On 9/11: cyber security and power
Homeland security calls for 'best practices'
On the anniversary of 9/11, the discussion of cyber security in the power sector continues to grab headlines. Let's update the topic and then review some of the themes that continue to drive discussion.
As we all know, actual cyber security measures aren't discussed publicly, so I'll provide a raft of links to our work covering, essentially, "how to think about cyber security"—that is, those fuller discussions that I'll merely touch on here and resources for further delving. Here goes:
"Cyber is the most active, the most dynamic and the most threatening risk we have," said Department of Homeland Security Secretary Janet Napolitano yesterday, at the opening day of ASIS 2012 in Philadelphia. (Quote is courtesy of Government Security News (GSN).)
"Napolitano backed a reported White House draft executive order that calls for private infrastructure companies to develop voluntary 'private sector baseline' protections for 'core infrastructure,'" which apparently includes the power and chemical industries, according to a GSN report (link above).
That draft order would establish a voluntary program for the power industry to establish best practices in cyber security and develop standards in partnership with government agencies.
Let me jump in here. There's no shortage of best practices for cyber security in the power sector, which is actively engaged with government agencies on security-related standards. On the latter point, let's reference here a three-part interview I did last year with Annabelle Lee, now a technical executive with the Electric Power Research Institute (EPRI), which began with "Security: Organic Effort Required for Cyber Security." Lee guided and coordinated the creation of the NISTIR 7628: "Guidelines for Smart Grid Cyber Security," which is available from NIST in Volume One, Volume Two and Volume Three.
The other articles include "Security, Part II: Control Systems and IT Systems" and "Security, Part III: Cyber Security Demands End-to-End Thinking."
It's an appropriate subject for Sept. 11, a date that 11 years ago marked the most horrendous terrorist attack on the United States homeland in modern times. I was born not far from Ground Zero in New York and members of my family have periodically served in government in Washington, D.C. So I'm not likely to forget that our failure to imagine the callousness at the heart of terrorism can surprise us again. We were not prepared for the use of domestic airliners as weapons of mass destruction because we couldn't imagine that degree of madness.
So, today, are we actively and adequately addressing the threats to our critical infrastructure?
Have we sufficiently absorbed the lessons of 9/11 in order to adequately imagine the disregard for innocent human life that enables terrorists, be they domestic or foreign, to pursue their plots?
Frankly, I don't believe so. Here's another line from the GSN article:
"The ICS CERT (Industrial Control System Computer Emergency Readiness Team) has sent damage assessment teams to infrastructure company sites in response to cyber attacks 78 times in the last year," Napolitano told the ASIS 2012 audience. "Private industry needs clearer guidelines for sharing information with federal authorities."
That line about "sharing information with federal authorities" brings up the fact that many people tell me that utilities are loath to report cyber incidents. They may even be unclear that one has occurred.
Eleven years after 9/11, with administrations run by both Republicans and Democrats, we're still talking about "clearer guidelines," "voluntary best practices" and private-public cooperation on standards?
There are many reasons for this pathetic impasse, many of them stemming from political cynicism. But many of them stem from sheer incompetence and indifference. As cyber security experts can tell you, security often comes down to people. If we have the will and determination to make the homeland more secure, we can stay one step ahead of malefactors, be they individuals, criminals, terrorists or foreign adversaries.
Anyone who cares to spend only a couple hours on the subject quickly learns that the Chinese and the Russians and possibly others, including allies, have embedded monitoring software on our grid to learn how it works, its strengths and its weaknesses. No real adversary is going to exploit those weaknesses until or unless they decide to initiate hostilities with the U.S. That's a huge disincentive to exploit our vulnerabilities. But what's to stop lesser players from wreaking havoc with our digitally based economy by exploiting the many vulnerabilities we've ignored or overlooked? If you delve into the subject, you'd also learn that sophisticated industrial espionage in the power sector is commonplace.
When a power executive asks for concrete examples of cyber security attacks in the U.S., I think of two answers. One is found in a link embedded in the following column, "Cyber Threats Grab Headlines," in which the U.S. has made it clear that a cyber attack on the homeland will be considered an act of war. I.e., unless you're ready for full-scale conflict, do not launch a cyber attack on the U.S. That's undoubtedly holding back nation-state actors, but the same methods may be available to stateless terrorists, criminal syndicates and even domestic actors.
It's also critical to keep in mind that cyber attacks can just as easily be the unintended consequences of an innocent mistake. That's where "defense in depth," or multiple layers of processes, protocols, people and technology, creates an ostensibly impenetrable barrier to intrusion. Again, the key is people.
Yes, a certain amount of sophisticated software and cyber security measures need to be applied—and I'm no expert in that field. Yes, much of that work goes on behind closed doors or takes place in hushed conversations among qualified practitioners.
The basis for cyber security is the approach taken by people, and if you had to identify one crucial vector of vulnerability, it's people. Read a little about "social engineering" and how it is applied to test cyber security at power utilities. Turns out people are easily tricked, and they are lazy when it comes to adherence to protocols that could eliminate much of our exposure. Probably not the people charged with cyber security, who take all this quite seriously, but utility personnel who may not grasp their role, or executives who do not regularly pound this into everyone's head and provide rewards for compliance and disincentives for failure to comply.
I'm just getting warmed up, with more points to make and more resources to provide, so I'll continue this theme tomorrow. Please join me.
Intelligent Utility Daily