2) What is the difference between being secure and compliant?
Compliance does not assure security. A company can be compliant with internally or externally generated security regulations (NERC CIP), but may still be vulnerable to attack. To properly prevent security issues, a company must design a system that can defend against both external and internal attacks. Being compliant with any one standard does not guarantee security.
Robert Huber, Co-Founder of Critical Intelligence
What is the difference between "compliance" and "security"?
Compliance is black and white, binary. You either are, or aren't, compliant. Yes, auditors/regulators add shades of gray. In compliance, you are measured against some type of standard. Compliance is synonymous with obedience. Security, on the other hand, implies a state, or feeling, of assurance that you are free of danger or risk. There is no yardstick to measure against in this case. It is very subjective, leading back to the first question.
Sean McBride, Co-Founder of Critical Intelligence
How much security do you need to be really secure?
One way to answer this question is to say that it depends on the determination of an adversary to attack your organization. Successful defenders will push the cost of attack beyond the adversary's ability or desire to conduct it.
Although each adversary's level of determination to attack your organization will differ, one piece of conventional wisdom tells us, "only more than my competitor," highlighting the preference of some attackers to gather first the low-hanging fruit. Moreover, low-hanging fruit can be proving grounds for more difficult, higher-stake future attacks.
Relying on this conventional wisdom, you must ask yourself, how do I make my organization a less attractive target? One baseline to consider is "due diligence," which we generally define as adherence to industry standards and regulations. So, to be a less attractive target than your competitors, you've got to be doing more than due diligence.
One of the disadvantages to a transparent society is that through publicly available information adversaries can learn what groups are not doing due diligence. (Although intended to be devoid of technical detail, consider last year's public GAO report on security at the Tennessee Valley Authority for example.) Hence we see that hand in hand with due diligence comes the concept of operational security, or OPSEC: the principle of not allowing attackers to easily obtain information to aid in attacks. Conventional wisdom would tell us that the easier you make it for adversaries to learn about you (your systems, your networks, your organization), the easier it will be for them to successfully attack you. As an operator of critical infrastructure control systems in the Internet age you must not fail to consider that little things you disclose about yourself in public forums may be used against you.
When adversaries match the aforementioned public information about your organization with vulnerabilities and exploits you are at risk. The good news is that the cost of OPSEC is nothing more than the cost of personal responsibility.
So how much security do you need? It honestly depends on who your adversaries are. But you can be sure that due diligence and operational security are cornerstones of "how much you need to be really secure."
Kevin Staggs, Engineering Fellow, Global Security Architect
Honeywell Process Solutions
How much cyber security do you need to be really secure?
There is no single answer to this question. The amount of cybersecurity needed depends on the plant network configuration and the amount of risk that a user is willing to accept with respect to cyber security. Not all plants and configurations will require all cybersecurity mechanisms. At a minimum, a plant should isolate the Process Control Network (PCN) from the corporate network. This isolation should be done using a stateful firewall configured to deny all traffic except for connections required between specific PCN nodes and corporate network nodes. It is recommended that the PCN not be able to reach the Internet directly. A good configuration would also include a DMZ between the corporate network and PCN. The data servers for moving information between the PCN and corporate networks would be located in the DMZ.
A best practice for determining how much cyber security is required is to perform a PCN cybersecurity assessment of your system. This assessment would evaluate such things as:
- Firewall Management
- DMZ Management
- Terminal Server Management
- OS Patch Management
- VPN Remote PCN Access Management
- Automated PCN Vulnerability Scanning
- Intrusion Detection/Prevention
- Anti-Virus Updates
The assessment would review the above items and assign a risk value for each of them. In addition to the risk value, suggested mitigations are documented. With the risk assessment, a SCADA system administrator would be able to evaluate each of the items and its associated risk, and determine if the risk is acceptable or requires mitigation. Once complete, the system would be at an acceptable security level for that operation.
Cybersecurity assessments should be repeated at least on an annual basis and higher risk systems should be assessed more often.
What's the difference between "compliance" and "security"?
Compliance is an element of security. Most security management programs define a process for managing the security of systems. The process includes measures to determine if the security processes are being followed. A security program is considered in compliance when there is auditable evidence that all security processes are being followed.
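As an added illustration of the PCN / DMZ / corporate isolation described in the "How much cyber security do you need" answer above (example ruleset written for this page, not Honeywell's or any contributor's own configuration), the following nftables ruleset for a single firewall spanning the three zones implements a deny-all default, permits only the two specific data-server connections, and leaves the PCN with no direct path to the Internet. Interface names, addresses, the historian and data-server roles, and the TCP ports are assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Constructed example: three-zone perimeter (PCN, DMZ, corporate) on one stateful firewall.
# All interface names, addresses and ports below are assumptions, not values from the page.
flush ruleset

define PCN_IF   = "eth1"           # Process Control Network side
define DMZ_IF   = "eth2"           # DMZ holding the data servers
define CORP_IF  = "eth0"           # corporate network (and its onward path to the Internet)

define CORP_NET      = 10.30.0.0/16
define HISTORIAN_PCN = 10.10.1.10  # assumed PCN node that publishes data into the DMZ
define DATA_SERVER   = 10.20.0.10  # assumed DMZ data server read by corporate clients

table inet pcn_perimeter {
    chain forward {
        # Deny everything that is not explicitly listed below.
        type filter hook forward priority 0; policy drop;

        # Stateful: reply traffic of an allowed connection is accepted, so only the
        # initiating direction of each permitted flow needs a rule.
        ct state established,related accept
        ct state invalid drop

        # PCN -> DMZ: only the historian may push to the data server (assumed TCP/1433).
        iifname $PCN_IF oifname $DMZ_IF ip saddr $HISTORIAN_PCN ip daddr $DATA_SERVER tcp dport 1433 accept

        # Corporate -> DMZ: corporate clients read from the data server over HTTPS.
        iifname $CORP_IF oifname $DMZ_IF ip saddr $CORP_NET ip daddr $DATA_SERVER tcp dport 443 accept

        # No rule lets the PCN reach the corporate side or the Internet directly, and no
        # rule lets corporate hosts reach the PCN; log those attempts before the default drop
        # so the assessment's firewall-management review has evidence to inspect.
        iifname $PCN_IF log prefix "pcn-egress-denied: " drop
        iifname $CORP_IF oifname $PCN_IF log prefix "corp-to-pcn-denied: " drop
    }
}
```

Any new PCN-to-corporate requirement is added as one more explicit accept line between the two named nodes, never by loosening the `policy drop` default.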