Talking cyber security, Part Two: practices, policies, scenarios
NESCO: empower states, aggregate incident data, help frontline
This is the second part of a two-part interview with Patrick Miller, president/CEO of EnergySec and principal investigator for its offshoot, the National Electric Sector Cybersecurity Organization (NESCO), a public-private partnership operated by EnergySec with funding from the Department of Energy. For background on his role and organizations, as well as the first half of the interview, please see "Talking Cyber Security: Practices, Policies, Scenarios."
At the end of Part One, Miller had been advocating for the role of states in ensuring that utilities have established workable levels of prevention, detection and response to cyber threats, and touting the value of aggregating and analyzing "breach data," that is, a combination of cybersecurity-related data and parallel operations data, to make inferences about actual threats rather than theoretical threats.
Intelligent Utility: Is breach data what the government wants, possibly through an executive order or legislation?
Miller: Possibly, but I don't think it's a federal problem to solve. The states are in the best position. Congress has been writing legislation around personally identifiable information, health care records. In the vertical perspective, we've already got finance and health care covered. Even the utilities have to report whether their customer information has been breached because it contains personally identifiable information, credit data. If, for example, there were an extension of that legal proxy to mandate that any critical infrastructure must have a minimum bar with respect to detective capabilities - they'd have to know whether they'd been breached - and from there they'd have to mount some investigative effort and produce an investigative product. [The aggregate effort to analyze this data] shouldn't be massive, it should start small. Pick out, say, three key indicators that we need to be looking at right away. From a NESCO standpoint, that's not our mission. But I am advocating, as a concerned energy industry citizen, that we need to be spending our money in the right places.
Intelligent Utility: So you're saying that utilities should be given the leeway to establish their own detection capabilities and have some threshold for showing that they've investigated the cause.
Miller: That's right. And if we were to turn this around from a regulatory standpoint, we should mandate a minimum level of prevention, detection and response - because, ultimately, you're not going to stop an advanced, coordinated attack. They're going to get in. They say with safecrackers, it's time, tools and materials. Utilities are in the same situation. That said, you should at least raise the wall high enough that you minimize the window of opportunity to the sophisticated attackers and you focus your detection and response on them. It may make sense to regulate a minimum bar for detection and response efforts then add incentives for anything above and beyond that, which could dramatically shift the model.
So we need to go to that risk-based approach. NERC has done a good job at determining what's critical infrastructure and what's not. But there's been a study, at least in the Western states, that everything right at and under the 100 kV line can bring down the entire Western interconnection. And these are engineering studies. So it's hard to say whether or not the engineering perspective is the most comprehensive or effective approach. We should start by examining what's really happening. What are the real risks? And how do we go about putting in measures to protect, detect and respond? Once you marry those three pieces - prevention, detection and response - you end up with resilience. It's not about stopping an attack, it's about operating through it.
Intelligent Utility: Do you see a centralized role for information sharing in this scenario? It sounds like breach data is most valuable in aggregate.
Miller: It certainly is. At a national security level, federal agencies should get the sanitized, non-attributable data. So, at a national clearinghouse level, that data should be coordinated with what we're seeing in water, finance, telecom, transportation, so that that data can be mined for correlations. That's what we're trying to do. The utilities are going to do what they're going to do. If a utility is under attack, the federal government has limited capability to come help you. You're on your own. So why pretend it's otherwise? Let the utilities deal with the problem on their own. Then the federal government can add value where it can: looking at this from an over-arching policy perspective. How can we design future legislation? How should we shift, if risks begin to change? That way we can regulate at the speed that risk is happening, versus trying to legislate reactive risk, which means you're stopping yesterday's problem, tomorrow.
Intelligent Utility: On the other hand, if you assume that the president, his defense secretary and federal intelligence agencies are genuinely concerned about homeland security, you can see the motivation for a top-down approach in an effort to ensure minimum standards.
Miller: Arguably yes. Let me back up a bit. I believe that there's a possibility a cyberattack could take out portions of the grid. In some cases, even widespread portions, temporarily. The only way to get the entire grid down for an extended period is by massive physical damage. Attacks often are spoken of in terms of "OMG, blackout!" Yes, perhaps for two or three days. And, unfortunately, there could be significant loss of life, economic losses. But the reality is that such a scenario isn't going to be catastrophic. When you talk about risk you have to go beyond your human sensitivity blinders and really look at the legitimate and logical extremes. So I don't see widespread physical damage to our equipment outside of a large-scale physical attack combined with cyber stuff. That would be challenging.
