Tuesday, February 2, 2010

Dawn of a New Day? Cyber Security Attack Disclosure and Implications for US Utilities

First, a Little Anti-Alarmism
There are changes coming, but the sky is not falling. Our cyber defenses are in need of more attention and more focus, but they are generally pretty good. The Smart Grid is clearly a new chapter, and ensuring we get as much of the required security designed and deployed correctly up front will save all of us a great deal of time and trouble later on.

Software and the Smart Grid
Let's start by articulating something that should be obvious: the biggest difference between today's grid and the Smart Grid is software. You may protest and say "That's crazy! The software is a small part. The Smart Grid is growing with millions of new meters, many miles of new high-voltage power lines, innumerable sensors, and of course, fault current limiting superconducting transformers." There is no arguing with those additions, but, when all is said, done, and deployed, the whole system may actually lose some mass, as this IBEW video, linked to in an earlier article here, makes clear.

Now back to the software, the key enabler of the Smart Grid. Over the past 30 years, it has been what separates modern enterprises from their pre-IT ancestors by making them faster, smarter, more efficient and more flexible. However, a well-documented but unintended consequence has been that it has also made them much more vulnerable. It's not just that potential bad guys can cause harm with software tools of their own; the real downside is that even on a good, hacker-free day, a large amount of uncertainty surrounds the consistent operation of this most critical corporate ingredient.

Software Provenance and Security
Most large organizations don't know where their software came from, at least not in a comprehensive manner. Any individual application can come from one or several of the following sources:
  • Internal development teams
  • Outsourced development providers
  • Packaged applications
  • Software as a Service (SaaS)
  • Web services
From a security perspective, none of the above is necessarily more or less secure than the others. Software provenance is often quite opaque to users. Even when you buy software from Vendor X, there's no guarantee that all the code was developed by Vendor X coders. There is usually no guarantee that the software is bug-free, that it doesn't include glaring programmatic weaknesses that make it an easy target, or even that it's not already harboring malicious code that can be triggered in the future and cause your organization and/or your customers great harm.

Approaches to securing software systems vary based on what you have to work with. Knowing where and by whom the software was built is a good start. Other factors, such as access to source code and access to architects or subject matter experts who really know their way around an application, can be a big help. Absent these things, you'll want analysts trained and experienced in penetration (or pen) testing: engineers whose job is to think and act like an attacker, find the easy ways into a system, tell the right folks what they've found, and often recommend hardening approaches.

Attacks on Software Source
All of this, however, is mere prologue to the story that began unfolding earlier this month related to published accounts of attacks against Google and a variety of other popular software vendors. The details are a bit sketchy, but the core elements include:
  • US tech companies have recently experienced a series of very serious cyber attacks that appear to have originated in Asia
  • Google admits that a couple of Gmail accounts were partially compromised
  • Firms report that the apparent target of the attacks was source code relating to popular software packages
This is an interesting phenomenon, because it describes an organic growth model for further hostile behavior. The accounts of the recent attacks in the press are clear on at least two facts: that a zero-day vulnerability led to the breaches, and that source code for familiar software systems was a major target of the attacks on the multiple vendors. According to Richard Stiennon, as quoted on Dark Reading,
As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products.
So you see, one feeds the other. Zero-day vulnerabilities are very hard to find. Most popular software packages have been around for a while, and have been well wrung-out in the market. Finding something new and vulnerable in them is neither common nor simple. With the source code, however, it becomes much more straightforward. Looking from the inside out, it is like having a map to the functionality, and weaknesses are revealed that would be very hard to find just searching from the surface. The fact that one of these vulnerabilities was found and then used to steal more source code leads to a conclusion that this is a pretty well-thought-out approach. The attack has been described as sophisticated, and using its spoils to sow the seeds of future attack vectors is equally so.

The Curtain Pulls Back
The big news, however, isn't so much that these events are happening, but rather that they're being discussed so openly. According to Atlantic journalist Marc Ambinder, we have Google to thank for that:
Google's revelation that they'd been hit was deemed a "watershed" moment by security industry analysts, but the other 32 companies who were hit have not followed suit and have begged the government to keep their identities a secret. The government has no choice but to protect their identities -- even as policy encourages greater transparency about the scope of such attacks.
Two weeks ago events reached fever pitch with Secretary of State Clinton speaking out in Washington against nation-supported (if not sponsored) cyber attacks by China and Iran, among others. Basically, she's calling out a new opposition axis, only this time it isn't an Axis of Evil, it is an Axis of Cyber Threats.

On the Cyber Defensive
In case you didn't know it, US companies and government organizations have long been victims of and targets for cyber attack. This doesn't make the US unique, by any stretch, but the recent increase in the frequency of damaging attacks is surprising, given the presence of some excellent cyber security defense programs on our side and the increasing instances of public regulation and legislation on the topic. The main culprit appears to be the seemingly innumerable Internet connection points that present attackers with unexpected access to both flaws in software and system configuration errors. These deliver the necessary opportunities for getting to other applications and to sensitive data. For US companies, there is little recourse, little ability to hit back. That's our policy. Again, Marc Ambinder:
[These are] the U.S. network security rules of engagement. Defend, don't attack.... For example, if a U.S. site comes under attack [from a foreign site], the victim -- assume it's an intelligence agency -- can defend it by trying to block the attacks, and it can offensively attempt to figure out who's behind them -- but once that threshold is crossed, it cannot attack the sites. [Most attackers] have no such rules. In fact, [some governments] teach attack techniques to a large group of state-sponsored hackers, and part of the classroom work is for them to conduct actual attacks on sites around the world, including the U.S.
US companies are only obligated to disclose the loss of customers' private information, and they don't have to be very specific about how the loss occurred, so there isn't much improvement in protection as a result of understanding how a successful attack transpired.

Take Aways for Utilities

Smart Grid initiatives are driving a huge increase in Web connectivity for utilities at this very interesting point in the evolution of cyber offense and defense. A big part of that increase comes in the form of new online energy applications and services being built by Google and dozens of start-up companies including Silver Spring Networks, GridPoint, Grid Net, Tendril and ten-year demand management veteran EnerNOC. Are all as forward-minded about security as Google? Time will tell.

We know utilities in other countries have come under cyber attack; at least one incident induced significant outages. We also know that malicious code has found its way onto US utility computer systems. But there's lots more we don't know, and there are many questions to consider while we're still in the formative stages of the Smart Grid build-out:
  • Will large US utilities become targets for big cyberattacks similar to those that just hit Google?
  • Will they have the defenses in place to protect customer data and maintain reliability as well as it appears Google did?
  • Especially as they rely so heavily on enormous amounts of reliable, high quality power, will Google and other more mature cyber security victims be willing to share their best practices with the utility community?
  • What obligations do utilities have for disclosing cyber attacks they endure, especially ones that cause tangible damage? And if they do disclose this info, to whom do they disclose it: FERC, NERC, NSA, each other, or the general public?
Despite repeated warnings from experts and the press (for example: here and here) since the Google breach headlines appeared, progress on disclosure from other affected organizations, forensics on the actual mechanisms, and informed recommendations has been slow. That must change. Utilities and their software/service providers should be pressing for information and for assistance, because this kind of data and experience can educate and invigorate utility CIOs and CISOs so that they can err on the side of over-preparation when performing security planning on behalf of their companies and their customers. Nothing could more fundamentally weaken our nation and our competitiveness than an organized and successful attack on our power infrastructure, and these incidents present an uncommon opportunity to learn.

Photo Credit: Mike Baird @ Flickr