August 4, 2011 By Larry Karisny
Recent reports have clearly demonstrated that cyber wars are real and happening. So what are the implications and when are people going to at last take notice? Forbes reported recent attacks included an unprecedented series of cyber attacks on the networks of 72 organizations globally -- including the United Nations, governments and corporations -- over a five-year period. The White House as of yet has not disclosed the organizations effected by this most recent attack dubbed "Operation Shady RAT."
So what are people who live, eat and breathe this stuff every day saying? I am part of a group that has been discussing this in a Smart Grid Security group headlined, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems." The discussion started 14 days ago and with the recent events I thought some of the comments are very appropriate and I would like to share them.
Theodore Wood, Partner and Patent Lawyer at Sterne Kessler Goldstein & Fox
"I believe we have to direct more of our immediate attention and grid-related stimulus spending toward enhancing the resiliency of the existing grid. William Pentland’s article in Forbes this past May, discusses his finding that about 75 percent of the 2009 federal stimulus dollars have been directed to advanced metering infrastructure (AMI). Our own research and analysis of IP in these areas supports this contention. However, in order to have a more direct impact on grid security, we need more direct investment in cyber resiliency strategies (hardware and software), including things such as strong encryption and key management techniques, network access control, intrusion response systems, rootkit detection, etc. I believe that an infusion of federal spending into these areas will spur R&D, facilitate development of quality IP, and help ensure that cyber security innovation and technology are more commercially attractive from both the vendors' and investors' perspectives."
Andrew Wright, CTO at N-Dimension Solutions
“I agree with Ted regarding the need for more economic stimulus for grid resiliency and cyber security. Of the $4.3 billion ARRA funding, most of it went to smart meters, MDMs [Meter Data Management], and consultants, and relatively little to real security. And in any case, that was 100 out of 3,300 utilities in the U.S. We need to change the economic equation so that utilities do not have to prioritize security against other technologies, and the best way to do that is to build security in. But that needs economic incentives for manufacturers to spend time on security functions rather than others. IP protections for grid resiliency is one way to do this.”
Joe Weiss, Managing Partner at Applied Control Solutions, LLC
"As an engineer, there is no doubt it is technically possible to do this -- I am not a threat analyst and so cannot say why it has or has not happened. Stuxnet should be a glaring example of its potential. I had this specific discussion with Richard Clarke many years ago and provided several reasons why it could happen and yet not be public. There are minimal control system cyber forensics so when there have been major infrastructure failures, it is generally not possible to determine if cyber was involved. There already have been numerous significant control system cyber incidents in the U.S. that have killed people, caused major electric outages, shut down nuclear plants, etc. When a critical infrastructure incident does occur, there is a reticence by the government to acknowledge it is a cyber incident. I believe the lack of control system cyber forensics and end-users unwillingness to report has stifled progress on securing industrial control systems."
Stacy Bresler at National Electric Sector Cybersecurity Organization
“Reporting cyber incidents or potential incidents is an issue. Being a former cyber security manager at a large asset owner, I understand the lack of willingness to report. Currently the mandate to report a cyber incident is to the ES-ISAC which is essentially the regulator despite claims of dividing lines within their organization. That alone is a deterrent for more reporting. I'm with Joe on this ... I don't think our intelligence agencies always have the facts put together before they make blanket statements. We do need better tools to help in forensic efforts but that needs to be coupled with proper training for those in the field. There are forensic experts out there and I believe ICS-CERT has a jump team on the ready ... but I don't think that is enough. We definitely do not have an aggregated view of what is really going on and we can't manage what we can't measure!"
Robert Cragie Consultant for HAN/Smart Energy/Security at Pacific Gas & Electric
"The 80/20 rule applies here. With a relatively small amount of effort you would get a huge improvement in security. ICS manufacturers and implementers have to wake up to the fact that their ancient systems need to be brought up-to-date using security procedures (business process, physical and cyber) commonplace in IT and telecoms infrastructures. The INL SCADA evaluation report highlights the woeful lack of security in electricity T&D substations, e.g. adding dial-up modems with no cyber security protection to substation equipment still using default passwords so a maintenance operator can control remotely. Stuxnet was clever but still propagated by the practice of passing USB flash drives around with the virus on. Back in the day, it was floppy disks which spread viruses in this way. Do we never learn?"
This is what the people who work on these issues are seeing. There is always some hype but there is also some things that are not disclosed. From simple fixes to a clear need to invest into new cyber security solutions, the war is on and the war is real. God bless our military and their efforts in securing our country but if our national power grid goes down our losses could be much greater.
Larry Karisny is the Director of Project Safety.org, smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure. Reprint courtesy of MuniWireless