Showing posts with label alarmism. Show all posts

Thursday, May 31, 2012

Security FUD Alert: Flame On. Flame Off. Flame Out.


Here we go again, and this one is not (energy) sector specific. It's more geo-specific ... see: Middle East and North Africa, at least for now. This is a clear-cut case of marketing security through fear, uncertainty and doubt (FUD), and using the press's predictably Pavlovian response to maximize impact.

Depending on where you fit in the cyber food chain, maybe you like it, but I'm sick of it. Sick of it, I say. And I'm not going to take it anymore! (Yeah, right)

Here's the opening salvo fired on March 29 by InformationWeek (and many others), giving you the fever-pitch, straight up horror story, no chaser:
"Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known as Flame ... appears to be even more sophisticated than the Stuxnet."
And with that we were off to the races. Just about every IT, cybersecurity and even mainstream media outlet picked up and broadcast the story in the first 24 hours. No questions asked, it seemed.

Then along comes CSIS Senior Fellow James Lewis, two days later, with something quite a bit more tempered:
"Flame is not a weapon, it's not the most sophisticated, it's not really that new, but it might be part of a large battle shaping up over the future of the Internet. Cyberespionage happens every day. This should not be news."
With that, Lewis definitely helped bring the hysteria down a notch or two. Much appreciated, Jim.

Finally we've got what I hope becomes the final word on this event, in the form of a post from my colleague and friend, cybersecurity expert Chris Poulin of new IBM company Q1 Labs. Chris begins:
"I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny."
And then Chris turns the mike over to IBM X-Force's statement on the subject:
"At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press."
Like the way that piece finishes: very very low threat vs. high profile in the press. Succinctly said, and to me, what should be the nail in the coffin of this ridiculous escapade.

Security professionals in the electric sector and elsewhere: how are we going to be taken seriously by senior business leaders if some of us, even a small percentage, keep using misleading, inaccurate and gratuitously sensationalist methods to try and drum up more business? It's embarrassing.

I don't need to tell you there's plenty of business out there for vendors who play fair and square. Don't cry wolf unless there's a wolf. Don't say the sky is falling unless it is. Be good: important businesses and other organizations need your help, but they won't let you help if they don't trust you.

Image credit: Wikipedia

Saturday, April 21, 2012

April is the Cruelest Month for Critical Infrastructure Security


We have none other than T. S. Eliot to thank for the prescient and uncannily accurate observation he made 90 years ago. Of course he was probably referring to something else ... I can tell you if you really want to know.

As my brother from another mother Earl Perkins just noted in a Waste Land-esque post yesterday, hordes of self-appointed guardians of the realm have decided that it's time to call out the government and corporate conspiracies behind the grid modernization movement. Those scheming elites who either by design, or negligence, are setting us up for a future that would make Cormac McCarthy's The Road look like a stroll through Disneyland.

Perkins, just a hair's breadth away from boiling over, says: "Alright, that’s enough!"

And continues:
I cannot pick up a news feed or peruse a blog about ... industrial control security (e.g. securing the electric power grid, water, transportation, intelligent health care systems, etc.) without reading yet another story about how life as we know it will end any day now once mysterious governments and other dark elements of the Underworld wreak havoc on our comfortable lives. They will hack into nuclear power plants and cause meltdowns, they will control transportation systems and airport control towers and cause wrecks to occur and planes to crash, they will pollute the rivers and shut off the power, they will etc. etc. etc.
Alarmist people, please chill out. Why not use your energy for something more constructive? Take a photography class. Learn how to bake. Re-connect with family. Bike across Europe. 

Alarmists, I bet if you were around when our innovative ancestors were putting the finishing touches on the first wheels, you would have shouted that this technology would eventually lead to deadly cart, then chariot, then coach and car crashes. And certainly the mobility that wheels would enable would threaten our privacy.

Alarmists, I can sympathize. Like you, I sometimes feel anxious. Spring-time stirs my dull roots too with memory and desire. But hey, let's use that energy to build and to secure. Not to tear down.

Listen, Earl's a reasonable man, but you don't want to see him when he's angry. Here's his post in FULL. Have a peaceful weekend all.

Image credit: Pieter Breugel via Exploring "The Waste Land"

Friday, April 20, 2012

Absurd David Chalk Smart Grid Security Talk

I know I tend to respond, Pavlovian dog style, when awful stuff like this pops up, but I can't help it. Perhaps you've seen THIS already, as Jesse Berst wrote a post around it on his widely read SmartGridNews site.

