By Art Drake
Summary: National security has affected all people and industries since 9/11. One of those involves water treatment and operators of such equipment. One security company has a multi-stage solution to the increase in regulations and discusses some of its approaches here.
The current Fiscal Year 2004 Energy & Water Appropriations Bill signed by President Bush encourages the Federal Energy Regulatory Commission (FERC) to “ensure that process control systems, switching stations and substations are adequately protected by any cyber security standards issued for the national power grid.” Approval of the bill is further evidence that regulators understand an enormous range of potential threats still remains and must be prevented. These threats emerge from both outside and within electric, water, gas, waste management, mass transportation and all other mission-critical infrastructures.
As in other industries, information and data management is critical to ongoing and successful water treatment operations. To date, companies have struggled to evaluate the risk associated with those functions. Regardless of size, companies are exposed to information security losses. So how do you know what you’re at risk for, and how large is that risk? These are the questions legislators are grappling with, as recent information security regulations show.
A common experience
To meet current security regulations, many companies in the water industry are initiating information security assessments as part of their compliance efforts. The output of an assessment is a report identifying vulnerabilities and threats, an analysis of those threats to determine risk impact and, finally, a list of tactical “fixes” that need to be implemented. Typically, such a report identifies some open ports on a Unix machine that need to be restricted or closed and some Microsoft NT passwords that need to be strengthened. Of course, there’s also the obligatory recommendation to “patch your systems.” A recent read of NERC’s current security and protection standards confirmed our understanding that the Energy & Water Appropriations Bill says nothing about ports on Unix platforms or any other specific technology detail or requirement.
Although current assessments can provide a very detailed list of potential problems, water companies need a balanced strategic and tactical perspective on information security and risk management. A report of findings should include a discussion of the audit approach and scope, and a description or validation of the environment being audited. More importantly, there should be a discussion of how the tactical audit aligns with the client’s strategic risk management perspective. Without relevance to a larger context, there is no adequate basis on which to evaluate the report’s findings.
Assessments represent only a point-in-time review of the current state. Whether related to people, process or technology, an assessment is focused on a specific set of environmental factors and considerations. Its findings may identify problems and provide relevant recommendations, but when it comes to managing risk across a water organization over time, normal technology assessment processes fail us. How then can we adequately comply with recent regulations such as the Energy & Water Appropriations Bill, which focus on process and controls?
The right context
Compliance with information security legislation is largely based on basic risk management principles: What am I at risk for, and how can I manage that risk? Legislators are expecting water executives to know what’s going on in their environment, be responsible for establishing and exercising controls, protect human, physical and data assets, and demonstrate due diligence in the process:
“Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.”
—The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in a draft of its Enterprise Risk Management Framework
In most companies, there’s a chief financial officer (CFO) to oversee all financial aspects of the organization. From budgeting to resource allocation, the CFO is never in the position of not knowing the financial performance of the organization. If there’s ever a question on financial performance, the chief executive officer (CEO) relies on his/her CFO for information, analysis and recommendations (See Figure 1). More importantly, the CEO and CFO—as well as the board of directors, shareholders and employees—share the same mechanism to manage performance: financial statements (budgets, profit and loss, balance sheet, etc.). So, what measurement does your chief security officer share with you to understand how well your security strategy is working, especially at managing risk?
From our experience, a sound security program enables compliance. Compliance, however, does not enable security. Put another way, is compliance with the Energy & Water Appropriations Bill a strategic issue for the survivability of your organization? Probably not. It could, however, be financially painful. Is security a strategic issue for the survivability of your organization? Absolutely!
As previously discussed, recent security regulations are designed to compel water organizations to do a better job at managing risk. Risk management isn’t a one-time event. Risk must be managed on a daily basis within a water organization. At the strategic level, your security program is a reflection and execution of your risk management strategy (See Figure 2).
While it’s important to know detailed technical security concerns, it’s more important to understand how those concerns materialized in the first place and how you can improve and prevent them from recurring. We don’t mean “improve” by patching systems or changing the network services you run but, rather, how will you improve your processes to proactively address issues before they become audit findings?
Our interpretation of the Energy & Water Appropriations Bill, FERC’s requirements and the Sarbanes-Oxley Act (SOx) of 2002 is that they all address process and quality control as they relate to information technology (IT), and not one of them has anything to say about the technical aspects of information security. These regulations do, however, demand that water organizations define process, and not just a set of best practices but something much more concrete: a measurable risk management process.
Measure, monitor and manage
Counting how many viruses there are in the world or how many times an organization’s firewall has been hit does nothing to proactively illuminate the security risk that water organizations incur every day. Regulations are asking us to define risk quantitatively so that information security can be addressed in a consistent, predictable and repeatable way.
It isn’t simple to develop an overall measurement of the risk to information assets that accounts for the people, process and technology issues that make up information security. It’s possible, however, to take the available quantitative information describing specific technologies, analyze it using inferential statistics, and draw specific conclusions about how well people implement process.
Consider that a water organization’s IT infrastructure is largely comprised of software components running on hardware components. The software components can be decomposed to input, computational and output constructs. These software constructs are the building blocks of an IT infrastructure just as bricks and mortar are the fundamental components of a building.
Over the past few years, information security professionals (and regulators) have settled on categorizing information security along the dimensions of confidentiality, integrity, availability and audit. Attacks against information assets have been going on for as long as we’ve had computers, and there’s a wealth of data on how those attacks degrade the confidentiality, integrity, availability and/or audit characteristics of an organization’s information assets. For example, buffer overflows already existed 10 years ago, and with the data accumulated since then we can say with far more confidence whether software being constructed today is built in a way that leaves it vulnerable to buffer overflow attack.
A vulnerability scan only reflects the presence of a known set of software defects. What is needed instead is a risk index, based on how the implemented software is actually formulated at its most fundamental level.
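To make concrete what “how the software is formulated at its most fundamental level” means for one input construct, here is an added illustration in C. It is not code from the article or from Upstream Solutions, and it does not implement the Inferential Risk Method; the control record, field size and tag names are constructed for the example. The same input construct (copying an operator-supplied tag into a fixed-size field of a control record) is written twice: once unbounded, which is the formulation that leaves the software open to the buffer overflow class discussed above regardless of whether any scanner currently has a signature for it, and once bounded, which rejects input that does not fit and leaves the record unchanged.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the article or from Upstream Solutions.
 * Constructed record type: a fixed-size tag field followed by a setpoint. */
#define TAG_LEN 16

struct point_record {
    char tag[TAG_LEN];
    double setpoint;
};

/* Unbounded formulation of the input construct: the input length is never
 * compared with the field. Any tag of TAG_LEN or more characters overwrites
 * setpoint and whatever follows the record in memory. This is the construct
 * a risk index should count against the software, with or without a scanner
 * finding for it. */
void set_tag_unbounded(struct point_record *rec, const char *tag)
{
    strcpy(rec->tag, tag);
}

/* Bounded formulation: reject input that does not fit with its terminator
 * and leave the record unchanged. Returns 0 on success, -1 on rejection.
 * memchr bounded to TAG_LEN bytes never reads past the field size even if
 * the caller's string is unterminated within that window. */
int set_tag_bounded(struct point_record *rec, const char *tag)
{
    const char *end = memchr(tag, '\0', TAG_LEN);
    if (end == NULL)
        return -1;                       /* no terminator within the field */
    size_t n = (size_t)(end - tag);      /* n <= TAG_LEN - 1 here */
    memcpy(rec->tag, tag, n + 1);        /* copy including the terminator */
    return 0;
}

int main(void)
{
    struct point_record rec = { "PUMP01", 42.0 };
    /* Constructed input: a tag longer than the 15 characters the field holds. */
    const char *long_tag = "CHLORINE_RESIDUAL_ANALYZER_OUTLET_TRAIN_B";

    if (set_tag_bounded(&rec, long_tag) != 0)
        printf("rejected oversized tag; record unchanged (%s, %.1f)\n",
               rec.tag, rec.setpoint);
    if (set_tag_bounded(&rec, "CL2_AIT_101") == 0)
        printf("tag set to %s\n", rec.tag);
    /* set_tag_unbounded(&rec, long_tag) would corrupt setpoint; not called. */
    return 0;
}
```

The point for the article’s argument is that the two functions have identical behaviour on every input a vulnerability scanner is likely to exercise; only the formulation of the construct differs, and that is the property an index built on the building blocks of the software would measure.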
This isn’t to say vulnerability scans, penetration tests, access control audits or any other commonly used information security assessment techniques don’t have value—they do. They have enormous tactical value and yield many detailed insights into IT infrastructure. These commonly used techniques do not, however, have any power to illuminate the performance of a water company’s information security processes.
How do you know if a vulnerability scan or intrusion detection system improves your information security processes and/or reduces the risk to your information assets? You don’t. Only by considering risk as based upon an assessment of the most fundamental elements of IT infrastructure can we measure, monitor and manage the enterprise view of information security.
This approach should be a consistent and repeatable process that provides a quantifiable and objective evaluation of your risk, as required by the Energy & Water Appropriations Bill as well as FERC, SOx, GLBA, HIPAA, DITSCAP (see FYI) and other regulations. More importantly, a risk index as described enables managers within water companies to allocate their limited information security budgets with the confidence that every dollar spent is deployed toward the goal of reducing risk.
About the author
Art Drake is director of business assurance services for Minneapolis-based Upstream Solutions. The company has recently launched the Inferential Risk Method (IRM) that uniquely supports the water executive’s imperative to make information security more strategically managed and performance driven. Drake can be reached at (763) 377-3241 or website: www.upstreamsolutions.com