Moore Security Blog

The Squirrel Army

Physical Security/Infrastructure Assurance

When designing infrastructure or systems, diligent risk assessment and a holistic approach to security are critical to realizing long-term value, both of those resources and of the security efforts themselves; when treated properly, security cannot be an afterthought. An organization’s entire threatscape must be evaluated from every possible angle, and each threat thoughtfully mitigated. Proper security/assurance requires that security be an integral consideration during design, development and implementation of critical resources and systems. This is due to the unique, broad and deep nature of typical threatscapes. There is no one-size-fits-all approach, but there are a few established frameworks and methodologies which can help, such as Security by Design (SbD) or the Secure SDLC (Software Development Life Cycle). For many organizations such tools are effective at improving the performance and efficiency of security functions.

SbD is more generally applicable to enterprise scenarios, in a variety of contexts including but not limited to physical security. For the power grid, for example, the fundamental principle of minimizing one’s attack surface would have meant designing and installing cables protected from all formidable threats stemming from the intended environment (including squirrels). In a more typical enterprise, an apt example might be a server room or data center housed in a facility in New Orleans, LA, one of the most flood-prone cities in America. You’d be accepting a notable level of risk not to stage each of your servers over a foot from the ground, given several daily rainfall records for the area of 12 to 13 inches. Analysis and design practices which subscribe to the third core pillar (Availability) of the information security triad (Confidentiality, Integrity and Availability) would likely spur auditors/management to identify this flood threat and mitigate it appropriately.

It is always prudent to thoroughly explore and assess hardware-related threat vectors, as well as those of software, business processes and any other information or infrastructure assets. The act of deliberately setting out to minimize one’s attack surface can help open one’s eyes to risks and threats that might otherwise have been missed. The Secure SDLC, on the other hand, is a concept better suited to enterprise (or other) software systems development efforts. There exist several incarnations of the Secure SDLC, and many organizations stand to gain from assessing which of them is the most appropriate fit. Custom tailoring can add additional value. Fundamental to the idea is that security is best addressed as a continuous and integrated concern. In other words, security is baked in any time an opportunity presents itself. For example, your MIS department might require, as part of the Testing phase of its SDLC, security-focused test cases which help ensure appropriate safeguards are in place before end-user use begins. This way security is consistently both less costly and more effective.

When security of any kind is a half-baked effort, or worse, an afterthought, the likelihood and likely severity of exceptions (events or risks not directly accounted for in design/implementation) increase drastically. A current and underrated example of this phenomenon is the ongoing havoc squirrels are wreaking on the U.S. power grid.

As mentioned in 2015 by John Inglis of the National Security Agency, the #1 threat to the U.S. power grid is not a cyber-attack, as many would guess. It’s squirrels. Though plausible, the cyber-attack concerns are mostly theoretical and forward-looking. Meanwhile, we have had power outages in all 50 states caused by various wildlife, led by squirrels, followed distantly by birds, and third and least by snakes. These rankings, by number of reported incidents per species, tend to stay consistent from year to year. According to Cyber Squirrel 1, squirrels, who tend to chew through wire coatings, inadvertently committing suicide by electrocution, have been linked to an average of over 3 dozen power outages per year over the past 32 years. The grid was designed to sufficiently withstand heat, cold, wind and rain, while wildlife was not a consideration during analysis, design, implementation or testing. If it had been, the result would be either an implemented design which mitigates the threat posed by wildlife or a logical reason, based on benefit/cost analysis, why power plant authorities have chosen to accept the risk and resulting losses.

To investigate whether your company might benefit from the Secure SDLC or an immersive introduction to Security by Design (SbD), contact us now.


© 2019 by Moore & Company Advisors L.L.C.