Showing posts with label media. Show all posts

Thursday, May 31, 2012

Security FUD Alert: Flame On. Flame Off. Flame Out.


Here we go again, and this one is not (energy) sector specific. It's more geo-specific ... see: Middle East and North Africa, at least for now. This is a clear-cut case of marketing security through fear, uncertainty and doubt (FUD), and using the press's predictably Pavlovian response to maximize impact.

Depending on where you fit in the cyber food chain, maybe you like it, but I'm sick of it. Sick of it, I say. And I'm not going to take it anymore! (Yeah, right)

Here's the opening salvo fired on May 29 by InformationWeek (and many others), giving you the fever-pitch, straight-up horror story, no chaser:
Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known as Flame ... appears to be even more sophisticated than Stuxnet.
And with that we were off to the races. Just about every IT, cybersecurity and even mainstream media outlet picked up and broadcast the story in the first 24 hours. No questions asked, it seemed.

Then along comes CSIS Senior Fellow James Lewis, two days later, with something quite a bit more tempered:
Flame is not a weapon, it's not the most sophisticated, it's not really that new, but it might be part of a large battle shaping up over the future of the Internet. Cyberespionage happens every day. This should not be news.
With that, Lewis definitely helped bring the hysteria down a notch or two. Much appreciated, Jim.

Finally we've got what I hope becomes the final word on this event, in the form of a post from my colleague and friend, cybersecurity expert Chris Poulin of Q1 Labs, now an IBM company. Chris begins:
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a clunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
And then Chris turns the mic over to IBM X-Force's statement on the subject:
At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.
I like the way that piece finishes: very very low threat vs. high profile in the press. Succinctly said, and to me, what should be the nail in the coffin of this ridiculous escapade.

Security professionals in the electric sector and elsewhere: how are we going to be taken seriously by senior business leaders if some of us, even a small percentage, keep using misleading, inaccurate and gratuitously sensationalist methods to try and drum up more business? It's embarrassing.

I don't need to tell you there's plenty of business out there for vendors who play fair and square. Don't cry wolf unless there's a wolf. Don't say the sky is falling unless it is. Be good: important businesses and other organizations need your help, but they won't let you help if they don't trust you.

Image credit: Wikipedia

Wednesday, May 2, 2012

Another Disclosure, this time with ICS CERT's Blessing


We're only a few months past Project Basecamp, and here we go again. Only this time there are fewer voices urging restraint.

Wired's Threat Level blog put up a story about a certain control system OEM that seemed uniquely unaware of the risks it had built into its products, and unwilling to make a change of any kind. At the time of publication, 25 April 2012, the company still hadn't budged.

Then, on 1 May 2012, the Christian Science Monitor was telling a different story: the vendor pledged to make and distribute a fix.

The Wired article ended with a couple of sentences that concisely capture this problem and make you want to laugh and cry at the same time:
Numerous researchers have been warning about the vulnerabilities for years.  But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.
Have you heard the term "goat rope"? How about "goat rodeo"? This situation is definitely one of those ... and maybe both. I hope both the vendor and user sides figure out how to get their ducks in a row, and fast.

Photo credit: Mike Baird at Flickr.com

Saturday, April 21, 2012

April is the Cruelest Month for Critical Infrastructure Security


We have none other than T. S. Eliot to thank for the prescient and uncannily accurate observation he made 90 years ago. Of course he was probably referring to something else ... I can tell you if you really want to know.

As my brother from another mother Earl Perkins just noted in a Waste Land-esque post yesterday, hordes of self-appointed guardians of the realm have decided that it's time to call out the government and corporate conspiracies behind the grid modernization movement. Those scheming elites who, either by design or by negligence, are setting us up for a future that would make Cormac McCarthy's The Road look like a stroll through Disneyland.

Perkins, just a hair's breadth away from boiling over, says: "Alright, that’s enough!"

