Smart Grid

Verizon and DistribuTECH ? Demonstrating Real Business Solutions for Challenges Facing Utilities

Tue, 29 Jan 2013 11:04:00 -0600

What keeps utility executives up at night? Let me count the ways.

With the DistribuTECH Conference running January 29-31, my Verizon colleagues and I will be meeting with leaders in the utility industry on issues ranging from securing the smart grid and critical infrastructure to business continuity to deploying cloud computing services in the utility and energy industry.

At the heart of these solutions lies security – securingthe data, the communications, and the information -- and I will be joining some of my Verizon colleagues at our booth #1001. I will be discussing emerging security threats to the utility enterprise, including:

Data is at Risk – And a New Security Philosophy is Brewing – Today’s security environment is very challenging and the old concept of the “perimeter” – the moat around the castle protecting the organization – is not as effective as it once was. With the proliferation of portable media and smart devices and the increased difficulty with corralling critical data, enterprise managers must evolve their security philosophywith the approach that they can have a data breach at any time under many different circumstances and they must establish a strong, practiced incident response team to protect important data more than you did in the past.
Too Many Opportunities for Harm – Too Much to Protect -- Data is ubiquitous. Just think about your smart phone, laptop, desktop computer, tablet, USB drives, CDs, DVDs, and other collections of data. How can that be controlled, protected and how can the enterprise be sure it is not being stolen or fraudulently injected into the enterprise? Today’s enterprise manager must have a holistic view of security and they need to realize that a simple perimeter of firewalls and routers is simply not adequate. You need a security strategy, a policy, and a game plan that can be validated, supported and realistic versus today’s threats.
Control System Vulnerabilities – New Modes of “Operational Attack” – Ever heard of “Stuxnet?” Many utility executives have heard of this attack on a nuclear facility’s industrial control system (ICS). The ICS for the utility is very fundamental and includes the Energy Management Systems (EMS) and Supervisory Data Acquisition and Control Systems (SCADA) that are crucial for the safe and reliable operation of the electric grid or gas pipeline. Today’s enterprise manager needs both IT and operations technology awareness and needs to understand how to protect those systems from both a cybersecurity and a physical security standpoint.
The Smart Grid and Security Opportunities – The smart grid is not new anymore. Across the nation, utilities –ranging from electric to gas to water – are implementing smart meters and automated metering infrastructure to operate more efficiently, intelligently and responsibly – and help improve customer service.However, the smart grid brings some key security issues for utility executives to address, including: physical security of the components, encompassing meters; cyber security of the IT systems such as communications, data routing and processing; privacy of the data – an especially new issue in the United States; and data storage to address the massive data – on the order of terabytes -- that is being generated by the new meters and infrastructure.
Mobile Security and Consumerization of IT – Today’s enterprise manager is facing new challenges with mobile data as well as the “consumerization’’ of IT and the growing trend of employees wanting to use their own phones, tablets, and laptops to connect with enterprise business resources. This can be a huge concern when it comes to data security; privacy of the employee’s own data; and addressing responsibilities for data security, storage and backup.
Disruptive Technologies and Trends – No question, today’s security environment is becoming larger and more complicated. “Disruptive technologies’’ brought by cloud computing, IPv6 and other capabilities can be a tremendous benefit to the enterprise and its mobile workforce. However, these new technologies provide new schools of thought when it comes to security management. Verizon experts can help customers determine the best path in addressing these challenges.
Regulatory Issues – From federal mandates on securing critical infrastructure to discussions of possible new rules and regulations regarding cybersecurity, utility companies face a variety of sometimes changing regulatory issues. Verizon experts can help customers tailor their systems to address changing requirements.
Supply Chain Cyber Security Risks – Another challenge for today’s utility and its management is security protection for meters, equipment, and software that may be contaminated with fraudulent parts or cyber malware during manufacturing and shipment. This is an area that is becoming a frequent point of conversation in utility board rooms and at utility conferences; however, more must be learned about this threat. Because of Verizon’s key work with critical infrastructure, we have dedicated resources focused on the supply chain security risks.

So, as you can see, there are many reasons why today’s utility executive – especially the Chief Information Security Officers (CISOs) – may not sleep well at night. There are many different challenges on the plate and there are many different issues that need to be addressed. Verizon has expertise in these different areas and we can bring to bear technology and expertise to help better understand threats and what to do about them.

We look forward to seeing you at Booth 1001 at DistribuTECH. If you can’t join us, please visit our News Center at http://www.verizonbusiness.com/us/about/news/ to keep up with the latest Verizon happenings.

Four Layers of Smart Grid Security ? Where is Your Data?

Mon, 05 Nov 2012 12:26:00 -0600

For the past four years the “smart grid” has been a hot topic of interest in the energy and utility sectors as well as for the operators of water and sewer systems.

In December 2007, the U.S. Congress passed and the president signed Title XIII of the Energy Independence and Security Act of 2007 (EISA) into law creating the foundation for the modern day smart grid. EISA provided the legislative support for the U.S. Department of Energy’s (DOE’s) smart grid activities and reinforced its role in leading and coordinating national grid modernization efforts. In fact, even today the DOE online booklet – “The Smart Grid: An Introduction”– remains an excellent desk reference for the executive or policy maker to gain a quick understanding of just what constitutes the “smart grid.”

