Cybersecurity Review: Art of InvisibilityGP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-11-01T04:00:00ZKevin Mitnick with Robert Vamosi; Reviewed by Ben Rothke<p>​By Kevin Mitnick with Robert Vamosi. Hachette Book Group;; 320 pages; $14.99.</p><p>Every student of forensic science knows about Locard’s exchange principle, which states that a criminal brings something into the crime scene and leaves with something from it—both can be valuable as forensic evidence. </p><p>When it comes to cybercrime, digital forensics, and general computer usage, cyber experts debate whether Locard’s fully applies. Either way, the simple act of fetching a Web page can create thousands of log entries. In 1999, when software businessman Scott McNealy said “You have zero privacy anyway. Get over it,” little did he imagine a world where every click, search, and user preference is tracked and indefinitely stored. Anyone who uses a free Internet service becomes a piece of data. After a while, the data providers may know more about you than you do yourself. </p><p>In <em>The Art of Invisibility: The World's Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data</em>, author Kevin Mitnick shows readers what they can do to leave no digital trace. So, can a person become fully invisible on the Internet? Yes; but with a caveat. While Mitnick shows how one can do that in this most interesting book, it’s not practical for the vast majority of users. </p><p>Notwithstanding that it’s quite difficult to be fully invisible, there are still countless strategies detailed in this book that readers can put into action to better protect their privacy, buying habits, lifestyle choices, and more. </p><p>Being anonymous today requires a lot of work and constant vigilance. If you want to stay online while retaining your privacy, this book provides some guidance.</p><p><em><strong>Reviewer: Ben Rothke</strong>, CISSP (Certified Information Systems Security Professional), PCI QSA (Qualified Security Assessor), is a principal eGRC consultant with the Nettitude Group.</em></p> Problem with Data Education Connection Review: Network Video Review: Art of Invisibility Zero Day Problem the Business Internet And The Future of Online Trust Official Says Russia Tried to Hack 21 States in 2016 Election U.S. Hospitals Have Not Deployed DMARC To Protect Their Email Systems the Business Opines on the Future of Technology,-Compromising-143-Million-Americans’-Data.aspx2017-09-08T04:00:00ZHackers Hit Equifax, Compromising 143 Million Americans’ Data Mayhem The Force Multiplier‘Catastrophic,’-Survey-Finds.aspx2017-05-31T04:00:00ZSecurity Incidents Caused By IoT Devices Could Be ‘Catastrophic,’ Survey Finds

 You May Also Like... Zero Day Problem<p>​In August 2017, FireEye released new threat research confirming with “moderate confidence” that the Russian hacking group APT28, also known as FancyBear, was using an exploit to install malware on hotel networks that then spread laterally to target travelers. </p><p>“Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,” FireEye said in a blog post. “No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.”</p><p>After APT28 accessed corporate and guest machines connected to the hotel Wi-Fi networks, it deployed a malware that then sent the victims’ usernames and hashed passwords to APT28-controlled machines.</p><p>“APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” FireEye explained. </p><p>This new method is worrisome for security experts because the exploit APT28 was using to infiltrate hotel networks in the first place was EternalBlue, the same vulnerability used to spread ransomware such as WannaCry and NotPetya. It was also allegedly stolen from the U.S. National Security Agency (NSA).</p><p>A group of hackers, dubbed the Shadow Brokers, posted the EternalBlue exploit online in April 2017 after claiming to have stolen it from the NSA. The leak was just one of many the group has made over the past year detailing NSA vulnerabilities that exploited Cisco Systems, Microsoft products, and others. </p><p>The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose cyber vulnerabilities to the private sector more frequently to prevent future cyberattacks.</p><p>Some of the harshest criticism came from Microsoft itself. In a blog post, President and Chief Legal Officer Brad Smith wrote that the WannaCry attack provided an example of why “stockpiling of vulnerabilities by governments” is a problem.</p><p>“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith explained. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world—nation-state action and organized criminal action.”</p><p>The VEP began to take form under the George W. Bush administration when then President Bush issued a directive instructing the director of national intelligence, the attorney general, and the secretaries of state, defense, and homeland security to create a “joint plan for the coordination and application of offensive capabilities to defend U.S. information systems.”</p><p>Based on this directive, the respective agencies recommended that the government create a VEP to coordinate the government’s “offensive and defensive mission interests,” according to a memo by the Congressional Research Service (CRS) in February 2017. </p><p>The Obama administration then created the current VEP, which became publicly known in 2014 in response to the Heartbleed vulnerability—a bug in the OpenSSL cryptographic software that allowed protected information to be compromised. </p><p>The VEP, as it is known to exist today, provides the process for how the U.S. government chooses whether to disclose vulnerabilities to the vendor community or retain those vulnerabilities for its own use.