Tuesday, March 30, 2010

Old Reliable: A New Grid Needs New Virtues

On March 24nd, the US House of Representatives Subcommittee on Energy and the Environment considered and approved a new piece of legislation, the "Grid Reliability and Infrastructure Defense (GRID) Act ", moving it to the full Energy and Commerce Committee for debate. It was co-authored by Massachusetts' own Ed Markey, and is intended to raise awareness and responsibility for protecting the next generation of electrical grid infrastructure, the one that gets improved with Internet-style technologies.

It would be hard to argue with the premise of this bill, that our own national defense relies on power, and that power is largely expected to be derived, or backed, by the national Grid. Simple logic tells us that:

Threat to Our Grid = Threat to Our National Security


Andy, in his authorship of the DoD Energy Blog, has often heard and written about the goals of a more independent, but still integrated, relationship between military facilities and civilian power, but any major moves in that direction are still mainly plans and not practices.

That said, and with gratitude for the efforts of the subcommittee to bring additional cyber security focus to the new Grid, there remains a very important disconnect where the legislation must be tuned and clarified if the desired outcome (a more secure grid to better ensure national security) is to be achieved. The issue is that the nature of security on a more interactive grid, comprised of more multipurpose, less synchronous systems, will require a different set of goals and measurements to address and understand the threats that are impending.

The First Pitches

The GRID Act is reported to be a new incarnation of House Resolution 2165, a bill introduced in April of last year, under the title, "The Bulk Power Protection Act of 2009". At the time, Andy and I were just starting to publish our research and thoughts on the Smart Grid Security blog, and we took a trip down to DC to meet with the staffers contributing to Congressman Markey's bill. (We had very similar conversations during that time with Senator Joe Lieberman's team on Senate Resolution 946, "The Electric Infrastructure Protection Act of 2009") We requested that additional descriptive text be added to the limited definitions that were in place to describe the security, the assessment techniques, and the responsibilities, within the legislation. These definitions were all concerned with cyber security issues that impacted reliability, and in a modern interconnected utility, reliability alone is insufficient. Reliability is necessary, but not nearly enough, to provide the protection that our most critical national infrastructure requires.

Why Reliability Is Not Enough

Clearly, consistent and available power is central to the goal of any regulatory or legislative effort. In the new grid, however, reliability as currently defined ignores some extremely common tactics and entry points for attack. An incomplete articulation of the desired security steady state will almost guarantee that important areas will remain unaddressed, and that priorities for security investment will not create the maximum positive effect.

This incomplete view may be related to the natural inclination of the power community to contemplate power as just-in-time inventory, and the grid as a unique and complex set of wires and systems that deliver and balance that power. With that context, the most important events are those that are likely to cause an issue/outage in the very near future. This model, while excellent when considering natural disasters, load balancing, and the avoidance of an imminent cascading failure, falls short in the face of the types of threats that are becoming increasingly likely in a more IT-enabled grid.

In this modern, post-Internet boom Grid, networks have become more exposed, systems are typically more standard and more numerous, and personal computing, whether through email, browsing, or mobile computers, are all part of the equation. Because of this, many threat vectors and risk types are threats first to the integrity of systems, and would only be characterized as threats to reliability during the period of time it takes for them to run and do their damage. Here is an example of the material nature of this disconnect.
Utility IT manager Fred regularly takes his company laptop home in order to monitor some operational information and to catch up on reporting from the day's activities. On reaching home, as Fred connects, he also is receiving emails onto his computer, from both internal and external senders. One of these emails contains a well-constructed spear-phishing attack, which ends up installing a version of the old Worm-SDBot network-sniffer worm on his computer. In the morning, at the office, this worm travels to unsuspecting computers on the network, picking up traffic, and searching for administrative privilege on systems.
Is this a reliabilty problem? I think it would be quite a stretch to construe an operator error/email insecurity as such, particularly given the very clear description of vulnerability within the GRID Act. I also believe that the description would not even characterize the sniffer software ultimately installed on the internal network as a vulnerability:
"(7) GRID SECURITY VULNERABILITY—The term ‘grid security vulnerability’ means a weakness that, in the event of a malicious act using electronic communication or an electromagnetic weapon, would pose a substantial risk of disruption to the operation of those programmable electronic devices and communications networks, including hardware, software, and data, that are essential to the reliability of the bulk-power system."
This is a meaningful disconnect, particularly considering the amount of new investment, the amount of new standards development, and the number of new players entering into the field of Grid Security.