As a security professional and having been in the energy and utility industry for more than 30 years I have been very focused on the smart grid and how it can be secured. I’ve been actively doing research on this topic for several years and have found that in order to help simplify and understand smart grid security issues, it is better to examine the four layers – the physical layer, the cyber layer, privacy and storage.

Physical Layer – how are the smart grid components protected physically?
Cyber Layer – how are the smart grid components and systems protected from cyber hack and attack?
Privacy – how is the smart meter data protected so that a customer’s privacy is not harmed?
Storage – just what do you do with all the data generated by the smart grid and how do you protect it?

Interestingly enough, I developed this layer model about two years ago and it still remains viable today – albeit with new stories on how the industry has responded to some of these challenges and opportunities in securing the smart grid.

For instance, in the past few years the U.S. National Institute of Standards and Technology (NIST) has published NISTIR 7628 Smart Grid Cybersecurity Guidelines(Volumes 1-3). Even though this is considered a guideline, it is often cited as the performance standard for many smart grid deployments.

From physical security to cyber security, smart grid security remains at the forefront at the industry.

On theissue of privacy, The Future of Privacy Forum(FPF)and TRUSTehave given us a great example of how the utility industry can take steps early to address customer concerns. The organizations recently announced afirst-of-its-kind privacy seal programfor companies using consumer energy information. The seal will be available to firms offering home energy management, remote home control or security, smart thermostats and other services that depend on access to consumer energy data, whether that data comes from a smart meter or from in-home sensors.

I recently discussed the layered security concept on October 22 at the GridCommsconference in London. In addition, in November I will be meeting with industry experts and speaking at the Cybersecurity Malaysia Awards Conference and Exhibitionin Kuala Lumpur and I have been invited to the prestigious invitation-only Bloomberg Energy Smart Technologiesleadership roundtable in Amsterdam.

If you make it to any of these conferences, please be sure to reach out and say hello.

The smart grid can be complex. But with diligence and an eye to securing the layers, a smart grid can be secure.

Emergency Communications and the U.S. Nuclear Industry ? Satellite to the Rescue

Tue, 21 Aug 2012 13:58:00 -0600

The world certainly remembers when the massive tsunami hit Japan on March 11, 2011. The video images alone captured the destruction and impacts on the Japanese infrastructure and its residents. The tidal wave that hit the Fukashima Dai-Ichi nuclear station essentially destroyed major emergency power capabilities, resulting in core meltdowns in several reactors. Since then there have been many questions about what happened and why.

In the United States, the U.S. Nuclear Regulatory Commission (NRC) closely monitored the Fukashima accident and response activities – not only to see how the United States could offer any assistance but to identify how U.S. nuclear plants could be better prepared for such a calamity.

Of note, a key aspect of the Fukashima accident noted by the NRC was the earthquake and resulting tsunami were “beyond design basis” for the Fukashima site scheme. Basically this means is the Fukashima nuclear station was hit with an earthquake and tsunami that was beyond what the plant was designed to withstand. Hence, the plant faced major damage because certain seismic and flooding protections were not built into the plant.

The NRC in a March 12, 2012, letter concluded that they had“…confidence to conclude that an accident with consequences similar to the Fukushima accident is unlikely to occur in the United States (U.S.). The NRC concluded that continued plant operation and the continuation of licensing activities did not pose an imminent risk to public health and safety.”[1]

However, the NRC – with Fukashima in mind – has required all U.S. nuclear plants conduct evaluations on the seismic, tsunami, flooding and other external hazards and the potential impact on their sites. The NRC has also asked that the U.S. nuclear plant emergency plans be closely reassessed while recognizing that Fukashima highlighted the need to ensure the communication equipment necessary for emergency event response can be powered for sustained use if the plant faced a prolonged blackout.

In addition to the required plant assessments promulgated by the NRC, the Nuclear Energy Institute (NEI)-- the policy organization for the nuclear technologies industry – established several task forces to review the Fukashima eventand determine lessons learned to apply at U.S. nuclear plants. One task force established by NEI was focused on communications during an extended loss of power and published a technical report (NEI 12-01) providing recommended criteria to assist with the physical plant/policy/procedure assessments that identify enhancements that could provide a means to power equipment needed to communicate on-site and offsite during an extended loss of power event.

Most if not all U.S. nuclear plants are actively performing the necessary assessments delineated in the NEI report as well as those mandated by the NRC. Verizon is working with some of these plants to assist in ways to sustain emergency communications in the event of an unforeseen event like Fukashima.

The NEI notes that the nuclear industry must assume that in an emergency all offsite communications infrastructure – such as wireless towers, landlines, microwave towers and telephone central office buildings – is inoperable within a 25-mile radius of the site. So what’s the solution in such an emergency? Satellite communications.