I'm sure, from the president's perspective, that someone is giving him the human perspective in terms of lives and dollars lost. The national labs have actually run modeling on this and they've done great work. But for the president, there's always that human angle: "Won't someone think of the children?" The reality is that the current regulatory structure only addresses the bulk transmission system. Maybe a little generation. But grandma's oxygen machine, the local cop and fire shops? They're not on that list for critical protection, with respect to distribution. And distribution is handled at the state level. I know FERC is trying to move down into the states' territory and it'll be interesting to see how that unfolds. We know that the utilities are on the front lines. We know the feds have said they really can't come help you if the situation gets beyond a given scenario. If that's the case, let's admit and ask what the feds can do. Well, if I were the president, we've got some good forensic capabilities, good intelligence capabilities, what can we share to empower those on the front lines to make their jobs easier?
Intelligent Utility: Still, the folks at the federal level are responsible for our safety, even if they act just to cover themselves.
Miller: I agree, there are a lot of politics involved. But I think we need to have a real discussion about real risks, not theoretical risks. And the only way to understand real risk is through actuarial data. When you treat human patients, you don't solve the problems by simply giving the doctor new tools, you go to the patient and say, if you adopt these behaviors, you'll live ten years longer. Push it out to the front lines.
Intelligent Utility: You've just said that widespread, persistent blackouts are unlikely. What are the likeliest outcomes of cyber attacks?
Miller: Right, any company in general, but utilities in particular, don't realize that the currency of the future isn't dollars. It's data. And the gold of the future is going to be electricity or energy. We're married to it. There's no way any future society can live without massive quantities of energy. So whoever solves the energy challenge will be the winner, the superpower of the future.
The currency to get us there is going to be data. Right now, access to that data is the competitive edge. The stage is being set for the next superpower and that superpower will be defined by their ability to manage their energy in real ways. That's forward looking. Let's just look a few steps ahead.
We've already changed from gold and dollars to data. I say that because Facebook and Google make untold billions of dollars on innocuous data. If that data has value, can you imagine the value of data above and beyond that? Especially if you aggregate data and make inferences based on it. Then you can infer trends and get ahead of them, if you're savvy.
So in a competitive landscape, where superpowers look to advance beyond each other, aggregating enough data to predict where your national and corporate competition is going will win the day.
From the utility perspective, co-ops ask me why they should spend any money at all on cyber security. The conversation goes like this: I say, "Because you've got a lot of data." "Who wants access to my data?" "Organized crime. Data is money. You're a bank. They will steal and sell your data. And at some point that'll come back to you and you'll have a PR mess to clean up and it might cost you a lot." So you can spend a little now and save that mess down the road, or you can spend it then.
Intelligent Utility: Depending on the actor, the game is to convert data into money, power or economic advantage. Depending on the actor and motive, can you map them to the outcome? Wherever all those lines cross is the threat landscape.
Miller: Exactly. China isn't at war with us by most definitions; it's arguably competing with us economically. That's at one end of the spectrum. At the other end of the spectrum you have near-term actors such as Iran, Al Qaeda and others. So the landscape runs the entire gamut. In the middle somewhere is organized crime, which doesn't care about anything except making more money.
Intelligent Utility: Can we also discuss the unintended consequences of an innocent mistake or the scenario in which a disgruntled employee causes harm?
Miller: As I've said, it's very hard to stop illegitimate use of legitimate credentials. That can mean an accident by a privileged person. Everybody has accidentally deleted something they didn't think they had access to. I was joking with an operations guy who said that no cyber attack will ever inflict as much damage as we've done to ourselves through our efforts to keep the grid up. He's absolutely right.
We spend too much time thinking we can stop something from happening. We need to properly break our efforts into three parts, 33 percent each: prevention, detection and response. Anything that's accidental would still have 66 percent coverage. Our ability to hurt ourselves goes down. And the ability of someone else to hurt us goes down. That's real resilience.
Editor's note: Cyber security will be on the agenda for IT executives at next month's Knowledge2012 Summit, in Houston, Texas, Nov. 12-14, an Energy Central event that brings together customer service and IT executives for closed-door sessions on the power sector's top issues.
Intelligent Utility Daily