Wednesday, October 31, 2012

Computer Security Giant Speaks Out on Current Sub-Optimal State of Affairs

Cybersecurity-oriented readers,

In case you didn't see it in the flurry of all the Sandy-related news (or because you didn't have power for related reasons), I wanted to make sure to acquaint you with one of the living legends in our field, Peter Neumann, who, with DARPA's help, is still going strong.

In short, Dr. Neumann has been:
... a voice in the wilderness, tirelessly pointing out that the computer industry has a penchant for repeating the mistakes of the past. He has long been one of the nation’s leading specialists in computer security, and early on he predicted that the security flaws that have accompanied the pell-mell explosion of the computer and Internet industries would have disastrous consequences.
There's much more to say, but I believe the NY Times' John Markoff will say it better than I would, so click HERE to go straight to the article.

Tuesday, October 30, 2012

For Energy and other Critical Infrastructure Companies, Supply Chain Security Trap Door Remains Wide Open

Another week, another awful revelation related to security weaknesses in widely (and I do mean WIDELY) installed control system products. Last week THIS and that were revealed; now this week we pile on with an issue whose impact seems well nigh insolvable.

From Ars Technica:
"The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands," Reid Wightman, a researcher with security firm ioActive, told Ars .... "There is absolutely no authentication needed to perform this privileged command," Wightman said.  Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks.
Perhaps we'll learn something in coming weeks that will reveal the scope isn't as big as it seems. But until then, I'll leave you with a comment from one of the Ars readers that gets to the heart of the supply chain security challenge:
If it sounds too stupid for words BUT it would make life easier for the developers or admin, then it's sure to have happened. 
Sad, but I'm afraid, true. HERE's the whole article for you.

Tuesday, October 23, 2012

Good ICS-CERT Guidance for You, Electric Utility Security Pro

Hat tip to Jeff M aka Mr. NISTIR. Surely you've seen reports in the press and, depending on who you are, maybe through more official channels, that companies in every sector are under persistent cyber assault these days. The DHS and other US Federal agencies are working overtime (sometimes literally, sometimes figuratively) to keep up.

With our own sector in mind, DHS recently published ICS-CERT Technical Information Paper ICS-TIP-12-146-01A: Targeted Cyber Intrusion Detection and Mitigation Strategies. I think you'll find this material very helpful, no matter what level of technical depth you possess.

Friday, October 19, 2012

Supply Chain Security Awareness on Upswing for Energy and Comm Sectors

10/25/12 Update: Huawei just said it is ready to have all its source code tested for security. Would other vendors be so bold?

------------------

If you don't subscribe to the online version of the Wall Street Journal, you probably don't get its daily CIO feed, which provides a nice topical tapas-sized taste of what's on folks' minds every morning.

One of those folks is me, and I've been stirred up lately by all the press (The Economist, 60 Minutes, etc.) and Capitol Hill attention Chinese communications equipment maker Huawei has been getting. Personally, I haven't had any direct contact with Huawei or its products, but I have a gut-level response when a company gets pilloried solely on where it's headquartered or the nationality of the owner(s).

Wednesday, October 17, 2012

Electric Sector Security Metrics Mother Lode

Not all of these are technical metrics, nor are they all, technically, metrics.

But in the space of just a few months this summer, North American electric utility executives and their security leadership have seen a spate of new guidance documents published that intend to help them manage, monitor, and measure the effectiveness of their cyber risk mitigation strategies and controls.

Where once there was just the cross-sector ISO 27000 series to steer your security course by (or for Federal folks, FISMA), there are suddenly a near handful of freshly minted how-to manuals at their disposal:
  • DOE's Electricity Subsector Cybersecurity Maturity Model (June 2012): metrics for utilities to use to baseline and gauge effectiveness
  • DOE's Electricity Subsector Risk Management Process (May 2012): helpful in translating cybersecurity into a risk management framework
  • NARUC's Cybersecurity for State Regulators (June 2012): questions utilities will be asked by their state public utility commissions
  • NIST's NISTIR 7628 Assessment Guide (Aug 2012)
And if you live in or keep an eye on California, then there's the metrics work and data privacy rules of the California Public Utilities Commission (CPUC) to consider. It's working collaboratively with the three big investor-owned utilities (IOUs) to bring Smart Grid metrics to fruition, and despite some initial skirmishing, seems resolute in adding security metrics to the mix.

So now maybe the guidance utilities need most is this: with limited resources already maxed out on NERC CIP-related activities, how to select and implement the best and most helpful pieces from the list above.

Ironic, is it not, to hear the SGSB describe a flood of security metrics in our industry?

Tuesday, October 9, 2012

Conference Alert: A Risk Management-Focused GridSec

Things have been changing over the course of half a dozen or so GridSec conferences the last 3 years:
  • Increasingly, a risk management vs. pure compliance approach to security is in evidence at utilities
  • Practical, business-oriented metrics and measurement mechanisms are being developed and used to increase visibility and understanding of current state and challenges, and to facilitate prioritization
  • Describing security requirements and incidents in language more accessible to management and more aligned with core utility values and business drivers, including safety and reliability
  • More attention to Operational-side issues
What attendees will experience at the upcoming summit is an update on the evolution of grid security, privacy and compliance issues that reflects the evolution of the bulleted points above.

The details you need to get/be there:

  • When: 22-24 Oct 2012
  • Where: PG&E head office, 77 Beale Street, San Francisco, CA
  • Web page for more info and reg: HERE

Lots of great speakers are lined up and the hallway talk is always interesting too. Hope you can make it.

Tuesday, October 2, 2012

Electric Sector Vulnerability & Breach Round-Up

Thanks to Jeff St. John at Greentech Media for doing all the legwork required to put together this comprehensive yet readable account summarizing most/all of the recent activity.

As a non-alarmist, there are a few lines I'd write differently, I'd use a different image, and the term Smart Grid is used loosely, as a number of these events and vulnerabilities are not related in any way to Smart Grid technologies.

But overall, I like that all of these things are in one article. And I think Jeff does a good job, as a non-security expert, of capturing the scope of this problem set:
That makes securing today’s grid a matter of upgrading the ability of millions of endpoints like smart meters and grid controls, along with the chain of networking and software that binds them to the utility enterprise, to protect themselves from attack, as well as warn the system when that attack is occurring, which can trigger a series of security responses to detect, prevent or minimize it -- a so-called “defense in depth” approach.
So, have a look HERE, when you're ready to get stirred up by all the recent reports.

Oh, and don't forget, the White House just acknowledged a significant attack (thanks Al Jazeera and others) and big US Banks have been getting hammered by large denial of services attacks the past few weeks as well. More on those HERE.

Looks like we all had better be working harder and smarter going forward.

Photo credit: Boston.com

Monday, October 1, 2012

Utilities to Commerce Chairman Rockefeller: Let's Talk and Team on Cybersecurity

We've been watching the back and forth for several years now. 2010's GRID Act didn't make it across the legislative finish line, and a similar fate just befell the Cybersecurity Act of 2012.

In response to a recent letter (read THIS first if you can) from Senate Commerce Committee Chair Jay Rockefeller, the four most significant electric utility groups banded together to craft a response. And what a great response it is!