Satellite communications can be encrypted and can be used with Voice over Internet Protocol (VoIP) as well as used for data transmission. In addition, satellite is an available option for the 60 or so nuclear plants across the continental United States. Satellite not only provides the utility the ability to demonstrate to the NRC that they can maintain sustained communications -- even if the area around the nuclear site has been devastated -- but satellite is highly reliable and can support business operations and emergency voice and data communications.

Fukashima was a horrifying and sad event. However, lessons learned from the episode can be captured and applied across the global nuclear industry.

[1]US NRC Letter dated March 12, 2012 REQUEST FOR INFORMATION PURSUANT TO TITLE 10 OF THE CODE OF FEDERAL REGULATIONS 50.54(f) REGARDING RECOMMENDATIONS 2.1,2.3, AND 9.3, OF THE NEAR-TERM TASK FORCE REVIEW OF INSIGHTS FROM THE FUKUSHIMA DAI-ICHI ACCIDENT

ICSJWG Releases New ICS Vulnerability Disclosure Framework

Thu, 26 Jul 2012 15:09:00 -0600

In a move that may be helpful for utilities, the Industrial Control Systems Joint Working Group (ICSJWG)on July 23 published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document -- Common Industrial Control System Vulnerability Framework. The document was developed with the intention of providing consensus-based guidance to vendors and system integrators in helping them create ICS vulnerability disclosure policies. Unfortunately, the industrial control systems/supervisory control and data acquisition(ICS/SCADA) industry has been criticized for less than effective disclosures of vulnerabilities in critical infrastructure systems and products. This new document is intended to provide a foundation for the industry to follow once vulnerabilities are discovered and how the faults should be revealed to the vendors and the operators for remediation.

The ICSJWG notes that the new paper is “a living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.’’

The document can be a good starting point. Key sections include:

Software Vulnerabilities (Types and Associated Remediation)
Mechanisms for Identifying Vulnerabilities
Types of Disclosure (Private, Public, Third-Party)
Vulnerability Disclosure Policy Components
Terminology/Glossary
Sample Disclosure Policy Overview
References

If you work with ICS/SCADA systems and if you could be in a situation where you are aware of vulnerabilities but do not have a sense of how they should be handled and revealed, I’d strongly suggest you look over this framework as a guide. Secondly, if your company develops and/or tests ICS/SCADA software, then this framework can be a good starting point in developing your own internal policy and procedures for handling and ultimately disclosing newly discovered ICS vulnerabilities.

Effective Security Requires Involved Leadership

Wed, 04 Apr 2012 16:08:00 -0600

In reading about critical infrastructure protection and cyber security issues every day, I’m beginning to see a theme in our industry that is of special interest to me – cyber threats.

When I attended the RSA Conference at the end of February, the first day of the conference included an announcement from Carnegie Mellon and RSA about the results of a survey conducted by Carnegie Mellon’s CyLab regarding governance of enterprise security. Using the Forbes Global 2000 list, the CyLab survey revealed that most corporate executives and external boards of directors are still not involved in governing their company’s cybersecurity strategy. A good summary of the results and some thoughts from Kelly Jackson Higgins of Dark Reading can be foundhere.

Sadly, the CyLab survey is on the mark and we need more leadership from corporate boardrooms and executive suites to help our fellow chief information security officers be successful in this very dynamic world of cyber threats.

That theme is underscored by this recent item in Insurance Dailyunder the headline: “Directors must wake up to cyber threats.”

Not only should corporate boards grasp how exposed their companies are to the digital threat environment, but they should gain some understanding of the cyber threats they face and to make sure adequate procedures are in place to mitigate the consequences of a serious data breach.

So, what does this mean? Leadership from the top is vital in setting cybersecurity policies and defenses. It is important for all employees and corporate contractors to be diligent about protecting the corporate assets – including data and information. At Verizon we have found that this sensitivity cannot be easily “pushed up” from the CISO but really needs to have the tone set by the CEO and board.

I don’t think anyone would ever say that cybersecurity would be easy. However in today’s environment of attacks and threats from cybercriminals, nation-states and the disgruntled employee should be top of mind with corporate boards and the executive suite to make sure every employee remains at the front line of defense.

Verizon recently released the 2012 Verizon Data Breach Investigations Report (DBIR), the company's landmark report series that examines the state of cybercrime and data breaches around the world. Be sure to get copies to your board members, your CEO and executive team so they can gain a perspective of the global security trends and how to better protect your enterprise.

RSA 2012 - Are utilities ready for secure electric grid deployments?

Tue, 28 Feb 2012 16:15:00 -0600

This week in San Francisco is probably the largest, sustained meeting of information security professionals in the world. The security conference sponsored by RSA, the security division of EMC, is in its 21^styear of operation bringing security researchers and luminaries from around the globe. This is my sixth time attending this meeting and I remain pleased at the quality of the show.

As a “kick off” to the meeting, RSA and Carnegie Mellon University’s CyLab released a white paper, “Governance of Enterprise Security: CyLab 2012 Report.” In summary, CyLab performed an analysis of how boards and senior executives are governing security and privacy of their digital assets which include networks, systems and data. CyLab used the Forbes Global 2000 list for their survey candidates.

