Monday, February 27, 2012

Hayden Goes Inside on Grid Security for Internal Threats

Sometimes it's the ones you trust the most who can hurt you the most.

It's not something I normally say when meeting with clients, but after attending maybe a thousand or so on-site and virtual security presentations to all manner of customers and organizations, one very common statement you hear is that insider threats are more pervasive and potentially damaging than external threats.

If you buy that (and I recommend you do), it sort of makes you look at your employees and colleagues a little differently, right? Maybe you need to add a mind reader or at least a psychiatrist to the payroll, though today there are analytics that can greatly help identify the rotten eggs.

Electric grid security expert Ernie Hayden is back again, this time with a piece on internal organizational cyber introspection (article HERE). I'll give you a tapas-sized preview with an excerpt you won't reach till near the end:
The bottom line is that insider threats can (and probably have) happened to every enterprise. With the increased global nature of business competition, it wouldn’t surprise me if this challenge increases, along with increased external cyberthreats to our IT systems. Organizations must always remain alert to the insider threat, including making plans for the inevitable risks to systems. Those organizations that are knowledgeable of the risks and are well prepared for such eventualities will benefit from knowing how to respond quickly to reduce or prevent the insider threat.
To me, that's a call to action for preparation, practice, and resiliency capabilities. In case you miss it as you read through Hayden's article, he and I suggest you follow the link inside to Carnegie Mellon University's CERT Insider Threat Center. It has a tremendous amount of useful information on insider threat issues, how to detect them, how to defeat them, etc.

Note: If you're not already registered on the SearchSecurity site, becoming so is not difficult or time-consuming; just make sure you don't accidentally agree to get spammed. There's a nice opt-out selection near the bottom of a long list of subscription choices.

Photo credit: Alisha Rusher on

Saturday, February 25, 2012

Weekend Youtubing: "Smart Meters are not a Killer Fascist Conspiracy"

I have found the ultimate antidote to the sum of all Smart Meter fears in the form of this video. Before you start it, however, please note that it's really not entirely safe for work. It has many funny bits but a few naughty bits too. Ok, you've been warned ... now enjoy.

Thursday, February 23, 2012

Fifteen Minutes for a Better Grid Security Workforce

Not too long ago I posted on the NBISE effort to build a better security professional for critical infrastructure sectors like ours. A lot of work (especially groundwork) has been done since then, and now NBISE is ready to take it up a notch, with broader input from the wider world ... including, potentially, you.

Check this out:
The National Board of Information Security Examiners (NBISE) is partnering with the Pacific Northwest National Laboratory to contribute to the development of the U.S. cybersecurity workforce by developing a detailed Job Performance Model (JPM) for Smart Grid cybersecurity personnel in the functional areas of security operations, intrusion analysis, and incident response.

NBISE and PNNL manage the Smart Grid Cybersecurity (SGC) Panel, which oversees and contributes to the Department of Energy’s efforts to develop a job competency model and assessment focused on the job responsibilities and unique skill set of Smart Grid cybersecurity specialists. This SGC survey seeks to determine the critical cybersecurity job tasks in the Smart Grid environment.

This survey is an important step towards the development of a job performance model for cybersecurity roles necessary to secure and protect the Smart Grid. If your expertise and experience is related to security operations, intrusion analysis, and/or incident response, then this survey is for you. Details:
  • The survey will require approximately 15 minutes 
  • You may participate in this survey using any web browser and will require no special software 
  • This survey is anonymous. The record kept of your survey responses does not contain any identifying information about you unless a specific question in the survey has asked for this. If you have responded to a survey that used an identifying token to allow you to access the survey, you can rest assured that the identifying token is not kept with your responses. It is managed in a separate database, and will only be updated to indicate that you have (or haven't) completed this survey. There is no way of matching identification tokens with survey responses in this survey.
Got it? Ready? Well here you go ...
For further information regarding the Smart Grid Cybersecurity Panel Job Analysis Questionnaire, please click HERE. Additional information on NBISE and its Job Performance Methodology may be obtained by clicking HERE.
Photo credit: Dave Stokes on

Tuesday, February 21, 2012

Responses to Post on James Lewis and 2012 Cybersecurity Act

I get many great responses to posts here at the SGSB, but seldom as many and as quickly as were elicited by last night's post: A Grid Guy's Perspective on James Lewis' Testimony re: the Cybersecurity Act of 2012.

Here are two of the best for your consideration and edification.

The first is from Joe Weiss of Applied Control Solutions:
Jim Lewis may not be aware that more than 200 actual control system cyber incidents have occurred to date. There have been more than 20 control system cyber incidents in the North American electric grid including three major cyber-related electric outages and 2 nuclear plants shut down from full power. Unfortunately, even though the batting average is still low, it is not minuscule anymore.
If this is so, then why did James/Jim Lewis choose to omit the control systems info? Or maybe it wasn't intentional? I really don't know, and Joe doesn't either. BTW, Joe has a blog of his own and it's completely Unfettered.

