If you are a regular follower of this blog, you’ve probably noticed that I haven’t been writing much in the past few months. I have simply been too busy, traveling and speaking at some really great security conferences.
The most recent and the most informative (for me at least) was the International NCSC One Conference 2014 at the World Forum in The Hague. This is a massive and well organized event run by the Netherlands National Cyber Security Centre, the Dutch equivalent to the US-CERT. Close to 950 people listened to my talk on “The Internet of Insecure Things.”
During NCSC One I heard some great talks on the state of encryption technology today, SCADA security consortiums, and foreign APT threats. But the highlight was the plenary speech by Jon Callas entitled “Security and Usability in the Age of Surveillance.” Jon’s talk focused on Bring Your Own Device (BYOD) security, but it raised some questions that are core to cyber security in the 21st century.
If you’re not familiar with the BYOD security debate and want to get some background, check out my blog on the topic: The iPhone is coming to the Plant Floor – Can we Secure it? The short version is that the BYOD controversy revolves around the possible security issues that arise when employees use their personal mobile devices to access privileged company resources. A common example is using your iPhone to access your company’s email system – does this increase or decrease corporate security?
Does using personal devices on the plant floor increase or decrease corporate security?
What is that Security Policy REALLY Trying to Achieve?
The first question that Jon brought up was around understanding the real goals of any security policy or program. While security traditionalists talk about ensuring Confidentiality, Availability, and Integrity, Jon suggested that the real goals can be divided into two more general ones:
- Maintaining Safety
- Maintaining Control
Most of the time the reason given for a specific security policy is safety – for example, securing a SCADA system to ensure the safety of the processes, people, and products. This reason is hard to argue with. After all, who wants to be less safe?
In reality there are many security policies that have nothing to do with safety; instead, they are about maintaining IT control. Now this isn’t necessarily bad, but it is a lot harder to sell compared to the safety argument. So the safety excuse gets rolled out every time.
Enter the Evil Smart Phone
Jon then explained how this relates to the BYOD controversy. When mobile devices first came onto the market, the IT department loved the BlackBerry. Like the mainframe and the central server, the BlackBerry architecture centralized everything. Every email you sent and every note you made passed under the watchful eyes of the IT department. Any other mobile device was banned because it was “unsafe” for confidential company information.
Unfortunately for BlackBerry, the real customer wasn’t the IT department, but rather the end user. When the user was a lowly engineer or a salesperson, the iPhone, iPad, or Android could be safely ignored. But once company CEOs started to buy iPhones and saw how effective they were, suddenly IT had to start accepting other mobile devices.
The floodgates burst open and soon iPhones and Androids dominated the corporate world while BlackBerry withered to a shadow of its former glory.
Yet to this day we still hear lots of crying about how insecure personal mobile devices are and how the IT department has to “bring the problem under control.” There are endless pitches for BYOD security products and no shortage of corporate policies (many of questionable effectiveness) intended to “manage the problem.” The reason always given is the “safety and security” of corporate intellectual property.
Eric Byres presenting at the International NCSC One Conference 2014 in The Hague, Netherlands on June 3rd.
Tell Me Again Why my Company Laptop is More Secure than my Personal iPhone...
But is the iPhone or Android really the security risk the IT world claims? Or are they just annoyingly difficult to maintain centralized control over?
Sure, smart phones aren’t perfect, but how many truly effective rootkits have you seen for attacking iPhones? Now consider how many rootkits there are for taking over PCs. How many serious mobile device vulnerabilities have you needed to quickly patch in the last year? Maybe two? And how often do you have to install a critical Windows, Java, or Adobe patch on your PC? Every week? As Jon put it: “Antivirus software for the mobile device is not exactly a growth market.”
In fact, it may be that personal phones are actually more secure than all the other devices that are welcomed by traditional IT.
Smart phones are also more carefully guarded by their owners. Jon quoted studies showing that, on average, people noticed and reported a missing phone in less than 20 minutes compared to 24 hours for a missing wallet. If someone stole my laptop on a weekend, it could be two days before I noticed. And once an iPhone goes missing, the remote wipe features are very effective. I doubt my IT department could ever wipe the laptop they gave me if I happen to lose it.
Mobile Devices are NOT Perfect but...
To be clear, Jon is NOT saying that mobile devices are perfectly secure – far from it. But all the evidence suggests that they are more secure than any other common computing device currently in use. Thus the argument to tangle up iPhones and Androids in red tape is just an excuse. And industry might just be better off from a security point of view if we embraced — or even encouraged — the mobile device on the plant floor. It certainly is worth considering.
Picking the Right SCADA Security Battles
I often think that safety as an excuse for control is common in airport security. Many of the restrictions and processes required by both the TSA and the airlines with the “We’re doing this for your protection” justification appear to be a way to make the customer easier to control (or are an excuse to cut services).
For example, The Atlantic magazine reported that a TSA employee confessed to reporter Jeff Goldberg that the purpose of enhanced pat-downs was to make opting out of full body scans so unpleasant that everyone would quiescently choose to go through the scanner. This would make the inspection process quicker and cheaper for the TSA.
Causing people frustration never leads to better security; it just encourages rebellious behavior. This is doubly true for the industrial world. It is human nature that people (especially engineers!) only have so much patience for security policies that make their job harder to do.
Institute a few security controls that offer clear safety benefits and people will respect them. Throw too many controls in a person’s way and they will find a way to circumvent them so they can get their job done. Unfortunately people don’t necessarily pick the least effective controls to ignore – they might obey the ineffective measures and bypass the important ones.
Thus, as SCADA security professionals we need to pick our security battles carefully. After listening to Jon, I will be looking deeper into the real goals of any SCADA security policy or technology I am exposed to. Is it really helping make SCADA and ICS safer? Or is it just a way to make control easier? Is it addressing the real risks? Or is it just for show? Fail to ask these questions and we risk creating a backlash against the whole SCADA/ICS security message. And that will be a loss for the entire industry.
Cross Posted from the Tofino Security Blog