Tuesday, January 4, 2011

Doing security right...

I just finished reading a column by Roger Grimes at InfoWorld, and two paragraphs really jumped out at me:
Instead of creating one or two porous boundaries, you need to create fine-grained security domain isolation. If workstations don't need to talk to other workstations, don't let them. Most servers don't talk to every other server. Don't let them. Most admins don't need to connect to every server -- so don't let them.

To build your defense, diagram all the legitimate network traffic connections and block the rest, using access control lists, routers, firewalls, proxies, IPSec, and whatever else you can use. It should always be this way.
This is a really thought-provoking idea for those of us who have thought at any length about security in the electric grid. For the most part, the security of the grid has historically been about making sure that everyone who touches the grid in a way that could affect reliability knew exactly what (s)he was doing, and about keeping everybody else away from the big red (and green and blue) buttons.

For a lot of reasons, that model may not work in today's world, let alone in tomorrow's.
  • The workforce is changing, and a lot of old grey heads who've spent their careers in these systems are leaving, to be replaced by younger people who don't expect to stay in one job for more than a few years. The "disgruntled insider" is a greater threat than in the past.
  • Systems are increasingly being attacked from the outside, and the first thing an attacking outsider seeks to do is become a privileged "insider".
  • Systems are becoming more complex, and they started out pretty complex. Greater complexity means human error becomes more likely, and more likely to be damaging when it happens.
Limiting what even privileged insiders (whether people or systems) can do is one of the most effective ways to stop a security-related problem, or limit the damage that can be done.

I would add two more thoughts to Roger's ideas here:
  • Even when you trust, verify. Any action that could damage the system if it is wrong needs to be checked before execution: does this instruction/decision/command make sense right now?
  • Tripwire everything. Any attempt to take an action outside those specifically permitted should raise an alarm, as should permitted instructions that go beyond certain boundaries.
Sending a disconnect command to one meter should be checked before execution for obvious reasons, like not pissing off a customer needlessly.

Sending disconnect commands to, for example, 10,000 meters in rapid succession should be either impossible, or halted outright if it's tried.
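Putting those two additions together, here is an added example (mine, not code from the post or from Roger's column) of a gate in front of a meter-control channel: an allow-list per principal, a sanity check on each disconnect, and a tripwire that halts a burst of disconnects and records an alarm. The class, the policy shape, the thresholds and the sample command sequence are all constructed assumptions.

```python
from collections import deque
import time

class DisconnectGate:
    """Gate in front of a meter-control channel (constructed example, not the post's code)."""
    def __init__(self, policy, max_per_window, window_seconds, clock=time.monotonic):
        self.policy = policy          # principal -> set of commands it may issue (assumed shape)
        self.max_per_window = max_per_window   # boundary beyond which disconnects are halted
        self.window = window_seconds
        self.clock = clock
        self.recent = deque()         # times of disconnects that actually executed
        self.alarms = []              # tripwire record: (reason, principal, meter_id)

    def submit(self, principal, command, meter_id, meter_state):
        """Return 'executed' or 'blocked'; every block also raises an alarm."""
        # Rule 1: least privilege -- anything outside the explicit allow-list trips the wire.
        if command not in self.policy.get(principal, set()):
            self.alarms.append(("unauthorised command", principal, meter_id))
            return "blocked"
        if command != "disconnect":
            return "executed"         # other commands only need the allow-list check here
        # Rule 2: even when you trust, verify -- does this disconnect make sense right now?
        if not meter_state.get("connected", False):
            self.alarms.append(("meter already disconnected", principal, meter_id))
            return "blocked"
        # Rule 3: tripwire the boundary -- a burst of disconnects is halted, not queued.
        now = self.clock()
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_per_window:
            self.alarms.append(("bulk disconnect threshold exceeded", principal, meter_id))
            return "blocked"
        self.recent.append(now)
        return "executed"

def demo():
    """Replays a constructed command sequence through the gate with a fake clock."""
    fake_now = [0.0]
    gate = DisconnectGate({"ops-admin": {"read", "disconnect"}, "helpdesk": {"read"}},
                          max_per_window=5, window_seconds=60.0, clock=lambda: fake_now[0])
    results = [gate.submit("helpdesk", "disconnect", "M-1", {"connected": True}),
               gate.submit("ops-admin", "disconnect", "M-2", {"connected": False})]
    for i in range(7):   # rapid-fire disconnects: the boundary is five per minute
        results.append(gate.submit("ops-admin", "disconnect", f"M-{i + 10}", {"connected": True}))
    fake_now[0] = 61.0   # a minute later the window has drained and a single disconnect is fine
    results.append(gate.submit("ops-admin", "disconnect", "M-99", {"connected": True}))
    return results, gate.alarms
```

The point of the third rule is that the gate stops the burst and leaves an alarm behind, rather than smoothing it out and letting the full 10,000 through more slowly.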

This is going to mean that each party participating in the grid will have to do this kind of "who-needs-access-to-what" analysis.

Security isn't a feature, it's a business mindset.