How to think about cyber security
Public discussions of cyber security typically begin with the usual emphasis on its critical importance, followed by a demurral on practical details.
The good news is that these public sessions - such as one on Wednesday at the IEEE Power and Energy Society conference in New Orleans - do discuss how to think about cyber security. And that's an angle the layperson can get their arms around.
Dave Norton, a certified information systems security professional, works on critical infrastructure protection for Entergy and led a panel on "Cyber Security of Transmission and Distribution Control System Assets." I'll touch on just a few of "Norton's mantras" here today.
He began with a definition.
"Cyber security," Norton intoned, "is a mutually reinforcing fabric of policies, processes, technologies and people assembled to identify, control and protect information assets, through a formalized, programmatic strategy that is authorized by management and infused into routine organizational operations."
Don't run for the exits, it gets better.
"Cyber security sounds kinda sexy but [information security is] a discipline that's been ongoing for 30 or 40 years now," Norton continued. "It pertains to information that's being stored, processed or moved. The 'golden triad' in information technology, according to the CIA, [includes] confidentiality, integrity and availability of information. Who gets to see it? It must be right when you see it. And it needs to be there when you need to see it."
For control systems, the priorities are reversed, Norton said. In real-time control systems at the core of your operations, it has to be there when you need it, some data dropout is acceptable and confidentiality is less important.
"We talk about the 'walnut model,' which is hard on the outside and soft and chewy on the inside," Norton said.
"How do we do this?" he asked. "It's a combination of organizational controls - that has to do with people and processes - and technological counter-measures."
"A wise old man at the National Security Agency once told me to think of this in five blocks: security for computers ("compusec"), communications ("commsec"), physical assets ("physec"), operations ("opsec") and personnel ("persec")." (Being a word guy, I had to mention these hybrid terms.)
"Keep your eye on the prize," Norton declared, in a tone of voice suited to security discussions. (I.e., ignore me at your peril.) "That's the integrity and confidentiality of your information."
The fact that utilities are in a position of holding a public trust only magnifies the responsibility to get this right. Another magnifier of cyber security's importance: control systems are at the nexus between the past and the future right now, Norton said.
On a practical level, security costs are rarely justified by themselves. Start in the utility's core operations and work outward. Security features are most likely to be included as byproducts of efficiency upgrades. Yet legacy equipment most likely needs replacing, rather than upgrading.
That means upgrading security will take more than a decade as capital expenditures are made. Make security features an integral part of equipment specifications for vendors, Norton suggested. Later, Jeff Dagle, who works in energy technology development at the Pacific Northwest National Laboratory, added: "bake it in, don't bolt it on."
But don't lapse into a siege mentality, thinking "they're out to get us," Norton warned. "Most of this is about good practices to protect the asset."
He underscored the challenge ahead when he noted that each year in the United States, only eight people earn a Ph.D. in computer security and only three of those remain in this country to work.
A few more gems:
- "We can't stop them, we can only slow them down."
- Find the sweet spot; the last 5 percent of security measures is "incredibly expensive."
- The top 20 list of vulnerabilities never changes - it still all comes down to people. "Trust no one."
- "Compliance does not equal security."
- Connect with upper management, their entire business depends on security. ("Don't discount public perception.")
- What you don't know CAN hurt you.
Ample food for thought.
Intelligent Utility Daily