CyberSecurity Institute

“Regulations recognize you can’t protect yourself from everything,” Proctor told delegates at Thursday’s Information Security Decisions conference.

But, he acknowledged, their built-in flexibility also can work against an organization if controls aren’t mapped to a proactive, process-oriented security program based on an ongoing risk assessment.

Corporate governance-oriented SOX, which holds public companies’ top executives accountable for internal data controls, is especially vague on security.

The real deal with Sarbanes-Oxley: Perspectives for the security manager Delve below the surface and examine how SOX applies to the work done by the security manager.

Companies that must meet multiple regulatory laws should find common denominators and then roll out a security program based on the general legal requirements, such as record-keeping, incident reporting and following best practices.

Build a defensible case for anyone likely to challenge those controls, such as data owners and both internal and external auditors who ultimately decide who is and isn’t meeting security and privacy guidelines.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1013875,00.html

PLCs are microprocessor-based systems programmed to make the timing and control decisions in machine automation that once required arrays of electromechanical relays.

On older systems, PLCs communicated over RS-232 serial lines — slow going, but relatively secure. But modern PLCs can plug right into a plant’s Ethernet, exposing them to whatever threats lurk therein.

Coming from an IT environment, Cupps hoped to find that the control systems at his company’s plants were protected by at least as much security as a Windows desktop. The controls systems at Cupps’ company are made by Rockwell Automation, but Cupps hastens to point out that the absence of authentication on PLCs is an industrywide problem, and not at all limited to one particular vendor.

Other experts agree, and say the root cause is historical: the control systems rely on protocols and industry standards that were built for dedicated serial lines – not shared TCP/IP networks.

“It’s script kiddy material to control PLCs,” says Eric Byres, a researcher and critical infrastructure security specialist at the British Columbia Institute of Technology (BCIT).

The implications are disturbing to Byres and Cupps; in factories across the globe PLCs control pumps, conveyer belts, paint sprayer booths, welding machines, motors and other equipment. “We found numerous ways to perform single-packet denial of service attacks against PLCs,” says Byres.

The 13 cyber security incidents logged between the years 1982 and 2000 were almost all attributable to accidents, inappropriate employee behaviour, or sabotage by disgruntled employees.

Processer Power Issues In a lot of those external attacks, control systems were merely collateral damage from IT issues like worms, “because we have Windows running all over the plant floor,” says Byres. Michael Bush, security program manager at Rockwell Automation, acknowledges that Ethernet-enabled control systems “change the rules significantly” from the days of dedicated serial lines.

For his part, Cupps says he took emergency measure to shore up the control systems at his company, then committed to a massive reorganization of its networks, putting the factory floors on their own subnets, adding firewalls between them, and installing intrusion prevention systems, among other things.

http://www.securityfocus.com/news/9671