BYOD security products and no shortage of corporate policies (many of questionable effectiveness) intended to “manage the problem”. Always the reason given is the “safety and security” of corporate intellectual property.


Eric Byres presenting at the International NCSC One Conference 2014 in The Hague, Netherlands on June 4th.

Tell Me Again Why My Company Laptop is More Secure than my Personal iPhone…

But is the iPhone or Android really the security risk the IT world claims? Or is it just an issue that is difficult to maintain control over?

Smart phones aren’t perfect, but how many truly effective rootkits have you seen for attacking iPhones? Now how many rootkits are there for taking over PCs? How many serious mobile device vulnerabilities have you needed to quickly patch in the last year? Maybe two? Now how often do you have to install a critical Windows, Java, or Adobe patch on your PC? Every week? As Jon put it, “Anti-virus software for the mobile device is not exactly a growth market.”

In fact, it may be that personal phones are actually more secure than all the other devices that are welcomed by traditional IT.

Smart phones are also more carefully guarded by their owners. Jon quoted studies that showed on average people noticed and reported a missing phone in under 20 minutes compared to 24 hours for a missing wallet. If someone stole my laptop on a weekend, it could be two days before I noticed. Plus, once an iPhone goes missing, the remote wipe features are very effective. I doubt my IT department can ever wipe the laptop they gave me if I lose it.

Mobile Devices are NOT Secure

To be clear Jon is NOT saying that mobile devices are perfectly secure – far from it. But all the evidence suggests that they are more secure than any other common computing device currently in use. Thus the excuse to tangle up iPhones and Androids in red tape is just an excuse. And industry might just be better off from a security point of view if we embraced or even encouraged the mobile device on the plant floor. It certainly is worth considering.

Picking the Right SCADA Security Battles

I often think that safety as an excuse for control is common in airport security. Many of the restrictions and processes required by both the TSA and the airlines with the “We’re doing this for your protection” justification appear to be a way to make the customer easier to control (or as an excuse to cut services).

For example, The Atlantic magazine reported that a TSA employee confessed to reporter Jeff Goldberg that the purpose of enhanced pat downs was to make opting out of full body scans so unpleasant that everyone would quietly choose to go through the scanner. This would make the inspection process quicker and cheaper for the TSA.

Frustrating people never leads to better security. It just encourages rebellious behavior. This is doubly true for the industrial world. It is human nature that people (especially engineers!) only have so much patience for security policies that make their job harder to do.

Institute a few security controls that offer clear safety benefits and people will respect them. Throw too many controls in a person’s way and they will find a way to circumvent them so they can get their job done. Unfortunately people don’t necessarily pick the least effective controls to ignore – they might obey the ineffective measures and bypass the important ones.

Thus as SCADA security professionals we need to pick our security battles carefully. After listening to Jon, I will be looking deeper into the real goals of any SCADA security policy or technology I am exposed to. Is it really helping to make SCADA and ICS safer? Or is it just a way to make control easier? Is it addressing the real risks? Or is it just for show? Fail to ask these questions and we risk creating a backlash against the whole SCADA/ICS security message. And that will be a loss for the entire industry.
