Thursday, May 31, 2012

Security FUD Alert: Flame On. Flame Off. Flame Out.

Here we go again, and this one is not (energy) sector specific. It's more geo-specific ... see: Middle East and North Africa, at least for now. This is a clear-cut case of marketing security through fear, uncertainty and doubt (FUD), and using the press's predictably Pavlovian response to maximize impact.

Depending on where you fit in the cyber food chain, maybe you like it, but I'm sick of it. Sick of it, I say. And I'm not going to take it anymore! (Yeah, right)

Here's the opening salvo fired on March 29 by InformationWeek (and many others), giving you the fever-pitch, straight up horror story, no chaser:
Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known as Flame ... appears to be even more sophisticated than the Stuxnet.
And with that we were off to the races. Just about every IT, cybersecurity and even mainstream media outlet picked up and broadcast the story in the first 24 hours. No questions asked, it seemed.

Then along comes CSIS Senior Fellow James Lewis, two days later, with something quite a bit more tempered:
Flame is not a weapon, it's not the most sophisticated, it's not really that new, but it might be part of a large battle shaping up over the future of the Internet. Cyberespionage happens every day. This should not be news.
With that, Lewis definitely helped bring the hysteria down a notch or two. Much appreciated, Jim.

Finally we've got what I hope becomes the final word on this event, in the form of a post from my colleague and friend, cybersecurity expert Chris Poulin of new IBM company Q1 Labs. Chris begins:
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
And then Chris turns the mike over to IBM X-Force's statement on the subject:
At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.
Like the way that piece finishes: very very low threat vs. high profile in the press. Succinctly said, and to me, what should be the nail in the coffin of this ridiculous escapade.

Security professionals in the electric sector and elsewhere: how are we going to be taken seriously by senior business leaders if some of us, even a small percentage, keep using misleading, inaccurate and gratuitously sensationalist methods to try and drum up more business? It's embarrassing.

I don't need to tell you there's plenty of business out there for vendors who play fair and square. Don't cry wolf unless there's a wolf. Don't say the sky is falling unless it is. Be good: important businesses and other organizations need your help, but they won't let you help if they don't trust you.

Image credit: Wikipedia

Wednesday, May 30, 2012

Workshop Alert: ENISA Flexing Grid Security Muscles in Brussels

This announcement, from the European Network and Information Security Agency (ENISA), hit my inbox earlier today and you might like to see it, especially if you are based in Europe (or would like a reason to visit). I reduced it down for your more rapid consumption:
  • Title: Workshop on “Security Certification of Smart Grid Components”
  • When: June 27, 2012
  • Where: Rue de la Loi, 130-1040 - Bruxelles (that's Brussels, Belgium, for you non-Euro types)
  • Who (should attend): Participants and speakers of the workshop would be national certification authorities, EU officials, hardware and software manufacturers, energy service providers and certification laboratories from EU and US
  • Organizers: ENISA in cooperation with the European Commission
  • For details and to register, click HERE
The stated objectives of the workshop are to:
  • Support the Member States in better understanding the challenges of the Smart Grid component certification process
  • Contribute in the harmonization of different certification policies followed by the Member States
  • Invite Member States to present their national certification schemes and private sector to present their views on the matter
  • Debate about the possible steps to take, at national and EU level, to speed up the secure introduction of Smart Grids
Sounds somewhat akin to IEC 62443-2-4. Perhaps there's some overlap or potential to leverage existing work. Anyway, if you've got something to contribute, or a desire to learn, go if you can ... and don't skip the mussels.

Thursday, May 24, 2012

SGCC Releases Smart Grid Privacy Fact Sheet

In January of this year we gave you a privacy post related to the Smart Grid Consumer Collaborative (SGCC) from a panel session it organized the day before the Distributech conference in San Antonio.

Time has passed and now the same great org has produced a short, sweet, and very helpful fact sheet on Privacy for the layman, also known as the "man on the street", the "generalist", the "consumer" or from the electric utility industry's point of view: THE CUSTOMER.

