Saturday, December 24, 2011

SGSB Quick Look Back at 2011 Smart Grid Security

Instead of hitting you over the head with a sledgehammer of an epic year-end wrap-up post with dozens of links to as many posts, how about I take it easy on you and point back to just a couple of stand-outs?

The first was the most widely read post, with over 3,000 separate views, and it was called "The Value of Black Hat for Smart Grid Security." It basically makes the case that vendors of insecure or un-secure-able electric sector products will eventually be called out in one fashion or another, and concludes with:
Suppliers thinking they'll save money by moving slowly on improving the security characteristics of their products are playing with fire. The lesson of Black Hat is that they'll be found out. It may not be by NERC. And their utility customers may be focusing on other pressing challenges. But sooner or later, the Black Hat crew will be on your case and when they do it'll take more than tons of money to get your troubles behind you.
The second is mentioned here simply because it was my favorite, as well as the favorite of many folks who told me so via email or at conferences and such. "The Best Talk Ever on NERC CIPS and Grid Security ... Period." It's not the blog post, so much as the talk by FERC's Stephen Flanagan to which it linked, that got people worked up. In my mind, never was the corporate psychology of compliance so artfully skewered.

Lastly, I'm psyched about the re-emergence of early SGSB blogger, fellow IBMer, and eternal cyber security guru Jack Danahy on these pixelated pages. Beginning with "A New Breed of Security Attributes for our Time," he's begun a series of deep dives on thoroughly rethinking cyber security strategies, policies and practices in this and other sectors. I'm greatly looking forward to seeing where he takes this in 2012.

Hope everyone is taking a little bit of well deserved down-time with friends and family. We've got a ton of work to do next year and it'll be best to hit the ground running with a fresh pair of legs.

Merry Christmas and Happy New Year. Andy


Friday, December 16, 2011

Industrial Defender Report Highlights Control Systems Operators' Increasing Responsibility Overload

The sharp folks at ID just released a survey-based report called "Managing Automation Systems: Critical Infrastructure Operators' Challenges & Opportunities" which is chock full of interesting findings. You'll quickly see that the challenges that rose to the top of their findings are much more about people and process than about technology.

Here's a sample from the overview:
  • On paper responsibilities don’t align with day-to-day activities. Over the past several years, industrial automation professionals have seen their responsibility broaden from managing operations to managing security and, in some instances, managing compliance. However, there is a clear gap between the time these individuals commit to each requirement, regardless of whether they own a high degree of responsibility
  • Similar management requirements exist across security, compliance and operations functions. In other words, actions and activities necessary to support a security program may be strikingly similar to what’s required for compliance management and operational management within critical infrastructure
  • Infrastructure operators are constrained in their ability to manage these overlapping requirements. This is particularly true when it comes to managing multi-vendor environments with assets from a mix of industrial automation suppliers
It's a familiar story, right? Too much being asked of too few, with the quality of the work that gets done likely to be, well, sub-optimal. Sounds like some business process optimization and automation is in order ... and in the meantime, maybe pay increases for the folks who are asked to get this mountain of important work done.

Recommend you read the full report ... it's a brisk read at <10 pages.

Friday, December 9, 2011

Go On, Admit It: You're Exposed and Vulnerable on the Holi and all the other Days

What began last week with a call for a new set of security attributes now continues with a fleshing out and update of our thinking regarding one of the key security constituents: vulnerabilities.

In his latest mega-post, you'll find some cyber security truth telling that's as much psychology as technology. With Sigmund F staring you down, one arm akimbo, the other hoisting a cigar, Jack begins with a consideration of how much emphasis our society places on identifying and remedying personal weaknesses of all kinds, and the effects thereof:
... most people overreact to their personal insecurities, and even those imaginary weaknesses can create wholesale changes in behavior.
And then quickly pivots to the cyber security realm:
Once we switch tracks to begin the discussion of vulnerabilities within software or systems, our nature somehow changes. We stop compensating and obsessing, and begin the easier tasks of ignoring and rationalizing. We do not treat vulnerabilities as potential disasters, and we definitely do not get therapy to help us talk through the underlying issues that have created our vulnerabilities and insecurities. We seem to just move on, waiting for the actual disaster to prod us into some reaction to problems we had known about (at least in the abstract) for a good long time.
We build armies, navies and air forces to protect ourselves from actually and potentially hostile other nations. With some exceptions, we buy and don expensive helmets in case we fall or get hit when riding our bikes. We wash our hands in an attempt to keep potentially harmful germs at bay. So why do we think of cyber security threats and responsibilities differently? 

The FULL POST offers more insights and potential solutions. And if you want more Sigmund, and a little bit of Carl, go see David Cronenberg's latest film, which features both of them: A Dangerous Method.

Friday, December 2, 2011

A New Breed of Security Attributes for Our Time

I've been on the subject of grid and Smart Grid security measurement and metrics now for quite a while, and all around are signs that we're making slow but steady progress.

In Jack Danahy's latest mega-post on security from an industry perspective, you'll find a call to substantially overhaul the way security practitioners do business, with an emphasis on, among other things, measurement:
We should be able to describe how much time and money is spent to prevent the introduction of vulnerabilities vs. preventing the exploit of vulnerabilities vs. preventing the release of private information. We should be able to point to the documented practices in place to remediate vulnerabilities that are found, or to interrupt exploits in process, or to clean-up after a breach has occurred. In order to justify the strategic importance of security we must take a fresh look at the criteria by which we judge and measure it.
Warning: this material is not for the meek or groggy. Make sure you've got your thinking cap on straight before digging into the full post, HERE.

And note: this isn't the first time Jack has summoned the Parkerian Hexad. He took his first electric sector-specific run at it a year and a half ago, HERE.


Follow-up on Illinois Water Pump Hack Case

This isn't pretty, but it would be good if you knew the whole, emerging, story. My recent post said it wasn't an international cyber attack ... or a cyber attack at all, and that we had been through yet another round of grid security FUD.

But the truth seems to be worse than that. I've got a fuller picture now, having had some contact with Joe Weiss who is, for better or worse, in the thick of it. Here's yesterday's post from his Unfettered Blog:
This story would be funny if it wasn't so scary. Wired magazine has broken the real story (or the latest iteration of the real story). The link is here. So it wasn't evil hackers from Russia after all. From the sound of it, more like a Keystone Cops fire drill. Nobody checked with anybody. Lots of people assumed things they shouldn't have assumed, and now it's somebody else's fault and we're into a finger-pointing marathon.
Securing our infrastructure is complicated and tough enough as it is, without self-inflicted wounds of this type. From what I could see, the water pump control system in question was a complete security mess, connectivity- and configuration-wise. Its connection to the web was easily visible with Shodan.

Don't know Shodan yet? You should. Seriously. Here's a nice intro from John Matherly on it. If you're an asset owner and you can see your system on Shodan, you've got some work to do. 

And if you're part of a government or industry org charged with getting information out to help keep owners and operators apprised of threats, please do a great job. We're depending on you.