Purported Canadian security expert David Chalk is saying to anyone who will listen (and that's a lot of people) that there's a "100% certainty of catastrophic failure of the energy grid within 3 years."

Chalk's eight-minute, Smart Grid snuff film has all the requisite apocalyptic theatrics of a political attack ad. It shows light bulbs exploding in slow motion, shaky images of the 2007 DHS Aurora attack demonstration already posted on YouTube (HERE again if you like), and the following "Smart Grid Facts":

  • Completely Hackable
  • Bills Going Up
  • Privacy cost
  • Health Issues
  • Fires
  • Democracy Gone?

Beyond Chalk and the apparently unhinged Citizens for Safe Technology, not sure who benefits from this craziness. But it seems to be another odd thing for the media to shine a light on, attract moths and eyeballs, and spur less-than-lucid conversation.

The video concludes with a message that solar power is the one proven path to the world's energy salvation and away from the sure perils of the Smart Grid. As SGSB readers and many others already know, the current grid isn't well suited to handle large amounts of intermittent cleantech power.

Since one of the drivers for deploying Smart Grid tech is to allow wider use of wind and solar, Chalk and fellow film-makers, please figure out what you want. And please do so in private.



Monday, February 6, 2012

Just when you thought it was safe to Calculate: More "Incalculable" Smart Grid Security Doom for your Consumption


It might be a form of Tourette's, sorry. But every once in a while I feel compelled to shine a harsh light on articles that go too far or way too far in the FUD department. Especially those from reputable publications.

What was Said

Here are a few selected citations from the first part of the less-than-soberly titled article in question:
  • "Internet-based terrorists would be capable of causing blackouts on the order of nine to 18 months."
  • “The dollars are incalculable.” 
  • “There’s some percentage of utilities out there that just don’t take this seriously.” 
  • "Energy companies including utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection."

SGSB Non-Scientific Analysis

If the attacks come from bad guys based on the Internet, then the outages could be 9 - 18 months. I see. And the money at stake is so large as to be impossible to estimate. Thanks to recent debates over the US budget and deficit, my eyes and ears are now well accustomed to figures of $15 Trillion and beyond, but clearly the damages from hacking the grid must be even higher. "Some percentage"?!? You mean, a non-zero percentage that's so high as to be incalculable, right? And although I've never used the term WTF in this blog before, in the murky world of cyber attack and cyber security, WTF is "an ideal level of protection"?

In case you feel like I'm manipulating you, you can read the whole piece HERE. But suffice it to say, do we really need this? Are these types of "studies" and "journalism" doing much to advance thinking and spur action on securing the grid, or rather simply aiming at inciting panic?

I'll try to keep from blurting out what I really think.

Apocalyptic image courtesy of PSD Collector

Thursday, May 26, 2011

Insane in the Brain - Why your Smart Meter may soon be on the Most Wanted List

Words fail me (which is weird, right?). Way too many radiating radio waves for comfort:
"Although smart meters are too new to form definitive conclusions regarding their long-term risk, data from several studies show about twice the risk of a rare kind of brain tumour in those who've used a cellphone half an hour a day for 10 years. These tumours normally take 40 years to develop."
If the so-called nuclear expert from California, referenced in this article, is right, you need to get out of your house immediately, wireless, wired or no Smart Meter. And don't go outdoors either ... far too many radio waves out there as well, not to mention the sun. And wolverines.

Hmm, that's funny, sounds like a cave is your best bet. Which is where I said you should consider going in the previous post. I'm detecting an early trend.

It's going to be ok, though. Our ancestors did some of their best work in caves, as you can see in Werner Herzog's latest film.


Re: Cyber Threats and the US, CNBC says Go Crazy Folks, Go Crazy

CBS' 60 Minutes has done this to us before. Now you can thank CNBC for the next round of cyber hysterics, driven home with whiz-bang graphics and ominous, brooding orchestration. Here's the preview of tonight's show ... you can't say you weren't warned.



I recommend seeking shelter immediately. In a cave. For decades. Oh, and you'll need to leave your iPad at home.

More info on "Code Wars: America's Cyber Threat" can be found HERE.

"Go Crazy Folks" courtesy of the late, great sportscaster Jack Buck