“What will it take for people to wake up?” I was talking with Joe Weiss yesterday. He studies control system security vulnerabilities. He also sponsors a high-level cyber security conference; the most recent iteration was held at Davidson University.
Press is not allowed at his event, because every talk concerns very sensitive security holes and no one will discuss them on the record. However, Joe told me that several incidents were reported in which hackers gained access to the control system. In some cases, no one can figure out how they got into the control system itself. Evidently, control system vendors are not talking.
The usual cybersecurity experts, valuable as they are, really stop at the network level. Weiss contends that there are holes inherent within the control system itself that also need to be addressed.
He says his recent ICS Cyber Security Conference hosted the first public discussions of Aurora. Aurora is a gap in the protection of the electric grid: it is the starting of alternating current (AC) equipment (generators, motors, etc.) out of phase, which imposes a large torque that can cause significant loss of equipment life or outright damage. One way Aurora can be caused is by remotely manipulating relay configuration settings.
News from Bloomberg
Within a few hours of my conversation with Weiss, I received my daily update email from Jason Calacanis’ Launch ticker. He sent me to a Bloomberg story on the U.S. Senate: “U.S. Senate Republicans yesterday killed cybersecurity legislation backed by President Barack Obama, increasing prospects the White House will implement some of the bill’s provisions through an executive order.”
The article continues, “Supporters failed 51-47 to get the 60 votes needed under Senate rules to bring the bill up for passage. Republicans blocked the same measure in August, saying it would lead to more government regulation of business.
“It to some degree hardens the lines of division, which makes it more likely we’ll see an executive order rather than an attempt to revive the legislation in the near term,” Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in an interview.
“The only other thing that can produce legislation is a major cyber security meltdown,” said Baker, a partner at the Steptoe & Johnson law firm in Washington.
Administration officials have continued to warn about cyber threats capable of widespread damage. Defense Secretary Leon Panetta in a speech in New York last month said computer assaults by other countries or extremist groups could be as destructive as the Sept. 11 attacks.”
Joe continues to preach that utility companies have their heads in the sand regarding the cyber security threat. He continues to document breaches. This article seems to confirm it.
The problem with control system security is that it has to be built starting at the very basic process level and working up from there. Most IT security experts see it from the top and look down. The top-down viewpoint is often dangerously out of touch with what the security measures are supposed to protect. Most IT security experts are all about protecting the network and the information. They ASSUME that by protecting the information they are protecting the infrastructure. Yet they are flummoxed when confronted with the notion that something continues to happen even when they deny access. This is very much outside their experience, and they have no idea what to do about it.
Control engineers, conversely, have very little idea what their networks actually do, how they do it, or what can access that network. They can tell you everything the process was supposed to do, but are stumped when asked what will happen if a given asset has been hacked. They had not planned on it. It wasn't in the design criteria.
So we demand that people magically "securify" these systems and expect something wonderful to happen. Good luck with that. This is an evolutionary process. It will be slow. There isn't a damned thing that anyone can do about it, so it is time to tell the IT crowd that if the sky is falling, it is time we put the networks indoors. Likewise, it is time to tell the engineers that we cannot keep the process under cover forever. We need to build more resiliency and integrity checks into it so that we can expose it to the rest of the world.
And it is time to tell the green-eyeshade crowd of data surfers and miners to gather their data out of band instead of directly from the system. Big data has a cost, and it isn't nearly as cheap as they think it is.
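The Aurora mechanism described earlier and the call for integrity checks above come down to the same defensive question: are the relay's protective settings still what the engineer approved, and would they still block an out-of-phase close? The Python below is an added illustration, not code from this post, from Joe Weiss, or from any relay vendor. The relay name, the setting keys (`sync_check_enabled`, `max_angle_deg`, `max_slip_hz`, `reclose_delay_s`) and every value are constructed for the example; real relays expose their settings and sync-check logic in vendor-specific ways. It diffs a live settings snapshot against an out-of-band baseline, then shows how a simplified synchronism-check permissive judges the same 120-degree mismatch under the approved and the tampered settings.

```python
# Added illustration (not code from the post or from any relay vendor).
# Two defender-side checks for the Aurora scenario described in the post:
#   1. an integrity check that diffs live protective-relay settings against an
#      engineer-approved baseline kept out of band, and
#   2. a simplified synchronism-check permissive that refuses a breaker close
#      when generator and grid are out of phase.
# Relay names, setting keys and all values are constructed for the example.

# Constructed baseline: the settings the engineer approved and recorded out of band.
APPROVED_SETTINGS = {
    "relay-G1": {
        "sync_check_enabled": True,   # supervise every close with a sync check
        "max_angle_deg": 10.0,        # largest phase-angle difference allowed to close
        "max_slip_hz": 0.1,           # largest frequency difference allowed to close
        "reclose_delay_s": 2.0,       # wait before automatic reclose
    },
}

# Constructed snapshot "as read back from the relay", in which two settings
# have been changed so that an out-of-phase close would no longer be blocked.
OBSERVED_SETTINGS = {
    "relay-G1": {
        "sync_check_enabled": True,
        "max_angle_deg": 180.0,       # tampered: any angle now passes
        "max_slip_hz": 0.1,
        "reclose_delay_s": 0.0,       # tampered: no delay before reclose
    },
}


def settings_drift(approved, observed):
    """Return (relay, setting, approved_value, observed_value) for every
    setting that differs from the baseline, is missing, or is unexpected."""
    drift = []
    for relay, base in approved.items():
        live = observed.get(relay, {})
        for key, want in base.items():
            got = live.get(key)
            if got != want:
                drift.append((relay, key, want, got))
        for key in live:
            if key not in base:
                drift.append((relay, key, None, live[key]))
    for relay in observed:
        if relay not in approved:
            drift.append((relay, "<unknown relay>", None, observed[relay]))
    return drift


def angle_difference_deg(a_deg, b_deg):
    """Smallest absolute difference between two phase angles, in degrees."""
    return abs((a_deg - b_deg + 180.0) % 360.0 - 180.0)


def close_permitted(settings, gen_angle_deg, grid_angle_deg, gen_freq_hz, grid_freq_hz):
    """Simplified sync-check permissive. Returns (permitted, reason).

    Design choice for this illustration: a disabled sync check is treated as a
    block rather than a permission, so that particular tampering fails safe.
    """
    if not settings.get("sync_check_enabled", False):
        return False, "sync check disabled; close must be supervised"
    angle = angle_difference_deg(gen_angle_deg, grid_angle_deg)
    slip = abs(gen_freq_hz - grid_freq_hz)
    if angle > settings["max_angle_deg"]:
        return False, f"angle difference {angle:.1f} deg exceeds {settings['max_angle_deg']} deg"
    if slip > settings["max_slip_hz"]:
        return False, f"slip {slip:.3f} Hz exceeds {settings['max_slip_hz']} Hz"
    return True, "in synchronism"


def audit():
    """Run the integrity check and report which approved protections have changed."""
    drift = settings_drift(APPROVED_SETTINGS, OBSERVED_SETTINGS)
    for relay, key, want, got in drift:
        print(f"ALERT {relay}: {key} approved={want!r} observed={got!r}")
    return drift


if __name__ == "__main__":
    audit()
    # The same 120-degree mismatch judged under the approved and the tampered settings.
    print("approved:", close_permitted(APPROVED_SETTINGS["relay-G1"], 120.0, 0.0, 60.0, 60.0))
    print("tampered:", close_permitted(OBSERVED_SETTINGS["relay-G1"], 120.0, 0.0, 60.0, 60.0))
```

The point of keeping the baseline out of band is that the comparison does not depend on the device whose settings may have been altered; the drift report is what an engineer would want to see before, not after, a close command is issued.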
Finally, regarding the legislative fluffery, see Patrick Coyle's blog. http://chemical-facility-security-news.blogspot.com/2012/11/reid-kills-cybersecurity-bill.html
I agree with him: Reid must have known this was a toxic move and he put it out there specifically so that it would fail. This was done so that the President would have the political backing for an executive action. The problem is that I don't think the executive branch of government has any better idea of how to regulate these things than the legislative branch.
Be careful what you ask for. You might get it.
Good post; Joe is correct in that "cybersecurity" from the IT perspective is network firewall (with maybe some IDS/IPS and a form of whitelisting thrown in for good measure). But the IT folks are simply pushing the technologies that they know and are comfortable with; that's human nature. And "security" is a concept still so foreign to most on the engineering side that many still vehemently oppose it as being a "nice to have," let alone a requirement. It's human nature for them to resist change, especially when it makes their jobs more difficult. Convenience and security are on opposite ends of the see-saw; the more you get of one, the less you get of the other. At some point, the industry (maybe with the "encouragement" of government) is going to have to realize they need to tip the balance a lot heavier towards security.
It's fortunate there are people like Joe and members of the media like Gary that talk about this critical need, but it's unfortunate that most end users and asset owners still don't listen.
What makes anyone think that Government can solve any problem better than the private sector? Politicians are not experts at anything but how to be reelected. This problem needs to be addressed by those whose bottom line can be affected by a cyber attack. Whether an attack is to the infrastructure or purely via cyber means, it makes no difference. The consequences will be the same. Those who choose to stick their heads in the sand will be woken up when it happens to them. If they do not learn from these experiences or do not try to prevent them, the natural process that man has progressed by throughout time will determine the survivors. There is nothing wrong with this process. We do not need a big nanny (or big government) always trying to keep us from making mistakes.
I was quite intrigued by reading your post. Automation and control systems are helping people make their life easier and safer. I always look for new technological advancement in these areas as they interest me, and I see the bright future in terms of development in such areas.
Thanks for this wonderful information.