</p><p>“Vulnerabilities for this purpose may include software vulnerabilities (such as a flaw in the software which allows unauthorized code to run on a machine) or hardware vulnerabilities (such as a flaw in the design of a circuit board which allows an unauthorized party to determine the process running on the machine),” according to the CRS memo sent to U.S. Representative Ted Lieu (D-CA).</p><p>To be eligible for the VEP, however, a vulnerability must be new or not known to others. Vulnerabilities are referenced against the Common Vulnerabilities and Exposures Database to determine if they are new or unknown.</p><p>When choosing to disclose a vulnerability, there are no clear rules but the U.S. government considers several factors, according to a blog post by former White House Cybersecurity Coordinator Michael Daniel that was written in response to allegations that the NSA knew about the Heartbleed vulnerability prior to its disclosure online.</p><p>For instance, the government considers the extent of the vulnerable system’s use in the Internet’s infrastructure, the risks and harm that could be done if the vulnerability is not patched, whether the administration would know if another organization is exploiting the vulnerability, and whether the vulnerability is needed for the collection of intelligence.</p><p>The government also considers how likely it is that the vulnerability will be discovered by others, if the government can use the vulnerability before disclosing it, and if the vulnerability is, in fact, patchable, according to Daniel.</p><p>In the post, Daniel wrote that the government should not “completely forgo” its practice of collecting zero-day vulnerabilities because it provides a way to “better protect our country in the long run.”</p><p>And while the process allows the government to retain vulnerabilities for its own use, it has tended to disclose them instead. NSA Director Admiral Michael Rogers, for instance, testified to the U.S. Senate Armed Services Committee in September 2016 that the NSA has a VEP disclosure rate of 93 percent, according to the memo which found a discrepancy in the rate.</p><p>“The NSA offers that 91 percent of the vulnerabilities it discovers are reported to vendors for vulnerabilities in products made or used in the United States,” the memo said. “The remaining 9 percent are not disclosed because either the vendor patches it before the review process can be completed or the government chose to retain the vulnerability to exploit for national security purposes.”</p><p>Jonathan Couch, senior vice president of strategy at ThreatQuotient, says that the U.S. government should not be expected to disclose all of the vulnerabilities it leverages in its offensive cyber espionage operations.</p><p>“Our government, just like other governments out there, is reaching out and touching people when needed; they leverage tools and capabilities to do that,” says Couch, who prior to working in the private sector served in the U.S. Air Force at the NSA. “You don’t want to invest a ton of money into developing capabilities, just to end up publishing a patch and patching against it.”</p><p>However, Couch adds that more could be done by agencies—such as the U.S. Department of Homeland Security (DHS)—that work with the private sector to push out critical patches on vulnerabilities when needed.</p><p>“Right now, I think they are too noisy; DHS will pass along anything that it finds—it doesn’t help you prioritize at all,” Couch says. “If DHS could get a pattern of ‘Here’s what we need to patch against, based on what we know and are allowed to share,’ then push that out and allow organizations to act on that.”</p><p>Other critics have also recommended that the government be more transparent about the VEP by creating clear guidelines for disclosing vulnerabilities and to “default toward disclosure with retention being the rare exception,” the CRS explained.</p><p>One of those recommendations was published by the Harvard Kennedy School’s Belfer Center for Science and International Affairs in Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. </p><p>The paper, written by Ari Schwartz, managing director of cybersecurity services for Venable LLP and former member of the White House National Security Council, and Rob Knake, Whitney Shepardson senior fellow at the Council on Foreign Relations and former director for cybersecurity policy at the National Security Council, recommended the VEP be strengthened through formalization. </p><p>“By affirming existing policy in higher- level, unclassified governing principles, the government would add clarity to the process and help set a model for the world,” the authors explained. “If all the countries with capabilities to collect vulnerabilities had a policy of leaning toward disclosure, it would be valuable to the protection of critical infrastructure and consumers alike, as well as U.S. corporate interests.”</p><p>However, the authors cautioned that affirming this process does not mean that the government should publicize its disclosure decisions or deliberations.</p><p>“In many cases, it likely would not serve the interests of national security to make such information public,” according to Schwartz and Knake. “However, the principles guiding these decisions, as well as a high-level map of the process that will be used to make such decisions, can and should be public.”