Now see this, from Bryan Owen of OSIsoft, who comments both on Lewis' testimony and on my glass-half-full characterization of the NERC CIPs:
On one side we need to let the market work – let entities who suffer a breach pay the price (even the ultimate price of survival). Regulation is needed where a breach affects others and especially as remediation approaches the business capital value. Certainly for the grid, cascading fault is a very real consequence with high cost impact. However, I won’t go so far as to agree the CIPs represent an effective defense in this context. To clarify, the CIPs do provide some margin of effectiveness for major control centers (no surprise since NERC 1200 effort focused on these domains). Much of the mess with CIP today comes from misapplication of control center centric protection to highly distributed systems and assets.
I'm pretty sure he knows more than I do, so I'll let those remarks stand and try to get smarter. Anyway, that's all for now. Would really like to get James Lewis' response. Let's see what we can do ...

Monday, February 20, 2012

A Grid Guy's Perspective on James Lewis' Testimony re: the Cybersecurity Act of 2012

James Lewis is Mr. Cybersecurity these days. A colleague (hat tip: Steve O) just sent a note out pointing to a new article appearing front and center on tonight, featuring prominent statements by Dr. Lewis, the Tech Policy Director of K-Street think tank CSIS.

Two weeks ago I wrote a post that ridiculed as alarmist a few quotes, including one ostensibly made by Lewis, that appeared on another well-known financial media site.

And just last week he testified before a Senate subcommittee about what he likes, and what he finds wanting, in the draft bill that's looking increasingly likely to make it through Congress sometime soon.

You should note that unlike last year's Grid Act which passed the House (HR 5026 Grid Reliability and Infrastructure Defense Act), the focus of the current bill, and therefore of Lewis' testimony, is not energy sector specific. Here's one of his opening sections in which I find nothing not to like:
Reducing risk and vulnerability in cyberspace is a fundamental challenge. In considering this problem, we have learned through painful experience that market forces will not secure cyberspace and that existing authorities are inadequate for national security and public safety. The list of private sector companies, including technology leaders, whose defenses have failed is long and would be longer if all breaches were disclosed. Continuing to use a voluntary, market-driven approach to this new national security concern is irresponsible and guarantees a successful attack against our nation.
Our sector, of course, has the NERC CIPs. Much derided in some circles, though in my mind a huge improvement over the kind of security we'd likely see from pure "market forces," the NERC CIPs are anything but voluntary. And when versions 4 and/or 5 go into effect, they'll cover many more systems and require more security controls for most of them.

The 2012 Cybersecurity Act aims to give DHS the lead in securing critical infrastructure, and it's unclear to me how it might supplement or complement the current NERC CIPs. More on that later.

Meanwhile, towards the end of his testimony, Lewis sounds a positive note that quickly turns ominous:
Anyone who tells you that we do not know how to do cybersecurity is sadly out of date. The National Security Agency, the National Institute of Standards and Technology, and other Federal agencies are pioneering techniques that can strengthen America’s defenses. But while we can require implementation and measure the rate of implementation in the Federal government, there is no comparable ability to measure and secure commercial critical infrastructure. This remains the single largest vulnerability for America in cyberspace.
So while we have the NERC CIPs, you can take his point about "no comparable ability to measure" critical infrastructure to mean that while audits occur and fines are sometimes levied, neither DOE, nor FERC, nor NERC keeps track of how the utilities are doing. There's no standard framework that tells us which utilities are doing a great job and which ones are lagging. IMHO that is a problem.

You can read Lewis' full testimony HERE.

And one more thing: on Lewis' CSIS page he also includes a link called Serious Cyber Events. It's a comprehensive list of the most noteworthy known attacks and breaches from 2006 to the present. Out of a total of 87 events cited, only 2 involved power systems:
  • January 2008. A CIA official said the agency knew of four incidents overseas where hackers were able to disrupt, or threaten to disrupt, the power supply for four foreign cities
  • April 2009. Wall Street Journal articles laid out the increasing vulnerability of the U.S. power grid to cyber attack; also highlighted were the intrusions into F-35 databases by unknown foreign intruders
2 out of 87 would be a horrible batting average (.023 - yikes!) on any baseball team. But in this game, which really is no game, it's an average I'd like the sector to maintain. So keep one eye on the NERC CIPs and beyond, and keep the other eye on what James Lewis and Congress have in store for us.

Sunday, February 12, 2012

Sensitive Digital Data: These Days, You Can't Take it With You

Though this may change in the future, I haven't travelled much outside the US since joining IBM. My most recent trip was to three Scandinavian countries, and I have to admit it, I didn't think too much about taking extra security precautions while abroad.

