<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Interview - RiskInsight</title>
	<atom:link href="https://www.riskinsight-wavestone.com/en/category/formats-en/interview-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.riskinsight-wavestone.com/en/category/formats-en/interview-en/</link>
	<description>The cybersecurity &#38; digital trust blog by Wavestone&#039;s consultants</description>
	<lastBuildDate>Thu, 13 Apr 2023 15:01:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>https://www.riskinsight-wavestone.com/wp-content/uploads/2024/02/Blogs-2024_RI-39x39.png</url>
	<title>Interview - RiskInsight</title>
	<link>https://www.riskinsight-wavestone.com/en/category/formats-en/interview-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>[INTERVIEW] Operational resilience, how to recover after an attack!</title>
		<link>https://www.riskinsight-wavestone.com/en/2023/04/interview-operational-resilience-how-to-recover-after-an-attack/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/04/interview-operational-resilience-how-to-recover-after-an-attack/#respond</comments>
		
		<dc:creator><![CDATA[Roxane Bohin]]></dc:creator>
		<pubDate>Thu, 13 Apr 2023 15:01:50 +0000</pubDate>
				<category><![CDATA[Digital Compliance]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[conformité]]></category>
		<category><![CDATA[DORA]]></category>
		<category><![CDATA[Operational Resilience]]></category>
		<category><![CDATA[OpRes]]></category>
		<category><![CDATA[Résilience opérationnelle]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=20317</guid>

					<description><![CDATA[<p>Hello Roxane! Thank you for your time! Today, we’re going to talk about the Operational Resilience Maturity Assessment Framework. Could you summarize the tool in one sentence? To sum up, the Operational Resilience Maturity Assessment Framework is a tool that...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/04/interview-operational-resilience-how-to-recover-after-an-attack/">[INTERVIEW] Operational resilience, how to recover after an attack!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h4 style="text-align: justify;"><span style="color: #800080;">Hello Roxane! Thank you for your time! Today, we’re going to talk about the <em>Operational Resilience Maturity Assessment Framework</em>. Could you summarize the tool in one sentence?</span></h4>
<p style="text-align: justify;">To sum up, the <em>Operational Resilience Maturity Assessment Framework</em> is a tool that measures the level of operational resilience of an organization.</p>
<h4 style="text-align: justify;"><span style="color: #800080;"><strong>What is Operational Resilience?</strong></span></h4>
<p style="text-align: justify;">We believe that Operational Resilience (OpRes) is a young but increasingly unavoidable issue for our clients, especially for those in the financial sector. The United Kingdom has been a pioneer in this field, with an Operational Resilience Framework coming into force in March 2022, imposed by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). Similarly, the European Union is set to follow suit, with its Digital Operational Resilience Act (DORA). The underlying principle for both legal frameworks is the acknowledgement that many events, both internal and external, can disrupt the activities of banks and other organizations.</p>
<p style="text-align: justify;">Operational resilience therefore involves different sources of threats: from third parties (partners, suppliers, or service providers), pandemics, power failures, fire, to name but a few. From an organisational point of view, resilience is very often a program driven by the Head of Operational Resilience, the IT department or the risk division, and less often by a CISO.</p>
<h4 style="text-align: justify;"><span style="color: #800080;">Why did you create this tool? What problem does it solve for clients?</span></h4>
<p style="text-align: justify;">Under pressure from regulators, our clients have launched programs to increase their level of resilience, and therefore have had to measure their maturity level, both before and after these programs. <strong>Compliance is a good starting point, but it doesn&#8217;t go far enough</strong>! The idea of our Operational Resilience Maturity Assessment Framework is to provide a tool that encompasses both these new guidelines, and the best practices observed in the field. The tool is useful because it:</p>
<ul style="text-align: justify;">
<li>Measures the maturity of an organization, in terms of the methodologies and processes in place to address Operational Resilience.</li>
<li>Reports on the actual resilience capabilities at a given moment by analysing the tools and capabilities in place.</li>
<li>Facilitates the formalisation of a risk reduction plan and the management of resilience by highlighting the main areas that require more investment.</li>
<li>Integrates all Wavestone&#8217;s field experience in resilience from all our offices! Especially in the UK, where Operational Resilience is more advanced than in the European Union countries, we have been working on resilience projects for over 3 years.</li>
</ul>
<p style="text-align: justify;">It assesses the organisation’s processes and operational implementation with a form consisting of <strong>ninety questions spanning twelve major topics</strong>. For each question, a resilience score between 0 and 5 is assigned, and a list of evidence is provided to support this score.</p>
<p style="text-align: justify;">Customers are always keen to benchmark, and this has been incorporated into the assessment. Everything has been thought out to standardise the evaluations and thus allow clients to position themselves in the market; it&#8217;s a real value-add!</p>
<p style="text-align: justify;">As the regulatory landscape matures, we&#8217;ve identified a need to maintain a global view; firms must implement Horizon Scanning functions to stay ahead of regulators and the competition. Therefore, working in conjunction with our maturity assessment tool, we have an Operational Resilience Regulatory Radar which maps regulations across the globe according to the same themes. It is a live document, updated every quarter that provides a holistic view of OpRes regulation and allows the user to compare by both geography and topic.</p>
<h4 style="text-align: justify;"><span style="color: #800080;">Can you tell us about the last time you used it?</span></h4>
<p style="text-align: justify;"><strong>The trigger for the creation of the <em>Operational Resilience Maturity Assessment</em> was a UK project</strong> supporting a major bank. Initially, we provided a 360° analysis of their resilience during which we developed our first assessment framework. With it, we were able to establish four maturity levels of resilience: 1) &#8220;Insufficient&#8221;, 2) &#8220;Compliant&#8221;, 3) &#8220;Good Level&#8221; and 4) &#8220;Leader&#8221;. We were then able to position them on these 4 levels and provide relevant advice and feedback accordingly.</p>
<p style="text-align: justify;">Recently, we received a second assignment from another banking company, providing an opportunity to modify the assessment and make it more precise and extensive. We also modified our list of proofs that are used to position an organization against the correct maturity level, and added a 5th level of maturity, &#8220;The Pioneer&#8221;.</p>
<p style="text-align: justify;"><strong>Currently, we use this framework in the financial sector, which has a high level of maturity given the regulatory constraints and the sensitivity of the data it processes. For clients in other sectors, we would adapt the levels to align with the overall maturity of the market.</strong></p>
<h4 style="text-align: justify;"><span style="color: #800080;">Any final thoughts?</span></h4>
<p style="text-align: justify;">We think we can go even further in assessing resilience in a few years. The more feedback we get from the field, the more precise we will be on the required conditions to reach a level. For example, a player will be considered mature if it has the capacity to rebuild its AD in 3 hours. Just like on the CyberBenchmark. The next step would therefore be to define quantitative and/or qualitative indicators&#8230; And the only way to do this is to continue to confront the framework with reality!</p>
<p style="text-align: justify;">Although everything can be improved, we are still very proud of this tool which was built in collaboration with our customers and experts, and has already proved its worth.</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/04/interview-operational-resilience-how-to-recover-after-an-attack/">[INTERVIEW] Operational resilience, how to recover after an attack!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/04/interview-operational-resilience-how-to-recover-after-an-attack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>One month to assess your cybersecurity posture!</title>
		<link>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/#respond</comments>
		
		<dc:creator><![CDATA[Anthony GUIEU]]></dc:creator>
		<pubDate>Mon, 16 Jan 2023 09:00:00 +0000</pubDate>
				<category><![CDATA[Cyberrisk Management & Strategy]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[Assessment]]></category>
		<category><![CDATA[CyberBenchmark]]></category>
		<category><![CDATA[Maturity]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=19438</guid>

					<description><![CDATA[<p>Regularly rethinking your cyber strategy is a must for cybersecurity teams. Changes in the threat, regulations, business priorities, etc., necessitate an in-depth review of the action plan at least once every three years, or yearly, if necessary. To accomplish this,...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/">One month to assess your cybersecurity posture!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p style="text-align: justify;">Regularly rethinking your cyber strategy is a must for cybersecurity teams. Changes in the threat landscape, regulations, business priorities, etc., necessitate an in-depth review of the action plan at least once every three years, or yearly if necessary.</p>
<p style="text-align: justify;">To accomplish this, you must understand your starting point and your market position. Wavestone&#8217;s cybersecurity maturity assessment framework, which currently has the support of over 100 international organisations, was developed with this conviction.</p>
<p style="text-align: justify;"><strong><em>Discover how the CyberBenchmark works with Anthony GUIEU, the Cybersecurity Manager at Wavestone.</em></strong></p>
<h2 style="text-align: justify;">Hello Anthony. As a start, can you present CyberBenchmark in one sentence?</h2>
<p style="text-align: justify;">The CyberBenchmark is a comprehensive tool that allows companies to assess their level of cybersecurity, position themselves in relation to the market, and establish a roadmap, thanks to a questionnaire and a database of nearly 100 customers worldwide.</p>
<h2 style="text-align: justify;">Why did you create the CyberBenchmark when there are already many frameworks in the market?</h2>
<p style="text-align: justify;"><strong>We created the CyberBenchmark because many of our clients were concerned about where they stood in relation to the market.</strong> Historically, our clients were looking for absolute ratings against known frameworks such as NIST or ISO. But now, they are very much interested in knowing their relative position within their ecosystem. Our CyberBenchmark allows them to deal with both of these approaches simultaneously.</p>
<p style="text-align: justify;">CyberBenchmark also makes it possible to come up with slightly different angles of attack: there are issues on which our clients are not mature compared with the market, and prioritising these actions can make them progress. On the other hand, there are areas where they are not good and the market is also not mature; here the subject&#8217;s urgency must be put in context. Companies such as Gartner and Forrester provide general trends on major cyber issues, to which we add a <strong>concrete perspective based on our field observations with clients.</strong></p>
<p style="text-align: justify;">As soon as we built the CyberBenchmark, we realized that numerous competitors offer their own augmented versions of cyber security questionnaires. <strong>Our real added value is the market comparison: to date, nearly 100 clients have trusted us and been evaluated using this reference framework!</strong></p>
<h2 style="text-align: justify;">How does the CyberBenchmark work?</h2>
<p style="text-align: justify;">To have a coherent framework, we based ourselves on the existing frameworks, i.e., the security standards as per the market: ISO 27001/2, NIST, etc. This was necessary because our clients used these standards for assessing themselves. We <strong>added a questionnaire with our own feedback from the field</strong> to refine the maturity levels by theme. </p>
<p style="text-align: justify;"><strong>One of the added values of the CyberBenchmark is the granularity of the evaluation.</strong> It allows precise perimeter measurement in relation to their level of maturity. In concrete terms, it is possible to distribute the level of maturity for a given question with different levels: for example, 30% level 2, 60% level 3 and 10% level 4, which may be due to heterogeneous perimeters, initiatives in progress, etc. This <strong>enables us to quantify the value of projects that take a longer time to complete and are complex to implement over several perimeters</strong>: particularly in large groups by materialising their progress.</p>
<p style="text-align: justify;"><strong>Subsequently, each evaluation gives rise to a report in two parts:</strong></p>
<ul>
<li style="text-align: justify;">The first part is for top management, with budgetary ratios, human resources, and the level of maturity in relation to international standards.</li>
<li style="text-align: justify;">The second part is for the operational security staff, who identify good and bad practices as well as the actions to be launched as a priority. The objective is to develop recommendations and concrete measures to elevate the level of the organisation.</li>
</ul>
<h2 style="text-align: justify;"><strong>When should the CyberBenchmark be used?</strong></h2>
<ul style="text-align: justify;">
<li>In my opinion, this tool will be ideal for an organisation that wishes to rapidly identify its cybersecurity priorities</li>
<li><strong>The first results are quick</strong>: within a month itself, we were able to produce a deliverable for the Executive Committee that included specific action proposals</li>
<li>It is one of the few tools in the market that offers a <strong>comparison with competitors</strong></li>
<li>Unlike the traditional frameworks, our questionnaire addresses both <strong>governance and operational concerns</strong></li>
</ul>
<p><strong>The CyberBenchmark is also adaptable to all requirements and budgets</strong></p>
<ul style="text-align: justify;">
<li>The <strong>&#8220;quick&#8221; approach </strong>requires only a few interviews. It is based on a declarative evaluation to quickly determine the company&#8217;s level of maturity and the projects to be launched</li>
<li>The <strong>&#8220;complete&#8221; approach </strong>is based on an in-depth audit, dozens of interviews, a review of the evidence, and even additional technical tests (intrusion tests, Red Team, etc.)</li>
</ul>
<h2 style="text-align: justify;"><strong>Can you provide an example of a specific application of the CyberBenchmark?</strong></h2>
<p style="text-align: justify;">To illustrate the &#8220;rapid&#8221; approach, we recently used it to support a large industrial group in <strong>initiating a security process and challenging its executive committee</strong>. After 2 months of work and 5 workshops, we were able to provide a clear vision of the structure&#8217;s cybersecurity level and project a target level for 3 years, which got accepted by the Executive Committee.</p>
<p style="text-align: justify;">In terms of the comprehensive approach, over the last few months we have been working with a British bank on <strong>assessing its general cybersecurity posture and level of compliance with the reference frameworks</strong>. We mobilised a team of 10 consultants in 3 different countries to conduct more than 50 workshops and collect evidence. With this we were able to provide concrete and reliable feedback on the level of security and identify market-related investment priorities. These elements are also used in exchanges with their main regulators.</p>
<h2 style="text-align: justify;"><strong>A final word?</strong></h2>
<p style="text-align: justify;">Wavestone&#8217;s CyberBenchmark provides a broad view of the market&#8217;s level of maturity while delving deep into specific technical subjects. This is <strong>what makes it a differentiating asset for our clients, as they can position themselves against competitors within their sector on each of their topics</strong>. The priorities in terms of cybersecurity then emerge clearly for the client, allowing them to set an effective cyber budget. It is a real cyber strategy accelerator that has been tried and tested by numerous clients!</p>
<p style="text-align: justify;">We can easily generate statistics and trends using CyberBenchmark&#8217;s exclusive data: how many companies have deployed a security tool (EDR, bastion, probes, etc.), where they stand in terms of deployment, who is leading the market, and so on. According to the <a href="https://www.wavestone.com/fr/insight/cyberbenchmark-ou-en-sont-les-grandes-entreprises-francaises/"><strong>latest study on the maturity of French companies</strong></a>, <strong>the general level of maturity on our benchmark based on international standards (NIST CSF Framework and ISO 27001/2) is&#8230; 46%</strong>. Each year, we formalise our market knowledge and forecast strong sector and technical subject trends.</p>
<p style="text-align: justify;">Finally, as you would have understood, the <strong>CyberBenchmark evolves and develops</strong> as it is used by new companies. We now have a database of over 100 companies, which will enable us to open a new category in January: <strong>&#8220;Luxury goods &amp; Retail&#8221;</strong>, with more than ten companies with which we can refine the sector-specific analysis.</p>
<p style="text-align: justify;">If you are interested in positioning your organisation within the market, please do not hesitate to contact me or one of our experts. We will be able to guide you through this process. <a href="https://www.linkedin.com/in/anthony-guieu-5b699458/">LinkedIn</a></p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/">One month to assess your cybersecurity posture!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2023/01/one-month-to-assess-your-cybersecurity-posture/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>IAM has finally made it to the top of the IT department&#8217;s major transformation projects!</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/07/iam-has-finally-made-it-to-the-top-of-the-it-departments-major-transformation-projects/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/07/iam-has-finally-made-it-to-the-top-of-the-it-departments-major-transformation-projects/#respond</comments>
		
		<dc:creator><![CDATA[Patrick Marache]]></dc:creator>
		<pubDate>Fri, 22 Jul 2022 09:00:00 +0000</pubDate>
				<category><![CDATA[Digital Identity]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[IAM]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=18320</guid>

					<description><![CDATA[<p>The content of this article is taken from an interview conducted by Marc JACOB for Global Security Mag in March 2022, available here.   The obviousness of IAM, and the difficulty of the transformations it implies   Faced with the...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/07/iam-has-finally-made-it-to-the-top-of-the-it-departments-major-transformation-projects/">IAM has finally made it to the top of the IT department&#8217;s major transformation projects!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The content of this article is taken from an interview conducted by <strong>Marc JACOB</strong> for <strong>Global Security Mag</strong> in March 2022, available <a href="https://www.globalsecuritymag.fr/Le-cloud-grand-gagnant-des-projets,20220322,123426.html">here</a>.</p>
<h1><strong>The obviousness of IAM, and the difficulty of the transformations it implies</strong></h1>
<p>Faced with growing threats and new use cases (mobility, teleworking, cloud computing, etc.), IAM is no longer just an option. An efficient and agile identity and access management capability is now a major differentiator for organisations.</p>
<p>In essence, IAM sits at the crossroads of every structuring transformation. Firstly, it is a major pillar of any move towards a zero-trust approach. Secondly, it is a &#8220;basic&#8221; that is essential for serving users effectively and keeping them comfortable through every phase of transformation. Finally, it is obviously a differentiator in building the relationship with customers.</p>
<p>IAM can no longer simply &#8220;follow at a distance&#8221; behind the transformations of the enterprise by offering a minimal level of service that is difficult to evolve. It must be efficient, agile, and able to anticipate complex situations such as M&amp;As, the multiplication of APIs, or the shift to a &#8220;platform&#8221; economic model. These situations call for an in-depth rethink of the IAM service: its scope and ambition, policy and governance, delivery mode (on-premise vs. SaaS), service offering, economic model, and so on.</p>
<h1><strong>Deployment of IAM services in major accounts</strong></h1>
<h2><em>Market maturity: know how to evaluate your maturity in relation to the market in order to launch your transformation programme on a solid and objective basis</em></h2>
<p>The vast majority of large accounts have already carried out one or more projects leading to the deployment of IAM services. However, these deployments are often partial, and their maturity can vary greatly from one entity to another. Historically, these projects have run into a highly heterogeneous existing landscape (organisations, processes and information systems) and have lacked the legitimacy needed to make practices converge. Furthermore, IAM was often seen as a &#8220;one-shot&#8221; project, with resources that were often insufficient to follow and adapt to changes in the company (reorganisation, M&amp;A, application changes, etc.). These factors could lead to a &#8220;disconnect&#8221; between an IAM that is too static and real needs that are constantly evolving.</p>
<p>Deploying an IAM service is not simply a matter of putting a &#8220;box&#8221; into production. To gain the most benefit, it is necessary to rethink and simplify the organisation and its processes. It is therefore imperative to ask the following questions:</p>
<ul>
<li>How to manage the arrival of a new employee?</li>
<li>How to manage the internalisation of a service provider?</li>
<li>How can you model your business profiles? How to make them evolve over time?</li>
<li>How to involve managers and data managers in the IAM process?</li>
<li>How to deal with the loss of strong authentication means?</li>
<li>What standards should be imposed to simplify the connection of applications to the IAM?</li>
<li>How to ensure compliance with internal rules and regulations?</li>
</ul>
<p>For a few years now, we have seen real awareness and a desire on the part of our clients to take hold of IAM in order to make it more efficient, streamlined, and agile. This implies being able to arbitrate and carry out an in-depth transformation. In concrete terms, over the last 3 years, two-thirds of our clients have launched such IAM transformation programmes. These multi-year initiatives have gained in ambition, structure, investment, and visibility and now rank high in the &#8220;Top 5&#8221; of major IT transformation projects.</p>
<p>To launch such a programme, the first step is to assess the organisation&#8217;s real maturity, entity by entity, before defining a realistic transformation trajectory that unites the stakeholders. In a very simplified way, we can distinguish 4 levels of maturity:</p>
<ul>
<li><strong>Fragmented</strong>: the organisation does not have a consolidated approach</li>
<li><strong>Rationalised</strong>: the organisation’s IAM is simplified and centrally managed on core services</li>
<li><strong>Extended</strong>: the organisation’s IAM capabilities are adapted to an evolving I.S.</li>
<li><strong>Controlled</strong>: the organisation’s IAM is efficient, agile, and reduces workload through automation</li>
</ul>
<p>As a trend, we consider that most large companies sit on the intermediate levels of &#8220;Rationalised&#8221; and &#8220;Extended&#8221; and aim for a &#8220;Controlled&#8221; target that is based on:</p>
<ul>
<li>A <strong>central, unique, and optimised</strong> IAM infrastructure</li>
<li><strong>Delegated day-to-day</strong> management within each entity</li>
</ul>
<h2><em>5 keys to successfully operationalise your IAM strategy</em></h2>
<p>IAM is a vast subject in which it is easy to get lost. Moreover, the operational reality of IAM is often poorly understood, and the complexity of the transformation is underestimated.</p>
<p>To mitigate these risks, we propose 5 major keys:</p>
<ul>
<li><strong>Define your IAM ambition</strong> and ensure that this ambition is consistent with the resources allocated (sponsor, ability to move the lines, human &amp; financial resources etc.)</li>
<li>Take the time to <strong>understand the operational reality</strong> of IAM</li>
<li>Organise yourself in a <strong>transformation programme</strong> capable of addressing all facets</li>
<li>Prepare for an in-depth transformation by <strong>accepting to move forward in stages</strong>, with the <strong>compromises</strong>, and therefore the things given up, that the sum of the constraints requires</li>
<li><strong>Rely on real data</strong> to explain your trade-offs and to anticipate possible quality shortfalls</li>
</ul>
<h1><strong>Relying on IAM providers: trends and risks </strong></h1>
<h2><em>The IAM vendor market is becoming more structured and is moving to the Cloud</em></h2>
<p>The IAM provider market, like other specialised markets, is evolving as a result of changes in information systems: moving to the Cloud, offering more APIs, integrating data analysis and AI functionalities to simplify and automate decision making, etc.</p>
<p>In addition to these considerations, two trends specific to the IAM vendor market are emerging:</p>
<ul>
<li>Firstly, the leading Access Management players are looking to progressively extend their functional coverage towards Identity Management or PAM functionalities</li>
<li>Secondly, there are more and more players covering specific functional needs, such as IAI (Identity Analytics &amp; Intelligence), CIAM, or a platform developed directly on ServiceNow</li>
</ul>
<h2><em>The move to the cloud indicates changes in the architecture of IAM solutions</em></h2>
<p>A growing number of vendors are offering IAM solutions in the cloud. This movement aims to offer, in SaaS mode, the same functional coverage as on-premise applications. Depending on the services offered, they are structured around two components:</p>
<ul>
<li>A &#8220;Cloud&#8221; part that carries all the functionalities and stores the customers&#8217; data</li>
<li>An onsite &#8220;gateway&#8221; which provides the link with the legacy systems in place (for provisioning, for example). This allows better control of data exchanges and therefore contributes to securing the architecture</li>
</ul>
<p>Hence, this two-component architecture presents the same risks as any other Cloud service and must be addressed in the same way: What service levels are guaranteed? Where is my data stored? What about the protection of my data and compliance with standards (GDPR in particular)? Under what conditions can I change suppliers?</p>
<p>The geopolitical context increases these risks and adds the possibility of a service interruption should international sanctions be applied.</p>
<h1><strong>And the IAM of the future: what developments?</strong></h1>
<p>Tomorrow, IAM will continue its transformation towards greater agility, Cloud, standards &amp; integration, decision support, and automation, thanks to enhanced AI capabilities. As far as authentication is concerned, strong authentication is now a &#8220;basic&#8221;, and we expect two major developments:</p>
<ul>
<li>A rather technical evolution with &#8220;passwordless&#8221;, which aims to make passwords disappear, including, on the technical front, from application databases and from inter-application flows.</li>
<li>An evolution in the means of authentication given to users. Smartphones have become an established authentication factor. However, not all enterprise populations are equipped with one. While the &#8220;smart card&#8221; medium is losing ground, secure dongles (a hardware token that plugs into a computer, generally on an input/output port) seem to be gaining traction for those populations without smartphones.</li>
</ul>
<p> </p>
<p>Finally, in the longer term, IAM will certainly evolve under the impetus of the &#8220;privacy-by-design&#8221; approach, which is attracting growing interest and becoming more frequent, with good reason, especially with the growing generalisation of citizen identity (with an ad hoc level of enrolment) for commercial uses.</p>
<p> </p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/07/iam-has-finally-made-it-to-the-top-of-the-it-departments-major-transformation-projects/">IAM has finally made it to the top of the IT department&#8217;s major transformation projects!</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/07/iam-has-finally-made-it-to-the-top-of-the-it-departments-major-transformation-projects/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>S4x22 &#8211; Write up of the ICS cybersecurity conference</title>
		<link>https://www.riskinsight-wavestone.com/en/2022/05/s4x22-write-up-of-the-ics-cybersecurity-conference/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2022/05/s4x22-write-up-of-the-ics-cybersecurity-conference/#respond</comments>
		
		<dc:creator><![CDATA[Alexandrine Torrents]]></dc:creator>
		<pubDate>Mon, 09 May 2022 13:50:00 +0000</pubDate>
				<category><![CDATA[Interview]]></category>
		<category><![CDATA[Manufacturing & Industry 4.0]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[ICS]]></category>
		<category><![CDATA[SL4x22]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17889</guid>

					<description><![CDATA[<p>After the cancellation of S4x21 and the three-month postponement of S4x22 due to COVID, S4 was finally back from April 19th to April 21st, 2022! What is S4? A three-day conference, dedicated to ICS cybersecurity, held in Miami South Beach and organized...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/05/s4x22-write-up-of-the-ics-cybersecurity-conference/">S4x22 &#8211; Write up of the ICS cybersecurity conference</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>After the cancellation of S4x21 and the three-month postponement of S4x22 due to COVID, S4 was finally back from April 19th to April 21st, 2022!</p>
<h1>What is S4?</h1>
<p>A three-day conference dedicated to ICS cybersecurity, held in Miami South Beach and organized by Dale Peterson.</p>
<ul>
<li>Three stages: the Main Stage at the Fillmore theater, and stages 2 and 3, mainly for technical deep dives, at the ELV</li>
<li>The Cabana Sessions around the Surfcomber pool, to network and talk with vendors such as Dragos, Nozomi Networks, Phoenix Contact, Keysight and many others, but also to get a copy of the book “Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE)” signed by Andy Bochman and Sarah Freeman</li>
<li>the Welcome Party at the Botanical Garden</li>
</ul>
<p>This year, around 800 people attended the conference to create the future, and Wavestone was there through my participation as both an attendee and a speaker.</p>
<p>S4 actually started on April 18th with two specific events:</p>
<ul>
<li>The first ICS4ICS exercise (more on that later in this article)</li>
<li>The Women in ICS Security social event: more than 160 women attended the conference this year, and it was great to have the opportunity to meet incredible talents at a women-only event; it was the first time such an event was organized at S4, and I hope not the last!</li>
</ul>
<p>The talks started on April 19th, and Dale kicked off the event with a <a href="https://www.youtube.com/watch?v=B4bVXmQ945I">keynote</a> introducing this year’s theme: No Limits!</p>
<p>In this article, I am going to present some of my favorite talks.</p>
<p>If you are interested, all the videos will be released over the coming weeks on the S4Events YouTube channel: <a href="https://www.youtube.com/c/S4Events/videos">https://www.youtube.com/c/S4Events/videos</a>. The full S4x22 video release schedule is here: <a href="https://s4xevents.com/wp-content/uploads/2022/04/S4x22-Video-Release-Schedule.pdf">https://s4xevents.com/wp-content/uploads/2022/04/S4x22-Video-Release-Schedule.pdf</a>. Stay tuned!</p>
<h1>A Tale of Two (very different) Secure ICS Architectures</h1>
<p><em><strong>Speaker: Alexandrine TORRENTS, Wavestone</strong></em></p>
<p>Well, I can’t say this is my favorite talk but I have to start with this presentation as this year was a bit special for me: first time speaker at S4.</p>
<p>I had the opportunity to speak on the Main Stage, right after the keynotes, about ICS secure architectures.</p>
<p>No Limits! That gave me the idea of thinking about the future of ICS network architectures.</p>
<p>In this presentation, I compare and contrast the requirements, and the corresponding secure ICS network architectures, of two very different businesses within the same company: power plants and solar/wind farms.</p>
<p>I won’t detail the whole presentation today, as I will write a more detailed article in a few weeks, just in time for the release of the video on June 13th.</p>
<h1>Interview: CISA Director Jen Easterly</h1>
<p><strong><em>Dale Peterson interviewed CISA Director Jen Easterly on the Main Stage.</em></strong></p>
<p>The video of the interview is already available on S4Events YouTube channel: <a href="https://www.youtube.com/watch?v=xOdIUA4lWnI">https://www.youtube.com/watch?v=xOdIUA4lWnI</a></p>
<p>I found this interview very interesting, and also very inspiring.</p>
<p>Jen presented CISA’s goal (understand, manage and reduce risks) as well as specific objectives for 2022-2023.</p>
<p>One is process-oriented:</p>
<ul>
<li>Baseline goals have been defined to drive common baselines across all sectors.</li>
<li>Sector specific documents will be added in the next two years.</li>
</ul>
<p>Another is people-oriented:</p>
<ul>
<li>CISA wishes to expand its ICS team and is recruiting, especially senior ICS experts.</li>
<li>CISA will create an ICS JCDC workgroup (Joint Cyber Defense Collaborative) to unify defensive actions and drive down risk in advance of cyber incidents related to ICS. The workgroup will include both public and private sectors.</li>
</ul>
<p>Jen also talked about Shields Up (<a href="https://www.cisa.gov/shields-up">https://www.cisa.gov/shields-up</a>). Since Russia’s invasion of Ukraine, intelligence indicates that the Russian Government is exploring options for potential cyberattacks, and CISA is asking every organization to be prepared to respond to disruptive cyber incidents. They published several recommendations on their website.</p>
<p>This interview made me think about what could be done within the French cybersecurity agency (ANSSI) regarding ICS cybersecurity. From my understanding, the ICS expertise is spread across different business units. But what if there was a dedicated ICS cybersecurity task force driving all efforts?</p>
<h1>Security Truth or Consequences</h1>
<p><em><strong>Speaker: Dale Peterson</strong></em></p>
<p>Dale presented a hard security truth: cybersecurity controls at best reduce the likelihood of a successful attack, but they do not eliminate the possibility of compromise.</p>
<p>Indeed, even with the best security controls implemented and the best OT security program, organizations can be defeated by human errors, configuration errors, or 0-day vulnerabilities. It is not a game asset owners can win; they can only reduce the chances of losing.</p>
<p>But what if companies could shift to a consequence reduction mindset, and maybe win the cyber risk management game?</p>
<p>Let’s take the example of a glass manufacturer. One of the most sensitive PLCs controls the temperature of the oven; if this PLC is compromised, it could be very dangerous for the process. Of course, you can reduce the likelihood of this compromise by implementing security controls, such as network filtering. But what if the PLC gets compromised anyway? How could you reduce the impact and regain control of the process as quickly as possible?</p>
<p>Well, do not think only about cybersecurity; focus on the business and its resiliency. Adding a manual control on the production line could do the trick and ensure that the consequences of an attack are not that severe.</p>
<p>It is not always that simple, but I find it interesting to focus on consequences and find business-oriented solutions to reduce cyber risks.</p>
<p>Dale concluded his talk by presenting his 3-step approach for consequence reduction:</p>
<ul>
<li>Identify high-consequence events within your organization</li>
<li>Determine if a cyber attack can cause that event</li>
<li>If yes, find a way that it won’t</li>
</ul>
<p>This approach looks like a safety approach, but applied to additional consequences not covered by safety, such as loss of revenue.</p>
<h1>PIPEDREAM &amp; ICS Cyber Threat In 2022</h1>
<p><em><strong>Speaker: Rob Lee, Dragos</strong></em></p>
<p>Rob Lee was supposed to present his ICS cyber threat review, but given the recent news he focused on PIPEDREAM, the ICS attack toolkit/malware analyzed by Dragos: <a href="https://www.youtube.com/watch?v=H82sbIwFxt4">https://www.youtube.com/watch?v=H82sbIwFxt4</a></p>
<p>This toolkit was developed by the threat group Chernovite, and its capability has not been employed yet. PIPEDREAM seems to be the most flexible ICS attack framework to date. It uses ICS-specific protocols for reconnaissance and manipulation of PLCs.</p>
<p>The primary targets of the toolkit are PLCs from Omron and Schneider Electric, but PIPEDREAM’s capabilities could impact many more PLC vendors.</p>
<p><img fetchpriority="high" decoding="async" class="size-full wp-image-17890 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-chernovite-S422.png" alt="" width="451" height="240" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-chernovite-S422.png 451w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-chernovite-S422-359x191.png 359w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-chernovite-S422-71x39.png 71w" sizes="(max-width: 451px) 100vw, 451px" /></p>
<p> </p>
<p>Rob presented some of these capabilities, as well as potential attack scenarios following the ICS cyber kill chain:</p>
<ul>
<li>EVILSCHOLAR – A capability designed to discover, access, manipulate, and disable Schneider Electric PLCs.</li>
<li>BADOMEN – A remote shell capability designed to interact with Omron software and PLCs.</li>
<li>MOUSEHOLE – A scanning tool designed to use OPC UA and FINS protocols to enumerate PLCs and OT networks.</li>
<li>DUSTYTUNNEL – Custom remote operational implant capability to perform host reconnaissance and command and control.</li>
<li>LAZYCARGO – Drops and exploits a vulnerable ASRock driver to load an unsigned driver. Works on all Windows systems not just those with ASRock</li>
</ul>
<p>Dragos published a full report on pipedream: <a href="https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/">https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/</a></p>
<p>What I find most interesting in this toolkit is that it does not rely on many CVEs, but mainly on legitimate PLC functionalities and industrial protocols to target industrial control systems.</p>
<p>This toolkit was also analyzed by Mandiant, who called it INCONTROLLER. They also gave a presentation at S4 and published a detailed report of their analysis: <a href="https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool">https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool</a></p>
<h1>Unpwning A Building</h1>
<p><strong><em>Speaker: Peter Panholzer, Limes Security</em></strong></p>
<p>This presentation was quite original: cybersecurity experts had to exploit a vulnerability in order to resolve a cybersecurity incident.</p>
<p><strong>The incident</strong>: a building had a complete loss of its building automation system, based on KNX devices.</p>
<p><strong>The initial situation</strong>: the devices in the building were no longer operational, and the vendor recommended replacing them (cost &gt; 100k€).</p>
<p><strong>Idea to resolve the incident</strong>: the BCU key is a security parameter that protects a KNX device from being modified; the BCU key had probably been set on the devices by the attacker. The idea was to retrieve the BCU key and reprogram the devices.</p>
<p><strong>How</strong>: the cybersecurity experts asked for some sample devices and tried to read the key from them. They managed to dump the firmware of one of the devices and access its memory, which was not protected. Using a sliding window and some brute force, they retrieved the key, which was stored in clear text in memory.</p>
<p><strong>Resolution</strong>: fortunately (in this case), the key was the same for all devices, and it could be used to reset the devices and restart the building automation system.</p>
<p>   <img decoding="async" class="size-full wp-image-17902 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photos-S422-3.png" alt="" width="451" height="248" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photos-S422-3.png 451w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photos-S422-3-347x191.png 347w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photos-S422-3-71x39.png 71w" sizes="(max-width: 451px) 100vw, 451px" /></p>
<h1>Unprecedented Attack, Unprecedented Response &#8211; SUNBURST From The Inside</h1>
<p><em><strong>Speaker: Tim Brown, SolarWinds</strong></em></p>
<p>You’ve all heard about the SUNBURST cyberattack on SolarWinds, disclosed in December 2020. In this presentation, Tim Brown, CISO of SolarWinds, took us inside and explained how he managed this major incident in the first hours, days, weeks and months that followed.</p>
<p>Besides the presentation itself, which was very good, the most interesting point for me was the final thoughts, and the fact that this incident has raised the level of transparency expected of vendors.</p>
<p>This event caused many changes and has brought supply chain security even further to the front of cybersecurity discussions.</p>
<h1>Using NTIA’s VEX to Tame the Vulnerability Tsunami</h1>
<p><em><strong>Speaker: Eric Byres, aDolus Technology</strong></em></p>
<p>SBOM (Software Bill of Materials) was rather trendy this year at S4. Vendors and asset owners should have an SBOM listing all the components and libraries used in their products, and use it in their vulnerability management process to identify the patches to install.</p>
<p>With this, you could end up with thousands of vulnerabilities to patch. But is each vulnerability actually exploitable in your context?</p>
<p>Indeed, just because a vulnerability database references a particular software component doesn&#8217;t mean the vulnerability will actually be exploitable in every software product that includes that component. As a result, organizations can waste valuable time fruitlessly searching for and patching vulnerabilities, even though those vulnerabilities aren’t actually exploitable.</p>
<p>This is where VEX (Vulnerability Exploitability eXchange) comes in: a security advisory profile meant to be used in combination with an SBOM. It allows software suppliers to issue a standardized, machine-readable document stating whether or not their products are “affected” by one or more known component vulnerabilities.</p>
<p>You can use VEX for multiple use cases:</p>
<ul>
<li>Multiple products to one vulnerability: what products are affected by Log4j?</li>
<li>Multiple vulnerabilities to a specific product: which vulnerabilities affect the product I use?</li>
</ul>
<p>The status of a vulnerability in a VEX statement is one of: affected, not affected, fixed, or under investigation. A “not affected” status is expected to come with a justification (for example, that the vulnerable code is not in the execute path), which is what lets an asset owner check the claim rather than take it on trust.</p>
<p>VEX provides a method for asset owners to focus on exploitable vulnerabilities that present the most risk.</p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-17896 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S422-4.png" alt="" width="451" height="257" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S422-4.png 451w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S422-4-335x191.png 335w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S422-4-68x39.png 68w" sizes="auto, (max-width: 451px) 100vw, 451px" /></p>
<p>Once you have a list of the vulnerabilities that could actually be exploited in your product, as an asset owner you can use the SSVC (Stakeholder-Specific Vulnerability Categorization) methodology to decide what to do with each one in your context: patch now, patch during the next scheduled maintenance, or defer.</p>
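<p>To make the VEX status vocabulary and the SSVC-style triage above concrete, here is an added example in Python; it is not code from the talk, from aDolus or from NTIA. It joins a constructed SBOM fragment with a constructed vulnerability feed, applies the supplier's VEX statements, keeps only the findings that still need attention, and maps each one to the three outcomes mentioned above. The dictionary shapes are a simplification and not the CSAF or CycloneDX VEX schema; CVE-2021-44228 is the real Log4Shell identifier, the EXAMPLE-* identifiers are placeholders, and the two-input triage tree is an assumption (real SSVC deployer trees use more inputs and the Track/Attend/Act labels).</p>

```python
"""Added example (not from the talk, aDolus or NTIA): SBOM x feed join, VEX filtering
and a reduced SSVC-style triage. Data below is constructed for the example."""

from dataclasses import dataclass

# Status vocabulary of the VEX profile.
VEX_STATUSES = ("affected", "not_affected", "fixed", "under_investigation")
NO_STATEMENT = "unknown"   # local marker: the supplier has said nothing yet


@dataclass(frozen=True)
class Finding:
    product: str
    component: str
    version: str
    vuln_id: str
    status: str = NO_STATEMENT
    justification: str = ""


# Constructed SBOM fragment: product -> bundled (component, version) pairs.
SBOM = {
    "acme-hmi 4.2": [("log4j-core", "2.14.1"), ("openssl", "1.1.1k"), ("zlib", "1.2.11")],
}

# Constructed vulnerability feed: component -> ids published against it.
# CVE-2021-44228 is the real Log4Shell id; EXAMPLE-* ids are placeholders.
VULN_FEED = {
    "log4j-core": ["CVE-2021-44228"],
    "openssl": ["EXAMPLE-0001", "EXAMPLE-0002"],
    "zlib": ["EXAMPLE-0003"],
}

# Constructed VEX statements, keyed by (product, vulnerability id). Shape is a
# simplification of the CSAF VEX profile: a status plus an optional justification.
VEX = {
    ("acme-hmi 4.2", "CVE-2021-44228"): {"status": "affected"},
    ("acme-hmi 4.2", "EXAMPLE-0001"): {"status": "not_affected",
                                       "justification": "vulnerable_code_not_in_execute_path"},
    ("acme-hmi 4.2", "EXAMPLE-0002"): {"status": "fixed"},
    # EXAMPLE-0003 deliberately has no statement: silence is not "not affected".
}


def is_valid_statement(stmt):
    """A statement needs a known status, and not_affected needs a justification."""
    status = stmt.get("status")
    if status not in VEX_STATUSES:
        return False
    return status != "not_affected" or bool(stmt.get("justification"))


def sbom_findings(sbom, feed):
    """Naive SBOM x feed join: every vulnerability published for a bundled component.
    This is the long list of findings that VEX is meant to shrink."""
    return [Finding(product, comp, ver, vid)
            for product, comps in sbom.items()
            for comp, ver in comps
            for vid in feed.get(comp, [])]


def apply_vex(findings, vex):
    """Attach the supplier's status to each finding; a malformed statement is an
    error rather than something to ignore silently."""
    out = []
    for f in findings:
        stmt = vex.get((f.product, f.vuln_id))
        if stmt is None:
            out.append(f)              # keeps the NO_STATEMENT marker
            continue
        if not is_valid_statement(stmt):
            raise ValueError(f"malformed VEX statement for {f.vuln_id}: {stmt}")
        out.append(Finding(f.product, f.component, f.version, f.vuln_id,
                           stmt["status"], stmt.get("justification", "")))
    return out


def actionable(findings):
    """What still needs the asset owner's attention after VEX is applied."""
    return [f for f in findings if f.status in ("affected", "under_investigation", NO_STATEMENT)]


def triage(finding, exploited, mission_impact):
    """Reduced SSVC-style decision (assumption: only two inputs, active exploitation
    and mission impact, mapped onto the three outcomes the talk listed)."""
    if finding.status not in ("affected", "under_investigation", NO_STATEMENT):
        return "no action"
    if finding.status == "affected" and exploited:
        return "patch now"
    if finding.status == "affected" or mission_impact == "high":
        return "next maintenance window"
    return "defer"


if __name__ == "__main__":
    findings = apply_vex(sbom_findings(SBOM, VULN_FEED), VEX)
    for f in actionable(findings):
        print(f.vuln_id, f.status, triage(f, exploited=(f.status == "affected"), mission_impact="low"))
```

<p>The detail worth noticing is the last entry of the VEX table: a vulnerability the supplier has said nothing about stays on the work list, because the absence of a statement is not a “not affected”, and a “not affected” without a justification is rejected rather than trusted.</p>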
<p>Another S4 talk was related to this subject: CSAF, not SBOM, is the Solution, presented by Jens Wiesner from BSI. CSAF (Common Security Advisory Framework) is an open standard for machine-readable security advisories.</p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-17898 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-s422-5.png" alt="" width="451" height="253" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-s422-5.png 451w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-s422-5-340x191.png 340w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-s422-5-71x39.png 71w" sizes="auto, (max-width: 451px) 100vw, 451px" /></p>
<h1>Top 20 PLC Secure Coding Practices</h1>
<p><em><strong>Speakers: Vivek Ponnada, Nozomi Networks and Josh Ruff, Deloitte</strong></em></p>
<p>The Top 20 PLC Secure Coding Practices are the result of a community effort to provide guidelines to the engineers who write PLC programs (ladder logic, function charts, etc.), to help improve the security posture of industrial control systems: <a href="https://plc-security.com/">https://plc-security.com/</a></p>
<p>The idea came from a talk at S4x20 where Jake Brodsky asked why engineers and technicians aren’t trained to code and configure PLCs in a secure manner, and then gave examples of what should be taught and done.</p>
<p>The aim of this session was to present some of the practices in detail and with concrete examples.</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-17894 aligncenter" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4-22-5.png" alt="" width="451" height="242" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4-22-5.png 451w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4-22-5-356x191.png 356w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4-22-5-71x39.png 71w" sizes="auto, (max-width: 451px) 100vw, 451px" /></p>
<p>Below are two of the practices that were presented:</p>
<ul>
<li>Practice #3: Leave operational logic in PLC</li>
</ul>
<p>While HMI visualization software provides some level of coding capability, this functionality should not be used for control or safety coding.</p>
<p>The idea with this practice is to make sure that the checks are performed by the PLC itself and not by the HMI. That way, if you bypass the HMI and send a request directly to the PLC, the PLC won’t blindly accept it but will run its own checks to make sure the request makes sense.</p>
<p>It is similar to the OWASP recommendation for web applications: implement the controls on the server side, not on the client side.</p>
<ul>
<li>Practice #7: Validate paired inputs/outputs</li>
</ul>
<p>When mutually exclusive paired inputs or outputs that physically cannot happen at the same time (e.g., motor start/stop, valve open/close) are asserted simultaneously, this may indicate a sensor failure or malicious activity.</p>
<p>The idea with this practice is to implement checks based on inputs/outputs that are linked together. For example, a compressor cannot be started and stopped at the same time, yet an attacker could assert both the start and stop outputs simultaneously. To avoid that, a single output can be used to run the compressor, combined with interlocks and delay timers.</p>
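<p>As an added example (not code from the Top 20 PLC Secure Coding Practices project or from the talk), the following Python model of a compressor's control logic over successive PLC scan cycles shows practices #3 and #7 together: the PLC range-checks an HMI setpoint itself, and the mutually exclusive start/stop inputs are validated while a single RUN output is driven through an interlock and a restart delay timer. Tag names, the setpoint band and the delay value are assumptions made for the example; a real PLC program would express the same logic in ladder or structured text.</p>

```python
"""Added example (not from the Top 20 PLC Secure Coding Practices project): a model
of practices #3 and #7 over PLC scan cycles. Limits and names are assumptions."""

from dataclasses import dataclass

SETPOINT_MIN_BAR, SETPOINT_MAX_BAR = 1.0, 8.0   # assumed safe band, enforced in the PLC
RESTART_DELAY_SCANS = 5                        # assumed anti-cycling delay, in scan cycles


@dataclass
class CompressorState:
    run: bool = False          # the single RUN output (no separate START/STOP outputs)
    fault: str = ""            # latched fault text, empty when healthy
    off_scans: int = 1000      # scans elapsed since RUN last dropped (starts "long ago")
    setpoint_bar: float = 2.0  # last accepted discharge-pressure setpoint


def validate_setpoint(state, requested_bar):
    """Practice #3: range-check the HMI request in the PLC and keep the old value if
    it is outside the band, whatever the HMI claims to have checked."""
    if not (SETPOINT_MIN_BAR <= requested_bar <= SETPOINT_MAX_BAR):
        return False
    state.setpoint_bar = requested_bar
    return True


def scan(state, start_cmd, stop_cmd, pressure_ok, reset_cmd=False):
    """One scan cycle. Returns the RUN output after evaluating the inputs."""
    # Practice #7: START and STOP cannot physically be asserted at the same time.
    # Seeing both means a wiring/sensor failure or someone writing the coils
    # directly, so latch a fault instead of guessing which one to honour.
    if start_cmd and stop_cmd:
        state.fault = "start and stop asserted together"
    elif reset_cmd:
        state.fault = ""       # an explicit operator reset clears a latched fault

    permissive = pressure_ok and not state.fault   # interlock chain for RUN

    if state.run and (stop_cmd or not permissive):
        state.run = False
        state.off_scans = 0    # start the restart delay timer
    elif not state.run:
        state.off_scans += 1
        # Restart only on START, with the interlock satisfied and the delay expired.
        if start_cmd and permissive and state.off_scans > RESTART_DELAY_SCANS:
            state.run = True
    return state.run


def run_sequence(state, steps):
    """Apply (start, stop, pressure_ok, reset) input tuples scan by scan and return
    the RUN output observed after each one."""
    return [scan(state, *step) for step in steps]


if __name__ == "__main__":
    s = CompressorState()
    print(validate_setpoint(s, 50.0), s.setpoint_bar)   # rejected, setpoint unchanged
    attack = [
        (True, False, True, False),   # normal start
        (True, True, True, False),    # both coils forced at once: fault, RUN drops
        (True, False, True, False),   # START alone is ignored while the fault is latched
        (False, False, True, True),   # operator reset
    ] + [(True, False, True, False)] * 4   # restart has to wait out the delay
    print(run_sequence(s, attack))
```

<p>The sequence in the main block models an attacker forcing both command coils at once: the fault latches, the RUN output drops, a lone START is ignored until an operator resets the fault, and even then the restart has to wait out the delay timer. Whoever bypasses the HMI only reaches the command inputs; the decision to run stays in the PLC logic.</p>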
<p>If you already know the Top 20 PLC Secure Coding Practices, you won’t learn much from this presentation, but I think it is a great introduction to the mindset behind these practices.</p>
<p>Interestingly, several other talks this year were linked to PLC secure coding practices:</p>
<ul>
<li>PLC EDR: Model Checking of Logic</li>
<li>PLC Library to Detect Abnormalities</li>
</ul>
<p>You can find out more about these presentations, and others, in Arnaud SOULLIE’s video on S4: <a href="https://www.youtube.com/watch?v=9XCNjmKJiTk">https://www.youtube.com/watch?v=9XCNjmKJiTk</a></p>
<h1>ICS4ICS: Results of the First Major Exercise</h1>
<p><em><strong>Speaker: Megan Samford, Schneider Electric</strong></em></p>
<p>As mentioned earlier, S4 hosted the first ICS4ICS exercise on April 18th. ICS4ICS stands for Incident Command System for Industrial Control Systems.</p>
<p>At S4x20, Megan Samford pointed out that cyber was the only designated federal disaster type not using the Incident Command System as its response framework.</p>
<p>Since 2020, a team of more than 1,000 volunteers has been assembled to create a global framework of cyber responders.</p>
<p>The Incident Command process is based on the Planning P cycle, which provides a proven, structured process to manage any incident with a standardized approach to organizing and executing the work.</p>
<p><img loading="lazy" decoding="async" class="size-full wp-image-17900 alignleft" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4226.png" alt="" width="422" height="545" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4226.png 422w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4226-148x191.png 148w, https://www.riskinsight-wavestone.com/wp-content/uploads/2022/05/photo-S4226-30x39.png 30w" sizes="auto, (max-width: 422px) 100vw, 422px" /></p>
<p>The objective of the exercise was to present this methodology, as well as the set of documents and templates that can be used to track a cyber incident:</p>
<ul>
<li>Cover Sheet</li>
<li>ICS-202 Incident Objectives</li>
<li>ICS-203 Organization Assignment List</li>
<li>ICS-204 Assignment List</li>
<li>ICS-205A Communications List</li>
<li>ICS-207 Incident Organization Chart</li>
<li>ICS-208 Safety Message/Plan</li>
<li>ICS-214 Activity Log</li>
</ul>
<p>The goal for ICS4ICS after S4x22 is to expand its capabilities by:</p>
<ul>
<li>Conducting ICS4ICS exercises globally</li>
<li>Offering ICS4ICS credentials and training globally</li>
<li>Supporting more complex incidents</li>
</ul>
<p>Of course, ICS4ICS is more of an organizational framework and gives no guidance on the cyber incident itself. In the next few years, I would be interested in insights on how companies actually used this framework and how it helped their ICS cyber incident response.</p>
<p>Finally, if you still have time, I recommend the following presentations as well:</p>
<ul>
<li>Cyber Conflict and International Relations</li>
<li>Assessing the Balance Between Visibility and Confidentiality in ICS Network Traffic</li>
<li>Inside Industroyer2 and Sandworm’s Latest Cyberattacks Against Ukraine</li>
<li>The Great Debate: Cyber Insurance Will Play A Major Role In OT Risk Management</li>
<li>When C-SHTF: Lessons Learned from the Front Lines in OT Incident Response</li>
</ul>
<p>S4x22 was great! So many good talks, but also (and above all) the opportunity to see so many familiar faces of the ICS community again and to meet new people.</p>
<p>I am already looking forward to S4x23, which will take place from February 13th to February 16th, 2023. Next year, the conference will still be in Miami South Beach, but at the Loews, as the Fillmore will be under renovation.</p>
<p> </p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2022/05/s4x22-write-up-of-the-ics-cybersecurity-conference/">S4x22 &#8211; Write up of the ICS cybersecurity conference</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2022/05/s4x22-write-up-of-the-ics-cybersecurity-conference/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cloud security challenges and trends, interview with Vincent Ferrie</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/12/cloud-security-challenges-and-trends-interview-with-vincent-ferrie/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2021/12/cloud-security-challenges-and-trends-interview-with-vincent-ferrie/#respond</comments>
		
		<dc:creator><![CDATA[Vincent Ferrie]]></dc:creator>
		<pubDate>Wed, 22 Dec 2021 09:47:20 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Cloud security]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17476</guid>

					<description><![CDATA[<p>Vincent, can you tell us about the cloud and the challenges of securing it? First of all, it is important to know that cloud security is particularly different depending on the type of cloud and the way cloud services are...</p>
<p>This article <a href="https://www.riskinsight-wavestone.com/en/2021/12/cloud-security-challenges-and-trends-interview-with-vincent-ferrie/">Cloud security challenges and trends, interview with Vincent Ferrie</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: justify;">Vincent, can you tell us about the cloud and the challenges of securing it?</h1>
<p style="text-align: justify;">First of all, it is important to know that cloud security is particularly <strong>different depending on the type of cloud </strong>and the way cloud services are consumed. Among these services, there are <strong>three main categories</strong>: SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service).</p>
<p style="text-align: justify;">Overall, cloud security is quite distinct between the PaaS / IaaS part and the SaaS part. This is materialized by the principle of the <strong>shared responsibility model</strong>. When consuming a cloud service, the customer will have access to a certain perimeter with a certain number of data layers or infrastructure depending on the category of cloud service.</p>
<p style="text-align: justify;">This model makes it possible to determine on <strong>which perimeter of the service the responsibility of the cloud provider or that of the customer is engaged</strong>. The security part will also be shared on the data layers for which the customer is responsible; it thus requires the <strong>customer to ensure the security </strong>of its perimeter.</p>
<p style="text-align: justify;">In the context of SaaS, to give an example, Microsoft Office 365 is a service where the customer integrates its data and does not have access to all the lower layers of the service. The customer has little access to the configuration of the service, and therefore to its security; it can contractually require a level of security from the provider, who has control over the configuration of the service.</p>
<p style="text-align: justify;">On the contrary, with PaaS or IaaS solutions, the customer will have access to the lower layers and will therefore be responsible for configuring them to ensure their security if they are not managed by the service provider. The customer can still require certain elements, but will be responsible for a significant part of the configuration and secure use of the cloud service.</p>
<p style="text-align: justify;">The security of the cloud raises a particularly contractual issue since it is not the customer&#8217;s service itself but that of a third party. This raises security issues, and in particular the question of what the customer can demand of its supplier in terms of data security. These requirements are likely to change depending on the nationality of the supplier.</p>
<p style="text-align: justify;">This security issue also leads to organizational changes. The consumption of cloud services must involve rethinking the organization of the IT department and the way it operates in the broadest sense, with security included in the new processes. In this agile approach, security must also be included with DevSecOps-type practices.</p>
<p style="text-align: justify;"> </p>
<h1 style="text-align: justify;">What are the market trends?</h1>
<p style="text-align: justify;">Just a few years ago, customers were reluctant to move towards cloud solutions, but <strong>today, the subject has gained consensus </strong>and <strong>is becoming more and more important</strong>. One of the major factors in its development is the Office 365 solution from Microsoft Azure.</p>
<p style="text-align: justify;">The market trend on the customer side is to launch large cloud migration programs in order to be supported in this process, especially if they have to use single or multiple providers. The topic of multi-sourcing is particularly important at the moment. Customers are also asking how to organize their IT departments to adopt agile and DevOps principles to achieve their transformation in an intelligent way. The goal is not to &#8220;lift and shift&#8221; an existing on-premise application, integrating it directly into the cloud without making any changes or redesigns.</p>
<p style="text-align: justify;">Customers are realizing that <strong>managing their information systems involves very high costs </strong>and that this does <strong>not correspond to their core business</strong>. The cloud offer allows companies with this expertise, the service providers, to carry out the migration of these cloud platforms. This allows the customer to focus on their business processes and <strong>reduce the time to market</strong>, the time it takes to realize an initial idea and deliver a finished product to consumers.</p>
<p style="text-align: justify;">In terms of security, a trend for large programs is to accompany cloud migrations in a secure manner. This involves several elements:</p>
<ul style="text-align: justify;">
<li>Support in <strong>contracting with the cloud provider </strong>regarding the shared responsibility model and what the customer can or cannot migrate;</li>
<li>On the organization of the IT department to become <strong>DevSecOps</strong>, an approach that allows the integration of security in the entire life cycle of projects, from development to implementation, using flexible methods and the DevOps approach;</li>
<li>For more advanced customers who have already started a migration and who already have a multicloud, the objective is to accompany them in the harmonization of these different cloud platforms, in particular security.</li>
</ul>
<p style="text-align: justify;">The trend among cloud security vendors is to <strong>offer multi-cloud solutions, </strong>but at the same time to compartmentalize the different types of cloud (IaaS, PaaS, SaaS) in order to offer <strong>specialized tools</strong>. The latest trend in the market is the so-called CSPM (Cloud Security Posture Management) tools, which enable compliance checks to be carried out on multi-cloud platforms. In terms of encryption, which is a sensitive issue for our customers, the dynamics of multicloud support are based on service offers such as HSMaaS or KMSaaS. These enable the provisioning of keys belonging to the customer &#8211; of the BYOK type &#8211; that can be used from one cloud to another.</p>
<p style="text-align: justify;">From a technological point of view, the underlying trend remains <strong>serverless</strong>. This is a cloud development model that allows developers to create and run applications without having to manage servers. Containerization and Dockers or Kubernetes technologies are currently being deployed on a large scale by our customers, leading to major security issues.</p>
<h1 style="text-align: justify;">What are the difficulties our clients encounter on the topics covered? How is this a real challenge?</h1>
<p style="text-align: justify;">Customers with low maturity on the subject who are reluctant to migrate to the cloud are generally entities that handle data with a very high level of confidentiality (e.g. healthcare providers, military, etc.). They wonder how they can trust an American company. Currently, when we talk about the cloud, we are mainly talking about American players: Microsoft, Amazon and Google, which own almost the entire public cloud market.</p>
<p style="text-align: justify;">To answer this question, we emphasize that when you use a cloud provider, you must <strong>have total confidence in it</strong>. The objective is to define the contractual part upstream of the customer&#8217;s migration to ensure total confidence in the supplier. This can be regarding access to the data that will be transmitted. This can be done through a contractual guarantee, security controls, etc. Note that encryption will never prevent the provider from accessing the data, so it is important to ensure that the cloud is secured against real threats.</p>
<p style="text-align: justify;">Of course, there is <strong>a very small risk that the provider can access your data, </strong>since it is transmitted to them, but the risk is negligible compared to the <strong>risk as a customer of misconfiguring the cloud service</strong>. Thus, the main security incidents in the Cloud concern <strong>the theft of data exposed publicly through storage services </strong>(S3 bucket, Azure storage, etc.). The provider&#8217;s responsibility is not engaged in these cases since it is up to <strong>the customer to guarantee the correct configuration of the PaaS services he uses so that they are used in private and not exposed mode. </strong></p>
<p style="text-align: justify;">This obviously requires an effort on skills to consume cloud services in an intelligent way while securing it.</p>
<p style="text-align: justify;">For more advanced customers<strong>, vendor locking </strong>is a dominant issue. If the cloud provider with which the customer is collaborating goes out of business or is unavailable for a certain period of time, the customer loses access to its IS. This is why customers are turning to multi-cloud strategies.</p>
<h1 style="text-align: justify;">How can we address these issues and how can Wavestone help?</h1>
<p style="text-align: justify;">At Wavestone, we believe that the cloud can be <strong>a facilitator for IS security</strong>. A gateway to build an IS on a <strong>sound foundation </strong>and rely on <strong>technologies that work</strong>. You can take advantage of this to put security in the right place from the start, and one of the keys to achieving this is <strong>automation</strong>.</p>
<p style="text-align: justify;">Automation must be implemented in deployment, infrastructure and security to achieve true value. If the customer sets <strong>the right security rules </strong>and these technical rules are translated into the integration and deployment chains (CI/CD), the customer will have the guarantee that the deployment of its resources and infrastructures will be secure as soon as they are deployed.</p>
<p style="text-align: justify;">Wavestone <strong>also assists clients in contracting </strong>with cloud providers. We help our clients <strong>build landing zones</strong>, i.e. the basis of the security architecture that will be deployed in the cloud. Our teams are embedded in cloud centers of excellence at our customers&#8217; sites and work every day to secure cloud infrastructures. We also have the capacity to <strong>help our customers in their agile transformation</strong>, particularly on DevSecOps issues, in order to bring security closer to their projects.</p>
<h1 style="text-align: justify;">The future of cloud security</h1>
<p style="text-align: justify;">The emerging trend of the moment is <strong>Zero Trust</strong>. This is a new security model that responds to the current challenges of cloud and mobility of people and data. The Zero Trust model aims at <strong>granting access on a need-to-know basis and thus putting security closer to the resources</strong>.</p>
<p style="text-align: justify;">The objective is to put the user back at the center with the guarantee of the least privilege and to control access to a resource each time someone expresses the need for it. This verification will be done regardless of its origin even if it is an internal collaborator. Identity and authentication are at the center, as are the means of detection and control.</p>
<p style="text-align: justify;">The definition of least privilege allocation algorithms and the systematic verification of each new entry request are vast topics around identity governance for our customers. Their technological translation, as with Azure AD to quote Microsoft&#8217;s technology, requires solid technical knowledge and change management support to be able to identify and configure the right authentication means (MFA, temporary rights allocation, etc.) and controls (Conditional Access Policy, sign-in logs, etc.) available.</p>
<p style="text-align: justify;">This model is <strong>particularly well suited for cloud use </strong>since most public cloud providers allow the use of more reliable and configurable technologies than on-premise to manage identities, authentication and detection.</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/12/cloud-security-challenges-and-trends-interview-with-vincent-ferrie/">Cloud security challenges and trends, interview with Vincent Ferrie</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2021/12/cloud-security-challenges-and-trends-interview-with-vincent-ferrie/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>MI and tooling at the heart of operational resilience management, Roxane Bohin interview</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/12/mi-and-tooling-at-the-heart-of-operational-resilience-management-roxane-bohin-interview/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2021/12/mi-and-tooling-at-the-heart-of-operational-resilience-management-roxane-bohin-interview/#respond</comments>
		
		<dc:creator><![CDATA[Roxane Bohin]]></dc:creator>
		<pubDate>Wed, 15 Dec 2021 13:09:38 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[cyberresilience]]></category>
		<category><![CDATA[steering]]></category>
		<category><![CDATA[tooling]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17457</guid>

<description><![CDATA[<p>Roxane, could you please introduce us to operational resilience management? Dashboards and KPIs that convey concrete messages and calls for action are often what drives the success of operational resilience initiatives. Operational resilience brings together and harmonises multiple disciplines...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/12/mi-and-tooling-at-the-heart-of-operational-resilience-management-roxane-bohin-interview/">MI and tooling at the heart of operational resilience management, Roxane Bohin interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1><strong>Roxane, could you please introduce us to operational resilience management?</strong></h1>
<p>Dashboards and KPIs that convey concrete messages and calls for action are often what drives the success of operational resilience initiatives.</p>
<p>Operational resilience brings together and harmonises multiple disciplines that were previously managed in silos: business continuity, IT and disaster recovery, incident and crisis management (IT, business and cyber), cyber defence, third party management, and operational risk management.</p>
<p>In order to coordinate and orchestrate these disciplines effectively to establish an accurate picture of the overall resilience, companies need to analyse their data in relation to these topics. This requires a complete mapping of critical services (Important Business Services), their dependencies (business processes, applications, suppliers, teams, buildings, etc.) and testing.</p>
<p>To make this possible, there is a real need for tools and automation. This is also why we are seeing more end-to-end solutions for operational resilience management emerging in the market, from specialist vendors such as Fusion Risk Management and Castellan, to non-specialist ones, such as ServiceNow.</p>
<h1><strong>What are the challenges in the field? </strong></h1>
<p>Depending on the company’s maturity, each stage of the process may pose challenges or difficulties.</p>
<h2><strong>Challenge 1: Data Model</strong></h2>
<p>The operational resilience data model must be created in consideration of Important Business Services and their respective dependencies. Preferably, an organisation would reuse existing inventories (e.g. CMDB, supplier inventories, BIAs, HR systems, etc.) and run workshops to leverage the knowledge of their business representatives and IT experts, suppliers, etc. The challenge stems from the need to rationalise all the elements into a format that enables data analysis. This means that even if one starts with Excel, it is important to first define the precise rules (common referencing system, one piece of information per line, etc.).</p>
<h2><strong>Challenge 2: Identifying gaps </strong></h2>
<p>Once this mapping is carried out, companies need to identify threats linked to the end-to-end service and existing resilience capabilities to mitigate them. These capabilities can be specific to a dependency or broader. This allows the creation of indicators that show resilience gaps. Overall, there can be two types of gaps:</p>
<ol>
<li>
<h3>A dependency with insufficient contingency plans</h3>
</li>
</ol>
<p>This can be identified in the initial analysis, through existing controls, or through testing.</p>
<p>Example: A person wants to withdraw cash. Normally, this service is available through an ATM. Several elements are necessary for ‘normal’ service to function properly:</p>
<ul>
<li>Physical ATM itself</li>
<li>Customer authentication system via their bank card</li>
<li>Customer account management software provided by a third party to check the balance</li>
</ul>
<p>The following threats may affect this service:</p>
<ul>
<li>Major IT loss (whether or not caused by a cyberattack)</li>
<li>Loss of the software provider</li>
<li>Physical incident affecting the ATM</li>
</ul>
<p>We shall assume that 4 hours is the period before the inability to withdraw cash becomes an intolerable source of harm to the customer (which is also known as the impact tolerance). With this context in mind, the bank needs to consider the following questions to identify resilience gaps:</p>
<ul>
<li><strong>Recovery Time Objective (RTO):</strong> In the event of a computer loss, can the ATM and authentication system be brought back online within 4 hours according to their RTO? Has it been tested?</li>
<li><strong>Exit plan</strong>: In the event of a major breakdown or bankruptcy of the account management software provider, is there an alternate provider the bank can turn to for delivering the service without intolerable delay? Alternatively, is there a way to bring the activities in-house?</li>
<li><strong>Contingencies</strong>: Is there a degraded process for dispensing cash, for example, by replacing a faulty ATM? What are the dependencies for this process? Can it be done without an IT system?</li>
</ul>
<p>Once these gaps have been identified, you can then calculate resilience scores for individual components.</p>
<ol start="2">
<li>
<h3>Absence of a core resilience capability</h3>
</li>
</ol>
<p>A range of operational resilience capabilities is needed in every organisation, which includes business and IT continuity, third party management, cyber defence, disaster recovery and crisis management. We have identified a list of 50 generic core capabilities, linked to the most common threats, and are deploying this framework with our clients to measure the overall operational resilience maturity level.</p>
<p>Examples of key capabilities include:</p>
<ul>
<li>Crisis management: alternative communication channel</li>
<li>Disaster recovery: Cyber vault</li>
<li>Third party management: Crisis SLAs with third parties</li>
<li>Business and IT continuity: degraded processes without IT</li>
<li>Cyber defence: emergency authentication procedure</li>
</ul>
<h2><strong>Challenge 3: Governance </strong></h2>
<p>Finally, governance is required to ensure that operational resilience data is maintained up to date, such that accurate reporting can be delivered to aid decision-making in the right forums. For instance, any initiatives to remediate identified resilience gaps require management buy-in and funding, and management can only make the right decision and prioritise initiatives based on what is being reported in official reports.</p>
<h2>Finally, what should be measured?</h2>
<p>The underlying question in MI is: how well is your organisation prepared to withstand a major incident?</p>
<ul>
<li>Are the dependencies identified?</li>
<li>Are the necessary documentations in place?</li>
<li>Are the threats known?</li>
<li>Are controls in place to indicate a gap?</li>
<li>Are the company&#8217;s employees prepared to respond and minimise the operational impact of a major incident?</li>
</ul>
<h1><strong>What are customers&#8217; expectations?</strong></h1>
<p>As of today, through supporting our clients in their Operational Resilience program, we have identified three common themes with regard to our clients’ expectations around operational resilience projects:</p>
<ol>
<li>Clients need help with creating an inventory and rationalising multiple sources with various data formats to be incorporated into the data model.</li>
<li>Clients regularly require support with creating reporting. This can be in the form of designing useful KPIs that can be translated into actionable items and a driver for the decision-making process, or creating dashboards in data visualisation tools such as PowerBI.</li>
<li>There is an increasing demand for sourcing and deployment of operational resilience tools. Wavestone can help companies find the right tool that suits their needs via:
<ul>
<li>Performing a benchmark</li>
<li>Gathering requirements and specifications through workshops with future users</li>
<li>Creating an RFP and a suitable scoring mechanism to evaluate vendors</li>
</ul>
</li>
</ol>
<p>In fact, a great example showcasing our expertise in this particular area, helping our clients with sourcing and the deployment of operational resilience tools, is Wavestone’s second edition of the <a href="https://www.wavestone.com/en/insight/operational-resilience-tooling-panorama-2021/">Operational Resilience Tooling Panorama</a>. It captures the main market players across a range of topics such as emergency notifications, resilience management (mapping, testing, dashboards), crisis management and business or cyber incident simulation (cyber range). The radar is also built to encompass a wide spectrum of players, from disruptive innovators to traditional players, and from start-ups to large organisations.</p>
<h1><strong>Any final advice for readers? </strong></h1>
<p>For French clients who have not yet launched an operational resilience program, there are two pieces of advice:</p>
<ul>
<li>As soon as the mapping is done, you need to think about how to store the data (i.e. the data model). Excel may not be sufficient as a tool to ensure the sustainability of the model.</li>
<li>Do not hesitate to re-use what your company already has in terms of business and IT continuity, third party management, cyber defence, IT reconstruction and crisis management.</li>
</ul>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/12/mi-and-tooling-at-the-heart-of-operational-resilience-management-roxane-bohin-interview/">MI and tooling at the heart of operational resilience management, Roxane Bohin interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2021/12/mi-and-tooling-at-the-heart-of-operational-resilience-management-roxane-bohin-interview/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Agile Security, Emma Barféty interview</title>
		<link>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/</link>
					<comments>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/#respond</comments>
		
		<dc:creator><![CDATA[Emma Barfety]]></dc:creator>
		<pubDate>Mon, 11 Oct 2021 10:00:00 +0000</pubDate>
				<category><![CDATA[Cloud & Next-Gen IT Security]]></category>
		<category><![CDATA[Interview]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[agility]]></category>
		<category><![CDATA[DevSecOps]]></category>
		<category><![CDATA[scrum]]></category>
		<category><![CDATA[security]]></category>
		<guid isPermaLink="false">https://www.riskinsight-wavestone.com/?p=17026</guid>

<description><![CDATA[<p>Emma, could you please introduce the topic? Historically, the Agile approach is a set of practices used for IT development projects. The Manifesto published in 2001 proposes 4 main values to revolutionise the performance of companies: This emphasis on...</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/10/agile-security/">Agile Security, Emma Barféty interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h1 style="text-align: justify;"><strong>Emma, could you please introduce the topic?</strong></h1>
<p style="text-align: justify;"><strong>Historically</strong>, the Agile approach is a set of practices used for <strong>IT development projects</strong>.</p>
<p style="text-align: justify;">The Manifesto published in 2001 proposes 4 main values to revolutionise the performance of companies:</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-17027 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN.png" alt="" width="1512" height="281" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN.png 1512w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-437x81.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-71x13.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-1-EN-768x143.png 768w" sizes="auto, (max-width: 1512px) 100vw, 1512px" /></p>
<p style="text-align: justify;">This emphasis on human interaction between the development team and business teams aims at reducing the time to market of the products developed, as opposed to projects conducted in V-model which, once delivered, may no longer satisfy changing business requirements.</p>
<p style="text-align: justify;">Today, this practice is applied in <strong>most companies at all levels</strong>. In the latest <a href="https://stateofagile.com/#ufh-i-661275008-15th-state-of-agile-report/7027494"><em>State of Agile Report</em></a>, out of more than 4,000 companies surveyed worldwide, 95% declared that they use agile and 65% of them have been practising it for at least 3 years. In addition to IT, the methodology is also used in marketing, human resources, sales, and finance departments. 52% of the companies surveyed stated that at least half of their company&#8217;s departments adopt agile processes and therefore the scalability of such practices should not be ignored.</p>
<p style="text-align: justify;">Beyond a project management method, it is a new philosophy with gamified elements. We no longer speak of meetings but of ceremonies, with new roles appearing such as product owner and scrum master. Using this philosophy, the desire is to create an <strong>atmosphere of co-construction and to make maximum use of collective intelligence</strong> to improve the company&#8217;s performance.</p>
<p style="text-align: justify;">Although the concept of security is present in the manifesto, the integration of such measures into product development is not properly addressed. The method by which security is implemented in V-model projects does not apply to the agile philosophy and thus new ways of implementing security should be identified for it.</p>
<h1 style="text-align: justify;"><strong>What are the trends and challenges of this field? </strong></h1>
<p style="text-align: justify;">One of our challenges is to provide our clients with a global view of their problems. Adopting an <strong>agile approach requires a change in all levels</strong> of the business, from security to quality teams, and as such the effect on all levels of the business must be considered.</p>
<p style="text-align: justify;"><strong>In terms of organisation</strong>, the ISS must reposition itself as <strong>a service to the business</strong> and thus shift its image from a ‘policeman’ to a support function. The role of <strong>Security Champion </strong>(a member of the feature team such as a developer) becomes the point of contact for the ISS teams. In doing this, a connection can be created with each feature team, thus increasing autonomy over security integration. This is not something that can be achieved overnight; it requires training to highlight cybersecurity issues and share knowledge (particularly the basics of ISS and secure development). In addition to this, a security Guild should be created, bringing together ISS experts, security champions as well as security enthusiasts. This allows members to exchange information on the latest security news and good practices, as well as feedback and lessons learned from the field. This Guild must be set up in such a way as to allow easy communication between members (such as on an internal wiki).</p>
<p style="text-align: justify;">After the security champion receives training from the ISS team, they become the security referent and thus developers can turn to them for questions and advice. Therefore, the role in itself is fairly technical. In adopting an agile approach, the ISS experts will keep their role, but the relationship will change from that of control and audit to support and facilitation. Audits can still be carried out (such as penetration tests) at the request of the feature team or on the initiative of the security experts. Methodological tools must also be available to help the Champions in their tasks, and this includes rewriting risks in conversational format. To adapt to the use of User Stories by feature teams, the ISS team could try writing Evil User Stories, which correspond to an action carried out from the point of view of an attacker. For example:</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-17029 size-full" src="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN.png" alt="" width="1793" height="264" srcset="https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN.png 1793w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-437x64.png 437w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-71x10.png 71w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-768x113.png 768w, https://www.riskinsight-wavestone.com/wp-content/uploads/2021/10/Image-2-EN-1536x226.png 1536w" sizes="auto, (max-width: 1793px) 100vw, 1793px" /></p>
<p style="text-align: justify;">Faced with these risks, there are Security User Stories, proposing remediation solutions for EUS, with ready-to-use acceptance criteria. All this can be integrated into a security baseline (also in backlog format, in a product management tool, such as JIRA for example), proposing a <strong>minimum-security base</strong> to be integrated into the products.</p>
<p style="text-align: justify;">In addition to organisational support for the teams, technical support must be provided by optimising the continuous integration and deployment chain (CI/CD) with tools aimed at <strong>automating security as much as possible</strong>, which can be called the <strong>Security Stack</strong> or <strong>Security Pipeline</strong> (code review, vulnerability scans, detection of secrets, security of the Infrastructure as Code, etc.). Particular attention must be paid to its own security, so as not to produce the opposite effect&#8230; From a shift-left security perspective, security is integrated into the product by default, right from the start. It therefore adapts its velocity to that of an agile approach and enables a shift from a DevOps logic to that of DevSecOps.</p>
<p style="text-align: justify;">Another role can be created, that of <strong>AppSec Manager</strong>. This is part of the ISS team and is an expert in software security as well as an expert in the security stack. Their role is to help the developers to prioritise and remedy the vulnerabilities reported by the Stack. They work in tandem with the <strong>Risk Manager</strong>/IS expert, who provides them with knowledge of the risks associated with the product, which enables a more detailed analysis of the vulnerabilities to be dealt with as a priority. All this helps to create a culture of security by design.</p>
<h1 style="text-align: justify;"><strong>What do customers expect?</strong></h1>
<p style="text-align: justify;">CISO customers expect to be reassured that security in agile mode will not cause them to &#8220;lose control&#8221; over the proper implementation of security. The model we propose empowers the feature teams, gives them tools, but security retains control by centralising the performance indicators, by having the capacity to carry out random checks/according to predefined criteria, via bug bounty for example or an envelope of pentester days, to be distributed over the various products.</p>
<p style="text-align: justify;">Secondly, as a consultant, I think that clients expect us to share our <strong>convictions and very concrete examples</strong> of what we have been able to achieve for other clients. To meet this demand, Wavestone&#8217;s Cybersecurity and Digital Trust (CDT) practice has created several methodological accelerators based on feedback from the field, ready to be shared and adapted. Being able to carry out the mission in Agile mode was also part of the expectations, favouring <strong>co-construction</strong> rather than providing fixed and almost finalised deliverables from the first draft. In this gamification perspective, which is very important from an agile approach, we offer original co-construction workshops based on collective intelligence, thanks to our <strong>Creadesk</strong> asset, which trains consultants and provides them with tools for remote collective work.</p>
<h1 style="text-align: justify;"><strong>Any final advice for our readers?</strong></h1>
<p style="text-align: justify;">Implementing a true <strong>test &amp; lean </strong>approach is crucial. In order to extract the most benefit from using co-constructing tools, we must regularly test and verify them in the field. While anticipating problems is crucial, significant value can be achieved when we confront the problems as they arise. It allows us to be in direct contact with the business and feature teams, to show them that concrete actions are being implemented. The approach is agile, flexible, and scalable. The accelerators, methodologies and tools proposed evolve during the pilots and become even more relevant for the second wave of pilots, until all the feature teams are integrated.</p>
<p style="text-align: justify;">At the same time, it is important to remember that change management is essential. A real communication plan is needed &#8211; building communities of practice/guilds from the beginning of the pilots and identifying early adopters who will be valuable drivers of change within the teams. Agile has a real and rapid impact in everyday life and at all team levels: implementing this change is essential.</p>
<p>The article <a href="https://www.riskinsight-wavestone.com/en/2021/10/agile-security/">Agile Security, Emma Barféty interview</a> appeared first on <a href="https://www.riskinsight-wavestone.com/en/">RiskInsight</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.riskinsight-wavestone.com/en/2021/10/agile-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