</p><p>U.S. lawmakers also agree that the VEP should be overhauled to boost transparency. In May, U.S. Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO), and U.S. Representatives Ted Lieu (D-CA) and Blake Fernthold (R-TX) introduced legislation that would require a Vulnerabilities Equities Review Board comprising permanent members. These members would include the secretary of homeland security, the FBI director, the director of national intelligence, the CIA director, the NSA director, and the secretary of commerce. </p><p>Schatz said that the bill, called the Protecting Our Ability to Counter Hacking (PATCH) Act, strikes the correct balance between national security and cybersecurity.</p><p>“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” he explained in a statement.</p><p>Additionally, the secretaries of state, treasury, and energy would be considered ad hoc members of the board. Any member of the National Security Council could also be requested by the board to participate, if they are approved by the president, according to the legislation.</p><p>The bill has not moved forward in Congress since its introduction, which suggests that many do not see a need for an overhaul of the current disclosure system. </p><p>“It’s just not realistic for NSA, CIA, or the military or other international governments to start disclosing these tools they’ve developed for cyber espionage,” Couch says. ​ ​</p>GP0|#91bd5d60-260d-42ec-a815-5fd358f1796d;L0|#091bd5d60-260d-42ec-a815-5fd358f1796d|Cybersecurity;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 2017 ASIS News<h4>​Those We Cheer This Year</h4><p>ASIS presented MANY awards at the ASIS International 63rd Annual Seminar and Exhibits to celebrate members and partners with noteworthy accomplishments in 2017. These honored members and supporting organizations exemplify the determination and capability of all involved with the Society.</p><p>ASIS is pleased to recognize these outstanding accomplishments. The Don Walker Award for Enterprise Security Executive Leadership celebrates an individual who demonstrates a commitment to promoting security management education, certification, and standards. This year, it was presented to Raymond T. O’Hara, CPP. A former ASIS president, O’Hara currently serves as executive vice president at AS Solution. Throughout his career, he has supported lifelong learning, board certification, and the development of the next generation of security leaders.</p><p>The Presidential Award of Merit is presented to individuals who contribute to ASIS as exemplary volunteer leaders. The 2017 recipients of the award are Joseph N. Masciocco and Les Cole, CPP. Masciocco, president of Security Integrations, is a 33-year member of ASIS who is a senior regional vice president. He has been involved in ASIS volunteer leadership since 1995.</p><p>Cole, who passed away on September 15, 2017, was an ASIS member for 41 years, and served as a council vice president from 2011 to 2016. Don Knox, CPP, a fellow council vice president, accepted the award on behalf of Cole and his family.</p><p>The Certification Organization Award of Merit goes to entities that have made strides advancing the professionalism of the security field through board certification. The award was presented to Guidepost Solutions and Tech Systems.</p><p>In addition, the Certification Regional Award recognizes individuals who help advance ASIS board certification. Winners this year are Randolph C.D. Brooks, CPP, Region 6C; Mushtaq Khan, CPP, PCI, PSP, Region 13A; J.D. Killeen, CPP, Region 6B; Allan L. McDougall, CPP, PSP, Region 6B; Garfield A. Owen, PSP, Region 7B; Percy J. Ryberg, CPP, Region 8C; Jasvir Singh Saini, CPP, Region 13A; Gwee Khiang Tan, CPP, Region 13B; Larry D. Woods, CPP, PSP, Region 4A; and Richard J. Wright, PSP, Region 3C.</p><p>The I.B. Hale Chapter of the Year Award recognizes chapters of ASIS who excel in membership growth, educational programming, publications, and the advancement of the security profession. The chapters recognized in 2017 were the Mexico City Chapter and the National Capital Chapter. </p><p>The Roy N. Bordes Council Member Award of Excellence, presented to Doug Powell, CPP, PSP, distinguishes an ASIS council member who helps engage the next generation of security professionals through sharing their knowledge and expertise with ASIS educational programs and publications.</p><p>The E.J. Criscuoli, Jr., CPP Volunteer Leadership Award was presented to Dr. Rolf Sigg. This award acknowledges the contributions made by one member to ASIS’s chapter and regional levels over an extended period of time.</p><p>The Matthew Simeone P3 Excellence Award is administered by the ASIS Law Enforcement Liaison Council and recognizes programs that promote cooperation between public and private sectors. The 2017 award was presented to the Columbus Police Department’s Capital Crossroads and Discovery SID Program.</p><p>The Transitions Ad Hoc Council, with the support of the ASIS Foundation, confers three Council Certification Scholarships to individuals serving in law enforcement who are seeking ASIS board certification. In 2017, the scholarships were awarded to Lieutenant Chapin T. Jones of the Louisville (Kentucky) Metro Police Department, Officer Henry K.S. Chong of U.S. Customs and Border Protection, and Lieutenant Brian T. Woods of the Los Angeles Police Department.