Preparing for the Cyber Pearl Harbor with increased situational awareness

• Situational Awareness (SA) is the cognitive recognition and realization of enterprise technical performance, the relationship of technical performance to supported mission sets, recognizing emerging threats within and external to the enterprise, and being aware of activity as it relates to the broader agency enterprise.
• SA is essential to Cyber Security and Mission Assurance – “getting the job done, not simply protecting information”
  - SA after-the-fact means data is lost or manipulated and a mission has failed
  - SA is “designed in” to the enterprise and must be rigorously pursued

Preparing for the Cyber Pearl Harbor: Is blind compliance aiding the aggressor?
Part seven of a series. September 2013.
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP

ABSTRACT

How effective is the U.S. National Institute of Standards and Technology’s “Discussion Draft of the Preliminary Cybersecurity Framework” in meeting its stated goal of protecting critical infrastructure?

Background

On the morning of December 7, 1941 – so the story goes – newly trained operators of “RADAR” telephoned the watch commander at the military operations center and advised the duty officer of a rather large “blip”. Legend has it that the duty officer had had a rather late night and wasn’t ready to address reports from a new, untested technology at 6:30 am. Besides, this “blip” was most likely a squadron of friendly B-17 bombers arriving at Hickam Army Air Field. The threat was “detected”, and the appropriate party – the one that could have created a “response” to the threat – was duly notified. Unfortunately for humanity, the blip represented over 400 Japanese aircraft that would soon obliterate the U.S. Pacific naval and air forces. So began World War II for the United States.

Fast forward to the present day. The Operations Section Chief (OSC) at the Big City Emergency Operations Center (EOC), activated due to civil unrest, receives a text from the City’s I.T. director stating: “Suddenly our WebEOC application is getting slammed with 5,000 SYN packets per second with TTL set to zero. These are coming from dozens of sources, from what we can tell, including inside our domain.” What if the OSC replied, “Yeah, don’t worry about it, WebEOC isn’t that helpful anyway”?

“What we have here is a failure to communicate.”[1]

[1] The Captain, prison warden, in the movie Cool Hand Luke, 1967
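The Big City scenario above turns on one question the I.T. director has to answer quickly and in plain language: how much SYN traffic is hitting WebEOC, from where, and is any of it coming from inside the EOC’s own address space? The following script is an added example, not part of the essay or of any WebEOC product. It assumes a flow collector that exports per-second, per-source packet counts with TCP flags (a constructed format, shown inline), an EOC internal network of 10.20.0.0/16 and a WebEOC server at 10.20.5.10 (both assumed). It computes the SYN rate toward the server, separates internal from external offenders, and produces the kind of short, non-technical summary the OSC needs.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the essay): the EOC's internal address space and
# the address of the WebEOC server being flooded.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WEBEOC_ADDR = "10.20.5.10"

# Constructed flow-collector export, one line per (second, source) pair:
# epoch_second,src,dst,tcp_flags,packets   (S = SYN only, SA = SYN+ACK)
SAMPLE_FLOWS = """\
1378362600,192.0.2.10,10.20.5.10,S,1800
1378362600,198.51.100.7,10.20.5.10,S,1500
1378362600,10.20.7.44,10.20.5.10,S,1200
1378362600,203.0.113.9,10.20.5.10,S,600
1378362600,10.20.3.12,10.20.5.10,SA,40
1378362600,10.20.9.5,10.20.5.10,S,3
1378362601,192.0.2.10,10.20.5.10,S,1900
1378362601,198.51.100.7,10.20.5.10,S,1400
1378362601,10.20.7.44,10.20.5.10,S,1300
1378362601,203.0.113.9,10.20.5.10,S,500
1378362601,10.20.9.5,10.20.5.10,S,2
"""


def parse_records(text):
    """Parse the constructed export into a list of dicts; blank/comment lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        second, src, dst, flags, packets = line.split(",")
        records.append({"second": int(second), "src": src, "dst": dst,
                        "flags": flags, "packets": int(packets)})
    return records


def is_internal(addr):
    """True if the address falls inside the assumed EOC address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def syn_rates(records, target):
    """Average pure-SYN packets per second toward target, overall and per source,
    averaged over the distinct seconds present in the export."""
    syns = [r for r in records if r["dst"] == target and r["flags"] == "S"]
    seconds = {r["second"] for r in syns}
    if not seconds:
        return 0.0, {}
    per_source = defaultdict(int)
    for r in syns:
        per_source[r["src"]] += r["packets"]
    span = len(seconds)
    total = sum(per_source.values()) / span
    return total, {src: n / span for src, n in per_source.items()}


def assess(records, target, per_source_threshold=100.0, total_threshold=1000.0):
    """Classify the SYN load and list offending sources, internal ones separately.
    A low-rate internal source (normal client traffic) is deliberately not flagged."""
    total, per_source = syn_rates(records, target)
    flagged = sorted((s for s, pps in per_source.items() if pps >= per_source_threshold),
                     key=lambda s: per_source[s], reverse=True)
    internal = [s for s in flagged if is_internal(s)]
    external = [s for s in flagged if not is_internal(s)]
    if total >= total_threshold and internal:
        severity = "high"       # volumetric flood plus a possible internal compromise
    elif total >= total_threshold:
        severity = "elevated"
    else:
        severity = "normal"
    actions = []
    if total >= total_threshold:
        actions.append("notify the OSC that WebEOC availability (an SA asset) is threatened")
        actions.append("preserve flow records and packet captures for network forensics")
    if internal:
        actions.append("treat flagged internal hosts as possibly compromised; isolate and examine")
    return {"total_syn_pps": total, "flagged_external": external,
            "flagged_internal": internal, "severity": severity, "actions": actions}


if __name__ == "__main__":
    report = assess(parse_records(SAMPLE_FLOWS), WEBEOC_ADDR)
    print(f"SYN rate toward WebEOC: {report['total_syn_pps']:.0f}/s, severity: {report['severity']}")
    print("External sources:", ", ".join(report["flagged_external"]) or "none")
    print("Internal sources:", ", ".join(report["flagged_internal"]) or "none")
    for action in report["actions"]:
        print(" -", action)
```

On the constructed data the report shows roughly 5,100 SYN/s, three external sources and one internal host (10.20.7.44) above the per-source threshold, while the internal host sending a couple of SYNs per second is left alone. The thresholds are assumptions to be tuned per site; the point is that the output already separates “we are being flooded” from “one of our own machines is participating”, which is the distinction the OSC’s escalation decision depends on.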
Introduction

The Cybersecurity Framework (CSF) is an evolving structure and process for “voluntary” certification of private sector critical infrastructure and key resource (CI/KR) operators, who are encouraged to use the consensus-developed, risk-based approach proposed by the White House.[2] The stated purpose of the CSF is to help protect critical infrastructure. The U.S. National Institute of Standards and Technology (NIST), the lead technical agency defining the CSF, released a Discussion Draft of the Preliminary Cybersecurity Framework on 8/28/2013. NIST has defined a “core framework” comprised of five (5) key CSF categories: IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER.

In the Pearl Harbor and Big City civil unrest scenarios, the DETECT and RESPOND activities required clear and understandable communications. A persistent need exists to clearly convey indicators and warning signs (developed by technical staff operating in an abstract world, whether RADAR or cyberspace) to the physical, “real world” responders who may have to address the downstream consequences of CI/KR failures (e.g. power blackouts of the Bulk Electric System (BES), explosions in underground gas pipelines, malicious failures of traffic signals, etc.). NIST’s 8/28/2013 draft discussion paper provides the appropriate baseline to begin this process.

[2] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See Sec. 7, Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

DETECT

Subcategories under the DETECT heading in the NIST draft include:

• DE.DP-1: Ensure accountability by establishing organizational roles and responsibilities for event detection and response
• DE.DP-2: Perform policy compliance and enforcement for detect activities (internal, external constraints)
• DE.DP-3: Conduct exercises (e.g., tabletop exercises) to ensure that staff understand roles/responsibilities and to help provide quality assurance of planned processes
• DE.DP-4: Communicate and coordinate cybersecurity event information among appropriate parties

In sum, these activities promote the ability to create abstract cyber threat situational awareness (SA). However, the cyber community should consider that the loss of key systems can impact real-world SA and hamper decision-makers. These issues become even more acute in the context of cloud computing, as NIST notes: “...Loss of control over both the physical and logical aspects of the system and data diminishes the organization’s ability to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization...”[3] Therefore, the loss of systems providing real-world SA is significant and directly impacts any follow-on RESPONSE activity.

[3] Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Pub 800-144

Understanding compliance impact on SA activities

To illustrate these subtle points concerning the abstract cyber world vs. the real world, consider that the NIST 8/28/2013 draft identifies NIST Special Publication (SP) 800-53 Rev. 4, entitled Recommended Security Controls, as an appropriate reference document in the DETECT category, meaning it can presumably aid cyber responders in detection activity. However, as pointed out in a Government Accountability Office report entitled Critical Infrastructure Protection, the BES industry believed that NIST SP 800-53, if followed, would actually reduce SA. Quoting in relevant part:[4]

“SP 800-53 recommends implementing a session lock control after a period of inactivity or upon receiving a request from a user. According to the NERC (North American Electric Reliability Corp.) officials, this control is not applicable and not feasible in a real-time control system environment because session lock on an operational console could result in a loss of system operations and system monitoring, leading to a loss of present situational awareness. The NERC officials also stated that a lack of situational awareness was a key factor leading to the August 14, 2003, blackout...”

[4] GAO Report GAO-12-92, December 2011

Such scenarios highlight one of the critiques of the “check the box”, standards-based approach to cyber security industry compliance: unintended impact on SA. Drawing from Pearl Harbor, recall that the Army Air Forces had neatly arranged its fighter aircraft wing tip to wing tip at Hickam Field, in full compliance with policy directives to prevent sabotage (affording easier physical surveillance of the aircraft by sentries). Compliance with policy aided the aggressor in a more efficient destruction of aircraft, as the close proximity of the crowded aircraft made them easier to destroy with strafing and bombs. The lesson here is that compliance in a threat awareness vacuum can create dangerous conditions. Therefore, emphasis on developing effective SA tools and plans should be a major objective of the NIST CSF DETECT function.

Understanding how to mature SA

The NIST CSF Subcategories DE.DP-3 (exercises) and DE.DP-4 (communicate and coordinate) are good starting points to build upon for creating what SA practitioners refer to as a “knowledge map”. Knowledge maps are a planning tool that crisis action teams can use to identify what information they will require when addressing a crisis. For instance, in a tabletop exercise (as suggested by NIST), e.g. the Big City civil unrest, the OSC may want to know whether the SYN packet cyber-attack on the WebEOC application is a coordinated cyber-attack. During the tabletop exercise (TTX) it may be discovered that the OSC needs to contact the Federal Bureau of Investigation (FBI) to secure network forensics of the attack. An individual point of contact may need to be identified. A reasonable take-away would be to follow up with the FBI to find out what key bits of information they will require in such a scenario. Likewise, the OSC may learn that malicious SYN packets attacking cyber SA assets from the internal domain may indicate that the EOC I.T. infrastructure is itself compromised. Again, this may require contacting key personnel and asking relevant questions to ascertain the impact on SA assets. A knowledge map helps to graphically display these relationships, along with the types of information sought or requested by information consumers (FBI, etc.). Other points of contact may include CI/KR EOCs (network providers, telecomm firms, etc.).

Cyber responders need to participate in these TTX activities with an interdisciplinary approach and be prepared to communicate outside of their cyber technical comfort zone. Again, this is likened to the RADAR operator (abstract reality) who is trying to raise SA and create a response to a detected threat. Escalation procedures will need to be worked out to aid the information sharing process. Appropriate cyber response SA specialists and teams will need to comprehend the developing situation and communicate it appropriately to “real-world” decision makers organizing the response.

Had the Pearl Harbor watch commander known that a U.S. Navy destroyer was firing upon a suspected mini-submarine at the very moment he dismissed the RADAR operators, history may have been forever changed, with a dramatically different outcome. That is situational awareness.

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor and Project Management Professional, and holds Master’s degrees in Information Security and Project Management. A former consultant to the U.S. National Security Agency, he is a practitioner of cybersecurity. He has attended more than 1,000 hours of instructor-led courses that address incident management and CI/KR protection.