Talking cyber security: practices, policies, scenarios
NESCO: empower states, aggregate incident data, help frontline
I spoke about cyber security last week with Patrick Miller, president/CEO of EnergySec and principal investigator for its offshoot, the National Electric Sector Cybersecurity (NESCO), a public-private partnership operated by EnergySec with funding from the Department of Energy.
Miller had been the lead security technician for PacifiCorp, which provides energy services in nine states, including Utah, site of the 2002 Salt Lake City Winter Olympics, when he was tapped to lead SCADA-related security for those Olympics across multiple states. That led him to found the nonprofit EnergySec NW, then EnergySec, which applied for and won DOE funding to establish NESCO, which is open to asset owners, vendors, government agencies and academics. Today, EnergySec's mission is education, training and workforce development in the entire energy sector, while NESCO is exclusive to the power sector.
The following, two-part article was culled from our hour-long discussion of cyber security for electric utilities.
Intelligent Utility: What's your view of the pending executive order on cyber security waved by the Administration after a Cyber Security Act failed to pass Congress?
Miller: I've seen a copy of the draft. What's being proposed seems like a motivator. There's only so much the president has the authority to do. Congress still has to make the laws. The president just clears some obstacles, so to speak.
In general, what we're trying to get to is that there are a lot of security-related data out there and we're trying to connect the dots in advance and predict what's about to happen. We're in a sea of data, we're swimming in data, so it's very challenging to turn that into useful information.
Federal agencies are fairly good at that. They can connect the dots reasonably well. They have visibility into certain areas that the utility can't see. But in reality, the utilities are on the front lines. They're the ones that see the attacks on them on a daily basis.
A lot of the "noisy" attacks are stopped at the firewall. But regular phishing campaigns and other elements that are rumored - no one has confirmed that any of these attacks have gotten through, other than the few vendors who have disclosed breaches.
Information sharing? The reality is, in no uncertain terms, the feds want access to that data, primarily because they're trying to stop a legitimate, credible threat. But the industry is concerned about what else they're going to do with that data.
The utilities are very concerned; there's been no shortage of proposed legislation and regulation that would severely impact their business. If you're an executive in risk management, would you want any more data going to someone who has the potential to affect your bottom line? It makes business sense to withhold as much data as you can because there could be a regulatory or legislative avalanche coming your way.
Sure, it's the right thing to do to stop the next attack. But from a business point of view, from the CIO, CFO, CEO standpoint, their concern is whether the organization makes money. Most utilities I have spoken with actually want to share the information from a "good critical infrastructure citizen" standpoint, but are afraid of the potential regulatory risks and financial impact that come with it.
So this "information sharing" invitation is always viewed differently by the utilities themselves.
Intelligent Utility: Certain information is already required to be reported and shared, isn't it?
Miller: There are certain types of information that are required to be shared but few will share beyond the absolute required minimum. Some approaches are purely voluntary, at the comfort level of the utility or whichever party is sharing the information. Utilities can share raw data, or utilities can anonymize and sanitize their data. But there is an enormous amount of sharing going on where the voluntary approach is taken. Between each other, utilities voluntarily share a lot of data along with the context surrounding it. That's how you connect the dots, the wider, contextual picture, from which you can begin to draw inferences.
Intelligent Utility: What sort of data are we talking about?
Miller: Utilities are notoriously good at telemetry and that's true too for the security staff within them. They're getting security telemetry from their devices. We've seen a lot of organizations start out with strong passwords, firewalls, anti-virus, anti-malware, integrity assurance tools. As we mature, what we're getting now is lots of operational data and using security logic to mine that data and show trends, areas of security interest from just standard operational elements. When you combine information from the security devices with the operational information, you get a much clearer picture from an overall security telemetry perspective. We have to do root-cause analysis, we want to find out why something failed. Really "good" attacks can't be detected. You can't stop the illegitimate use of legitimate credentials. But then, if you look at the contextual information, you can infer that an event may be the illegitimate use of legitimate credentials, for example. Sophisticated attackers don't come in through the front door with a marching band. They enter the system just like one of your employees or as one of your employees; they piggyback on legitimate traffic.
Intelligent Utility: Are we talking mostly about investor-owned utilities? Are municipal utilities coalescing around the American Public Power Association's cybersecurity efforts? And coops around National Rural Electric Cooperative Association?
Miller: We're not just about investor-owned utilities. It's a similar but different model for municipalities. It still boils down to money. Municipalities often use the electric utility or other utilities as an anchor for their general fund. That keeps taxes low and diversifies their portfolio, so to speak. Because municipal utilities often answer to an elected board, it becomes a challenging dance around politics, funding, rate cases. It's a similar but different model with the coops, too, because they're trying to keep rates as low as possible for their members. Yet they have prudent expenses and their board still has to answer whether they're wasting money or putting the organization at risk. So it still comes down to spending your money the right way. And not always how much you're spending but how much loss you're preventing. That's about equal from a ratepayer perspective. Think of cyber security spending as the insurance model. You'd get upset with your CEO if you knew they'd failed to buy insurance in an area where they knew they had risk.
Intelligent Utility: What's your view of the threat landscape?
Miller: In a general sense, it's very real, very legitimate. Even without hard facts, hard data - no one is going to give you that right now - even though Secretary of Defense Leon Panetta got up and said, "Yes, there have been credible attacks on U.S. infrastructure, including the electric grid." Obviously he gave no examples. But think about it. If you were going to attack, economically or otherwise, another country, what is your target? It's either their electric infrastructure or their communication infrastructure. In this country those two things are the same. Our communication and electric infrastructure are essentially woven into a single fabric. So from a target value standpoint, that has the highest value. Simply put. Nothing else compares.
I come from a family full of cops, and they're always thinking in terms of motive, means and opportunity - those three elements describe crime or cyber incidents in the larger perspective. In this scenario there's definitely motive, means and opportunity. Any utility can tell you they turn away an enormous number of attacks from their front door on a regular basis. They'll all openly admit that because it's already public, traversing the public Internet. What gets through, on the other hand, is a different set of data that most people don't talk about.
There's a side conversation, with respect to risk. We're all worried about China, but China is not going to take out our power grid tomorrow. We owe them too much money. It does make sense for them to exfiltrate enormous amounts of data. China doesn't fight many wars in real time. It fights wars on a long-term perspective; they fight the 100-year war. Other nation states, such as Iran, or non-governmental organizations, such as Hezbollah, Al Qaeda, have active short-term motives. What's not on most people's radar is organized crime and other quasi-NGOs, say, in South America.
The reality is it doesn't matter whether it's organized crime or a nation state or an NGO. The target value is so high, you just assume our electric and communication infrastructure is the No. 1 target.
How do you eat that elephant? One spoonful at a time. I've been advocating for actuarial data. We need to be reporting when breaches happen. We've done it for people, now we need to do it for these systems. Right now, with respect to cybersecurity, nobody is sharing this data at all. So what we're doing, in no uncertain terms, is we're guessing at what we think the biggest risks are. It's not wise money spent. That's why a lot of CEOs are frustrated. Am I even spending my money in the right place? And if I am, how would I know? So we need to get to a point where, in a coordinated approach, a utility is only penalized if it doesn't report minimal data and do root-cause analysis. I'd hate to see an over-bearing, burdensome, penalizing approach. But if we at least start to look at breach data, we'd glean whether we're putting our resources in the right spot.
Intelligent Utility Daily