</p><p>The ASIS Foundation also supports the Military Liaison Council Certification Scholarships. The 2017 recipients of these scholarships are Lieutenant Colonel Robert Kwegyir Sagoe, who serves at Headquarters Northern Command in Ghana; Master Sergeant Liviu Ivan and Lieutenant Colonel Eric Minor, who both serve in the U.S. Army at the Mission Command Center in Ft. Leavenworth, Kansas; and Lieutenant Colonel Richard Cobba-Eshun, who serves in the Department of International Peace Support Operations for the Ghana Armed Forces.</p><p>This year is the 40th anniversary of the ASIS International Board Certification Program, initiated in 1977 with the Certified Protection Professional® (CPP) designation. Four individuals have been active CPPs since the program’s inception. They were recognized at the Opening Luncheon on Monday, September 25. They are Dr. James D. Calder, CPP, professor at University of Texas; Don W. Walker, CPP, chairman of Securitas Security Services USA, Inc.; Dr. Kenneth G. Fauth, CPP, senior consultant at K. Fauth, Inc.; and James P. Carino, Jr., CPP, senior consultant at Executive Security Consultants.</p><p>ASIS salutes all these award winners for their valuable contributions to the security profession.</p><h4>A Digital Transformation</h4><p>Remaining relevant in today’s on-demand, content-driven world means that associations must be data-driven, customer-obsessed, hyper-connected, and agile. The need for innovation has never been greater.</p><p>With a clear directive to transform the organization through the strategic use of technology, ASIS strives to remain at the vanguard of the evolving security profession. It is currently engaged in a broad range of innovative projects, including a major redesign of the primary website and the underlying technologies that support both rapid content creation and the online and mobile member experiences that users expect in the consumer world.</p><p>In early 2018, ASIS will launch phase one of a multi-year transformation project focused on improved and personalized content access, user-centric search and commerce, online community, and integrated systems for learning and certification.</p><p>Building on a world-class enterprise system for commerce and content management, the new website will use a taxonomy structure to drive better content organization. Users will enjoy an intuitive and dynamic navigation structure to browse the site, and they will be presented with streamlined, personalized content.</p><p>One of the key strategies is to create a powerful search function that will unify content from a variety of ASIS sources (Web, learning, Security Management, and events, for example). By creating a search-centric site that allows users to filter results, ASIS will be able to meet its goal of helping members in their “moment of need” by providing resources of all types in a single interface.</p><p>There will be a major facelift for the website, incorporating a more graphical and modern interface with relevant imagery, infographics, and videos to present content in a variety of ways on both desktop and mobile devices. </p><p>The “mobile first” initiative also ensures that all online experiences—from search to joining the organization—are simple and engaging on any device, regardless of size. In addition to the website overhaul, ASIS will be upgrading its membership database, including new functionality for engagement, certification, profile management, and data analytics.</p><p>The system will be tightly integrated with the website to ensure a positive user experience across platforms. ASIS will be asking members to fully update their online profiles, both to help drive online personalization and to comply with the EU General Data Protection Regulation, which takes effect in 2018.</p><p>Finally, ASIS will launch an online community platform aimed at providing its customers, members, and prospects with one secure location to interact and build value within the security profession. By providing an online home where members can network, share ideas, answer questions, and stay connected, ASIS will empower them to engage in real time with their peers, chapters, ASIS staff, and industry experts. The online community tools will also allow the Society to provide more engagement for committees, councils, and chapters, and serve as a dynamic online membership directory.</p><h4>Life Member</h4><p>Michael A. Khairallah, a member of the New Orleans Chapter since 1981, has been granted Life Member status. He has served ASIS as a regional vice president, assistant regional vice president, and chapter chair.</p><h4>​MEMBER BOOK REVIEW</h4><p><em>Implementing Physical Protection Systems: A Project Management Guide</em>. By David G. Patterson, CPP, PSP. CreateSpace Publishing; available from ASIS; item #2335; 330 pages; $58 (members); $63 (nonmembers).</p><p>Author David G. Patterson, CPP, PSP, drew on decades of experience in physical security project management to write <em>Implementing Physical Protection Systems: A Project Management Guide. </em>The book is a comprehensive guide to the processes involved in setting up various elements of physical security plans.</p><p>As a follow-up to the author’s prior text, Implementing Physical Protection Systems, this book is geared towards the project management aspects of any physical security endeavor. It provides a clear review of the many topics under the umbrella of physical security. While covering many of the basic elements of physical security (lighting, fencing, alarming, and cameras), it also goes into the more technical aspects of cabling and necessary support networks.