And continues:
I cannot pick up a news feed or peruse a blog about ... industrial control security (e.g. securing the electric power grid, water, transportation, intelligent health care systems, etc.) without reading yet another story about how life as we know it will end any day now once mysterious governments and other dark elements of the Underworld wreak havoc on our comfortable lives. They will hack into nuclear power plants and cause meltdowns, they will control transportation systems and airport control towers and cause wrecks to occur and planes to crash, they will pollute the rivers and shut off the power, they will etc. etc. etc.
Alarmist people, please chill out. Why not use your energy for something more constructive? Take a photography class. Learn how to bake. Re-connect with family. Bike across Europe.

Alarmists, I bet if you were around when our innovative ancestors were putting the finishing touches on the first wheels, you would have shouted that this technology would eventually lead to deadly cart, then chariot, then coach and car crashes. And certainly the mobility that wheels would enable would threaten our privacy.

Alarmists, I can sympathize. Like you, I sometimes feel anxious. Spring-time stirs my dull roots too with memory and desire. But hey, let's use that energy to build and to secure. Not to tear down.

Listen, Earl's a reasonable man, but you don't want to see him when he's angry. Here's his post in FULL. Have a peaceful weekend all.

Image credit: Pieter Bruegel via Exploring "The Waste Land"

Friday, April 20, 2012

Absurd David Chalk Smart Grid Security Talk

I know I tend to respond, Pavlovian dog style, when awful stuff like this pops up, but I can't help it. Perhaps you've seen THIS already, as Jesse Berst wrote a post around it on his widely read SmartGridNews site.

Purported Canadian security expert David Chalk is saying to anyone who will listen (and that's a lot of people) that there's a "100% certainty of catastrophic failure of the energy grid within 3 years."

Chalk's eight-minute Smart Grid snuff film has all the requisite apocalyptic theatrics of a political attack ad. It shows light bulbs exploding in slow motion, shaky images of the 2007 DHS Aurora attack demonstration already posted on YouTube (HERE again if you like), and the following "Smart Grid Facts":

  • Completely Hackable
  • Bills Going Up
  • Privacy cost
  • Health Issues
  • Fires
  • Democracy Gone?

Beyond Chalk and the apparently unhinged Citizens for Safe Technology, I'm not sure who benefits from this craziness. But it seems to be another odd thing for the media to shine a light on, attract moths and eyeballs, and spur less-than-lucid conversation.

The video concludes with a message that solar power is the one proven path to the world's energy salvation and away from the sure perils of the Smart Grid. As SGSB readers and many others already know, the current grid isn't well suited to handle large amounts of intermittent cleantech power.

Since one of the drivers for deploying Smart Grid tech is to allow wider use of wind and solar, Chalk and fellow film-makers, please figure out what you want. And please do so in private.
Wednesday, October 20, 2010

Too (Much) Smart: Meters, Grids, Cars, Phones


"Smart" in the electronics sector generally connotes a device with a processor and some built-in communications, though sometimes it's just meant to convey coolness. But as the media increasingly links "smart" with "dangerous", marketers may need to find another strategy soon.

Of course, this doesn't bode well for consumer adoption of Smart Meters and the Smart Grid. Angst is bubbling up in the ranks of those who leave comments below cautionary and increasingly inflammatory online articles. For example, here's a surprisingly coherent entry found beneath a recent post on looming cyber issues with "smart" cars:
If we're not careful, we'll end up changing the definition of the word "smart". "Smart" = dumb enough to be cracked and hacked. We'll have this issue with smart phones, smart cars, the smart grid, smart appliances, not to mention our regular computers.
He's right of course, and that's a big part of the challenge, along with the media's desire to document and propagate this assertion, and drive fear, uncertainty and doubt (FUD) deep into the mass market.

Like successful TV shows that eventually Jump the Shark (wander too far from their original concept), all marketing fads also eventually run out of steam, after which point they become comical if not pitiful. This will eventually happen (if it hasn't started already) with the prefix "smart" automatically placed in front of every new gadget and appliance.

And when that happens if not sooner, we might want to find a new term for what we now call Smart Grid. It's been called other things before; another name isn't going to hurt. And no, I don't think "Super Smart Grid" will do.

Photo credit: Ivan Walsh on Flickr.com