Thursday, January 31, 2013

Electric Sector Security Observations from Distributech 2013

The show is over for me as I'm up in LA for some IBM training, but it was a very good 2 days. Here's a few of the highlights I took away:

  • Saw a great new product with immediate applicability to AMI (and other wireless network) security with crossover applications in restoration, routing and reliability
  • Patricia Hoffman, DOE's Assistant Secretary for the Office of Electricity Delivery and Energy Reliability (OE), following great, largely renewable-energy oriented keynotes from senior executives at SDG&E and Cal ISO, gave her perspective on the world and beat a drum loudly for improved cybersecurity awareness and action towards the end of her talk
  • Speaking of DOE, after visiting several security vendor booths found a remote outpost DOE cybersecurity booth in the far corner of the big hall. Those folks seemed glad to have any human contact :)
  • One industry security guru whose knowledge I implicitly trust said he would like to see a greater emphasis on security architectures this year. Too many point products are being bought and strung together with little consideration for the bigger, enterprise protection picture. And that's a recipe for weakness and inefficiency, and for the folks recommending or doing the buying, a formula for losing credibility and trust
  • I couldn't make the conference's security focus panel but if someone did and has some impressions to share, please do and I'll post them here.
  • Lastly, from my extended family at IBM flown in from all over the world, definitely detecting heightened security awareness and interest from utilities that until recently weren't all that active.
For those still in town and/or next time you're in town, highly recommend the new Blind Burro restaurant ... ate there twice and it's fantastic. So far, scores a ridiculously high 4.5 out of 5 stars on Yelp. Mmmm tasty.

Wednesday, January 30, 2013

The Cybersecurity Crew at Distributech 2013

First off, let me say that for those travelling to San Diego from northern or northeastern USA, or northern Europe or Russia for instance, this conference is worth it simply as a respite from persistent cold temps and dreary midwinter landscapes.

Now this may sound a bit gossipy, but so far, in terms of our small community of energy sector cyber security practitioners, I've already met up with some old acquaintances and have met for the first time, face to face, others.

Met up with Liza, Darren, Slade, and had a great talk over dinner with Ernie. Though with Darren it was really just eye contact because by the time my IBM theater preso on security breaches with Steve Dougherty was done, Darren had, Jason Bourne-like, vanished into the crowd.

Will get to travel more widely through the exhibit hall today and will craft a more security content-laden post later today or tomorrow, I promise. Cheers, Andy

Monday, January 21, 2013

Conference Alert: Security at Distributech 2013


The annual electric sector conference in North America is coming up next week in San Diego. Called Distributech, the 7,500 or so attendees will peruse booths featuring the latest reclosers, transformers, comm gear, outage management systems, etc.

They can also peruse me, as I'll be at the large IBM booth alongside colleagues discussing solutions for:
  • Smart Metering and AMI
  • Distributed Energy and Electric Vehicles (EVs)
  • Asset Management
  • Grid Operations
  • Communications and Cloud
And of course, security, privacy and compliance. I'll be there with my security consulting services colleague and industry veteran, Steve Dougherty. Will also be doing a 30-minute auditorium session called "Utility Cyber Breach Scenarios & Responses" which should be a good one.

If you can make it, here are the details:
  • Dates: 29-31 January
  • Venue: San Diego Convention Center 
  • URL: http://www.distributech.com/index.html
While the conference is going on, will be tweeting highlights from @sgsblog. Lastly, if you aren't attending, will be happy to share findings and observations afterwards on the blog and/or via other means.

Photo credit: Wikimedia.org

Monday, January 14, 2013

Fresh Thinking on Security for 2013 and Beyond

If you have even the slightest interest in security ... even the slightest, my ten-year colleague, mentor and friend, and early SGSB co-blogger Jack Danahy has just penned a piece well worth your reading.

Here's a part of it that should spur you to read the rest:
New security audiences, from general managers to contract attorneys, from entry-level programmers to boards of directors, are becoming engaged and involved in the definition and execution of what formerly was a purely technical and parochial security domain. The financial health and well-being of enterprises is now much more directly impacted by security concerns, and so security responsibilities and decision-making are becoming more strategic.

Thursday, January 10, 2013

Security Double Dutch: Shodan Points out Critical Infrastructure Gaps in the Netherlands


Hat tip to friend and colleague Steve D for shooting this my way.
Security researcher Oscar Koeroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea-level, those systems keep the Dutch feet dry!
I've been to the Netherlands several times and saw the country in the news a lot recently when UberStorm Sandy raised concerns that New York City should perhaps get similar types of protective systems. I can assure you that this is about much more than a preference for dry feet.

Read on to find out how control system search engine Shodan once again reveals what systems are directly connected to the Internet. Warning, it paints a full picture, but it's not a pretty picture, and hopefully you won't find systems in your charge popping up in the findings window!

Here's the complete article from Tofino, replete with lurid details of password mismanagement, accusations, denials and counter-accusations, and that sort of thing. Best keep a Heineken or two handy.

Photo credit: nrc.nl

Tuesday, January 8, 2013

DoD Software Assurance for Electric Sector Security?


Behold the electric sector software supply chain. It includes:

  • The code that comes with the systems you procure: IT, OT, mobile, Smart Meters, etc.
  • The code that your developers buy or borrow and use as part of their software development lifecycle (SDLC)
  • The code developed, bought or borrowed by integrators you've hired
  • The code your personnel download in the form of patches
  • Other code that's crept in through the cracks, including code you didn't intend to procure, like the malware you've detected and removed
  • ... and the malware resident on your systems that you don't know about yet

The US Department of Defense has been thinking about this for a long time, and recently codified a pretty robust response in the form of the National Defense Authorization Act (NDAA) of 2013.

Would this help remove vulnerabilities and substantially bolster security in our sector? You bet. Could it ever come to pass? That I don't know. But let's watch how it works in DoD, learn some lessons, and see what we can use.

Here's the article in NextGov on this. Hat tip to my Federal colleague, Tim F, for shooting this my way.

Photo credit: breakingmuscle.com

Thursday, January 3, 2013

DHS ICS-CERT reports malware on power control systems

Happy 2013!

OK, enough frivolity. Let's turn down the Nat King Cole, step out from under the mistletoe, and get down to brass tacks.

First, in case that compound acronym is new to you, it stands for: the Industrial Control System - Computer Emergency Readiness Team, and it lives in the US Department of Homeland Defense.

This organization just issued a public quarterly report that describes, at a high level, a recent incident at a power generation company you'll be interested in. I'll get out of the way and let you read the first bits for yourself:
MALWARE INFECTIONS IN THE CONTROL ENVIRONMENT
ICS-CERT recently provided onsite support at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment. The malware was discovered when an employee asked company IT staff to inspect his USB drive after experiencing intermittent issues with the drive’s operation.