I want to note here that this legislation also completely ignores the security of information that will likely be traveling on these internal Grid networks. While the Grid Act specifies consideration for classified and non-classified information about Grid vulnerabilities and exploits, it remains silent on the subject of protection for financial, personal/private information, and even configuration and control information.

So what's missing?

In general security parlance, a comprehensive security program or approach involves three categories of concern around protection: Confidentiality, Integrity, and Availability (CIA). While one could argue that Availability is addressed robustly in the Act, the first two attributes are pretty much absent. ( Headline: "Two-thirds of Security CIA is MIA in the GRID Act!") These concepts must be introduced and influence any legislation in this space. New legislation must highlight the types of data that need protection, and the integrity of operational systems and records must be assured.

In our 2009 meetings on the Hill, I recommended a few changes that describe the necessities with more detail in these areas.
  • Integrate Integrity
    As a simple exercise in improving clarity, I inserted the phrase "...or integrity..." following every use of the word reliability in the original HR2165. In the Grid Act, an example byproduct of that same exercise would be this change to our vulnerability definition:

    "(7) GRID SECURITY VULNERABILITY—The term ‘grid security vulnerability’ means a weakness that, in the event of a malicious act using electronic communication or an electromagnetic weapon, would pose a substantial risk of disruption to the operation of those programmable electronic devices and communications networks, including hardware, software, and data, that are essential to the reliability or integrity of the bulk-power system."
    Enforcing protection of system integrity would create the drivers to search for and eliminate malware, spyware, and insecure configurations, while also ensuring that the mission-critical data is kept safe and clean.
  • Understand a Wider Group of Threats
    In order to encourage more effort on identification and elimination of spyware and passive reconnaissance programs, I also made an addition to the concept of threat, which originally only called out "disruption" as the negative impact, but which I extended to read:

    "...disruption, or which could otherwise act to reveal, attempt to reveal, or poses a significant risk of revelation of confidential, proprietary, or sensitive information, whether of logistic, personal, or operational nature."
    This language mitigates the risks of more long-lived threats and more passive information gatherers intended to reveal any number of internally identified weaknesses.
  • Share the Love
    Information sharing in the Act centers on the topics of identified vulnerabilities, bad actors, risks, and exploits. These risks, however, can in some cases be mitigated by more educated acquisition behavior. The organizations which buy or regulate the buying of systems have good experience that they can share, and can potentially reduce the likelihood of stranded assets, insecure deployments, and wasted investments. Again, in HR2165, I offered the following paragraph to help bring this concept to the activity:

    "'(3) PROVIDING RECOMMENDATIONS- The Secretary shall provide recommendations regarding appropriate activities pursuant to development of standards for acquisition and assessment of components to any critical electric infrastructure system so as to minimize the opportunity and likelihood of cyber vulnerability, including validation of hardware, software, data, and service components to be implemented in the generation, transmission, delivery, or billing, of electric services."
    If more rigorous best practices can be developed, recommended, and adopted, they will reduce the amount of in-house security verification effort that is necessary for each and every component product or service.
Whence?

Legislation arises from an unusual combination of need, understanding, cost, and will. These are the same characteristics that are driving decisions made on the Smart Grid. We must all look to inform, influence, and encourage legislation that will direct the utility industry to protect both itself and us.


No comments: