Thursday, December 30, 2010
Happy New Year's Eve Eve. As we say goodbye to 2010, here's a look at what's coming up next year, conference-wise.
NIST Smart Grid Cyber Security Conference
Northeastern University, Boston, MA
18 January, 2011
Smart Grid Security East
1-2 March 2011
European Smart Grid Cyber Security Forum
14-15 March 2011
Also, be on the lookout for another European conference (in Amsterdam) from the same team that hosted the first 2-day conference on Smart Grid Security in August 2010 and that's running Smart Grid Security East. This page gives you a round-up of that first conference, and here's a write-up I did on the blog when it was over.
And as always, keep your eyes open for conference and workshop announcements from NIST, IEEE, DOE and others as the year progresses - I'll try to spot them early and list them here to give you as much advance notice as possible.
Meanwhile, please have a safe and fun night tomorrow night.
Photo credit: MoLeY2k on Flickr.com
Tuesday, December 28, 2010
Even though I’d always take the worst form of government in the world except for all the others, over all the others, sometimes one might be forgiven for longing for a country with an omnipotent, benevolent, entrepreneurial, clear-thinking, decisive dictator (see above). Perfect, centralized direction could crush cultural and bureaucratic inertia, and make sector modernization a lot simpler than it is in some places right now. Right?
Consider the situation in the US and other countries where power, particularly power over power systems, is distributed across many organizations. Earlier this month, Pike Research Smart Grid analyst Bob Lockhart responded to a few questions regarding the state of grid security ownership. You can read this exchange HERE.
Lockhart notes that in the US, the bulk of the electric system (not to be confused with the Bulk Electric System) falls outside the jurisdiction of Federal authorities. The burden for guiding and protecting the distribution system belongs to the utility regulatory offices in each state, each of which sets its own policy. It should also be noted that in the absence of Federal policy on privacy, that too is left to each state.
It's Good to be King
In countries where the utilities are 100% owned and operated by the government (not normally a very effective or efficient approach, I am compelled to mention), the guy(s) in charge can move directly to issues of how they want to develop and operate their grid, how fast they want to modernize, and how much security rigor they want to enforce ... or not. I mean, who's going to tell them "no"?
But Kingship has its Limits
Lest we envy other authoritarian countries' ability to orchestrate grid changes too much, even the world’s most powerful, best intentioned dictator could only do so much with the current slate of challenges that comprise the overall Smart Grid security challenge. Imagine you were this dictator and wanted to bring rapid, comprehensive security improvement to your nation's electric infrastructure ... what would you do with the following:
- Employee awareness and education. Email, web use, mobile, USB and other removable media safe use practices, etc. Would the death penalty for policy violations do the trick?
- Ensuring compliance with emerging interoperability and security standards, internal and international. Actually, if you're a real pariah state, who cares about international?
- Making sure new grid systems, those built by utilities themselves as well as by vendors in the supply chain, are developed with security baked in from the get-go, applying Secure by Design principles. This is important on both IT and operational technology (OT) systems like SCADA and industrial control systems (ICS). How to motivate the supply chain is a big issue. I mean, you can't kill your suppliers, right?
- Devising rules and standards for comprehensive security controls for grid systems, from generation, transmission, distribution, consumption and edge. You're going to SMEs for this, and unless you've completely sealed your borders, many of these folks have long since departed to countries where they were paid fairly for their expertise.
The Security Benefits of Variety
Lockhart sums it nicely:
... countries with a government monopoly grid can take a one-size-fits-all approach. On the down side for them, that implies that a single attack against their entire national grid could be successful and there is probably a single point of attack for that grid. Here in the USA we have over 3,200 utilities -- some with millions of customers, others with a few thousand. So obviously they are not going to all be running on the same infrastructure and therefore the same security approaches will not work for all. It is not unthinkable that some smaller utilities will end up clients of service providers running cloud computing environments. Those will probably be private clouds, but still a centralized, third-party cloud. Personally I think that’s a good thing because small enterprises cannot afford as sophisticated security as a large-scale integrator of clouds will implement.
Agreed. So maybe the takeaway is that as much as we rail against and lament the chaos, inefficiency and sub-optimality of our current approach, it is, from a security perspective and with apologies to Voltaire: the best of all possible worlds.
Photo credit: Allstar/Paramount/Allstar
Tuesday, December 14, 2010
No, I'm not going to show you how this blog's sausage is made. Instead, I wanted to give you an idea of who else is partaking on a regular basis, as one indicator of which countries and organizations are taking grid security most seriously, or at least are most curious about it.
A few other details while we're at it
In 2010, a typical day at the SGSB saw visitors from 15-20 different countries read this blog, a third arriving via Google or Bing, another third via FeedBurner email subscriptions (over 600 now and counting), and the rest coming from links in articles and on other sites.
In terms of the types of organizations these folks come from (which you can sometimes see and sometimes not), all or most of the larger US, Canadian and European utilities, Federal and State regulators, technology and services providers, and universities are well represented.
While millions-of-hits per day sites like the Drudge Report and ESPN.com have little to fear from the SGSB, I'm expecting a slow and steady up-tick in readership next year as more Smart Grid initiatives roll out, as standards begin to mature, and as new business models emerge and evolve. Not to mention threats and responses.
Had a great 2010 - thanks for being a part of it. Looking forward to 2011 !!!
Photo credit: havankevin on Flickr.com
Friday, December 10, 2010
For more from GridWise here's a LINK to the organization's cyber security resources page. These are great people moving mountains as they advocate for Smart Grid progress. Highly recommend you give them your support and/or get involved if you haven't already.
Thursday, December 9, 2010
Boulder, Colorado-based Clean Tech research firm Pike Research recently released a comprehensive report on the current state and market size of the security business related to global Smart Grid initiatives. This is such a nascent market, you've got to give them credit for even attempting this project. And having seen it, I can say it's a darn good piece of work. You can see Pike's own description and the table of contents HERE as well as register to pay and get a copy (yes, it costs significant money).
If you want to get a better feel for the experience of the lead author, Bob Lockhart, THIS detailed Q&A on Smart Grid security was just posted yesterday, 8 December 2010. There's a lot of goodness in the interview, and I like this comment here on getting employees on the right (and same) page:
One area of security that gets too little attention in smart grids is employee awareness. It is critical for employees of utilities, systems integrators and other involved entities to understand what security is implemented, why it is there, and their responsibilities to support it. This requires a proactive education program. Whether we’re talking e-mails, Web courses, or stand-up instruction matters less than that the points are gotten across to the workforce.
In light of this year's biggest attacks: the one targeting IP theft at Google and dozens of other large companies, Stuxnet, and WikiLeaks, it's clear that employee awareness (and its lack) and behavior played a major role in all of them. In his big report, Bob tackles standards, business drivers and technology challenges too, and I think he describes it all with a substantial amount of mastery. It might be worth your while to check it out.
Photo credit: krytofr on flickr.com
Wednesday, December 8, 2010
Since I've been covering their emergence, Smart Meters, the gateway drug for the Smart Grid, have been alleged to do some or all of the following:
- Cause confusion or brain cancer
- Facilitate attack by foreign nations
- Help utilities get rich by cranking up rates forever
- Give Barack Obama control of your house
- Signal criminals when your house is ready to be robbed
- Reveal to the government when you're doing naughty things
- Reduce fertility in laboratory mice
... these so-called 'Smart Meters' may be deliberately 'tricked' to register a higher consumption reading than is actually true. Obviously, this would produce more revenue for the greedy utilities and the greedy governments which are constantly looking for new ways to screw the people.
Well said, Sir! And tell you what: if after reading these you find yourself converted, you can go HERE for all your anti-Smart Meter propaganda needs, including bumper stickers and yard signs.
We're trying to update the grid for the 21st century: bringing better efficiencies, improving reliability, and enabling greatly increased use of renewables and EVs, and this is the response from some folks.
As Charlie Brown used to say, "Good grief."
Photo credit: "Radio Waves" by Thomas Anderson on Flickr.com
Tuesday, December 7, 2010
Been saying it all year: tension is building between those who want to tighten up security standards faster and those who want to take a gentler, but more predictable, path. FERC and NERC have been the primary protagonists in this struggle, as described a few months ago HERE.
For those who are paying attention, a few items have surfaced as the year winds down; here's a short summary for you:
First we have the so-called "bright line" ruling in which FERC says we (especially NERC) need a new and crisper definition of the bulk electric system (BES). Here's an excerpt in their own words:
Today's final rule directs NERC to revise its definition of the term “bulk electric system” to ensure that the definition encompasses all facilities necessary for operating an interconnected electric transmission network .... FERC said the ultimate goal ... is to eliminate inconsistencies across regions, eliminate the ambiguity created by the current characterization of the 100 kilovolt (kV) threshold as a general guideline, provide a backstop review to ensure that any variations do not compromise reliability, and ensure that facilities that could significantly affect reliability are subject to mandatory rules.
So the ball's in NERC's court on that one. A few days after that press release went out, FERC Commissioner Jon Wellinghoff spoke out on security and the Smart Grid for Forbes.com. It seems he really wishes things could go a lot further and a lot faster than they have so far, and that Congress hasn't come through yet:
... there have been a number of legislative proposals put forward, none of which have been passed….
Without mentioning it by name, he also plugs the GRID Act, which is still stuck half-way through Congress:
We do believe that there’s some additional authority necessary with respect to cyber-security, especially with respect to an imminent threat or vulnerability. We think FERC needs the authority to issue an order to the utilities to take a specific action. Right now we don’t have that authority. It all has to go through the National Electric Reliability Corporation…. It’s kind of a cumbersome process now, that takes a lot longer than you would want if you knew of some immediate threat or vulnerability….
Which brings us to some analysis of what's on deck for 2011 in the NERC CIP world. From NERC CIP compliance experts Abidance Consulting, here's their well-informed take on which way this will likely play out in version 4 of the CIPs:
The NERC CIP Standards are being reviewed and updated by various NERC committees to include the Standards & Development Team .... The new version(s) will categorize Critical Assets and Critical Cyber Assets based on impact assessment as “High”, "Medium" and "Low". The new methodology will not use the current Critical Assets and Critical Cyber Assets. [Rather], CIP standards will be customized to each category based on their impact on the BES ....
That's a heck of a lot of change. Too much for some, though others would call it long overdue. And here's a big (and good) one:
The new version of CIP will expose several assets to CIP compliance requirements unlike today as the serial connection will no longer be able to provide immunity from compliance.
This change, if and when it takes effect, will reverse a trend that some analysts have used to argue that the CIPs actually weaken grid security.
We could go on, but this is a blog and our job is to keep these posts short and tasty. Kind of like tapas. Speaking of which, there's plenty of action on the menu for 2011 for utility security pros and everyone in the community who wants to see them succeed. Looking forward to it!
Photo credit: Erik Fitzpatrick on Flickr.com
Monday, December 6, 2010
Lovingly hand-assembled one at a time like a Phantom? Uhhh, no. The Volt manufacturing process seems to draw more from Tron than from Rolls Royce. Check out the great video HERE.
So GM has invested big time in being able to create a large number of Volts fast. Good thing, because GE recently committed to buying 12,000 Volts next year, and sales are just beginning in New York, New Jersey, Connecticut, California, Texas, Washington, D.C., and Michigan.
I've always felt that the huge efforts to accelerate the arrival of the Smart Grid at residences were a case of too much spending for too little benefit, and that the prospect of trimming 5-15% off their home electric bill would not be a sufficient motivator for the majority of Americans to change their behaviors.
But electric vehicles (EVs) like the Tesla Model S and Nissan Leaf, and plug-in hybrid electric vehicles (PHEVs) like the Chevy Volt, depending on their rate of adoption, may have me revising that opinion. You see, while they are charging, each of these cars draws the electricity of another entire house (or more). That's enough electricity use to make savings more desirable, and enough additional demand to prompt utilities to closely monitor which neighborhoods are adding EVs the fastest, so as to avoid overloading local transformers through preemptive, targeted upgrades.
Let the good times roll. Oh, and this just in via a sharp-eyed colleague and worth your time: Why Electric Cars will Drive the Smart Grid.
Photo credit: Betsy Weber on Flickr.com
Tuesday, November 30, 2010
UPDATE: Brilliant IBM colleague Jeff Jonas has a post on WikiLeaks implications and some potential first steps forward for sensitive-data intensive orgs. Click HERE to read it.
We talked about this today a little on day one of the 2nd Annual Canadian Smart Grid Summit in Toronto. Not sure how the other participants felt, but for me, being in the early days of designing and deploying world-class security and privacy controls for the electrical utility industry, in the wake of WikiLeaks, makes me want to stop and reassess. Everything.
From an information security point of view, WikiLeaks founder Julian Assange is a villain as dangerous as any penned by Stan Lee. And in Army Private Brad Manning, we've got the perfect lackey ... a worst-case scenario insider threat and substantially misguided youth who may not live to fully appreciate the damage he's caused his country and its allies.
Manning is no Megamind; far from it. The security flaws he overcame were policy shortcomings, not technical exposures.
While no organization is bullet proof, other sectors often point to the US DoD as an exemplar of security best practices. And who knows, maybe DoD has the best policy in DIACAP, the best internal and external guidance in the world, and the best tools and security controls money can buy. But you know what? Nothing prepares you for the thing you didn't see coming.
As North American utilities work to achieve and maintain rudimentary security via NERC CIP compliance, implement best practice cyber and physical security controls in IT and OT, and wrestle with how to best combat future threats as powerful as Stuxnet, WikiLeaks lessons should have them question every foundational assumption about what they're seeking to protect, how they're going to protect it, and from whom.
This Atlantic article, "How the Pentagon Hopes to Prevent More WikiLeaks Embarrassments," tries to shine some early light on potential ways out of this morass for the Pentagon and State Department. But for me, pondering enormous Smart Grid data flows, in organizations that never had to segment and store anything like this before, has me wanting to call a time out.
We've all got a lot to learn from Stuxnet and now WikiLeaks. It's much too much in too short a period of time to assimilate. But we've got to try. We've got some big decisions to make in 2011 and we'd better get most, if not all of them right.
Photo credit: Michael Vroegop on Flickr.com
Monday, November 29, 2010
Enernex's Kevin Brown on Intersection of Physical and Cyber Security Challenges in Smart Grid Devices
As a cyber guy, I've not imagined physical security as being much more than perimeter fences, surveillance cameras and good locks. Brown's discussions on battery life expectancies, how high you should mount pole-mounted devices, and how easy it is to become king of reclosers were all eye openers for me.
Visually, there's not a lot more going on than in My Dinner with Andre. But the content, which truly bridges the physical and cyber worlds, is utterly compelling, fascinating stuff. It's over 20 minutes long, so make sure you find an open spot in your schedule. You won't want to multi-task through this one or you'll miss a lot.
Physical and Cyber Security for a Smart Grid from Erich Gunther on Vimeo.
The balloon pop at the end is a good metaphor for what is happening to industry's recently burst beliefs that control systems are safe from cyber attack.
Still looking, BTW, for a nice video, white paper, or even a scribbled note on a cocktail napkin for best practices to defend against future Stuxnets beyond banning USB drives.
Tuesday, November 23, 2010
For a critic of alarmist, sensationalist Smart Grid headlines, I'm a bit surprised the blog editor in me approved this one by the blogger in me. But to dust off a 50 cent word from grade school writing class, it was the juxtaposition of two statements made in the past few days that got me going.
One is a great reminder of the very many compelling reasons we're building this thing from one of the industry's most articulate Smart Grid advocates, GTM's Senior Smart Grid Analyst David Leeds. The other is a sweeping cautionary statement on Stuxnet-like threats last week by one of the most respected security minds in the business, former AEP and NERC CSO Mike Assante, (now CEO of NBISE).
Here are a few snippets from Leeds' piece. First, what the Smart Grid will do for us:
The ... smart grid will not only bring new communication capabilities to mission-critical grid devices and end-user appliances in order to optimize energy efficiency, reliability and security, but will also serve as the enabling platform to plug in the next generation of clean energy technologies, such as rooftop solar systems, wind farms and electric vehicles.
And from an economic perspective, why we need to build it now:
While today’s distribution grids, lacking real-time visibility and control, are largely running blind and consequently costing the U.S. economy approximately $100 billion to $150 billion each year in power outages, tomorrow’s grid, much like the human body’s own nervous system, will have sensory intelligence embedded throughout, giving the grid the ability to anticipate disruptions, and even to self-heal.
OK, I'm motivated ... let's build this sucker, stat! But hold on ... the gap I'm referring to in the title is, of course, the yawning chasm between what you hear Leeds saying must be done, and Assante's message (which we're about to get to), which communicates that as a nation, we're not ready for this.
Mr. Assante is not an alarmist - far from it. In fact, that's why his word counts for so much in this space. But his vocation and experience put him perpetually on the lookout for issues that bring risk to critical infrastructure systems, and when he sees one, his job is to sound a considered, highly targeted alarm audible to senior decision makers, which is what he just did in Washington.
Here's one of his first points - it sets the high-level stage for some of the more granular suggestions he makes later on:
Developing and implementing effective indicators, defenses, and countermeasures to cyber threats like Stuxnet demands that we look not just to the security community but also to the system designers, planners, engineers, and operators of our essential technology and physical infrastructures. We must take a prudent and proactive approach that enhances our ability to learn and apply knowledge fast enough to manage the dangerous consequences that come with these types of attacks. We can no longer ignore known system weaknesses and simply accept current system limitations. We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address the highly-advanced security challenges facing our cyber-dependent critical infrastructures.
That's a lot, a whole lot. Maybe too much to hold in main memory. But then he puts a finer point on it, shining light on operational systems ...
No one should be shocked that cyber exploits can be engineered to successfully compromise and impact control systems. Study after study has identified common vulnerabilities found across control system products and implementations. The exploitation of a hard-coded password design in one vendor’s implementation will not be an uncommon or isolated occurrence.
And finally, towards the close, here's one of several actions he recommends:
Require critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.
Not a full solution, mind you, but certainly a firm step in the right direction from where we are now: make more information available to the community so we can more quickly adapt and update our defenses. Today in the energy sector, there's nothing like this. Hence, a gap in knowledge.
Then there's this: we're concerned that Stuxnet's massive attack penetration strategy, which defeated most current cyber defenses, could be armed with more broadly targeted payloads in future versions, and that concern is definitely getting attention. But less obvious, yet almost as much of a concern, is that a focus on High Impact Low Frequency (HILF), a.k.a. advanced cyber threats, might prompt utilities to take their eyes off more mundane, but nevertheless serious, day-to-day attacks on their systems.
This second gap is the one in setting security priorities ... between preparing for advanced threats as well as ensuring that essential security best practices and defenses are maintained to combat everyday threats from malware, criminals, insiders, etc. There's crawling, walking, then running, and so far on securing the electrical infrastructure, most would say we're crawling. And then there's walking and chewing gum at the same time: preparing for diverse threats and doing a good-enough job on all of them. This is not a job for wimps, and it's going to take a long time before we see significant progress.
So let's end with David Leeds, alright? When security challenges seem overwhelming it's always helpful, for me anyway, to revisit why we're putting ourselves through all of this in the first place.
[The] U.S. is hardly alone in promoting smart grid as an economic growth engine; virtually every major economy is now either piloting or deploying smart grid technologies, and it’s now understood that you cannot run a digital 21st century economy on a 20th century grid.
Maybe we can fuse Leeds' economic drivers with Assante's security cautions and recommendations and come up with a middle-path approach that keeps attackers at bay and keeps the LED lights burning bright.
Click HERE for more on HILF threats and what we might do about them.
Photo credit: Cindy Andrie on Flickr.com
Sunday, November 21, 2010
As this Wall Street Journal video points out, the majority of TV ads for colleges shown during football halftime breaks are cookie-cutter simple and formulaic. This spot, though, focuses on several recent ones which break the mold. Most notable, from the SGSB's point of view, is the one from the University of Minnesota featuring long-time clean tech and Smart Grid security advocate Dr. Massoud Amin.
Here's the WSJ piece that makes the case:
And for the full 30-second U Minn energy ad they're applauding, click HERE.
Production standards are so high and the content so compelling, you might think you were watching an IBM commercial.
Wednesday, November 17, 2010
Key points are:
- Using spot checks on systems to go beyond the current paper chase approach to validating CIP compliance; and,
- Acknowledging that attackers and malware will find ways around or through current "outer wall" network defenses, and instituting a less perimeter-oriented approach to security controls, with guidance on the use of DMZs between internal networks.
Monday, November 15, 2010
And the fourth version of the CIPs, with its expanded scope, only promises to add to the workload, and the expense. But guess what? High above these electric sector security and governance skirmishes float financial analysts. Picture them as smartly suited genies on flying carpets woven from $100 bills, foretelling the economic future sector by sector.
And what are they saying of our beloved one? Here's a starter from "Utility Stocks Energized" in this past Sunday's WSJ:
"It's funny to say 'growth' and 'utilities' in the same sentence, but it's more of a growth sector than people think," says Jamie Cox, managing partner at Harris Financial. What's powering this growth? A building boom. Some higher-potential utility companies are upgrading their power plants, building out transmission lines or expanding into renewable-energy markets such as solar -- all of which could help boost future profits and dividends.
So how do you like that? As various pundits ponder the lethargic pace of the clean tech revolution and others pronounce it much ado about nothing, those in the rarefied air of the brokerages see what's plainly in front of everyone's noses, and signal that it is good.
Thursday, November 11, 2010
Not sure even the most robust physical security controls could have prevented this crashing chimney-induced local loss of service. As Chrissie Hynde of the Pretenders put it: "Way to go, Ohio". How did this substation arrive at this sorry state of affairs you may ask? See for yourself in this short and scary video:
Guess from a security point of view, we'd have to catalog this one under "some things are just out of our control" as energy security policy wonks, right next to city busting asteroids and mid-continent nuclear explosion-generated EMP bursts.
Here's the full page of pictures and the article on MSNBC's photoblog page.
Photo credit: MSNBC
Monday, November 8, 2010
Just a short one this week, but with a point I think is well worth airing. A few months ago I wrote a post called "Security isn't the Biggest Threat to the Smart Grid" in which I linked to, and commented on articles taking a previously lauded utility and its partners to task for mistakes that appeared obvious in hindsight.
All I want to say is that we're all in exploratory mode and will be for some time. Much of the technology is new, the standards are still forming and the new business models are embryonic at best. We should profusely thank each and every utility that has the guts to move out early and take a few calculated risks. From them we get early views of what works ... and what doesn't, that can be leveraged by all who follow.
I'm sure that some customers and regulators will disagree, but from this lofty perch, you won't hear me beat up on any utility for taking the lead on security or other actions that help bring the shape of the future Smart Grid more clearly into view for all of us.
Photo credit: http://www.flickr.com/photos/pointshoot/
Monday, November 1, 2010
Takes Two (or more) to Tango: Building a Foundation for Smart Grid Security with International Allies
Anyone who's pondered the enormous challenges ahead of us immediately recognizes that Smart Grid security is a team sport. We struggle to get the US's smart grid standards house in order, with a mix of Federal leadership and hopeful cooperation among the 50 state utility commissions and across our dozen or so regions. It remains to be seen how much team spirit emerges from this effort. Yet even if we make good progress, electrical infrastructure security at home is no guarantee of national energy security.
Fossil fuel sourcing and climate change issues aside, US economic (and to a lesser extent, military) well being would be significantly impaired if our key allies and trading partners had their grids knocked out by successful and sustained cyber attacks.
While many may grumble that the NERC CIPS are not nearly robust enough, a scouring of available online documents reveals much less attention is paid to cyber security requirements in E&U project planning. I will be travelling to Europe this week to deliver some training so will attempt to get my own first hand findings from the field, and will report accordingly.
But a look at some of our closest international buddies: Australia, Canada, New Zealand, and the United Kingdom reveals a desire to leverage US resources and lessons learned to the benefit of all. The International Electricity Infrastructure Association (IEIA) recently met in Washington, DC, and from what I heard through the grapevine, these folks are all interested in knowing more about what we're doing, and in some cases, will base their moves on what they see us doing.
Here's what the IEIA lists as its objectives:
Founding participants defined the following objectives for the IEIA Forum, as directed by an international Steering Committee representative of participants:
- Enhance protection of the electric infrastructure of Australia, Canada, New Zealand, the United Kingdom and the United States
- Stimulate active involvement of electric sector and government stakeholders and participants
- Provide a framework for collaboration among represented countries on a government-to-government, industry-to-industry and government-to-industry basis
- Identify and address infrastructure assurance priorities
- Align government and industry participant efforts to identify common initiatives and deliverables
- Share experience, information, solutions and other mutually identified resources
Photo credit: http://www.flickr.com/photos/zabara_tango/
Friday, October 29, 2010
One must keep in mind that there will be far more poorly coded, totally untrustworthy firmware and software in the field for decades (the existing installed base) than new, more secure systems following sound development practices installed over the same time period. Dealing with this reality and the fact that the old stuff will not be ripped out should be a priority."
Thanks to Erich Gunther of Enernex. So, sports fans, while I and others keep beating the drum for more-secure new software, would a few of you mind getting on the challenge Erich's pointing out? Like, right away please.
Monday, October 25, 2010
As I mentioned in a previous Stuxnet rant, good security tools and best "defense in depth" practices are a less-than-complete defense:
No matter how solid an org's security policies, no matter the level of adherence to defense in depth principles and security best practices, no matter how much security technology was deployed and how up-to-date it was kept, it is very likely that Stuxnet would have found a way in.
Now here's a real expert, Andrew Ginter of Industrial Defender on the excellent Findings from the Field blog, laying out the harsh reality of the Stuxnet wake-up from a (NERC and DHS) security standards point of view:
A site protected with whitelisting/HIPS ... would have been CFATS or NERC compliant, and would have been protected from Stuxnet. Unfortunately, I am aware of only a handful of such sites, and no HIPS protection is mandated by NERC or CFATS. Sites with only anti-virus deployed are seen by today's regulations as having adequate malware protection, but that protection would not have prevented Stuxnet compromises in the first year the worm circulated.
If you're new to whitelisting, here's a ZDNet blast from the past in 2008, featuring Microsoft security guru Scott Charney making the case that whitelisting is the future for most/all successful cyber security strategies. From my understanding of this approach, it's a huge step forward from where many orgs are today. But I also recall hearing Symantec's reverse engineer and Stuxnet expert Liam O'Murchu saying he thought Stuxnet could/would potentially morph to circumvent whitelisting defenses. Yikes.
Much improved sub-optimal defenses and recovery plans are vastly more desirable than what we've got in the field today.
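To make Ginter's contrast concrete, here is an added illustration (not code from this post, from Industrial Defender, or from any whitelisting product): a SHA-256 allow-list built from a host's golden image stands in for whitelisting/HIPS, a hash set stands in for an AV signature database, and the "binaries" are constructed byte strings. It also shows the operational caveat that comes with the approach: a patched program must be re-approved before it will run.

```python
"""Allow-list (whitelisting) vs signature anti-virus, as a constructed comparison.

Added example, not the post's or Industrial Defender's code. File contents,
paths and hashes below are made up; nothing here touches real binaries.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """A file asking to run on a control-system host (constructed)."""
    path: str
    content: bytes

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


def build_allowlist(golden_image: list[Executable]) -> frozenset[str]:
    """Hashes of everything approved on the host's golden image.

    Anything absent from this set is refused, whether or not anyone
    has ever seen it before: the decision needs no knowledge of the attacker.
    """
    return frozenset(exe.sha256() for exe in golden_image)


def antivirus_allows(exe: Executable, signatures: frozenset[str]) -> bool:
    """Signature AV refuses only what its database already describes."""
    return exe.sha256() not in signatures


def whitelist_allows(exe: Executable, allowlist: frozenset[str]) -> bool:
    """Whitelisting permits only what was approved in advance."""
    return exe.sha256() in allowlist


def evaluate(candidates: list[Executable], signatures: frozenset[str],
             allowlist: frozenset[str]) -> dict[str, dict[str, bool]]:
    """Verdict of both controls for every candidate, keyed by path."""
    return {
        exe.path: {
            "antivirus": antivirus_allows(exe, signatures),
            "whitelist": whitelist_allows(exe, allowlist),
        }
        for exe in candidates
    }


# --- constructed sample data ------------------------------------------------
GOLDEN_IMAGE = [
    Executable("C:/HMI/hmi.exe", b"hmi application build 1.0"),
    Executable("C:/Drivers/plc_driver.dll", b"plc driver build 2.3"),
]
ALLOWLIST = build_allowlist(GOLDEN_IMAGE)

# Day one: the AV vendor knows last year's worm, not the new arrival.
SIGNATURES_DAY_ONE = frozenset({hashlib.sha256(b"last year's worm").hexdigest()})
NEW_ARRIVAL = Executable("C:/Temp/unknown.dll", b"never seen before dropper")
CANDIDATES = GOLDEN_IMAGE + [NEW_ARRIVAL]

# Months later: a signature ships and AV catches up. The allow-list was
# never behind, because it never needed to recognise the new file.
SIGNATURES_LATER = SIGNATURES_DAY_ONE | {NEW_ARRIVAL.sha256()}

# The caveat: patching hmi.exe changes its hash, so the same allow-list
# refuses the legitimate update until the golden image is re-approved.
PATCHED_HMI = Executable("C:/HMI/hmi.exe", b"hmi application build 1.1")


if __name__ == "__main__":
    for label, sigs in (("day one", SIGNATURES_DAY_ONE),
                        ("after signature update", SIGNATURES_LATER)):
        print(label)
        for path, verdict in evaluate(CANDIDATES, sigs, ALLOWLIST).items():
            print(f"  {path:26} av_runs={verdict['antivirus']!s:5} "
                  f"whitelist_runs={verdict['whitelist']}")
    print("patched HMI runs under old allow-list:",
          whitelist_allows(PATCHED_HMI, ALLOWLIST))
    print("patched HMI runs after re-approval:",
          whitelist_allows(PATCHED_HMI, build_allowlist(GOLDEN_IMAGE + [PATCHED_HMI])))
```

A hash allow-list only answers "may this file start"; a real HIPS product adds behavioural controls on processes already running, which is the layer O'Murchu's remark about morphing is really about.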
Thursday, October 21, 2010
A viable question is:
If we know we can't practically defend against Stuxnet or its spawn, what is our approach? Giving up is not an option. "Roll with the punch" may end up being a viable strategy. How could we design control systems, or other IT environments for that matter, to be resilient enough to take a potential knock out punch and yet be able to come back up swinging? Another question may be, "in the end, can we optimize our investment by planning to take the punch rather than futilely hiding from it?"
I think this is a great way of conjuring where we were trying to go (mentally) at the recent Smart Grid Survivability workshop, and where we need to get to asap as an industry.
Wednesday, October 20, 2010
"Smart" in the electronics sector generally connotes a device with a processor and some built-in communications, though sometimes it's just meant to convey coolness. But as the media increasingly links "smart" with "dangerous", marketers may need to find another strategy soon.
Of course, this doesn't bode well for consumer adoption of Smart Meters and the Smart Grid. Angst is bubbling up in the ranks of those who leave comments below cautionary and increasingly inflammatory online articles. For example, here's a surprisingly coherent entry found beneath a recent post on looming cyber issues with "smart" cars:
If we're not careful, we'll end up changing the definition of the word "smart". "Smart" = dumb enough to be cracked and hacked. We'll have this issue with smart phones, smart cars, the smart grid, smart appliances, not to mention our regular computers.
He's right of course, and that's a big part of the challenge, along with the media's desire to document and propagate this assertion, and drive fear, uncertainty and doubt (FUD) deep into the mass market.
Like successful TV shows that eventually Jump the Shark (wander too far from their original concept), all marketing fads also eventually run out of steam, after which point they become comical if not pitiful. This will eventually happen (if it hasn't started already) with the prefix "smart" automatically placed in front of every new gadget and appliance.
And when that happens if not sooner, we might want to find a new term for what we now call Smart Grid. It's been called other things before; another name isn't going to hurt. And no, I don't think "Super Smart Grid" will do.
Photo credit: Ivan Walsh on Flickr.com
Monday, October 18, 2010
At the IEEE Smart Grid Survivability workshop held at SEI in Arlington, VA last week, we had a front row seat for a great presentation by Symantec's Liam O'Murchu, one of three Stuxnet reverse engineers Symantec has had on the case for over three months straight.
Though I've been following Stuxnet on the SGSB (first post HERE) since shortly after it surfaced (well after it was born circa 2009), Liam provided some insights that surprised all of us I think, including:
- To escape detection while targeting every Windows OS from 2000 to 7, the attack team purchased each and every version of all anti-virus products for each OS and then designed Stuxnet to ensure they wouldn't be noticed by any of them
- Stuxnet is evolving its capabilities to infect systems and replicate within an organization, yet its payload remains unchanged. Meaning: the target remains the same ... and maybe the attackers aren't yet satisfied they've accomplished their mission
- On the human-interest side, he noted that the reverse engineering paths he and his colleagues have been following are the same or similar to those blazed by the team who crafted the attack. Though lots of evidence points that way, Symantec (unlike Ralph Langner and others) is not ready to say that Iran's nuclear operations are the only or primary target of Stuxnet. There are still several parts of Stuxnet they've yet to crack and their research continues
- In addition to phenomenal anti-virus evasion techniques, Stuxnet includes lots of other stealth approaches and myriad attack strategies for getting past OS defenses, through firewalls, increasing its privileges, and much, much more
But the bad news is that for aspiring bad guys, Stuxnet is a master class, a surprising visit from "attacks of the future" to present day 2010 on how to do more damage than you ever thought possible. We'll see Stuxnet again, and if it's pointed at us (US utilities, other industrial operators) next time the payload may be quite different.
Written by Liam and team, Symantec's 51-page Stuxnet Dossier remains the definitive document on Stuxnet. We'll be hearing more from them as they (and others) make new discoveries, but there's already plenty of info available now on how to begin hardening your org against the future spawn of Stuxnet, even if those defenses might be less than complete.
Photo credit: Digipam on Flickr
Thursday, October 14, 2010
During Ira's presentation, he discussed the linked concepts of "common sense" and "common knowledge". In the social networking community, a lack of knowledge among many, particularly the young, about how all of this sharing could really hurt them, leads to decisions that we see as stupid, as lacking any sort of common sense about privacy, propriety, and personal space. As he was describing the disconnect between these adult values and the narcissistic need to share, I started to think about the challenges we are seeing in achieving a real and consistent set of common goals or methodologies as we work to secure the Smart Grid.
We see some organizations expressing security in terms of reliability, others in terms of privacy, still others in terms of financial justification and utility viability. A quick couple of keystrokes brought up some examples:
- NRECA has provided some content that is customized and adapted to various smaller utility newsletters that talks about "Balancing Smart Grid Buzz with Common Sense". It presents a view of the coming Smart Grid in more conservative terms, tamping down some of the projected customer enthusiasm about new features with a strong dose of cautionary logic. The Dawson Public Power version of the piece closes with:
"There’s a big difference between being on the cutting edge or the bleeding edge of technology. Dawson Power wants neither. We want the “proven edge”..."
- On the other hand, common sense means something very different to some Smart Grid deployers in Texas. According to an article in Electric Light and Power, it is about evolution and revolution:
“Texas is the one I always point to, and the main reason, I would say, is they are taking a very common sense approach,” [eMeter chief regulatory officer Chris] King said. “The legislature passed a law saying, ‘We want smart meters.’ They didn’t spend 10 years trying to boil the ocean. They have home area network interfaces in the meters, as does California, but in Texas they’re already live. California is a year away, maybe two."
“Texas knows they’re making mistakes—they’re small—and they make a fix.”
- In April, the New York Times carried this thought on a differing style of Smart Grid common sense:
...Ralph Izzo, chairman and CEO of New Jersey's Public Service Enterprise Group, said better marketing may not be the answer to addressing the gap in consumer understanding of electricity use or changing consumer behavior.
"I think we tend to overstate the contribution that sophisticated technology can and should make," Izzo said.
"I feel like just shouting, 'Stop. Apply some common sense,'" he said. "Before we start championing multibillion-dollar investments in smart grids that control set-back temperatures on refrigerators because there is or isn't going to be a Super Bowl ... we need to get folks to caulk around their windows."
So what do we do with all of this?
The fact of the matter is that there does not exist a common base of knowledge, objectives, or outcomes, that can be applied to the megalithic, polymorphic, thing we think of as the Smart Grid. This means that individual organizations, regulators, customers, and implementers will likely have a different basis from which to develop appropriate solutions and timetables. As so often happens, the definition of common sense is not so common. That isn't because the concerned parties aren't sensible, it's because they are highly sensible to their own uncommon needs.
This teaches us a new lesson, that solutions and proposals need to be very specific in their goals and rationales, and organizations must establish a common base of knowledge for discussions on any proposal's merits. Only with that shared understanding can we rely on the "common sense" of good people to create solutions that will ultimately make sense for the common good.
Tuesday, October 12, 2010
Covered in all the major news outlets today, including the WSJ, this is great clean tech news as well as energy security news. Here's why:
- It's a win for renewables as it'll now be much easier and cheaper (and therefore, much less risky) to deploy big offshore wind turbines
- It's a win for energy security as one of the most congested parts of the national grid will have more pathways and options for routing electricity, especially in the NY/NJ region
- This should help the perpetually stalled Cape Wind project get out of the blocks. If folks down south can pull off a wind infrastructure project of this magnitude, how come forward looking, business minded, PhD-educated, renewables friendly northerners have been arguing about this modest first step for 10+ years with nothing to show for it? Wind energy in Massachusetts is in danger of being OBE - overcome by current events
For me, the second point on energy security is also a boost for Smart Grid security. Absent hostile submarines with cable cutter-enabled frogmen, this transmission addition will give grid operators more room to breathe, even as it makes it more likely they'll be figuring out how to best manage gigawatts of new intermittent power over the next several years. We'll be relying on more technology to handle this challenge of course - here's to ensuring it's developed and deployed with security in mind: up front, built in, and by design.
Thursday, October 7, 2010
Though I'm writing you from the land of Click and Clack, this piece is about a topic you'll probably not hear covered on their show. CNET journalist Elinor Mills, who I had the pleasure of meeting at the first Smart Grid Cyber Security Summit in San Jose in August, recently keyed: "Cars, the next hacking frontier." And as electric cars (and cars in general) have been on my mind lately, this really caught my eye.
As we've noted in previous posts, there are some surprising similarities in the ways previously isolated systems are being (often wirelessly) connected in the electric and automotive sectors. For most consumers, computers + code + communications = fun. But for security watchdogs, these same elements = trouble. And ultimately, cars and the grid will marry (and their coupling will produce precocious new security challenges) in a space industry calls V2G - meaning Vehicle-to-Grid.
Elinor links to an earlier CNET article of hers, "Hacking a Car", in which Stefan Savage of UC San Diego invokes history to make the connection:
If you look at PCs in the early 1990s, they had all kinds of latent software vulnerabilities. It didn't matter so much because PCs were at home and not connected to everything else. Then they were connected to the Internet and the latent vulnerabilities were exposed to outside attack. We see cars moving in much the same direction. There is a strong trend to provide pervasive connectivity in cars going forward. It would be good to start working on hardening these systems and providing defenses before it becomes a real problem.
Someday the cyber terrorists will strike, locking everyone into their cars and disabling the engines, thus ensuring a swift and bloodless invasion of the United States. Then it will be up to the Amish to defend the country. We is doomed ..."
I beg to disagree on three counts:
- The Amish are tougher than you think. See this short clip on Amish Rake Fighting
- Bikers are even tougher than the Amish, and they won't be locked out
- We're going to figure the security angles out up front and make sure cars remain as safe or safer than they are today -- though I'm not sure how safe that is
Monday, October 4, 2010
While it's fun to think of all the great new gadgets and devices that are enabled by the Smart Grid (and that the Smart Grid enables), none of them could even begin to work without the "invisible glue" out of which the entire enterprise is being constructed: software.
As we rush to deploy Smart Meters by the millions, consumer portals, HANs and iPad applications that can communicate with them, meter data management systems (MDMS) to handle the tons of data that's generated, electric vehicles (EVs) to push local electric infrastructures to the limit, and synchrophasors across the continent to give us a better view of "the greatest engineering achievement of the 20th century", it's important to not forget about software just because we often can't see it.
Thursday, September 30, 2010
Thanks to David Leeds and his Smart Grid team at GreenTech Media (GTM) for building this novel and helpful view of the Smart Grid vendor world. In this end-to-end view, some companies are listed once; others have entries in multiple offerings categories. (Click on the image above for a larger view, or follow THIS LINK to get more info on the report and see a larger, hi-res version of the map.)
I note the listing of primarily boutique outfits in the security column. I've had experience with all of them and can report that all are solid. It's been my experience that the bigger outfits with significant, more scalable security capabilities in other sectors are working on tuning their offerings to the energy space and are at varying stages of maturity in this effort. In coming weeks I will try to ferret out more info from GTM and the other analysis firms covering Smart Grid security to get a more comprehensive view for you.
Sep 30 Update: Stuxnet takes out an Indian Satellite? See Jeff Carr's article in Forbes.com
Hat tip to IBM cyber defenders and watchdogs Scott Warfield, Brooks La Gree and others for pointing out these several articles. All followed Ralph Langner's revelations that he and his small cyber forensics team in Germany seem to have found the smoking gun ... the code that tells you what Stuxnet is really after.
I won't ruin the surprise; you'll get your answer when you click on any of the following links. But I'll give you a clue: it's the SCADA/ICS (OT/Operational Technology) in a system that's bigger than a breadbasket. And sometimes it glows.
In ascending order of technical sophistication, here are some links to get you educated right quick:
One of the hundred questions I have is whether the folks who built this beast intended (or realized) that it would have impacts far beyond its initial target. And whether that mattered. Or if it was intentional and the scope is larger than it might at first appear. And what's next. And and and ....
And then there's this, from another Langner dispatch just in:
The analysis that Langner has conducted shows that it is not technically difficult to inject rogue ladder logic into PLC programs. It is important to understand that this vulnerability cannot be considered a bug, either technically or legally, so it should not be expected that vendors would be able to release a “patch”.
Nice, huh? Stay tuned.
Photo credit: ViZZZual.com on Flickr.com
Monday, September 27, 2010
You know we try to keep it calm here, but what an incredible experience I just had!!! Just returned from a week in the Lone Star State speaking in Dallas and Houston, then back to Dallas again, the second time for the Electric Vehicle (EV) Showcase just around the corner from Big Tex. Man, was it worth the flight back to Love Field, and not just for the fried butter and fried beer.
On the first day I got to meet spokes-model (and true product expert) Alicia, then take the Volt (they had three on hand) for a spin on a curvy test track. I loved the way it looked, sounded and handled. A well-informed Chevrolet rep named Brian gave me plenty of good details before, during and after the drive, and I felt that many others like me will feel comfortable welcoming this car, which on most days will consume no gasoline, into their lives.
Now here are a few details from the Executive Panel on day two to give you a broader look at what's going on behind the scenes to pave the way for this (plug-in hybrid) electric car and others like it. A panel moderated by Texas Public Utility Commission (PUC) chairman Barry Smitherman included leadership from GM, IBM, Texas transmission and distribution utility Oncor, the Electric Power Research Institute (EPRI) and construction firm Beck. Here are some highlights of what they discussed:
- EPRI is working three main focus areas at present: 1) understanding consumer attitudes and expectations re: EV's, 2) early preparation of EV charging infrastructure, and 3) ensuring adequate utility infrastructure, particularly distribution transformers
- Texas is one of the initial wave of seven states for Volt deliveries in late 2010, starting in Austin then fanning out from there. In 2011, expect to see Volts available for sale in all 50 states
- Oncor sees two critical EV roll-out success factors: 1) the practice of off-peak (night-time) charging, and 2) early (and I do mean early) notice to utility co's when an individual is considering the purchase of an EV
- IBM is all about the information layer surrounding EVs and vehicle-to-grid (V2G) infrastructure and is looking at it 3 ways: 1) knowing how much energy from renewable sources is available at any time, 2) how utilities can have access to enough of the right info to know how much they need to spend on infrastructure, and 3) market and business-related IT that helps consumers as much as possible, particularly enabling ease of use, as well as providing national standards running from the charging points to the cars to the utilities themselves
- To help move 18 Gigawatts of clean wind energy, the moderator noted that Texas is spending $5 billion to run high voltage transmission lines hundreds of miles from windy west Texas to its cities
- Here's one I hadn't thought of before ... it's kind of subtle. According to EPRI, range anxiety is eased by the presence of charging stations outside the home and business, whether EV drivers use them or not
- The electricity required to go a full 40 miles in a Volt costs about $1.10
- Finally, the best part from national security as well as environmental/climate points of view: most Americans drive 20 or fewer miles per day. The great majority drive fewer than 40 miles on work days as well as weekends. When these folks drive Volts, they are going to be using gasoline only rarely. Think about what that means when Volts, Volt 2.0's and other EVs hit the roads in the millions and tens of millions
And I'll leave you with this nugget from a sign you pass upon entering the incredible Cowtown Diner in downtown Fort Worth:
Never ask a man if he's from Texas.
If he is, he's most likely already told you.
If he's not, there's no use in embarrassing him
Photo: Volt dashboard power display
Tuesday, September 21, 2010
The Smart Grid for Intellectuals: Replay of Webinar for the American Intellectual Property Law Association (AIPLA)
Just did the intro piece on the Smart Grid for an audience of mainly patent attorneys interested in Smart Grid-related intellectual property (IP) issues and litigation trends.
Titled, "Intellectual Grid: Intellectual Property Issues in Smart Grid Innovations" this 60-minute presentation won't be everyone's cup of tea, but for folks on either side of the Smart Grid IP technology (and maybe new business process) table, this may be quite helpful.
If you're game, click HERE to register and view.
Photo credit: "Brain Coral" by Laszlo Ilyes on Flickr.com
Industry sonar and radar detect nothing but collision ahead as these orgs plow ahead on their respective vectors: FERC wants more security faster for utilities; NERC wants to hold steady with slow, incremental changes. There's some method to each approach, though they're clearly not compatible. I summarized thusly in this week's HuffPo article:
The case for going faster rests on a couple of basic facts and observations. Here are just a few:
- Attacks on energy systems are increasing in tempo and sophistication (for those who haven't heard of it yet, the recently emerging Stuxnet virus has provided a real wake up call for industry in terms of attackers' advanced capabilities)
- Other industries/sectors have much more substantial security controls and governance already in place and have only benefitted from them
- Emphasizing security early in the Smart Grid window will yield benefits including cost savings and much better efficacy
- Oh yeah, and one more little thing: our entire economy and the well being of our nation depend on secure and reliable power infrastructure
- Cultural challenges inside utility co's will hinder attempts to make them change too much too quickly
- Regulatory impediments need to be resolved before the whole system can be secured (for example, the Feds only have jurisdiction over generation and high-voltage transmission assets, while policy for low-voltage distribution is left to the states, and there's little/no standardization of state policy at present). Security standards are still taking shape: NERC's CIP standards are still in their infancy, and NIST just released the 1.0 version of its "Smart Grid Cyber Security Strategy and Requirements"
- Lastly, it costs money to significantly ratchet up the security posture of any complex system, not to mention the one that's been called the greatest engineering achievement of the 20th Century
Photo credit: Rosmary on Flickr.com
Thursday, September 16, 2010
Many SGSB readers, though well versed and skilled in the ways of technology, might nevertheless say, "what the hell is a Twitterstorm?"
It's a fair question, and my simple answer is it's an online conversation and Q&A session between a bunch of folks, conducted 140 characters at a time. Maybe by haiku. This is no place for the verbose, and maybe because of that, it should be information dense and entertaining.
As the title of this post indicates, the central focus is on EVs, PHEVs and their interaction with today's grid and the emerging Smart Grid. The Smarter Planet folks at IBM are hosting it this coming Monday, September 20th, and you can see details HERE on how to join in on the fun.
Please make it if you can. No umbrella necessary.
Photo credit: LISgirl / Emily on Flickr.com
(BTW, for those of you unfamiliar with Twitter and Tweets, prior to this BTW note, this post consumed 651 characters not counting spaces. Twitter counts spaces. That's brevity.)
Monday, September 13, 2010
Either way, HERE's the piece ... and while you're at it, see if it in any way explains what you're doing here.
Thursday, September 9, 2010
For those not in the know, this SANS is not "without" in French. Wikipedia's description does the job:
The SANS Institute, founded in 1989, provides computer security training, professional certification through GIAC (Global Information Assurance Certification), and a research archive - the SANS Reading Room. It also operates the Internet Storm Center, an Internet monitoring system staffed by a global community of security practitioners. The trade name SANS (deriving from SysAdmin, Audit, Networking, and Security) belongs to the for-profit Escal Institute of Advanced Technologies.
The National Institute of Standards and Technology (NIST) has published "Guidelines for Smart Grid Cyber Security," a three-volume, 537-page report aimed at "facilitating organization-specific Smart Grid cyber security strategies focused on prevention, detection, response and recovery." The publication includes "high-level security requirements, a framework for assessing risks, an evaluation of privacy issues at personal residences, and additional information for businesses and organizations to use as they craft strategies to protect the modernizing power grid from attacks, malicious code, cascading errors and other threats."
Liston: Unfortunately, "smart grid" is just the latest in a series of technologies that have been deployed with security as an afterthought. While I applaud any effort to better secure our infrastructure, it's a bit late to talk about "security strategies" at this stage of the game. The key question is whether some of the quite-sound recommendations can be retrofit into the existing deployment models.
Pescatore: There is still an opportunity for better security to be built-in to the smart grid build out, vs. try to pretend a compliance regime like NERC/CIP will force it in later. Section 7 of the third volume has a good attack surface analysis that should be a starting point.
Paller: John Pescatore's comment illustrates one reason that this NIST document and others like 800-53 are exacerbating the nation's cyber risk instead of helping to mitigate the risk. NIST buried the critical information (the attack surface) in the 7th chapter of the third volume (after lengthy, but non-specific descriptions of 197 separate controls in more than 350 pages).
Paller (cont): A central tenet of effective security is that offense informs defense. In other words, do the most important things first! That means guidance must start with, and be organized around, the attack surface; and guidance must be prioritized according to risk from each attack vector. Which of the 197 recommendations matters most? Which must be implemented first? How will we know that they were implemented effectively? If NIST doesn't know the answers to those basic questions, what are they doing writing guidance? For failing to prioritize the guidance, and for burying readers in information of little immediate consequence, NIST earns a grade of "D" on its new report.
Here's a LINK to the third volume if you want to check out chapter 7. It begins on page 29.
I definitely support the editors' point that once again, we're seeking to add security after most of the horses have left the barn. It goes against the popular security mantras of the day: "Secure by Design," "Build Security In," etc. Though I'm not sure how this could have played out otherwise.
I'd be interested in hearing a candid NIST response to this criticism. They worked fast and furious for a long time bringing 7628 together and there's a lot of goodness in it. I saw some of that process first-hand as an early (albeit very infrequent) contributor. In terms of how they structured it in the end and what they chose to emphasize, there was definitely a method to their madness.