Project Grey Goose report on Critical Infrastructure: Attacks, Actors, and Emerging Threats
Last Updated on Thursday, 21 January 2010 07:26 Written by Jeffreycarr Thursday, 21 January 2010 07:26
How financial pain and an angry public can safeguard our critical infrastructure
Last Updated on Sunday, 29 November 2009 10:32 Written by Jeffreycarr Sunday, 29 November 2009 10:32
Alan Paller laid the groundwork in his testimony before a House hearing on SCADA Systems and the Terrorist Threat in October 2005, when he relayed the following story:
Microsoft systems are being put more and more into SCADA systems. You are buying them. GAO just came out with a report that said that the problem—not just, a few months ago—came out with a report that says the problems in SCADA security are getting worse because they are connected to the Internet and because they are buying off-the-shelf, vulnerable operating systems. So how do you make somebody who has a powerful monopoly over all of the computers that we buy change their way and deliver safer systems? About 2-1/2 years ago, the CIO at the Air Force got up at a public meeting and said, we are now spending more money to fix the problems we have because of Microsoft bugs than to buy the stuff in the first place. But he did something that no one else has done. He took Federal procurement power and said, we are going to fix this. And what he did is he consolidated all of the contracts that the Air Force has with Microsoft, all of them, and in doing that he saved $100 million. It is a half-a-billion-dollar procurement, but he has got provable savings of $100 million. But that wasn’t the exciting part of it.
The exciting part of it was that he required Microsoft to deliver systems that were preconfigured according to the standards that DHS helped create, that the National Security Agency really fronted, and an organization called the Center for Internet Security brought together. So there were consensus benchmarks for what safe means, and that allowed the Air Force to require the vendor to deliver safer systems. It was a lot of argument, a lot of negotiation, but in the end Steve Vollmer (sic) and Microsoft said yes. And what I am trying to show you is you can actually change the rate at which systems get safer by using combined buying power, and that is what I believe can be done very quickly in a SCADA environment.
In this country, there is no greater leverage to bring about change than profit. Many power companies do not disclose successful network breaches out of fear that it will cost them financially. They do not implement changes that would harden their networks because it would hurt their bottom line. And because compliance on these issues is still voluntary, they are within their legal rights to do so. I think Alan had exactly the right idea 4 years ago, but since we’ve seen no significant progress on the part of the asset owners and operators, it’s time to up the ante. Since profitability is the driver for this industry, that’s where pressure needs to be applied. And they know that time is coming, or at least Rick Sergel (the outgoing CEO of NERC) does. Here is a quote from his November 5, 2009 speech entitled “A New Reality” before NERC’s Board of Trustees and Member Representatives Committee:
On this issue in particular, we have a deadline. Congress is presently considering legislation that would overwrite the SRO* model for setting cyber security standards. A parallel discussion is ongoing in the major media, and has been ongoing for quite some time. In April, we saw the impact an article in the Wall Street Journal could have. We’re expecting to see a 60 Minutes piece air in late November or December. Make no mistake, the questions will come. The decision time-frame on these issues is measured in weeks, or perhaps months, but not years. It is our goal to provide that in a reasonable timeframe. If we don’t, others will.
(* SRO means Self-Regulating Organization)
Now is the time to up the pressure on this sector. Change their SRO status and force compliance with standards that we already know must be put in place by establishing heavy fines when they do not comply. Microsoft has been forced to make changes in its business model not only by the U.S. Air Force, in the example Paller gave the Committee, but, more recently, by the EU.
Most importantly, there needs to be a public outcry with accompanying letters to our representatives in Washington. The risk to the public due to ongoing vulnerabilities in the Grid is very high. Further, should a major blackout occur, there is no 911 response to a family in trouble. They are on their own for the duration, however long or short that period is, vulnerable to whatever threat manifests without benefit of police response, because every officer will be deployed to guard critical facilities; all because it didn’t make “business sense” to the Independent System Operator in their region to harden their networks against known vulnerabilities. If this makes you as angry as it does me, then you need to let your representatives know.
If it helps, feel free to point to this blog post or send them a copy of our report when it comes out in December, or just tell them to call me. I’ve met with a few folks from the House Committee on Energy and various affiliated Subcommittees and am happy to do so again until this problem gets successfully resolved.
NERC v FERC: A symbol of all that’s wrong with securing the Power Grid
Last Updated on Saturday, 7 November 2009 11:30 Written by Jeffreycarr Saturday, 31 October 2009 03:50
The state of affairs in how the U.S. has organized security responsibilities for our most critical infrastructure would be comical if it wasn’t so maddening.
Apart from the lunacy of trusting the owners of power plants to police themselves (NERC), and that, up till now, the Federal government has been enabling that lunacy (FERC), I particularly “love” this comment:
Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. (my emphasis added)
That’s how pervasive the illusion is: despite the myriad attacks against the Grid that are defended against every day, and in spite of the hundreds of known vulnerabilities (not to mention the unknown number of 0days), a U.S. Congressman on the House Energy and Commerce Committee still thinks that by some statistical miracle there have been no successful breaches of the Grid yet.
I don’t know if our report will succeed in penetrating that illusion yet or not (we still have a few weeks left to go), but if nothing else I hope it will inform the work of the Committee on Energy and Commerce and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology that changes to the division of authority between NERC and FERC must be forthcoming, and, more importantly, that cyber-related incidents must be publicly reported and investigated, and asset owners and operators must be held financially and legally accountable.