Well, if you know anything about this big company, it's that it does business in almost every country on the planet, and it puts a lot of emphasis on building new business in new and growing markets.

Imagine, as I sometimes do, that I were a senior executive ... or a high-ranking military or government official. Then my preparations and precautions might have been a little different. How different, you say?

Try this on for size, from a description of the recent actions of a senior analyst at the Brookings Institute bound for China:
  • "He leaves his cellphone and laptop at home and instead brings loaner devices, which he erases before he leaves the United States and wipes clean the minute he returns" 
  • "In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely" 
  • "He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive" 
  • "He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop” 
Mind you, it's probably wrong, or at least misleading, to single out China here, because unless I'm very much mistaken, every country has access to most of the same technologies. China is different, though, as a great deal of the hardware in laptops and phones is made there.

If you read down through the comments following the article (and there are many) you may light upon one that caught my eye: "So why would your physical location make that much of a difference?" I'm not technical enough to understand all the implications of this question, but my guess is the answer is "not as much as one might think/hope."

Anyway, something to think about from a national security point of view. And as someone who promotes international conferences on energy and security as part of my social media avocation, I think these issues need to become part of the awareness of everyone in our industry whose travels take them across international borders.

You can read the whole NYT article HERE. I think you'll find it interesting. And, hat tip to Ernie H for providing this LINK to recent guidance on laptop security when travelling abroad. Warning: it's a very long list.

Image courtesy of DeclanTM at

Thursday, February 9, 2012

Webcast Alert: Discussing 2012 Smart Grid Security this Morning on Virtual Energy Forum

I'm the warm up act this morning (2/9/12) for the main show, Dr. Peter Fuhr of DOE, who'll be doing a talk on "The Implications Of Cyber Security For Smart Grid Tech Development".

Show starts at 11 am ET (USA). You can get the details, as well as register to attend, right HERE.

This will be recorded too, so if you come to this post after the fact, it'll be available on demand.

Monday, February 6, 2012

Just when you thought it was safe to Calculate: More "Incalculable" Smart Grid Security Doom for your Consumption

It might be a form of Tourette's, sorry. But every once in a while I feel compelled to shine a harsh light on articles that go too far, or way too far, in the FUD department. Especially those from reputable publications.

What was Said

Here are a few selected citations from the first part of the less-than-soberly titled article in question:
  • "Internet-based terrorists would be capable of causing blackouts on the order of nine to 18 months."
  • “The dollars are incalculable.” 
  • “There’s some percentage of utilities out there that just don’t take this seriously.” 
  • "Energy companies including utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection."  
SGSB Non-Scientific Analysis

If the attacks come from bad guys based on the Internet, then the outages could be 9 to 18 months. I see. And the money at stake is so large as to be impossible to estimate. Thanks to recent debates over the US budget and deficit, my eyes and ears are now well accustomed to figures of $15 Trillion and beyond, but clearly the damages from hacking the grid must be even higher. "Some percentage" ?!? You mean, a non-zero percentage that's so high as to be incalculable, right? And although I've never used the term WTF in this blog before, in the murky world of cyber attack and cyber security, WTF is "an ideal level of protection"?

In case you feel like I'm manipulating you, you can read the whole piece HERE. But suffice it to say, do we really need this? Are these types of "studies" and "journalism" doing much to advance thinking and spur action on securing the grid, or rather simply aiming at inciting panic?

I'll try to keep from blurting out what I really think.

Apocalyptic image courtesy of PSD Collector

Thursday, February 2, 2012

Hayden on Common Security Hiccups in Electric Utilities ... and How to Cure 'Em

It's going to take more than a lozenge to get your utility where it needs to be, security-wise, but this article in SmartGridNews, by former Navy officer and stout energy sector industry veteran Ernie Hayden, gives you some simple ways to get started if you're in the early stages.

First of all, here's his powerful, overarching philosophical restorative:
Why do ... security program weaknesses exist? I suspect it is because security is still a “gotta do” issue rather than a core value.
There's a lot of meaning, and a ton of history, in those 23 words. And so where do core values come from? Why, the executive suite, of course. In my military and post-military careers, I've found that leadership by example is the only leadership that really works.

In the second half of this article Ernie proclaims 5 steps to get well. I don't want to just list them here ... they're worth the effort it'll take you to click through, but note that the first is an echo of the quote above:
Support and emphasis by the CEO and key executives. This is first and foremost.
As we noted in the previous post, one of the clearest and simplest indicators of CEO support is the appointment and empowerment of a senior security executive (no need to reinvent the wheel here; let's do what other sectors have done before us and call him/her the CSO).

I think if your utility could swallow that one recommendation you'd feel better (and remedy a swath of security root causes and symptoms) in no time.

Photo credit: ghindo at