The 2-sided sheet contains lots of helpful orienting bits like what's a "smart grid" and "what is a smart meter", but the part I like best comes near the end:
The privacy of electricity usage data is protected now and that will not change with the use of smart meters. Electric companies, the federal government, and the suppliers of critical electric grid systems and components are working together to strengthen consumer safeguards, develop a best-in-class data security model and enforce its implementation.
Talk about a pure pro-education / anti-FUD message. I think I am in love.

Photo credit: Roland at

Tuesday, May 22, 2012

WSJ on Speaking Cybersecurity Truth to Power

This is a short post with a security message that appeared in a prominent place, a message worth repeating.

In the Wall Street Journal's relatively new CIO Journal, editor Michael Hickins highlighted recent statements from a local Boston-area healthcare CIO, and pointed to preliminary findings in a Carnegie Mellon cyber security and corporate governance report.

In "Speak Cybersecurity Truth to Power", Hickins said:
Boards of directors are clueless when it comes to cybersecurity — and that’s a great opportunity for CIOs to prove their worth. John Halamka, the highly regarded CIO of Beth Israel Deaconess Medical Center in Boston, tells CIO Journal that “cybersecurity is a great way to stay in touch with the board because there’s high visibility.”

Monday, May 21, 2012

Measuring Security? In the Electric Sector? Are you Serious? Someone Is.

Tried making the case most recently with Time for Electric Sector to Measure Up on Security and Smart Grid Security Truth: You Can't Do What You Don't Measure but couldn't detect a measurable response.

Without a lingua franca for security, how will anyone ever know which organizations are doing a comparatively better or worse job? Whether one's own organization is kicking butt or having its butt kicked?

Chances are the only folks with this information today are hackers who spread their attacks across dozens of them. They can see which utilities offer them an easier path in than others. But I don't imagine they're sharing this information too freely.

I'm tired of this ambiguity. Perhaps you are too. And so, it seems, is the State of California.

Wednesday, May 16, 2012

Re-reminding you about NESCO's upcoming Electric Sector Risk Management Session

In a few weeks (30-31 May to be specific) there will be another grid security and risk management conference. As someone who keeps an eye on all of them, I can tell you that not all conferences on this topic are created equal, and this one, run by the DOE-funded National Electric Sector Cybersecurity Organization (NESCO), appears to be one of the best.

Posted on it a few weeks ago HERE, or you can go directly to the event site HERE.

Photo credit: New Orleans Marriott

Tuesday, May 15, 2012

Announcing the First Electric Sector CSO List

You've been holding your breath for this, I know, so I'm happy to announce you can resume normal respirational activities. As the title says, this post begins the process of assigning kudos to utilities who've been so bold and proactive as to appoint and empower a senior professional to run cyber security across their organizations.

By this I mean a senior business (more than a technical) professional charged with developing, promulgating and enforcing security policy across operational and information technology boundaries, across all lines of business.

Monday, May 7, 2012

IBM CISO Study as Predictor of Future Electric Sector Cyber-Security

IBM recently interviewed security leaders in a bunch of companies, recorded their responses, and teased out findings that I think you'll find interesting.

Respondents ultimately fell into one of three categories: Influencers, Protectors and Responders. I can't say how many electric sector professionals were queried, but there's a callout box featuring an anonymous VP of IT who is quoted as saying:
Security leaders are becoming more closely integrated into the business – and more independent of information technology.
Right on, and from my interactions with the community, that statement holds true for a small but growing number of utilities.

Wednesday, May 2, 2012

Another Disclosure, this time with ICS CERT's Blessing

We're only a few months past Basecamp, and here we go again. Only this time there are fewer voices urging restraint.

Wired's Threat Level blog put up a story of a certain control system OEM that seemed uniquely unaware of the risks it had built into its products, and unwilling to make a change of any kind. At the time of publication, 25 April 2012, the company still hadn't budged.

Then, on 1 May 2012, the Christian Science Monitor was telling a different story: the vendor pledged to make and distribute a fix.

The Wired article ended with a couple of sentences that concisely capture this problem and make you want to laugh and cry at the same time:
Numerous researchers have been warning about the vulnerabilities for years. But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.
Have you heard the term "goat rope"? How about "goat rodeo"? This situation is definitely one of those ... and maybe both. Hope both the vendor and user sides figure out how to get their ducks in line, and fast.

Photo credit: Mike Baird at