April 24, 2024

SECURITY SESSIONS: On which pile should I toss this document?

by William T. (Tim) Shaw, PhD, CISSP
Welcome to Security Sessions, a regular feature focused on security-related issues, policies and technologies. In a previous column I touched lightly on the issue of managing information, and the need to establish information categorizations and respective policies and procedures. This is particularly important as regards information that is sensitive in nature, such as any that falls under the requirements of the NERC CIPs or other laws and regulations such as Sarbanes-Oxley and HIPAA. Beyond that, all corporations have information of a financial nature and most will also have information considered as proprietary. Some even have information that they would consider as part of their intellectual property (e.g., secret formulas and recipes). This month we will take a hard look at information management and the associated security issues… – Tim


Companies – and organizations in general – end up accumulating a lot of information over time. In the good old days (i.e., circa the 1970s and prior) that information would have been captured in strictly physical forms: printed and hand-written documents; books and notes; photographs, slides, film, photocopies, audio and video tape; microfiche, etc. Not to say that there wasn’t information contained in the computer systems of the day, but the portion stored on electronic media would have been a tiny fraction of the overall information held by a typical company.

In those days the management, tracking and control of information was done primarily through physical means. And the method for depicting the sensitivity of information was also basically physical: color coded labels, locked filing cabinets, special file folders, cover pages with warning notices, special stickers, etc. Today there is still a vast amount of information maintained in physical forms, and although that ‘paperless office’ we were all promised has yet to arrive, the shift from physical to electronic is well under way, aided by low-cost and high-capacity computer storage, processing power and network bandwidth.

When information is stored electronically there are different challenges in managing its confidentiality, integrity and distribution than those associated with physical storage. Shredding (properly) and burning a paper document effectively destroys it, but merely “deleting” an electronic document doesn’t actually make it go away. If a physical file is handed over from one party to another, the initial party no longer has possession of it, presuming a copy was not made, of course. But sending an electronic document to another party does not eliminate the one held by the initial party since you are actually just sending a copy. Likewise, if someone alters a physical document, that tampering may be easily detected. But alterations to most electronic documents are normally undetectable.

All of this makes for special requirements in order to provide equivalent (or superior) information management in an electronic environment. There are even information management challenges at the transition points between electronic and physical mediums.

For example, many of those networked printing centers and their digital copier/scanners contain hard drives. A document passing through one of them may be retained on disk for an undetermined time until eventually being overwritten. The study and addressing of these issues is part of what Information Technology is all about – well, that and getting your PC working again when you catch the latest virus or forget your new, really-long-and-complicated password!

From this point, I’ll restrict my discussion to electronic information management, since most organizations already have processes and procedures in place for managing physical information. (They may be terrible, but they probably exist!)

The first step in managing information is to make a determination of the various categories of information you need to manage and protect. Then, you need to define the rules for controlling access to such information and the protective requirements for that information within each category. Typical information categories include things like company financial information, customer proprietary information, personnel/employee information, sales and marketing information, production information, payroll information, maintenance information, and so forth. For electric utilities, there is also the information associated with critical bulk electric system assets, the associated cyber systems and the cyber security program itself, all of which must be identified and protected per NERC CIP-003.

Information access control determines who is allowed to see, copy, modify and delete information, along with the procedures and mechanisms associated with each such activity. Some categories of information may be freely available for all to see – but not to alter or delete. One example of this category is the information posted on your company web site.

Other information may be restricted to only employees (i.e., “company internal”) or subsets thereof, as defined by job function or title or department (e.g., only people in HR can access personnel information and only people in accounting can access payroll information). Individuals within a given access group may vary in the extent of their permitted access. That is, they can see but not delete, or see but not copy, the information.

Some information needs to be especially well protected due to the consequences that could result from its loss, disclosure to unauthorized individuals or alteration of the information without permission. Everyone understands that having a drug formulation improperly disclosed could have major financial consequences. However, it’s less obvious to people outside the industry – and perhaps some people inside the industry – that having generation unit outage schedules disclosed could impact the bid price in a power market.

NERC CIP-003 requires a utility to protect sensitive information associated with its critical assets, systems and cyber security program; failure to do so could result in a violation and a subsequent penalty. Protection of information may involve the use of encryption to make the information unusable to those not authorized to have it, and it may also involve duplicating the information – whether on a ‘shadowed’ disk or by making a backup copy on removable media – to prevent any data losses due to computer failures. Cryptography, in the form of “hash codes” (also called message digests) generated from a given document, can also be used to detect alterations of that document: any change to the document produces a different digest. Access to information can be restricted and controlled by the assignment of user accounts that allow/deny access to specified servers, file systems and/or directories. When information is transmitted between computers (including manual transfer on portable media), encryption can also be used to protect it from eavesdroppers or theft.

As I mentioned earlier “deleting” and/or “transferring” electronic information doesn’t usually have the same results as with conventional (usually paper-based) data storage because with most electronic media, “erasing” the information doesn’t actually make it go away.

So if it’s essential that a file containing sensitive information be truly deleted, then special steps have to be taken to make certain that true erasure actually happens. NERC CIP-007 requires that data storage media from CDAs (critical digital assets) being redeployed or retired must be completely erased or destroyed. Merely “deleting” all the files on, or even re-formatting, a hard drive will not prevent data recovery by a dedicated foe. The National Institute of Standards and Technology (NIST) recommends a multi-pass random data overwriting of a hard drive in order to make its contents truly unrecoverable. Personally, I prefer a sledge hammer.

Change control and auditing of electronic information can also be a challenge. Most of the documentation that needs to be created and maintained as part of a NERC CIP-compliant cyber security program is also supposed to include an audit and approval trail. An electronic document, such as a Microsoft Word document, can include a couple of pages for a modification log and can even use the change tracking features built into that package. But such a log is only trustworthy if everyone having access to the document is equally trustworthy and follows agreed-upon procedures.

Indeed, there is nothing about a basic word processor, spreadsheet or other such application that forces compliance with modification logging and auditing procedures and policies. However, document management packages exist to solve that problem. With such a package, electronic documents must be checked out by users, with the package keeping track of who did this and when. Then, the package compares and logs changes to every document when it is checked back in by a user, as well as recording that event. Most document management packages allow modifications to be rolled back (i.e., undone) to recreate any prior version of a given document.
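As an added illustration (not code from this column or from any document management product), here is a small Python sketch of the mechanisms described in this paragraph and in the earlier one on hash codes: a hypothetical check-out/check-in store that records who changed a document and when, keeps a SHA-256 digest of every version so an altered copy can be detected, logs the differences at check-in, and can roll back to any earlier version. The class and function names are assumptions made for the example.

```python
import difflib
import hashlib
from collections import namedtuple
from datetime import datetime, timezone

# One immutable record per stored version: who checked it in, when, and its digest.
Version = namedtuple("Version", "number user when digest body")

def digest(text: str) -> str:
    """SHA-256 message digest of a document body; any change to the text changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

class ManagedDocument:
    """Hypothetical check-out/check-in store with a digest-verified version history."""
    def __init__(self, user: str, body: str):
        self.versions = [Version(1, user, _now(), digest(body), body)]
        self.checked_out_by = None
        self.log = [f"v1 created by {user} at {_now()}"]

    def check_out(self, user: str) -> str:
        # One editor at a time; record who took the document and when.
        if self.checked_out_by is not None:
            raise PermissionError(f"already checked out by {self.checked_out_by}")
        self.checked_out_by = user
        self.log.append(f"checked out by {user} at {_now()}")
        return self.versions[-1].body

    def check_in(self, user: str, new_body: str) -> list:
        # Only the user holding the check-out may submit a new version.
        if self.checked_out_by != user:
            raise PermissionError("check-in by a user who does not hold the check-out")
        prev = self.versions[-1]
        diff = list(difflib.unified_diff(prev.body.splitlines(), new_body.splitlines(), lineterm="", n=0))
        self.versions.append(Version(prev.number + 1, user, _now(), digest(new_body), new_body))
        self.checked_out_by = None
        self.log.append(f"v{prev.number + 1} checked in by {user} at {_now()}: {len(diff)} diff lines")
        return diff

    def verify(self, body: str):
        """Number of the stored version whose digest matches body, or None if it was altered."""
        return next((v.number for v in self.versions if v.digest == digest(body)), None)

    def roll_back(self, number: int, user: str) -> str:
        """Recreate a prior version as a new, logged version; the history itself is never rewritten."""
        old = next(v for v in self.versions if v.number == number)
        self.check_out(user)
        self.check_in(user, old.body)
        return old.body
```

A copy edited outside the store (by hand in a word processor, say) no longer matches any recorded digest, so `verify` returns `None`; a rollback goes through the same check-out/check-in path so it is logged like any other change.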

Another critical step in managing information is to establish a written policy – as well as the associated educational processes – that will inform and guide employees and contractors as regards the classification, proper handling and required protection of sensitive information. Always remember that if you want people to treat information properly, you must tell them what is expected of them and also explain the consequences for violating the security policy. Where information protection is tied to actual laws or regulations, people especially need to be made aware of this and that there may be legal consequences that go beyond those the company may impose for security policy violations.

Regular readers know that, on occasion, I’ve suggested that IT professionals don’t always understand the subtle but serious differences between pure business/IT systems and mission-critical automation systems. On the other hand, electronic information management is something the IT folks know far better than your average automation/control system engineer. Reaching and maintaining fully auditable compliance with the NERC CIP requirements involves creating, protecting and maintaining a lot of documentation and information. This is one area where I would highly recommend involving your IT organizations. And there are other areas too, but that will be the subject matter for a future column.  – Tim

About the Author
Dr. Shaw is a Certified Information Systems Security Professional (CISSP) and has been active in industrial automation for more than 30 years. He is the author of Computer Control of BATCH Processes and CYBERSECURITY for SCADA Systems. Shaw is a prolific writer of papers and articles on a wide range of technical topics and has also contributed to several other books. He is currently Principal & Senior Consultant for Cyber SECurity Consulting, a consultancy practice focused on industrial automation security and technologies. Inquiries, comments or questions regarding the contents of this column and/or other security-related topics can be emailed to timshaw4@verizon.net.