</p><p>If you are not a physical security specialist, but aspects of the technology side of security still fit within your area of responsibility, this book may be appealing. The text is simple to understand and the more complex parts of these projects are explained in terms that most security generalists will be familiar with.</p><p>A longtime member of the ASIS Physical Security Council, Patterson compiled information and concepts from experts in the technology aspects of security, delineating steps of the project in easy-to-read references. From risk assessments to deliverables and all action steps in between, his book serves as a valuable guide. Borrowing from the simple explanations he provides may help security practitioners explain the processes to nonsecurity leaders. For example, there is a section on documenting effectiveness, which can easily translate to return on investment, a term that every business leader should understand.</p><p>Clearly not intended to be the definitive text on all technical aspects of implementing security projects, the book will serve well as a resource to pull off the shelf at the onset of a new physical security project.</p><p>[Note: Author David Patterson passed away September 2, 2017.]</p><p><em><strong>Reviewer: Michael D’Angelo, CPP,</strong> is the principal and lead consultant for Secure Direction Consulting, LLC, a Florida-based independent security consulting firm. He served on the South Miami, Florida, Police Department for more than 20 years, retiring as a major. He is an ASIS member and currently serves on both the Healthcare Security Council and the ASIS Transitions Ad Hoc Council. ​</em></p>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Unseen Threat<p>​Traditionally, factory security assessments have been directed towards the inside of the factory or plant and not to the more exposed perimeter, including the perimeter wall of the factory structure and the fence line. Similarly, assessors often look at the factory’s cyber network and examine the configuration of servers, switches, and human-machine interfaces, but may pay less attention to the outside of the facility walls and physical grounds because they tend to fall outside the classic cyber and physical security boundaries. </p><p>However, with the increased awareness of the security weaknesses that industrial control systems face, there has been a growth in requests to security and consulting companies for combined cyber and physical security assessments of factories and critical infrastructure. The North American Electric Reliability Corporation (NERC) puts out Critical Infrastructure Protection (CIP) standards that strengthen the cybersecurity of North American electric grid operations, and recent updates emphasize the importance of strengthening both physical and electronic security perimeters. </p><p>A shift in the industry toward enterprise security risk management (ESRM)—which focuses on using risk assessments to inform an organization’s security approach—moves beyond assessing physical security. However, this can be a difficult shift for facilities that do not have a clear risk profile.</p><p>This gap in the security assessment process offers an opportunity for plant managers to take an ESRM-inspired approach and better understand their security and infrastructure vulnerabilities to both physical and cyber threats.​</p><h4>DRAWING THE LINES</h4><p>Two security concepts raised in the NERC CIP are related to electronic security perimeters (ESPs) and physical security perimeters (PSPs). The ESP is an imaginary perimeter drawn around a set of critical cyber assets and is usually defined by the location of perimeter access points such as firewalls and modems. The PSP is typically defined as a six-sided border that surrounds critical assets. In the NERC model, the border is intended to totally enclose the ESP. </p><p>Although the ESP is a logical, imaginary depiction, it gives a sense of the electronic traffic flowing into and out of a critical set of digital assets as well as the physical plant. This assessment is normally performed by evaluating network topology diagrams, walking down network systems looking for telephone and wireless infrastructure, and conducting interviews with plant operations technology staff. If done thoroughly, the assessors are also looking at wireless traffic such as cellular, LAN network, or Wi-Fi connectivity flowing across the ESP.</p><p>A PSP is more readily determined and tangible. Here, security is literally walking along the perimeter of a room or building that is enclosing the ESP. Security is normally looking for any means of physical penetration such as doors, ventilation louvers, or an opening under the wall or fence. A PSP determination is more natural and can be readily performed by a skilled physical security professional.​</p><h4>ELECTRONIC PERIMETERS</h4><p>A structured but more unusual way to approach a facility assessment is to start with the ESP and PSP concepts in mind and to apply them to the footprint of the facility being examined.  </p><p>Begin with an overhead view of the facility and the corresponding fence line if possible. One technique is to obtain the satellite view of the facility from an online mapping tool such as Google Earth. Alternatively, a plan view drawing of the facility and surrounding grounds obtained from the facility service manager may be used.