• Situational Awareness (SA) is the cognitive recognition and realization of enterprise technical performance, the relationship of technical performance to supported mission sets, recognizing emerging threats within and external to the enterprise, and being aware of activity as it relates to the broader agency enterprise.
• SA is essential to Cyber Security and Mission Assurance – “getting the job done, not simply protecting information”
  - SA after-the-fact means data is lost or manipulated and a mission has failed
  - SA is “designed in” to the enterprise and must be rigorously pursued
Preparing for the Cyber Pearl Harbor with increased situational awareness
Preparing for the Cyber Pearl Harbor: Is blind compliance aiding the aggressor?
Part seven of a series
September 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
ABSTRACT
How effective is the U.S. National Institute of Standards and Technology’s “Discussion Draft of the Preliminary Cybersecurity Framework” in meeting its stated goal of protecting critical infrastructure?
Background
On the morning of December 7, 1941 (so the story goes), newly trained operators of “RADAR” telephoned the watch commander at the military operations center and advised the duty officer of a rather large “blip”. Legend has it that the duty officer had had a rather late night and wasn’t ready to address reports from a new, untested technology at 6:30 am. Besides, this “blip” was most likely a squadron of friendly B-17 bombers arriving at Hickam Army Air Field. The threat was “detected”, and the appropriate party, the one that could have created a “response” to the threat, was duly notified.

Unfortunately for humanity, the blip was recording over 400 Japanese aircraft that would soon obliterate the U.S. Pacific Naval and Air Forces. So began World War II for the United States.
Fast forward to present day. The Operations Section Chief (OSC) at the Big City Emergency Operations Center (EOC), activated due to civil unrest, receives a text from the City’s I.T. director, stating:

“Suddenly our Web-EOC application is getting slammed with 5,000 SYN packets per second with TTL set to zero. These are coming from dozens of sources, as best we can tell, including inside our domain.”

What if the OSC replied, “Yeah, don’t worry about it, WebEOC isn’t that helpful anyway.”?

“What we have here is a failure to communicate.”[1]

[1] Captain, prison warden, in the movie Cool Hand Luke, 1967
Introduction
The Cybersecurity Framework (CSF) is an evolving structure and process for “voluntary” certification of private sector critical infrastructure and key resource (CI/KR) operators, who are encouraged to use a consensus-developed, risk-based approach proposed by the White House.[2] The stated purpose of the CSF is to help protect critical infrastructure.

The U.S. National Institute of Standards and Technology (NIST), the lead technical agency to define the CSF, released a Discussion Draft of the Preliminary Cybersecurity Framework on 8/28/2013. NIST has defined a “core framework” comprising five (5) key CSF categories: IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER.

In the Pearl Harbor and Big City civil unrest scenarios, the DETECT and RESPOND activities required clear and understandable communications. A persistent need exists to clearly convey indicators and warning signs, developed by technical staff operating in an abstract world (RADAR and cyberspace), to aid the physical “real world” responders that may have to address the downstream consequences of CI/KR failures (e.g. power blackouts of the Bulk Electric System (BES), explosions in underground gas pipelines, malicious failures of traffic signals, etc.).

NIST’s 8/28/2013 draft discussion paper provides the appropriate baseline to begin this process.

[2] Executive Order -- Improving Critical Infrastructure Cybersecurity, 2/12/2013. See: Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
DETECT
Subcategories under the DETECT heading in the NIST draft include:

- DE.DP-1: Ensure accountability by establishing organizational roles, responsibilities for event detection and response
- DE.DP-2: Perform policy compliance and enforcement for detect activities (internal, external constraints)
- DE.DP-3: Conduct exercises (e.g., tabletop exercises) to ensure that staff understand roles/responsibilities and to help provide quality assurance of planned processes
- DE.DP-4: Communicate and coordinate cybersecurity event information among appropriate parties

In sum, these activities promote the ability to create abstract cyber threat situational awareness (SA). However, the cyber community should consider that the loss of key systems can impact real-world SA and hamper decision-makers. These issues become even more acute in the context of cloud computing, as NIST cites:

“…Loss of control over both the physical and logical aspects of the system and data diminishes the organization’s ability to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization…”[3]

Therefore, the loss of systems providing real-world SA is significant and directly impacts any follow-on RESPONSE activity.
Understanding compliance impact on SA activities
To illustrate these subtle points concerning the abstract cyber world vs. the real world, consider that the NIST 8/28/2013 draft identifies NIST Special Publication (SP) 800-53 Rev. 4, entitled Recommended Security Controls, as an appropriate reference document in the DETECT category, meaning it can presumably aid cyber responders in detection activity. However, as pointed out in a Government Accountability Office report entitled Critical Infrastructure Protection, the BES industry believed that NIST SP 800-53 would actually reduce SA (if followed). Quoting in relevant part:[4]

“SP 800-53 recommends implementing a session lock control after a period of inactivity or upon receiving a request from a user. According to the NERC (North American Electric Reliability Corp.) officials, this control is not applicable and not feasible in a real-time control system environment because session lock on an operational console could result in a loss of system operations and system monitoring, leading to a loss of present situational awareness. The NERC officials also stated that a lack of situational awareness was a key factor leading to the August 14, 2003, blackout…”

Such scenarios highlight one of the critiques of the “check the box” standards-based approach to cyber security industry compliance: unintended impact on SA.

[3] Guidelines on Security and Privacy in Public Cloud Computing, NIST Special Pub 800-144
[4] GAO Report GAO-12-92, December 2011
Drawing from Pearl Harbor, recall that the Army Air Forces had neatly arranged its fighter aircraft wing tip to wing tip at Hickam Field in full compliance with policy directives to prevent sabotage (affording easier physical surveillance of the aircraft by sentries). Compliance with policy aided the aggressor in a more efficient destruction of aircraft, as the close proximity of the crowded aircraft made them easier to destroy with strafing and bombs.

The lesson here is that compliance in a threat awareness vacuum can create dangerous conditions. Therefore, emphasis on developing effective SA tools and plans should be a major objective of the NIST CSF DETECT function.
Understanding how to mature SA
The NIST CSF Subcategories DE.DP-3 (exercises) and DE.DP-4 (communicate and coordinate) are good starting points to build upon for creating what SA practitioners refer to as a “knowledge map”.

Knowledge maps are a planning tool that can be used by crisis action teams to identify what information they will require when addressing a crisis. For instance, in a tabletop exercise (as suggested by NIST), e.g. the Big City civil unrest, the OSC may want to know if the SYN packet cyber-attack on the WebEOC application is a coordinated cyber-attack.

During the tabletop exercise (TTX) it may be discovered that the OSC needs to contact the Federal Bureau of Investigation (FBI) to secure network forensics of the attack. An individual point of contact may need to be identified. A reasonable take-away would be to follow up with the FBI to find out what key bits of information they will require in such a scenario.

Likewise, the OSC may learn that malicious SYN packets attacking cyber SA assets from the internal domain may indicate that the EOC I.T. infrastructure may itself be compromised. Again, this may require contacting key personnel and asking relevant questions to ascertain the impact on SA assets.
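One way to turn the I.T. director’s raw report into the plain-language facts the OSC and the knowledge map call for (is it a flood, is it distributed, is the EOC itself involved), as an added example that is not part of the article. The packet records are constructed, and the 10.0.0.0/8 internal range and the 5,000 SYN/s threshold are assumptions drawn from the scenario.

```python
"""SYN-flood triage for the Big City WebEOC scenario. Added example, not from
the article; packet records are constructed, and the 10.0.0.0/8 internal
range and the 5,000 SYN/s threshold are assumptions drawn from the text."""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed EOC / City internal address space
SYN_RATE_ALERT = 5000                 # SYN packets per second quoted in the scenario


def build_sample(window_seconds=1):
    """Constructed one-second capture: 50 sources sending 100 SYNs each with
    TTL 0, three of them inside the EOC domain, plus some ordinary ACK traffic."""
    records = []
    for i in range(50):
        src = f"10.20.0.{i + 1}" if i < 3 else f"198.51.100.{i + 1}"
        records += [{"src": src, "flags": "S", "ttl": 0}] * 100
    records += [{"src": "10.1.1.7", "flags": "A", "ttl": 64}] * 40
    return records, window_seconds


def summarize_syns(records, window_seconds):
    """Reduce raw packets to the few numbers a decision-maker needs."""
    syns = [r for r in records if r["flags"] == "S"]
    by_src = Counter(r["src"] for r in syns)
    internal = {s: n for s, n in by_src.items() if ip_address(s) in INTERNAL}
    external = {s: n for s, n in by_src.items() if s not in internal}
    return {
        "syn_rate": len(syns) / window_seconds,
        "ttl_zero_fraction": sum(r["ttl"] == 0 for r in syns) / max(len(syns), 1),
        "internal_sources": internal,
        "external_sources": external,
    }


def triage(summary):
    """Answer the knowledge-map questions from the text with plain labels:
    is it a flood, is it distributed, and is the EOC itself involved?"""
    findings = []
    if summary["syn_rate"] >= SYN_RATE_ALERT:
        findings.append("syn_flood")
    if summary["ttl_zero_fraction"] > 0.9:
        # An arriving TTL of 0 should not survive a router hop, so the packets
        # are either crafted or originate on the local network.
        findings.append("crafted_packets")
    if len(summary["internal_sources"]) + len(summary["external_sources"]) >= 12:
        findings.append("distributed_sources")
    if summary["internal_sources"]:
        # As the article notes, internal sources may mean EOC IT is compromised.
        findings.append("internal_sources_check_for_compromise")
    return findings
```

The labels returned by `triage` are what a cyber responder would relay to the OSC and record on the knowledge map, rather than the packet counts themselves.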
A knowledge map helps to graphically display these relationships, along with the types of information sought or requested by information consumers (FBI, etc.). Other points of contact may include CI/KR EOCs (network providers, telecomm firms, etc.).

Cyber responders need to participate in these TTX activities with an interdisciplinary approach and be prepared to communicate outside of their cyber technical comfort zone. Again, this is likened to the RADAR operator (abstract reality) who is trying to raise SA and create a response to a detected threat. Escalation procedures will need to be worked out to aid the information sharing process. Appropriate cyber response SA specialists and teams will need to comprehend the developing situation and communicate it appropriately to “real-world” decision makers organizing the response.

Had the Pearl Harbor watch commander known that a U.S. Navy destroyer was firing upon a suspected mini-submarine at the very moment he dismissed the RADAR operators, history might have been forever changed, with a dramatically different outcome. That is situational awareness.
About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master’s degrees in Information Security and Project Management. A former consultant to the U.S. National Security Agency, he is a practitioner of cybersecurity. He has attended more than 1,000 hours of instructor-led courses that address incident management and CI/KR protection.