What struck me profoundly is that the key conclusion in this report was: “…boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets.” This is especially interesting – and troubling – in light of the continuing cyber attacks on enterprises and governments that are often discussed in press releases and analyst reports.

Also, this adds to my own current call for an increased “security conscience” from the executive management and designated security executives in today’s companies and utilities.

For instance a few weeks ago I was on a panel hosted by Pike Research to discuss electric grid security issues. The “normal” points about the electric grid were discussed…

But, when it came to a question on the readiness of electric utilities to meet the challenges of smart grid security, my answer was straightforward:

No. The majority of utilities are generally not ready for secure electric grid deployments.

Why would I say this? Unfortunately there are several reasons. One reason for this comment is that the culture of security tends to be a “gotta do” to satisfy the regulators rather than being an imbued cultural norm from the CEO down to the field technician.

Another reason is that the focus on security in the US electric utility space tends to focus on the financial penalties for not complying with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards rather than on the benefits of a strong security program for both the company and the neighboring – and connected – electric utilities.

A final reason why security tends to be given lower tier status is that utilities are missing a key component. They are missing a leader who sustains and espouses a culture of cyber security throughout the organization. In other words they are missing an assigned cyber security leader who is a “security conscience” for the organization. They are the champion to push the security agenda upwards to the executive management and Board of Directors as well as push down to the field workers and general staff.

In other words, the concerns I’ve raised above have been underscored by the CyLab report for industries beyond utilities.

How do you get this culture established? How is it groomed? The first step is the CEO needs to be the key advocate for a security mindset. The CEO needs to proclaim their expectation for an effective security program that first and foremost protects the company’s data and assets.

This suggestion is consistent with the first recommendation of the CyLab report.

Secondly, the CEO needs to appoint and empower a senior security executive with adequate experience, credentials, technical skills and leadership capabilities to be the “security conscience.” This security executive should be permitted to “…ask the hard questions…” and ensure that security is part of the corporate culture and mindset. They should also have the ability to stop work – just like a Quality Assurance Manager – should security not be included in application code or program implementations. Of course, the security executive will need a team to help him with his charge and again, qualified, experienced staff should be part of the security team.

Finally, I am not advocating that security be a huge cost center. But, I can also say that some studies have shown that by “bolting security on” to systems after they have been deployed can cost up to three times more than the original expense of including security in the initial design of your systems, processes and programs. Hence, your higher expenses – which you avoid with a solid security program – can be avoided and in turn help pay for part of the security organization – and save you money in the long run due to more secure operations.

So, RSA has started off with a “bang!” The theme is more about leadership than technology. Finally, I highly recommend that the leadership of the numerous global companies imbue your staff with the knowledge that security and effective risk oversight and governance is good for the company, for the customers and for the employees. You will be glad you did.

Do you Think Forward?

From Albania to the Ukraine ? Cyberwarfare Definitions Vary

Tue, 28 Feb 2012 10:04:00 -0600

“Cyberwarfare has become an unavoidable element in any discussion of international security.” This quote comes from a report issued by the United Nations Institute for Disarmament Research (UNIDIR) and prepared by the Center for Strategic and International Studies (CSIS).

The referenced report is Cybersecurity and Cyberwarfare 2011. I happened across this report while doing some research on cyberwarfare analyses and was quite surprised at the content and level of quality analysis in the document itself. It is a comprehensive review of open-source literature performed by CSIS staff where they researched how individual country governments are organized to deal with cybersecurity, ascertain if they have a military command or doctrine for cyber activities, and if they have any plans to acquire or develop offensive cyber capabilities.

The document is written in two distinct parts. The first section is focused on summary paragraphs for each country identified with a military doctrine and organization for cybersecurity and cyber warfare. This section includes succinct summaries for 33 different countries ranging from Albania to the Ukraine.

The second section includes a list of those countries with civil policy and organizations for cybersecurity. This section includes summaries for 36 different countries on their national civil activities focused on cybersecurity. This list is does not overlap with the list in the first section so you actually get an excellent summary view of the topic for 99 different countries.

Please recognize that this document was built on the data from open-sources so the summaries are probably just skimming the surface relative to national plans and doctrines on cyberwarfare. That said, this is an excellent reference on the topic and a good starting point for added research. In particular the footnotes included in the report are substantial and offer excellent paths for closer examination of a country’s policies.

One element I found interesting were the different euphemisms used to describe cyberwarfare. For example, the country of Belarus describes cyberwarfare as “information confrontation.” Brazil identifies “cybernetics” as a strategic sector of their national defense. And India is creating a military “cybersquad” for their planning and preparations.

Overall, this is a very interesting and compelling read which gives you a high-level view of the global cybersecurity and cyberwarfare preparations.

By the way, Verizon has a booth this week at the RSA Security Conference in San Francisco. Please be sure to stop by our booth and say hello! You can also learn more about our own efforts to defend our clients from cyber attacks.

Do you Think Forward?

The Smart Grid and World Economic Forum: The Interesting Side of Connectivity

Wed, 22 Feb 2012 16:36:00 -0600

Today I was introduced to an absolutely fascinating document released by the World Economic Forum of Geneva Switzerland. The Global Risks 2012 report is the 7^thannual release by the World Economic Forum where a group of more than 450 risk experts evaluate and assess potential risks to the world in the areas of economics, environment, geopolitics, society and technology. The report includes some excellent graphic representations of the different risks relative to “likelihood” and “impact” as well as some interesting ways of showing the interrelationships between the different risks.

Because of my background in critical infrastructure and cyber security I was drawn to the discussion about technological risks including cyber attacks, critical systems failure, etc. “Case 3: The Dark Side of Connectivity” includes four pages of succinct, very informative perspectives and thought leadership on the digital systems that connect critical infrastructures, people, systems, and processes.

One quote I found most interesting and subtly profound was “Today, there is a sense that we understand the benefits of the Internet more fully than we understand the risks.” The report even went on to note, “Companies are increasingly aware of cyber threats but are not necessarily sure how to address them.”

Cyber attacks were listed in the report as one of the top 5 most likely risks to be faced globally for the next 10 years. This was the first time the “cyber” perspective has ever made it to the top five listing for the WEF reports which is quite notable -- but again is probably due to the substantial interconnectivity of systems, processes and people digitally.

The final key idea raised by this section of the 2012 report is the idea that online security is an example of a public good; where costs are borne privately but benefits are shared. Essentially, everyone is buying anti-virus and security solutions for their own protection but there is a benefit to others by me protecting them from SPAM and viruses. An interesting economic perspective.

Overall, this is a very insightful read that at a minimum will make you think. It will make you think about the global risks we face, and regarding the digital security environments, it will make you realize that we don’t really know all the risks of our interconnected environments.

Do you Think Forward?

Cyberthreats Recognized by FBI

Tue, 07 Feb 2012 12:52:00 -0600

On January 31^stFBI Director Robert Mueller and National Intelligence Director James Clapper noted in a US Senate hearing that cyber threats – such as cyber-espionage, computer crime and attacks on critical infrastructure – will surpass terrorism as the number one threat facing the US.

Sadly, this may not really be “news” for those of us who have been closely following cyber crime, cyber espionage, and cyber warfare these past 10 years.

For instance, this past week there was an announcement about Chinese-backed attackers breaching security at seven different law firms in Toronto as well as Canada’s Finance Ministry and Treasury Board. It appears that their intention was to steal data associated with the $40B acquisition of the world’s largest potash producer by an Australian mining giant. Access to this data is invaluable and it can give an advantage to the thief during deal negotiations.

There have been similar concerns expressed as far back as 2008 when there were concerns about attacks on global oil and gas interests in order to steal exploration data and use the information to have an advantage during leasehold contract purchases.

Adding to the FBI’s announcement, the World Economic Forum announced on January 27^ththat they would launch a new initiative to improve global cyber resilience which they are calling “Partnering for Cyber Resilience.”

Fortunately, the large institutions of the world are beginning to recognize these threats and the harmful impacts they can have on our economy and critical infrastructure integrity; however, there is a lot more that needs to be done.

For instance companies need to take cyber security seriously. Often we have seen examples where simple controls such as employee education, anti-virus, and system patching are not effectively performed – and maintained. We’ve seen the advancements in mobile computing but without any forethought in the cyber consequences if the devices are stolen or hacked. The 2011 Verizon Data Breach Investigations Report (DBIR) – written in conjunction with the US Secret Service and Dutch authorities – can give you other examples of breaches we’ve seen and ways to at least hinder them.

It is great news to see and hear that US government authorities continue to raise the flag on cyber-impacts; however, this is not something that should be taken lightly and it cannot be solved by the US government alone. It is a national issue requiring all levels of support and attention.

Do you Think Forward?

DistribuTECH - Smart Grid and SCADA: They Both Need Security

Wed, 25 Jan 2012 09:35:00 -0600

After perusing the online version of the DistribuTECH 2012 program, I was pleased to see that the topic of security was the subject of many panel discussions. This is great news since it shows that the industry – especially those focused on the smart grid and smart meters – are really paying attention to security of these systems. Well done!

I was also pleased to see that SCADA – aka Supervisory Control and Data Acquisition – was even raised as a topic of at least four panels. What was also good to see was that Smart Water Meter SCADA and security was part of the dialogue. Again, Well Done!

It appears that the industry is willing to openly acknowledge and respect the fact that security is necessary for the success of all the smart metering and SCADA systems deployed – whether it be for electric systems or water systems or even sewage systems. They all need to be secured in order to ensure that the data is protected, the control signals are not modified, and the systems are available when needed.

I was surprised to note, however, that the topic of privacy of the smart meter data was not a part of the discussions. In fact, this Summer’s ruling from the State of California Public Utility Commission and that there is an entire volume of the Smart Grid Cybersecurity Guidelines (NISTIR 7628) have certainly raised awareness of the need to maintain the privacy of the smart meter data; however, I wonder why it wasn’t raised as a topic at DistribuTECH – especially since they have moved ahead to include the “S” word – Security.

Anyway, it is good to see that the distribution side of the industry is advancing and including open discussions about the security of these systems. Keep up the good work! Just include privacy at next year’s meeting.

By the way, please stop by the Verizon Booths #4411 and 4721 when you are at DistribuTECH this week! We’d be happy to talk to you about our security offerings for smart grid infrastructure implementation and assessment.

Do you Think Forward?

DistribuTECH and the Ninety-Seven Percent

Tue, 24 Jan 2012 14:52:00 -0600

As DistribuTECH gets underway this year in San Antonio, the focus will be on the lower voltage systems all our homes and businesses rely upon. These systems are really important to all of us in order to move the higher voltage power from generating plants so it can be used to keep the lights on, run our refrigerators, and run our computing systems.

Just last week I learned about the importance of these systems when a combined snow, ice and wind storm hit the Seattle area and knocked out power to my neighborhood for 56 hours.

But, another thing has run through my brain cells as I think about DistribuTECH. What about the physical and cyber security situation?

Well, we know that the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards 002 to 009 are in place and being implemented by those organizations that supply or could affect the higher voltage electric transmission systems in North America over 100,000 volts. But, what about the distribution systems?

Well, the distribution systems are not covered by the NERC CIP so there is no mandate to follow the NERC CIP for the lower voltages. And there are no other cyber security mandates for the distribution grid – including the “smart grid meters.” That said, however, there are the National Institute of Standards and Technology (NIST) in NISTIR 7628, Smart Grid Cybersecurity Guidelines – but again, they are just guidelines and are not required to be followed.

Anyway, for a Masters course I’m currently taking I prepared a white paper on U.S. electric grid cybersecurity governance and through some interpolations of current data, I figured out that almost 97% of the US electric grid circuit miles – from transmission to distribution – are not covered by any cyber security mandates.

This makes me wonder if we are protecting the transmission systems – the key 3% -- from cyber attacks, what about the larger part of the bull’s eye? Through our leading managed security solutions portfolio and professional security consulting services, Verizon is addressing security challenges for our enterprise and government customers. We want to work with you to be part of the solution.

Please stop by the Verizon Booth this week at DistribuTECH and learn more about our security offerings for utilities, energy companies and enterprises alike.

Do you Think Forward?

Read all about it! Smart grid security paper from Pike Research

Mon, 28 Nov 2011 10:17:00 -0600

By Ernie Hayden CISSP CEH, Managing Principal – Energy Security, Verizon Energy & Utility Practice

I have been a student of electric utility cybersecurity issues for years. During my tenure with Verizon I’ve continued to study, analyze and offer advice on energy security issues including the “smart grid.” One security professional I’ve had the privilege to get to know and exchange ideas is Mr. Bob Lockhart, Senior Analyst focused on smart energy and cyber security for Pike Research. I’ve been and continue to be impressed with Bob’s “sense” of the smart grid security issues and challenges. And, because of his background as an “on-the-ground” CISO, I really am impressed with his pragmatic perspectives.

This week Pike Research published a seminal white paper written by Bob entitled “Utility Cyber Security – Seven Key Smart Grid Security Trends to Watch in 2010 and Beyond.” This paper is available free of charge from Pike Research(registration is required).

Seriously, Bob is a solid researcher and I’ve learned to listen to his perspectives. But, this white paper will certainly raise some eyebrows. For instance, the opening paragraph of the report says: “Utility cyber security is in a state of near chaos. After years of vendors selling point solutions, utilities investing in compliance minimums rather than full security, and attackers having nearly free rein, the attackers clearly have the upper hand. Many attacks simply cannot be defended.”

I think Bob makes a good point and it certainly got my attention.

Anyway, the key sections of the white paper I’d encourage you to pay attention to include:

One Size Doesn’t Fit All – Cybersecurity Investments Will be Shaped by Regional Deployments
Industrial Control Systems – Not Smart Meters – Will be the Primary Cyber Security Focus
Assume Nothing – “Security by Obscurity” Will No Longer be Acceptable
Chaos Ahead? The Lack of Security Standards Will Hinder Action
Aging Infrastructure: Older Devices Will Continue to Pose Challenges
System Implementation Will be More Important than Component Security
The Top Five Most Promising Smart Grid Cyber Security Technologies

This 16-page document says a lot about the state of smart grid security. Take some time to read it, think about it and do something with this information.

This blog was also posted on Think Forward

NERC Critical Infrastructure Protection Standards out for Comment and Ballot

Tue, 22 Nov 2011 16:17:00 -0600

By Ernie Hayden CISSP CEH, Managing Principal – Energy Security, Verizon Global Energy & Utility Practice

On November 7, 2011, the North American Electric Reliability Corporation (NERC) published the revised Critical Infrastructure Protection (CIP) standards Version 5. You can view the new proposed CIP revisions here.

Essentially this new version includes CIP-002 to CIP-009 plus two new CIPs CIP-010 and CIP-011. NERC has also issued a revised set of NERC glossary definitions. Finally, they have included a proposed implementation plan. These documents are up for a formal 60-day comment period through to Friday, January 6, 2012.

Some key changes in these new Version 5 documents include:

CIP-002, Version 5, requires the categorization of Bulk Electric System (BES) cyber systems according to a “bright line” criteria. Of note, this is different from the original CIP-002 requirements issued several years ago where the utilities could use some judgment when declaring critical assets. Now, the “bright line” criteria is very specific and allow for less interpretation as to whether an asset is critical or not. The “bright line” criteria also mandates that the different critical cyber assets be identified as “High Impact” and “Medium Impact” on the Bulk Electric System. (You can get more at this link.)
Because of the changes to CIP-002 and the new “bright line criteria” then CIP-003 through CIP-011 are impacted on their implementation due to the new list of defined critical assets and critical cyber assets.
CIP-010 is a new standard focused on Configuration Management and Vulnerability assessments previously defined across several CIP standards in Versions 1 through 4.
CIP-011 is a new standard that defines Information Protection and Media Sanitization requirements previously defined across several standards in Versions 1-4.

Besides these two new CIP standards and the new Version 5 changes, the Implementation Planis especially important. The first key point is that the Version 5 standards shall become effective no sooner than 18 months after approval. One NERC document states that the Version 5 standards shall “…become effective on the later of January 1, 2015 or the first calendar day of the seventh calendar quarter after the date of the order providing applicable regulatory approval.” (Whew!)

Additionally, because the new “bright line” criteria now delineate “High Impact” and “Medium Impact” systems, the utility is obligated to implement the new changes with “High Impact” systems being implemented faster than “Medium Impact assets.

Overall, these changes are both subtle and substantial. There are new terms being injected into the process where “Critical Cyber Assets” are no longer defined but instead referred to as BES Cyber Systems. And, of course, the bright line criteria are a step change in how assets are identified and categorized.

If you are working with electric utilities, transmission operators, and companies that generate and/or buy and sell electricity on the North American electric grid I’d suggest you take time to read these revised documents and recognize that electric grid system cybersecurity is continuing to evolve.

This blog was also posted on Think Forward.

Are New Smart Grid Initiatives Secure?

Thu, 03 Nov 2011 16:29:00 -0600

A colleague of mine - Jack Walsh at ICSA Labs - shared some interesting thought leadership on smart grid security. He took a fresh look at Advanced Metering Infrastructure(AMI), which I thought my followers would be interested in reading – so I have shared it below. I look forward to your thoughts regarding smart gird security – and answering any related questions.

Best regards,

-Ernie

Are New Smart Grid Initiatives Secure?

Throughout the world, electric utilities are developing and implementing Smart Gridinitiatives. Here in the United States, the Advanced Metering Infrastructure(AMI), a subset of the Smart Grid, is already being rolled out in many areas. In northern California, for example, the utility PG&E has been rolling out smart meters to 9 million household customers.

Comprised of smart meters and other devices that are capable of two-way communication between utilities and our homes and offices, AMI devices allow consumers and utilities to regulate their electricity usage and even control load. My primary question is: shouldn’t the security of these components be carefully evaluated before being deployed? Will all this two-way communication compromise privacy or lead to a denial of service at the worst possible time either for one or many consumers?

Unless there are fully developed standards that specify what security functions should be evaluated in AMI components, AMI component security evaluations are going to vary widely in terms of breadth and depth of testing. Groups like the NIST Smart Grid Interoperability Paneland other organizations such as the OpenSG AMI-SEC Task Forceare poised to make strides in this area and ICSA Labs works with them whenever possible.

Having tested security products for more than 20 years, we at ICSA Labs believe we have a pretty good idea where to start when it comes to testing AMI components. With that in mind, my colleague, Darren Hartman, has written this short whitepaper, “Smart Grid: AMI Component Security,” describing the essential security mechanisms of AMI components that need to be evaluated to better verify that they have been implemented properly.

Do you Think Forward? We look forward to your thoughts and comments.

This blog was also posted on ICSA Labs.

A New Philosophy for Security Professionals

Thu, 15 Sep 2011 00:03:00 -0600

By Ernie Hayden CISSP CEH, Managing Principal – Energy Security, Verizon

Security professionals around the world are fighting a very challenging battle. Their objective is to protect their corporate physical and information assets but each day there is a new story announcing a successful system breach by such “organizations” as Anonymous, LulzSec, Antisec, etc. Unfortunately, their job is like trying to block every hole in a kitchen colander with one hand tied behind your back.

In my 10 years as a security professional I’ve watched our perspectives of enterprise security change drastically. Originally the thought was to “protect the perimeter.” However, that has changed because there really is no perimeter with such things as thumb drives and mobile devices (aka, smart phones).

Our adversaries have also changed their modes of attack. From the old days of blasting many organizations with viruses and worms they are turning more to targeted – “rifle shot” – attacks using social engineering and focused on individuals with broad administrative access to the corporate computer systems. Hence, their attack is really like shooting at one hole of the colander and once in, the adversary can then set up back doors, perform scanning and foot printing of the enterprise computer network, and finally attack the databases containing the corporate crown jewels.

I think the word “daunting” may not be adequate to describe the challenges today.

New Commentary – A New Philosophy

As I attend different security conferences and read new thought leadership on the subject of corporate information security I’m noticing a new theme surfacing. That theme is you should assume your security systems are breached. You should assume that you can, and will be breached. You will be – and could already be – compromised.