</p><p>Using this overhead view, draw a border around the facility perimeter with an optional border at the fence line. Once the analysis boundary has been identified, pinpoint both tangible and invisible services and activities, including underground, airborne, or surface vectors. Consider services that cross this boundary and place them on the map where they enter the facility.</p><p>Infrastructure to consider includes electric power feeds from substation or emergency generators, natural gas or propane, water, sewer, enterprise and public fiber connections, telephone and cable television lines, and other commercial services. Inbound services such as product feeds from other facilities and deliveries like mail or packages, as well as outbound shipments, should also be taken into consideration.</p><p>Electronic signals that cross in and out of the facility include Wi-Fi, cellular, radio, and satellite communications, and these should be included on the risk map. For example, while performing an assessment of a client’s facility, including a wireless security inspection, Wi-Fi service was detected but was not owned or provided by the enterprise. The investigation revealed that the signal was from a nearby house and was not secured, allowing employees and visitors at the factory to connect to the rogue Wi-Fi. Such a connection could contaminate the individual’s laptop or mobile phone, as well as other Wi-Fi–equipped devices, with a worm, virus, or ransomware from the unknown and uncontrolled Wi-Fi.</p><p>A similar vulnerability was discovered at another power plant: a contractor’s trailer adjacent to the plant fence line had an insecure Wi-Fi set up, which was available inside the power plant.</p><p>Depending on the age and type of property, identifying these services may be a challenge. Older facilities may not have the necessary drawings, infrastructure diagrams, or employee knowledge to identify where the underground lines are for some of these services. Older facilities also suffer from abandoned equipment and systems that tend to be ignored because they are no longer in service. If the client has recently purchased the property, it may not know where these services enter or exit the plant.</p><p>An additional complication is that some services have dual feeds from separate locations. For instance, a data center will normally have redundant power and communications at different perimeter locations. These should be reflected on the analysis mapping.</p><p>Once these various activities and services have been identified and listed, begin looking at the vulnerabilities each poses to the plant and to the availability of the facility operations. </p><p>The perimeter assessment should be more holistic than simply walking down a fence line or the perimeter of a building. For example, while performing this analysis for a client, a problem was identified with the underground water feed into the plant. The plant had only one line entering the plant supplying potable water, service water, and fire protection/sprinkler water. The line ran under the fence, across a large field between the fence and the factory itself, and then into the building with some feeders going to the fire pumps located outside the factory in a field. The line could be subject to backhoe or digging damage because it was not effectively marked, but the larger problem was outside of the fence.</p><p>Beyond the fence line was the water service building—a small, unmarked wooden structure that contained the tap into the local city water supply, as well as several isolation valves and a flow meter for billing and volume calculations. The inspector discovered the building open and unoccupied—the door padlock was hanging open on the hasp. This would have allowed an attacker to shut the water supply valves and take advantage of the unlocked padlock to either lock the valves or close and lock the building door, thus delaying emergency responders to reopen the valves. Such an attack would have posed serious consequences for the factory because closing these valves would have shut off all water to the facility.</p><p>The inspector needs to look at all telltale signs and artifacts—many of which are prominently placed—that could tell an attacker where a softer and more vulnerable service feeding the plant is located. For example, site and facility architects use underground vault covers that explicitly label the service. That practice can be helpful for maintenance and emergency response but it also provides an easy target for criminals. </p><p>Similarly, the way these vault covers are secured could be problematic. The covers should be locked, but an added layer of security includes using tamper-resistant fasteners or proprietary screw heads and bolts.</p><p>Conducting an integrated, ESRM-based analysis helps bring awareness of what crosses facility boundaries, whether it be in electronic or physical form. It encourages plant managers to document underground infrastructure and fill gaps in knowledge, and provides enhanced planning for both physical and wireless attacks from modes ranging from surface injections to airborne threats. By mapping out both the physical and electronic perimeters, a facility’s security approach can be based on what can and cannot be seen.  </p><p><em>Ernie Hayden, PSP, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), SANS Global Industrial Cyber Security Professional (GICSP), is the ICS cybersecurity lead at BBA, a Canadian engineering company. He is a member of ASIS. ​</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465