Showing posts with label stuxnet. Show all posts

Thursday, May 31, 2012

Security FUD Alert: Flame On. Flame Off. Flame Out.


Here we go again, and this one is not (energy) sector specific. It's more geo-specific ... see: Middle East and North Africa, at least for now. This is a clear-cut case of marketing security through fear, uncertainty and doubt (FUD), and using the press's predictably Pavlovian response to maximize impact.

Depending on where you fit in the cyber food chain, maybe you like it, but I'm sick of it. Sick of it, I say. And I'm not going to take it anymore! (Yeah, right)

Here's the opening salvo fired on March 29 by InformationWeek (and many others), giving you the fever-pitch, straight up horror story, no chaser:
Step aside, Stuxnet: Newly discovered espionage and information-gathering malware known as Flame ... appears to be even more sophisticated than the Stuxnet.
And with that we were off to the races. Just about every IT, cybersecurity and even mainstream media outlet picked up and broadcast the story in the first 24 hours. No questions asked it seemed.

Then along comes CSIS Senior Fellow James Lewis, two days later, with something quite a bit more tempered:
Flame is not a weapon, it's not the most sophisticated, it's not really that new, but it might be part of a large battle shaping up over the future of the Internet. Cyberespionage happens every day. This should not be news.
With that, Lewis definitely helped bring the hysteria down a notch or two. Much appreciated, Jim.

Finally we've got what I hope becomes the final word on this event, in the form of a post from my colleague and friend, cybersecurity expert Chris Poulin of new IBM company Q1 Labs. Chris begins:
I’m not so impressed: I believe we’re seeing the beginning of a long line of copycats, and Flame is a klunky primate of the next stage in the evolution of advanced malware; it’s just another generation in the APT ontogeny.
And then Chris turns the mike over to IBM X-Force's statement on the subject:
At this time, Flame appears to be limited to a very small geography, primarily certain countries in the Middle East, and does not appear to autopropagate. This malware appears to be highly targeted and designed to infect a minimal number of specifically targeted individuals. Consequently, the immediate threat from this malware, in the general network population, remains very very low despite its high profile in the press.
Like the way that piece finishes: very very low threat vs. high profile in the press. Succinctly said, and to me, what should be the nail in the coffin of this ridiculous escapade.

Security professionals in the electric sector and elsewhere: how are we going to be taken seriously by senior business leaders if some of us, even a small percentage, keep using misleading, inaccurate and gratuitously sensationalist methods to try and drum up more business? It's embarrassing.

I don't need to tell you there's plenty of business out there for vendors who play fair and square. Don't cry wolf unless there's a wolf. Don't say the sky is falling unless it is. Be good: important businesses and other organizations need your help, but they won't let you help if they don't trust you.

Image credit: Wikipedia

Monday, October 24, 2011

McAfee signals "All Clear" following its Duqu Alarm

Was able to attend most of the webinar today, where Peter Szor, senior director of research at McAfee Labs, laid out his and his company's latest thinking on the Stuxnet variant to a largely electric sector audience.

Here are the essentials, according to Szor:
  • There's been no control system involvement
  • Duqu is not targeting energy or utility assets
  • Attacks have been observed in the UK, US and Iran
  • Also maybe in Austria, Hungary and Indonesia
  • The command and control server is/was based somewhere in India
That's it. I hadn't posted on Duqu yet because I was trying to gauge its potential impact on our industry before making an alarming sound myself.

So far it looks like you can go back to security business as usual, which means you're paranoid, anxious and jumpy, and that a note like this telling you Duqu is harmless only makes you more certain that it's anything but.

Such is life in this happy profession.


Sunday, March 6, 2011

Not all Smart Grid FUD is Created Equal


Depends where it comes from. In this case, I'd probably give the Center for Strategic and International Studies (CSIS) and McAfee the benefit of the doubt, pardon the pun. Even if there's the slightest grain of truth in this statement, it is cause for concern for our side:
Because of tight government controls, China's own grid was ranked in the survey as the best protected from cyber attack. A strict regime of compulsory government inspections compares to a third of British critical infrastructure providers who said their network had never been audited by authorities.
Here's the article in Britain's Telegraph, the CSIS link, and the recent McAfee report at the heart of all this.

Remember, even if this info makes you worried, the right thing to do with that anxiety is to channel it into positive action that can enhance the protection of our grid systems through improvements to policy, planning, process, technology, etc. It's a common refrain on this blog but I repeat again, good work rarely gets done in the fetal position.

Image credit: Stephen Brace on Flickr.com

Tuesday, March 1, 2011

Smart Grid Security East Going Great, but Where are the SCADA/ICS Companies?


For folks who had the privilege of attending both the first conference in San Jose and this second one in Knoxville, there are several things that jump out at you now that we're more than halfway through:
  • Interest is up ... My guess is that there are 2 to 3 or maybe 4 times more attendees overall, and that a much higher percentage are utilities personnel. Also, the conference and exhibit area feels more robust, probably because there are many more sponsors and partner orgs involved
  • AMI/meter vendors are getting better and better on security. I was especially moved by Edo Dubrawky's talk on how very thorough he and his team are on software security issues at every stage of the development lifecycle. Definitely seems like solid progress
  • Still, after attending Travis Goodspeed's "Embedded Systems Vulnerabilities from the Bottom Up" session I don't think I'll ever trust any electronic device ever again (and that's going to make this job tough). You should see what he can do with toys, toasters, garage door openers and more. All the meter guys (and the rest of us) were paying close attention. So progress is happening, but determined super geniuses still can show we have a long way to go in many departments
But my main issue is that while there's more coverage of Operational Technology (OT) SCADA and ICS security issues, to me it feels like we're still not doing nearly enough. Part of that is that the conference remains skewed heavily towards IT vendors and attendees coming from IT backgrounds. While some of the boutiques who provide OT security services are present, the big OT players should be here telling us how they're responding to Stuxnet's wake up call in their current installed base as well as in their future designs. So, to that end ...

Dear Siemens, ABB and the rest: how about you attend next time and help make this the more meaningful, balanced and productive conference I believe the organizers intend it to be? Apart from the fact that we still haven't figured out, as an industry and a community, how to demonstrate progress to our stakeholders (i.e. measurement/metrics), inadequate consideration of pressing OT security matters is the biggest elephant in the room. An electric-sector security pachyderm we're going to have to deal with one way or another ... and soon.

Photo credit: Namibnat/Vernon Swanepoel on Flickr.com

Thursday, February 24, 2011

"How Stuxnet Spreads" and How to Slow it Down ... plus an Updated Stuxnet Dossier

If you've had enough of Stuxnet at this point, I wouldn't blame you. In fact, if your job has nothing to do with making sure your utility is operating with as little operational risk as possible ... or more specifically, protecting ICS/SCADA systems from present and future targeted attacks, you should probably just move on and do something else right now.

If you're still with me, however, you should read this just-released white paper: "How Stuxnet Spreads – A Study of Infection Paths in Best Practice Systems," written by a small cadre of highly capable subject matter experts. Here's where they pivot from describing the worm (which they do very well now that it is more fully understood) to articulating helpful remediation steps:
Is the situation hopeless? We certainly do not think so; we do believe that ICS/SCADA security best practices must improve significantly. First, the industry needs to accept that the complete prevention of control system infection is probably impossible. Determined worm developers have so many pathways available to them that some assets will be compromised over the life of a system. Instead of complete prevention, the industry must create a security architecture that can respond to the full life cycle of a cyber breach. One area that needs attention is in the early identification of potential attacks....
More goodness ensues. And if that leaves you hungry for more, you'll want to check out Symantec's recent update of their authoritative Stuxnet dossier, available HERE.

Monday, February 21, 2011

Stuxnet Update: Anonymous Speaks Up

You'd think an international network of cyber activists (aka: attackers) with a name like Anonymous would want to keep as low a profile as possible. Not so, it seems.

In a post late last year I posited that we'd likely be seeing attackers go to school on Stuxnet and release their own modified and likely re-purposed versions. The post also cited a thoughtful and reasonable approach for dealing with these follow-on attacks.

Now (in case you missed it) comes Anonymous boasting that they've got Stuxnet code and threatening that they may use it to pursue their anarchic aims. Lovely.

So, I'd say it's long past time for sober-minded utility cyber security professionals (and those who assist them) to get cracking on how they're going to:
  1. Greatly limit the open doors in their networks, systems and apps through which Stuxnet-like attacks can enter, and
  2. Develop and test their emergency response plans to ensure they can recover from successful Stuxnet-ish penetrations as rapidly as possible

Tuesday, February 8, 2011

Will Stuxnet be a Learning Opportunity?

Here's a guest post from my IBM colleague Brooks La Gree, with whom I attended the big Distributech conference in sunny San Diego last week. He and I have been talking about Stuxnet and its potential impact on the energy sector since it first surfaced, or rather, first surfaced on this blog, back in July 2010. Here's Brooks:

During congressional testimony on the Stuxnet worm in November 2010, it was recommended that Stuxnet should be leveraged as a learning opportunity to better prepare the industry for things to come. So bearing this in mind, I attended my first Distributech with the question "how many utilities and energy industry players are aware of Stuxnet?"

Granted, the implications of Stuxnet are subject to interpretation, but the fact remains this virus penetrated and reprogrammed parts of the critical infrastructure. Since this is such a watershed event, I’d sort of pictured alarm bells and flashing lights going off in utilities everywhere. So during Distributech I conducted a non-scientific poll to see how many utility employees had heard of Stuxnet. Here's what I found:
  • Of at least 75 people I spoke to directly, approximately ten knew of Stuxnet, with three or four aware of its potential implications to critical infrastructure
  • The audience of the "SCADA and Network Infrastructure" panel session was asked by a panelist as to who was familiar with Stuxnet, and of approximately 200 participants, around 30 or so raised their hands
While I know from experience there are dedicated groups of very smart people working across the industry and government to address the issues surfaced by Stuxnet, the answer to my question in general appears to be "not that many". However, I remain optimistic that as the security conversation continues to gain traction at events and conferences, awareness and knowledge will reach the necessary critical mass. Never before has the saying "knowledge is power" been so apropos.

Friday, December 10, 2010

Looking Back and Looking Forward on Smart Grid Cyber Security at GridWise 2010

As Mark Twain (or Hemingway, Cicero, Voltaire, Blaise Pascal or George Bernard Shaw) once said, "If I had more time, I would have made it shorter." That's true of the 25-min audio that accompanies - feel free to fast forward. But I believe you'll find the content here interesting, and depending on your line of work vis-à-vis the Smart Grid, maybe even helpful.
There were several good questions and comments during the Q&A session that followed, but the one I appreciated most was that this wasn't the typical doom and gloom message that typifies many energy sector security presentations.  I count that as good news as that is a design objective. As we've said before, no good work gets done by people in the fetal position. And we've got plenty of work to do.

For more from GridWise here's a LINK to the organization's cyber security resources page. These are great people moving mountains as they advocate for Smart Grid progress. Highly recommend you give them your support and/or get involved if you haven't already.

Monday, November 29, 2010

Stuxnet Visualized

As one often hears, a picture is worth a thousand words, and at 30 frames per second, a good video is worth that much more. Here's Symantec's Liam O Murchu, the same engineer who presented to us at the IEEE Smart Grid Survivability Workshop last month (see post HERE), in a nicely crafted presentation showing how Stuxnet works its (black) magic.

The balloon pop at the end is a good metaphor for what is happening to industry's recently burst beliefs that control systems are safe from cyber attack.

Still looking, BTW, for a nice video, white paper, or even a scribbled note on a cocktail napkin for best practices to defend against future Stuxnets beyond banning USB drives.

Tuesday, November 23, 2010

I Mind this Gap: The Distance Between the Future Smart Grid and Today's Mix of Security Challenges


For a critic of alarmist, sensationalist Smart Grid headlines, I'm a bit surprised the blog editor in me approved this one by the blogger in me. But to dust off a 50 cent word from grade school writing class, it was the juxtaposition of two statements made in the past few days that got me going.

One is a great reminder of the very many compelling reasons we're building this thing from one of the industry's most articulate Smart Grid advocates, GTM's Senior Smart Grid Analyst David Leeds. The other is a sweeping cautionary statement on Stuxnet-like threats last week by one of the most respected security minds in the business, former AEP and NERC CSO Mike Assante (now CEO of NBISE).

Here are a few snippets from Leeds' piece. First, what the Smart Grid will do for us:
The ... smart grid will not only bring new communication capabilities to mission-critical grid devices and end-user appliances in order to optimize energy efficiency, reliability and security, but will also serve as the enabling platform to plug in the next generation of clean energy technologies, such as rooftop solar systems, wind farms and electric vehicles.
And from an economic perspective, why we need to build it now:
While today’s distribution grids, lacking real-time visibility and control, are largely running blind and consequently costing the U.S. economy approximately $100 billion to $150 billion each year in power outages, tomorrow’s grid, much like the human body’s own nervous system, will have sensory intelligence embedded throughout, giving the grid the ability to anticipate disruptions, and even to self-heal.  
OK, I'm motivated ... let's build this sucker stat! But hold on ... the gap I'm referring to in the title is, of course, the yawning chasm between what you hear Leeds saying must be done, and Assante's message (which we're about to get to), which communicates that as a nation, we're not ready for this.

Mr. Assante is not an alarmist - far from it. In fact, that's why his word counts for so much in this space. But his vocation and experience put him perpetually on the lookout for issues that bring risk to critical infrastructure systems, and when he sees one, his job is to sound a considered, highly targeted alarm audible to senior decision makers, which is what he just did in Washington.

Here's one of his first points - it sets the high-level stage for some of the more granular suggestions he makes later on:
Developing and implementing effective indicators, defenses, and countermeasures to cyber threats like Stuxnet demands that we look not just to the security community but also to the system designers, planners, engineers, and operators of our essential technology and physical infrastructures. We must take a prudent and proactive approach that enhances our ability to learn and apply knowledge fast enough to manage the dangerous consequences that come with these types of attacks. We can no longer ignore known system weaknesses and simply accept current system limitations. We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address the highly-advanced security challenges facing our cyber-dependent critical infrastructures.
That's a lot, a whole lot. Maybe too much to hold in main memory. But then he puts a finer point on it, shining light on operational systems ...
No one should be shocked that cyber exploits can be engineered to successfully compromise and impact control systems. Study after study has identified common vulnerabilities found across control system products and implementations. The exploitation of a hard-coded password design in one vendor’s implementation will not be an uncommon or isolated occurrence.
And finally, towards the close, here's one of several actions he recommends:
Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.
Not a full solution, mind you, but certainly a firm step in the right direction from where we are now: make more information available to the community so we can more quickly adapt and update our defenses. Today in the energy sector, there's nothing like this. Hence, a gap in knowledge.

Then there's this: we're concerned that Stuxnet's massive attack penetration strategy, which defeated most current cyber defenses, could be armed with more broadly targeted payloads in future versions, and that concern is definitely getting attention. But less obvious, yet almost as much of a concern, is that a focus on High Impact Low Frequency (HILF), a.k.a. advanced, cyber threats might prompt utilities to take their eyes off more mundane, but nevertheless serious, day-to-day attacks on their systems.

This second gap is the one in setting security priorities ... between preparing for advanced threats as well as ensuring that essential security best practices and defenses are maintained to combat everyday threats from malware, criminals, insiders, etc. There's crawling, walking, then running, and so far on securing the electrical infrastructure, most would say we're crawling.  And then there's walking and chewing gum at the same time: preparing for diverse threats and doing a good-enough job on all of them. This is not a job for wimps, and it's going to take a long time before we see significant progress.

So let's end with David Leeds, alright? When security challenges seem overwhelming it's always helpful, for me anyway, to revisit why we're putting ourselves through all of this in the first place.
[The] U.S. is hardly alone in promoting smart grid as an economic growth engine; virtually every major economy is now either piloting or deploying smart grid technologies, and it’s now understood that you can not run a digital 21st century economy on a 20th century grid.
Maybe we can fuse Leeds' economic drivers with Assante's security cautions and recommendations and come up with a middle-path approach that keeps attackers at bay and keeps the LED lights burning bright.

Click HERE for more on HILF threats and what we might do about them.

Photo credit: Cindy Andrie on Flickr.com

Monday, October 25, 2010

Beating Stuxnet to Death (Before it Beats Us)

If it feels like I'm belaboring the importance of understanding Stuxnet, it's because, IMHO, it's a threat well worth belaboring. Stuxnet is the Mother of all industrial and utility sector cyber wake-up calls. And if you're an asset owner asleep at the wheel, it could be your momma, and your daddy too (see: who's your daddy?)

As I mentioned in a previous Stuxnet rant, good security tools and best "defense in depth" practices are a less-than-complete defense:
No matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in.
Now here's a real expert, Andrew Ginter of Industrial Defender on the excellent Findings from the Field blog, laying out the harsh reality of the Stuxnet wake-up from a (NERC and DHS) security standards point of view:
A site protected with whitelisting/HIPS ... would have been CFATS or NERC compliant, and would have been protected from Stuxnet. Unfortunately, I am aware of only a handful of such sites, and no HIPS protection is mandated by NERC or CFATS. Sites with only anti-virus deployed are seen by today’s regulations as having adequate malware protection, but that protection would not have prevented Stuxnet compromises in the first year the worm circulated.
If you're new to whitelisting, here's a ZDNet blast from the past in 2008, featuring Microsoft security guru Scott Charney making the case that whitelisting is the future for most/all successful cyber security strategies. From my understanding of this approach, it's a huge step forward from where many orgs are today. But I also recall hearing Symantec's reverse engineer and Stuxnet expert Liam O'Murchu saying he thought Stuxnet could/would potentially morph to circumvent whitelisting defenses. Yikes.
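To make the whitelisting point above concrete, here is an added example (not code from this post, from Ginter's blog, from NERC/CFATS, or from any whitelisting/HIPS product). It models the two approaches side by side: a denylist of known-bad hashes, the way signature anti-virus works, and an allowlist of approved hashes built from a host's known-good baseline. All the "binaries" and hashes are constructed inline, and the file names (hmi.exe, historian.exe, step7.exe) are assumed placeholders for the small, fixed set of programs a control-system workstation typically runs.

```python
"""Hash-based execution allowlisting vs. signature denylisting (toy model).

Constructed example; the file contents below are made up for the demo.
The point is the decision logic, not the sample data.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, used as its identity in both lists."""
    return hashlib.sha256(data).hexdigest()


def denylist_allows(file_bytes: bytes, known_bad: set[str]) -> bool:
    """Signature-AV model: block only what is already known to be bad.

    A never-before-seen binary has no signature, so it is waved through.
    """
    return sha256_hex(file_bytes) not in known_bad


def allowlist_allows(file_bytes: bytes, approved: set[str]) -> bool:
    """Whitelisting/HIPS model: run only what is on the approved baseline.

    A never-before-seen binary is refused without anyone needing a signature.
    """
    return sha256_hex(file_bytes) in approved


# Constructed baseline: a control-system host runs a small fixed set of
# programs, which is exactly what makes an allowlist practical there.
BASELINE = {
    "hmi.exe": b"constructed HMI client build 1",           # assumed name
    "historian.exe": b"constructed historian service build 7",
    "step7.exe": b"constructed engineering tool build 3",
}
APPROVED = {sha256_hex(b) for b in BASELINE.values()}

# A sample the AV vendor already has a signature for (constructed).
KNOWN_BAD = {sha256_hex(b"constructed old malware sample")}

# A brand-new dropper with no signature anywhere yet: the "first year it
# circulated" situation the quoted passage describes (constructed).
NEW_DROPPER = b"constructed never-before-seen dropper"


def evaluate(file_bytes: bytes) -> dict[str, bool]:
    """Verdict of each model for one candidate file."""
    return {
        "denylist_allows": denylist_allows(file_bytes, KNOWN_BAD),
        "allowlist_allows": allowlist_allows(file_bytes, APPROVED),
    }


def tampered_baseline_binary() -> bytes:
    """An approved binary with one byte altered, e.g. a trojanized update.

    Its hash no longer matches the baseline entry, so the allowlist refuses
    it even though no denylist signature exists for it.
    """
    return BASELINE["hmi.exe"] + b"!"


if __name__ == "__main__":
    candidates = list(BASELINE.items()) + [
        ("new_dropper.exe", NEW_DROPPER),
        ("tampered_hmi.exe", tampered_baseline_binary()),
    ]
    for name, data in candidates:
        print(f"{name:18} {evaluate(data)}")
```

Running it shows the asymmetry the Ginter quote turns on: the unknown dropper and the tampered HMI binary both sail through the denylist and are both stopped by the allowlist, while the three baseline programs pass both. The operational cost is also visible in the model: every legitimate patch changes a hash, so the approved set has to be re-baselined as part of change management, and an allowlist by itself says nothing about what an already-approved program is made to do, which is the gap O'Murchu's caution points at.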

Nevertheless, NERC and NERC CSO Mark Weatherford have been busy issuing guidance to utilities on how to best combat Stuxnet and Stuxnet-like threats. We're not privy to the actual details of that guidance, but you can gain a little insight into NERC's actions here and here.  I'm not sure it's a Stuxnet defeater, but I for one am quite happy to hear Weatherford calling for more security in software development and sourcing processes.

Regarding preparations for future versions of Stuxnet targeting electrical infrastructure, forget compact fluorescents for the moment. Got midnight oil? Start burning it.

Much improved sub-optimal defenses and recovery plans are vastly more desirable than what we've got in the field today.

Thursday, October 21, 2010

Utilities could shoot to Roll with Stuxnet Junior's Punch - an SGSB Reader Chimes In

Got this comment in response to my most recent Stuxnet post - Surviving Stuxnet and its Offspring. It's from an IT security pro at AEP:
A viable question is:
If we know we can't practically defend against Stuxnet or its spawn, what is our approach? Giving up is not an option. "Roll with the punch" may end up being a viable strategy. How could we design control systems, or other IT environments for that matter, to be resilient enough to take a potential knock out punch and yet be able to come back up swinging? Another question may be, "in the end, can we optimize our investment by planning to take the punch rather than futilely hiding from it?" 
I think this is a great way of conjuring where we were trying to go (mentally) at the recent Smart Grid Survivability workshop, and where we need to get to asap as an industry. 

Monday, October 18, 2010

Stuxnet Update V: Surviving Stuxnet and its Offspring

Though I wouldn't look for a movie version any time soon, like the Da Vinci Code for Smart Grid and other cyber sleuths, the story of the Stuxnet worm keeps getting more and more mysterious.

At the IEEE Smart Grid Survivability workshop held at SEI in Arlington, VA last week, we had a front row seat for a great presentation by Symantec's Liam O'Murchu, one of three Stuxnet reverse engineers Symantec has had on the case for over three months straight.

Though I've been following Stuxnet on the SGSB (first post HERE) since shortly after it surfaced (well after it was born circa 2009), Liam provided some insights that surprised all of us I think, including:
  • To escape detection while targeting every Windows OS from 2000 to 7, the attack team purchased each and every version of all anti-virus products for each OS and then designed Stuxnet to ensure they wouldn't be noticed by any of them
  • Stuxnet is evolving its capabilities to infect systems and replicate within an organization, yet its payload remains unchanged. Meaning: the target remains the same ... and maybe the attackers aren't yet satisfied they've accomplished their mission
  • On the human-interest side, he noted that the reverse engineering paths he and his colleagues have been following are the same or similar to those blazed by the team who crafted the attack. Though lots of evidence points that way, Symantec (unlike Ralph Langner and others) is not ready to say that Iran's nuclear operations are the only or primary target of Stuxnet. There are still several parts of Stuxnet they've yet to crack and their research continues
  • In addition to phenomenal anti-virus evasion techniques, Stuxnet includes lots of other stealth approaches and myriad attack strategies for getting past OS defenses, through firewalls, increasing its privileges, and much, much more
In short, no matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in. We're very lucky that the apparent target doesn't seem to include systems important to the US or our allies. This is clearly focused on very, very specific control elements like certain make/model pumps and actuators. If it doesn't find exactly what it wants, it does nothing else. It's polite. That's good news.  So we got our wake-up call.

But the bad news is that for aspiring bad guys, Stuxnet is a master class, a surprising visit from "attacks of the future" to present day 2010 on how to do more damage than you ever thought possible. We'll see Stuxnet again, and if it's pointed at us (US utilities, other industrial operators) next time the payload may be quite different.

Written by Liam and team, Symantec's 51-page Stuxnet Dossier remains the definitive document on Stuxnet.  We'll be hearing more from them as they (and others) make new discoveries, but there's already plenty of info available now on how to begin hardening your org against the future spawn of Stuxnet, even if those defenses might be less than complete.

Photo credit: Digipam on Flickr

Thursday, August 26, 2010

Stuxnet Update III: Death to USB Thumb Drives

Funny, I just used a thumb drive to print out a presentation on a hotel business center printer last week. I put that drive back in my briefcase. Next thing I do after posting this post will be to put that tiny device on the rail of the Boston Green Line subway that runs just outside my front door. And you should probably do your equivalent of the same. And then we should all go cold turkey and not touch the things again (even if they're kind of cute and convenient as hell).

For those wondering whether the USB drive-facilitated Stuxnet virus is over hyped or not, Kaspersky Lab senior security analyst Roel Schouwenberg has fifteen words for you:
This is without any doubt the most sophisticated targeted attack we have seen so far.
You can read Joe's latest Stuxnet post HERE.

OK, off to catch that train.



Friday, August 13, 2010

SGSB Stuxnet Update

It's been 2 weeks since my first Stuxnet post on July 27. Now here's the best update so far I've seen on Stuxnet as of August 12, 2010. It's an Industrial Defender Q&A session with some apparently very knowledgeable and very motivated webinar participants. You can see it HERE.

And also, in case you missed it buried inside a long post from the recent SG Cybersec Summit, THIS Symantec update is dense and rich in good Stuxnet info. One thing to remember as you read these write-ups, both co's acknowledge that analysis on Stuxnet is far from complete. Stay tuned.

Photo credit: Fred Hemerick on Flickr.com