I wrote about this topic in an article in Asian Powerthis past June. And interestingly enough, there is even more commentary surfacing on this new philosophy from many different sources.

Back in December 2010, Deborah Plunkett, the head of the U.S. National Security Agency’s (NSA) Information Assurance Directorate announced that computer systems must be built with the assumption that the adversaries will get in. She even stated that the most sophisticated attackers are going to go unnoticed on the NSA’s networks. With these new philosophies, the focus will be on assuming that all components of the system are not safe and to make sure their practices, policies, procedures and mitigation schemes are adjusted accordingly.[1]

This same theme of assumption of breach was also echoed in a PriceWaterhouseCoopers white paper called “Are You Compromised But Don’t Know It? A New Philosophy for Cybersecurity.” Here they go on to reinforce the new philosophy – assume you have been or will be breached and protect your systems and data accordingly. They advocate that this approach is more realistic and can allow you to be more flexible in protection of your high-value assets.

In the Verizon Data Breach Investigations Report for 2011, there is a demonstrated increase in data breaches caused by external agents. In other words, these external entities need to somehow breach the security systems to gain access to the information. And statistically the report goes on to show that the data breaches occurred by:

50% utilized some form of hacking
49% incorporated some sort of malware
11% employed social engineering tactics

What Do You Do with this New Philosophy?

With this new philosophy you need to realize that the standard “signature-based” defensive measures do not necessarily work to identify and stop the more sophisticated attacks. You also have to realize that even the smallest hole in your perimeter – that one hole in the colander -- could be compromised. Don’t forget, that is all the attacker needs.

Please recognize that this challenge to the assumption of a secure perimeter is not just the failure of employees opening phishing emails. Often the factors include highly complex software, new attack methodologies, and the ever-crumbling perimeter caused in part by constant detection of vulnerabilities by security researchers and organized criminals in conjunction with the increased use of smart phones and the consummerization of IT.

So, what to do? Mr. Kirk Bailey, CISO of the University of Washington in Seattle, has offered some guidance on how he is approaching this problem in the field.

Kirk is offering 10 Key Practices he is implementing under the philosophy of assumed breach. They are listed below – but please realize that these are not easily implemented, they are fraught with pushback from traditional security professionals, and each one could be described more thoroughly than this article can accommodate. That said, they include the following:

Implement a Risk Management Framework for reporting. Have a structure that is repeatable and readily demonstrates trends. For instance, Verizon offers the VERIS Framework, a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner, which is used in creating the Data Breach Investigation Report.
Conduct asset profiling and inventory. Know where your “crown jewels” of data, intellectual property and trade secrets are and separate out the data that can be lost with minimal impact.
Prioritize assets and related risk-mitigation efforts. Focus on protecting the “crown jewels.” Continue to use and implement traditional layers of defense but recognize that they will not be 100% effective.
Clearly define roles and communication plans. Know who your trusted contacts are for incident response. Practice your incident response before you really need it.
Implement aggressive risk transfer programs through detailed contracts and insurance underwriting.
Establish and sustain active and strategic alliances to allow for effective and trusted cross-communication about threats, mitigation schemes and lessons learned.
Implement a business intelligence (aka “warfare intelligence”) program that includes effective situational awareness features.
Establish “advanced” incident response and management capabilities. Think outside of the normal cyber incident response practices to include incorporation of trusted contacts, stealthy communications, and attacker evidence.
Develop an active response capability.
Practice strategic isolation for your key executives, scientists and knowledge workers. Limit presence on social networks that can be used by attackers for targeted hacks.

Kirk has reiterated that the above are not a checklist and are not adequately described in one or two sentences; however, he sees that the new philosophy including assumption of breach will require new thinking and for security programs to be built upon a “flexible fabric.”

In any risk discussion, the notion that there will always be some percentage of risk that cannot be eliminated is always present. You have to assume that this risk will always be there, and often it's due to things way beyond your control. Examples include human misbehavior, fundamental flaws with networking protocols, ditto for software, hidden back-doors, and design flaws in third-party hardware and software that you've bought and installed. That said, even with a “zero risk” mentality, you still need to realize that no security system is 100% effective.

Conclusion

There is a new shift in security thinking that is rattling the security philosophies of many of my peers. However, as shown by the rapid succession of comments on this new approach, the assumption of compromise may allow you to be more effective in implementing layered security systems, protecting the high-value data, and being flexible enough to think like a cyber criminal and stop the attacks or at least mitigate their damage early in the theft.

Basically, be ever vigilant. Constantly monitor and inspect your security systems, inspect your “crown jewels” and look for suspicious activity or minute changes that cannot be explained, and look at your logs and egress filters for stealthy communications to and from these systems.

Finally, educate your executives. Help them realize that your job is that much harder and that resources are needed to educate the employees, protect the data, and somehow control the egress of information leaked by accident or by direct theft.

[1]Reuters Canada, December 16, 2010 http://ca.reuters.com/article/technologyNews/idCATRE6BF6BZ20101216

This blog was also featured on Think Forward