Tuesday 30 April 2013

Worrying about Supply Chain Security

How often do you look at the "made in" label on the equipment you buy?  A glance across my desk says that my Apple iPhone was made in China, my Casio calculator was made in China, and even the Rexel stapler was made in China!  In fact the only thing I can find on my desk that wasn't made in China is a tube of toothpaste, and that was made in Mexico.

Didn't we get over the "red menace" and "yellow peril" in the 1960s?  Apparently not.  But before we plumb the depths of paranoia and xenophobia which are bubbling beneath the surface of supply chain security, perhaps it's worth thinking in a little more detail about what we really mean.

Security is the conservation of confidentiality, integrity and availability.

Traditional supply chain security concerns have been availability issues - can we get the parts that we need when we need them?  We dealt with this by using multiple suppliers, understanding lead time, and holding stock.  Nothing has changed here.

Once availability was addressed, we moved to integrity issues - is the quality of the stock we receive good enough for our purposes?  We dealt with this by over-ordering and batch testing.  Nothing has changed here.

Finally, once everything else was working smoothly, we moved to confidentiality issues - are our suppliers stealing our intellectual property?  We dealt with this by contracts and wishing really hard.  Nothing has changed here either.

There is a reason that everything is made in China, and that is money.  It's much cheaper to produce goods there than here - for any definition of "here" that involves the first world.  That reduction in price came at a cost - the cost of control.

But this hasn't addressed the first question: should we be worried about supply chain security?  Of course we should, we always have, and we've always found mitigating controls to manage the risk.  That isn't any different today.

If you don't like that your equipment is manufactured overseas, then create a local manufacturing industry.

If you worry that your suppliers are stealing your intellectual property, apply rigorous audits, and take the work elsewhere if they break the rules.  Remember they also have a profit motive.

This really is a first world problem.  We created it by outsourcing.  Now we get to live with the consequences of our choices.

Phil Kernick Chief Technology Officer
@philkernick www.cqr.com
 

Monday 22 April 2013

Why no-one gets SCADA security right

SCADA is an acronym for Supervisory Control and Data Acquisition.  That's a bit of a mouthful and unless you've studied Engineering it's not clear what it means, so here's a simple definition: SCADA is computer controlled physical processes.  The common examples given are power stations and water treatment plants, but it's much more than that.  Building management systems that control the temperature, lights and door locks: that's SCADA.  The production line at a large bakery that makes your bread: that's SCADA.  The baggage system at the airport that loses your bags: that's SCADA.  The traffic lights that annoy you on your drive to work: that's SCADA.

It's everywhere.  It's all around us.  And it's all implemented badly.  Maybe that's too strong - it's all implemented inappropriately for the threat model we have in 2013.

We have to set the way back machine to the 1980s to understand why we are in the mess we are today.

Traditionally SCADA systems were designed around reliability and safety.  Security was not a consideration.  This means that the way the engineers think of security is different.  In IT security we consider Confidentiality first, then Integrity and finally Availability.  This matches with our real world experience of security.  But in SCADA systems it's the other way around - Availability first, then Integrity, and finally Confidentiality a very distant third.

There are two very good reasons for this approach.

Firstly: Keeping SCADA systems running is like balancing a broomstick on your finger - you can do it, but it takes a lot of control, and if you stop thinking about it, the broomstick falls.  This is the fundamental reason that the dramatic scenes where the bad guy blows up a power station as shown in movies just can't happen.  If you mess up the control, the power station stops generating power; it doesn't explode.

Secondly: Every business that controls real world processes has a culture of safety: they have sign boards telling how many days since the last lost time injury, and are proud that the number keeps going up.  Anything that gets in the way of human safety is removed.  That's why control workstations don't have logins or passwords.  If something needs to be done for a safety reason, it can't be delayed by a forgotten password.

All of this made perfect sense in the 1980s when SCADA systems were hard wired analog computers, connected to nothing, staffed by a large number of well-trained engineers, and located in secure facilities at the plant.

That isn't true now.  Today SCADA systems are off-the-shelf IT equipment, connected to corporate networks over third party WAN solutions and sometimes the Internet, staffed by very few over-stressed engineers, sometimes not even located in the same country.

So what happened in between?  Nothing.  Really.  SCADA systems have an expected life of about 30 years.  The analog computers were replaced by the first general purpose computers in the late 1980s, and they are only now being replaced again with today's technology.  They will be expected to run as deployed all the way to 2040.

I hope you've stocked up on candles.


Tuesday 16 April 2013

Decline of the PCI empire

The Payment Card Industry Data Security Standard - PCI DSS - is a standard with 255 controls that you must comply with if you store, process or transmit credit card information.  Complying with the standard is the cost of doing e-commerce today.  The cost is high, and going to get higher, and as with all monopoly empires this increase will eventually lead to its downfall.

Disclaimer: CQR is a QSA company and I am a QSA.  I have no special knowledge about what the PCI council is going to do, so this is a fairly bold statement.  I base my assessment on simple economics.

PCI DSS v3.0 will be released in October 2013.  The only certainty is that it will have more controls, and they will be harder to comply with, and it will be more expensive both to implement and have audited.  Today most level 3 and 4 merchants are struggling with PCI.  Next year will break some of them - some will just fail to comply, and others will consider no longer taking credit cards.  Three years later, in October 2016, PCI DSS v4.0 will be released, and this will break the rest.

Don't get me wrong - PCI DSS is a good standard, it serves the purpose it was designed for, and if all merchants complied with it there would be far fewer credit card breaches.  But we need to go back to economic basics: if the cost of the control exceeds the value of the service, then it makes no economic sense to offer the service.  Somewhere around the release of PCI DSS v4.0 this will cross over.

Here's my prediction for the inevitable decline: more and more merchants will stop taking credit cards directly.  PCI DSS only applies if you store, process or transmit credit card data.  So if merchants stop doing this directly, and instead use a third party service provider to process card data, they will no longer have a compliance burden.  Merchants will still have a cost to bear, as the service provider will need to be compliant, but that cost can be amortised over many more merchants, leading to the cost of the control dropping back below the value of the service, and economic theory prevailing.

We are going to keep taking credit cards because they are just too convenient.  But the market for PCI services is going to shrink radically, and in the end this is going to make all of us safer.


Monday 8 April 2013

Running with Scissors

There are things that we just shouldn't do - like running with scissors.  We can be told not to do them.  We can know intellectually not to do them.  But until we've stabbed ourselves or someone else it just doesn't sink in.

I've been seeing a lot of discussion recently on attack as pro-active defence - especially related to botnets.  The proponents make a good case that they are making everyone safer.  The opponents say that any unauthorised access - even to disable malware - is wrong and must not happen.  In both cases they have the implicit assumption that the people who own the computers that have been turned into bots are also victims.  I think it's time we addressed the elephant in the room.  We should adjust our thinking and stop thinking of them as victims and start thinking of them as part of the problem.

The only reason they have been turned into bots in the first place is that they haven't enabled even the most basic protections on their computer.  They are running with scissors.  They are stabbing people with the scissors.

We can no longer accept this.  Basic protections won't stop a determined attacker, but turning on automatic patching and running a free antivirus solution will stop most of them being owned most of the time.

It's time the software and operating system vendors made it impossible to turn off these sorts of basic protections.  And it's time society, as the real victim of cybercrime, demanded it.
