Wednesday, December 16, 2009

More than Taters Found in Idaho

Finding detailed, organized, and educational material that relates traditional IT and cyber security to the challenges of SCADA and the Grid can be a very time consuming activity. There are multiple higher-level documents, and/or very detailed documents, (Here, here, and here, as examples) that help to describe the expanding threat surface that IT enablement and pervasive internetworking will bring, but finding meaningful and relatively detailed information on the topic can be daunting.

For my own bootcamp/bootstrap education, I have been consuming first, "Securing SCADA Systems", by Kurtz, and then "Cybersecurity for Scada Systems", by Shaw. But these are probably more dense than is neccessary for those who are looking for a more readily consumable description of challenges and recommendations. In trying to find that level of content for you, our valued readers, I stumbled upon course material from some extremely helpful folk at Idaho National Labs. Don't let the nuclear tone and front page announcement of graphite testing fool you, there is a four hour course and an eight hour course here, and they have a raft of good content inside.

One of the slides was especially excellent, and I present it here by way of both introduction to our newer readers, and as validation for those who have, with us, been working to highlight and hopefully increase the level of IT/Cyber security discussions that are surrounding the Smart Grid. Here it is:

It is hard for anyone to deny that the worlds of modern internetworked information technology and of the existing SCADA-driven grid are merging. That said, this diagram, which while using information derived in 2007, shows the manifest disconnect in security practices and priorities between the two communities as they operate today. This data is directly in support of much of what we are seeing, and clearly reinforces some recent feedback we have gotten. In moderating a panel at last week's IQPC Scada and Control System Security Summit, Andy and I got a question relating to the new burdens that the Smart Grid was placing on the existing grid for things such as Antivirus/Anti-malware software, Intrusion Detection/Protection, and more. It became clear that these arguably baseline technologies were not yet deployed broadly within the utility community, and that the introduction of the Smart Grid was causing people to finally start to view them as important, if not required. This was not to say that they wanted it, or that they felt comfortable that they could accommodate the additional load on their systems, but the perceived connectivity of the Smart Grid is causing them to consider this, for the first time, as a priority.

Coming from an IT perspective, this was surprising. According to members of the audience, the Windows XP Service Pack 2 BIOS security change that occurred years ago had disrupted multiple SCADA systems, as have more recent instances of corruption and malware, as reported in the media. Considering that, it is almost unthinkable that basic security technologies have not been deployed, even if only in response to the unacceptable vulnerability conditions. Unthinkable or not, we need to start thinking hard about it, because clearly it is happening.

Some of the reasons for this lack of progress are well-known. The overtaxed nature of both the systems and the individuals charged with their operation, the proprietary nature of some of this infrastructure, and the cost-averse nature of many utility commissions all conspire to a preference for the pretense that these are isolated, and therefore inviolable networks.

This slide points out, with vivid clarity drawn from analysis of these control systems, how far there is to go, and how different the drivers and fears of the organizations are from those who typically and aggressively pursue security at a proactive or holistic level.

We are just now beginning to recognize and recommend the need for a balanced approach to IT and Cyber security in the new and existing Grids. The work done at INL is extremely helpful in creating a bridge between the existing and incoming Grid and Smart Grid communities, and I recommend that you take the time to examine it to the purpose of expanding the group that can speak in, and be concerned with, the colliding challenges of internetworked computing, security, expertise, stability, and staffing.

Tasty Tater Image Courtesy of: / CC BY 2.0

No comments: