Tuesday, December 17, 2013
Before you click through on the link provided below, I have to tell you that this write-up is not just about the NIST Critical Infrastructure Security Framework (CSF), but it's also a review of the current state of the security profession/practice/belief system, depending on your vantage point.
Penned by Jack Whitsitt of EnergySec, who among other things helped design the cyber security policies for the Transportation Security Agency (TSA) when it was just getting started. Be forewarned: Jack is no ordinary security guru. Because he's a practicing artist too, he brings both hemispheres to this challenge, and as a result, his perspectives and insights are unlike what you'll likely encounter anywhere else.
Thursday, August 22, 2013
NERC CIPs Catching up to iPhone Version Numbers
OK, imagine an auction barker: "Bids opening at NERC version 3, do we have a version 3? ..."
"Yes! How about version 4?" Etc.
Well, according to Honeywell's NERC CIP guru Tom Alrich (of the famous, eponymous and quite helpful blog), it now appears that the next version of the CIPs to which utilities must comply will be neither version 4 nor 5 but rather version 6!
I was stunned, as were many of those in online attendance. Tom explains his reasoning, and much more, on the EnergySec webcast, which you can see HERE. There's a lot of helpful information for utilities of all sizes dispensed in this hour-long piece, with some deep dives into the ramifications of high, medium, and low risk assets.
Now, depending on whether we get an iPhone 5s or 6 next month, it's clear that NERC will not allow the CIP versions to lag far behind.
----------------------------
Attended most of this webinar online, but hat tip to my former colleague and (hopefully) current friend, Nebraskan Dave Hemsath of IBM for sending me the replay.
Photo credit: KCRW.com
Tuesday, August 20, 2013
Motivation through Compensation: Paying Utilities to Upgrade Cyber Defenses
Now we're getting somewhere! The long submerged topic of "who should pay" for electric utility cyber security improvements has just breached the surface and is now bobbing up and down in clear daylight.
A recent article in Bloomberg documents several large US utilities' efforts to recover current and future cyber security investments the same way they get paid for other infrastructure programs: by getting clearance from their state utility commissions to approve these expenses in their rate cases.
Actually, rate payers (aka electricity customers) will pay one way or another, as they should, for the essential service that makes our modern lifestyles possible. Possible methods of payment include:
- Absorbing the costs to their businesses and their lives associated with brown outs or black outs or electricity quality issues stemming from successful attacks on control centers or systems
- Paying more every month to cover some, most or all (TBD) of their utilities' cyber-protection expenses
- Or, as Pepco CIO Doug Myers said, as cited in the Bloomberg article, allowing utilities to be reimbursed through federal grants
This concept was articulated more formally by Michael Daniel, special assistant to the President on Cybersecurity, when he included rate recovery as one of a number of cyber incentive strategies for critical infrastructure providers:
Rate Recovery for Price Regulated Industries — Agencies [DHS, Commerce, Treasury] recommended further dialogue with federal, state, and local regulators and sector specific agencies on whether the regulatory agencies that set utility rates should consider allowing utilities recovery for cybersecurity investments related to complying with the Framework and participation in the Program.
As this blog often reiterates, we have to acknowledge and accept the costs of living in a technology-enabled world, where the impulse to cyber secure important services must become every bit as natural as physically securing our more tangible valuables.
Else, I have a nice cave I'd like to show you. And no, it doesn't have wifi.
Friday, July 12, 2013
NIST Thinking about Cyber Security for Critical Infrastructure Company Boards and CEOs
I just returned from the beautiful UC San Diego campus (hmmm, if only I could travel back in time and attend this school instead ...) where NIST assembled hundreds of cyber security (and other) professionals to advance the initiative known as the Critical Infrastructure Cybersecurity Framework, or CSF for short.
So far some are happy with progress made and some are quite the opposite. I think a little more time will have to pass and we'll have to see what comes out of the NIST oven ahead of the final workgroup session coming up in Dallas.
Tuesday, July 9, 2013
NIST Critical Infrastructure Cyber Security Framework (#NISTCSF) Effort Steaming Ahead
Five hundred souls or so are expected in sunny San Diego this week for the 3rd round of meetings intended to produce new cyber security guidelines for operators of US critical infrastructure.
This article gives you the most recent update on status including cares and concerns related to privacy, business case, and getting senior management buy-in to even consider following this framework in the first place:
http://insidecybersecurity.com/Cyber-Daily-News/Daily-News/nist-meeting-poses-major-test-for-obama-cybersecurity-push/menu-id-1075.html
It references this DHS doc from earlier this year that attempts to pave the way for CEOs to become more engaged in their organization's cyber security efforts, called Cyber Security Questions for CEOs:
https://www.us-cert.gov/sites/default/files/publications/DHS-Cybersecurity-Questions-for-CEOs.pdf
The emerging framework itself: http://www.nist.gov/itl/cyberframework.cfm
Details on the San Diego workshop: http://www.nist.gov/itl/csd/3rd-cybersecurity-framework-workshop-july-10-12-2013-san-diego-ca.cfm
Live webcasts of the proceedings can be viewed via these URLs:
Day 1 (Wednesday) Webcast: http://www.youtube.com/watch?v=3hJww5_BDSQ
Day 2 Webcast: http://www.youtube.com/watch?v=SLVW0vFw0gI
Day 3 Webcast: http://www.youtube.com/watch?v=-9hORcAcXNA
I'm flying out today, along with a few of my IBM colleagues. Looking forward to seeing some of you there.
Photo credit: The San Diego Union-Tribune
Monday, July 1, 2013
Super Cyber Security Reading: 2Q ICS-CERT Monitor
Monday, April 22, 2013
All the NIST Critical Infrastructure Security RFI Responses You Can Eat
Re: the many and various submissions from companies and individuals to NIST, someone who knows more than a few things about grid security recently tweeted twice thusly:
Reading - and in many cases laughing at - #NISTCSF responses
and ...
The responses? Mostly neutrally irrelevant, some nonsensical. I've marked only 14% so far for "real" read later
I just want you to set your expectations bar sufficiently low before you click HERE and read all of the responses.
By the way there were a few good and very good responses too.
If, after reading, you not only feel like you have something to suggest that hasn't yet been suggested, but you also want to physically transport and immerse yourself in this grand sausage making activity, then ...
For more information on the 2nd workshop coming up in late May in Pittsburgh, and a link where you can register, click on THIS.
Photo credit: @Doug88888 on Flickr.com
Monday, March 25, 2013
NatGas Cybersecurity getting a lot more Visibility
As has been the case quite a bit this year, once again we are in the realm of SCADA/Control System security. William Rush of the Gas Technology Institute states it plainly, if somewhat dramatically:
“Anyone can blow up a gas pipeline with dynamite. But with this stolen information, if I wanted to blow up not one, but 1,000 compressor stations, I could,” he adds. “I could put the attack vectors in place, let them sit there for years, and set them all off at the same time. I don’t have to worry about getting people physically in place to do the job, I just pull the trigger with one mouse click.”
There are no NERC CIPs for the gas industry, but with 25-30% of US electric power and a whole lot of home heating coming from gas, it's time to get moving on better securing this infrastructure.
Pipeline operators, now alerted to the fact that sensitive access control information to important subsystems is in the hands of folks outside the industry (and outside the country it seems), need to get moving. And I'm sure they will, but it's a BIG job.
The whole Christian Science Monitor article is HERE.
Photo credit: War News Updates
Wednesday, March 6, 2013
NIST Critical Infrastructure Cybersecurity Framework RFI and Workshop Details
We're about a month away from the first NIST workshop to help create the new framework described in the recent Executive Order, as well as from the 5 pm, USA ET, April 8 deadline to submit responses to the RFI.
To refresh, here's what they/we are trying to do:
The goals of the Framework development process will be: (i) To identify existing cybersecurity standards, guidelines, frameworks, and best practices that are applicable to increase the security of critical infrastructure sectors and other interested entities; (ii) to specify high-priority gaps for which new or revised standards are needed; and (iii) to collaboratively develop action plans by which these gaps can be addressed. It is contemplated that the development process will have requisite stages to allow for continuing engagement with the owners and operators of critical infrastructure, and other industry, academic, and government stakeholders.
If you are so moved and have something to say (and NIST and I hope you do), here's how to submit your ideas and recommendations:
Old School
For those who prefer to communicate longhand by dipping your peacock feather quill into the inkwell on your vintage desk, "Written comments may be submitted by mail to Diane Honeycutt, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899."
Monday, March 4, 2013
DHS' CSET: a Remedy for Electric Sector Security Measurement and Reporting Complexity Pains?
Sorry about that ridiculously long title, but felt it couldn't be helped this time. Thanks to Dr. Les Cardwell of Central Lincoln PUD, a publicly owned utility serving communities on the coast of Oregon.
Les wrote in and shared some of what he recommended to NIST and DOE regarding the recent RFI on the "Framework for Reducing Cyber Risks to Critical Infrastructure."
I'm not going to reprint the entirety of his submission, but will share with you two things here. First, Les' articulation of the need for a way to keep complexity in check as we go about this search for a new/better security framework for our community:
Thursday, February 28, 2013
Heralding the Dawn of Critical Infrastructure Security Metrics
You may like this blog because of its emphasis on business-oriented security metrics and measurement. Or you may loathe it for the same reason (though if you do, you shouldn't still be visiting much).
Can't measure, can't manage. On this we agree, right?
So ... we're two weeks past the Presidential executive order (EO) that kicked off a new round of meetings that will ultimately produce a new NIST framework for grid security. You can read about the goals for this thing, including the RFI process HERE.
Thanks to EnergySec's Patrick Miller, who tweeted yesterday that this round of work is designed, among other things, to produce metrics that can be used to assess the current security posture of your organization.
Thursday, February 14, 2013
CNAS Provides a Good Way to Grok the Executive Order
First of all, Happy Valentines Day, SGSB readers. Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.
Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a first-hand account, of the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.
Thursday, January 10, 2013
Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands
Hat tip to friend and colleague Steve D for shooting this my way.
Security researcher Oscar Koeroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan (a search engine that catalogs Internet-exposed devices) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea level, those systems keep Dutch feet dry!
I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.
Read on to find out how control system search engine Shodan once again reveals what systems are directly connected to the Internet. Warning, it paints a full picture, but it's not a pretty picture, and hopefully you won't find systems in your charge popping up in the findings window!
Here's the complete article from Tofino, replete with lurid details of password mismanagement, accusations, denials and counter-accusations, and that sort of thing. Best keep a Heineken or two handy.
Photo credit: nrc.nl
Wednesday, December 5, 2012
So Far, it Seems WAMPAC Systems are Insecure by (Lack of) Design
Thanks to colleague Jeff K for pointer to recent NESCOR reports.
First things first: in IBM and elsewhere the phrase "secure by design" is used to describe a project or a system where security requirements are considered at the earliest stages, right along with all the functional requirements.
Now for new initiates, WAMPAC = Wide Area Monitoring, Protection and Control, and the term refers to a group of new technologies and capabilities that will put the Smart in Smart Grid much more than the more attention grabbing Smart Meter.
Saturday, April 21, 2012
April is the Cruelest Month for Critical Infrastructure Security
We have none other than T. S. Eliot to thank for the prescient and uncannily accurate observation he made 90 years ago. Of course he was probably referring to something else ... I can tell you if you really want to know.
As my brother from another mother Earl Perkins just noted in a Waste Land-esque post yesterday, hordes of self-appointed guardians of the realm have decided that it's time to call out the government and corporate conspiracies behind the grid modernization movement. Those scheming elites who, either by design or negligence, are setting us up for a future that would make Cormac McCarthy's The Road look like a stroll through Disneyland.
Perkins, just a hair's breadth away from boiling over, says: "Alright, that’s enough!"
And continues:
I cannot pick up a news feed or peruse a blog about ... industrial control security (e.g. securing the electric power grid, water, transportation, intelligent health care systems, etc.) without reading yet another story about how life as we know it will end any day now once mysterious governments and other dark elements of the Underworld wreak havoc on our comfortable lives. They will hack into nuclear power plants and cause meltdowns, they will control transportation systems and airport control towers and cause wrecks to occur and planes to crash, they will pollute the rivers and shut off the power, they will etc. etc. etc.
Alarmist people, please chill out. Why not use your energy for something more constructive? Take a photography class. Learn how to bake. Re-connect with family. Bike across Europe.
Alarmists, I bet if you were around when our innovative ancestors were putting the finishing touches on the first wheels, you would have shouted that this technology would eventually lead to deadly cart, then chariot, then coach and car crashes. And certainly the mobility wheels would enable would threaten our privacy.
Alarmists, I can sympathize. Like you, I sometimes feel anxious. Spring-time stirs my dull roots too with memory and desire. But hey, let's use that energy to build and to secure. Not to tear down.
Listen, Earl's a reasonable man, but you don't want to see him when he's angry. Here's his post in FULL. Have a peaceful weekend all.
Image credit: Pieter Breugel via Exploring "The Waste Land"
Friday, December 16, 2011
Industrial Defender Report Highlights Control Systems Operators' Increasing Responsibility Overload
The sharp folks at ID just released a survey-based report called "Managing Automation Systems: Critical Infrastructure Operators’ Challenges & Opportunities" which is chock full of interesting findings. You'll quickly see that the challenges that rose to the top of their findings are much more about people and process than about technology.
Here's a sample from the overview:
- On paper responsibilities don’t align with day-to-day activities. Over the past several years, industrial automation professionals have seen their responsibility broaden from managing operations to managing security and, in some instances, managing compliance. However, there is a clear gap between the time these individuals commit to each requirement, regardless of whether they own a high degree of responsibility
- Similar management requirements exist across security, compliance and operations functions. In other words, actions and activities necessary to support a security program may be strikingly similar to what’s required for compliance management and operational management within critical infrastructure
- Infrastructure operators are constrained in their ability to manage these overlapping requirements. This is particularly true when it comes to managing multi-vendor environments with assets from a mix of industrial automation suppliers
Recommend you read the full report ... it's a brisk read at <10 pages.
Friday, November 11, 2011
GridEx 2011: NERC CyberSecurity Exercise is Upon Us
Practice makes perfect ... or at least makes you better.
I mentioned this back in July HERE, now thanks to Dave Dalva of BAH, I can tell you a big exercise is coming up this week, starting tomorrow:
The grid security exercise, scheduled for November 15-17, will test NERC’s and the electricity industry’s crisis response plans, and validate current readiness in response to a cyber incident. The exercise also will serve as an opportunity to enhance collaboration and strengthen industry security processes and capabilities.
Follow this LINK to a bulletin on the exercise as well as a compilation of some of the best grid security presentations I've ever seen, from NERC's recent conference in New Orleans (see Presentations tab at bottom of page).
Results and findings should be available around mid December, and I'll be sure to post material that's cleared for public consumption.
Monday, July 11, 2011
Smart Grid Security Manifesto
No sooner do I find and post on what I think is the definitive statement on Grid security-related compliance (a couple of weeks ago, HERE), then I immediately find its companion piece, related not to compliance but to critical infrastructure security.
Of this one, (most) hyperbole aside, I'm saying this is our call to arms, a manifesto for how not to be overwhelmed and wimp out in the face of big complexity, evolving risks, and the hysteria of the press.
You'll have to wade through a few prefatory remarks about the NESCOR workshop and some other stuff, but soon you'll be hitting the good stuff, like:
Watching the various engines of civil society warm up and set to addressing the daunting task of critical infrastructure cybersecurity is very interesting, like an episode of Build it Bigger. Some would say it is also very depressing or even very frightening. I would disagree with those folks. We have managed to rise to the challenge of securing the Internet so far; I think we will rise to the challenge of securing our physical infrastructure as well.
In addition to our first talk at NESCOR, I got to spend some time on the phone with author Chris Blask today and we covered some of this ground. It's clear the man has spent a lot of time thinking through issues that still have many of us in the community perplexed. To wit:
The cognitive and physical efforts of many people are being applied to industrial control system security today, and the workforce is expanding. The process will be flawed and the recommendations revised and the standards complained about. Public criticism of all or parts of the process will wax and wane. It will go on forever and incidents will occur and, yes, due to unforeseen or unaddressed issues these will almost definitely include incidents that cost human lives.
Even if things go well, there will be blood. And that might get some folks worked up and anxious, except for this wrap-up:
But the work will get done.
This is the clear anti-Smart Grid Security fear, uncertainty and doubt (FUD) voice I've been seeking. Titled "Winning the Critical Infrastructure War," you can read the whole piece by following THIS LINK to InfoSec Island. I recommend you do.
Saturday, June 11, 2011
What's Going On? - US Outage Reporting from DHS
Hat tip to IBM physical security pro Clayton Hollister for pointing out this great resource: the DHS Daily Open Source Infrastructure Report ... pronounceable acronym: DOSsIeR.
Simply click the day you want to check out, select "fast jump" to energy and you'll get DHS' account of some of the most significant (not too sensitive) electricity outages in the USA. Or pick another sector like nuclear, chemical or water to see how they're faring.
I think you'll agree this is pretty interesting if you haven't seen it before. Sure is a heck of a lot info and incidents to manage. Good thing DHS has 200,000 employees. Holy cow, that's huge. They're almost half the size of IBM!
Thursday, May 26, 2011
Re: Cyber Threats and the US, CNBC says Go Crazy Folks, Go Crazy
CBS' 60 Minutes has done this to us before. Now you can thank CNBC for next round of cyber hysterics, driven home with whiz-bang graphics and ominous, brooding orchestration. Here's the preview of tonight's show ... you can't say you weren't warned.
I recommend seeking shelter immediately. In a cave. For decades. Oh, and you'll need to leave your iPad at home.
More info on "Code Wars: America's Cyber Threat" can be found HERE.
"Go Crazy Folks" courtesy of late, great sportscaster Jack Buck