Cybersecurity in Today's World

December 27, 2012 By
Curt Massey spent an entire 35-year career protecting our national security. His military service, civilian law enforcement, corporate security and military contracting experiences have imbued him with the unpleasant knowledge of our core vulnerabilities and a visceral drive to build a team capable of finding answers to questions most don’t even want to ask. “Look, it’s my team,” Massey has said, “they don’t see impossible, they see challenges which they are eager to overcome -- they are saving the world, I just juggle cats.”
A visionary and entrepreneur, Massey now leads STT's strategic direction. Here is what he had to say about today’s world of cybersecurity.

It seems we are suddenly being hit with all sorts of cybersecurity breaches. In general, what seems to be the problem?

In my opinion, we aren’t suddenly being hit with cybersecurity breaches; they are just being reported on a much more frequent basis than in the past. With stockholders and political pitfalls to worry about, many corporations and government entities under-reported cyber attacks and losses until the effects and potential for catastrophic harm have just become too obvious to ignore. Add to that equation the fact that more and more of our critical infrastructure has moved online, and you suddenly have a great plethora of ripe targets whose value continues to increase exponentially.

What is a typical breach and why don’t current security solutions address it?

I hate to say this, but I don’t see a "typical" breach; cyber-crime and cyber-warfare attacks (yes, we are under attack right now) are now directed across all possible targets; basically any machine hooked to the Internet. The techniques used in these attacks haven’t changed; there have been new cyber-crime tools and devices that incrementally increase efficiency and ease of use for these criminals and national enemies, but all the possible basic means of attack are known and they utilize the same attack vectors. These are the same security holes and flaws that have been with us since prior to the commercialization of the Internet. The major computer/Internet security players attempt to mitigate damage by treating the symptoms, while doing nothing to address the disease. Like prescribing aspirin for headaches while ignoring the tumor that is killing the patient.

Will standards, certifications and compliance address these problems?

No. I will accept that they are well-intentioned, but standards, certifications and compliance are part of the problem. They are the prime reason that all the industry and government experts state that you cannot stop a determined hacker from compromising your network. Standards, certifications and compliance force you to keep an inherently insecure system insecure. If you go all the way back to a nascent ARPANET and follow its incremental development from 1974 to just prior to commercialization in the early 1990s, you find that it was a trusted network, there were no "strangers" involved and it was designed to maximize redundancy during a period where computers were unreliable. The fact of the matter is that the Internet was designed from the ground up to be open, and the practical result of that is the inherent insecurity we see today. The warnings and pleas by the true pioneers of the Internet to address security flaws were completely ignored in the rush to commercialize it.

What is the newest problem that has been found in foreign manufactured chip sets?

Once again, a beast of our own making; after the vast majority of our chip-manufacturing capacity was driven overseas, China – ever industrious and ever serious about their own national security – got into the chip-manufacturing business in a very large way. Years later we find that a great many of our computers and other machines and devices that use microchips -- that could be virtually everything -- are "infected" with rogue chips. These rogue chips are malevolently hard-coded with routines that automatically begin communicating to China’s, and other countries’, cyber-warfare commands, which can also send instructions to these rogue chips. We can’t just replace these millions of chips, as we no longer have the capacity to produce them and, not so shockingly, China and others will not allow us to put inspectors in their chip-manufacturing supply chain.

So, yes, we are now forced to rely on the good will of China and other foreign chip suppliers as part of our national security policy; I’m not very comfortable with that.

Are the Russians and Chinese that good or are we just that bad?

The same conditions that enable self-educated children to hack into the Pentagon make cyber-crime and cyber-war "low hanging fruit;" it’s cheap, it’s easy and, for some bizarre reason, there is a great deal of prestige attached. Anybody can acquire the knowledge and tools to penetrate systems hampered by adherence to current standards, certifications and compliance. If you just enter "hacking," or more properly, "cracking" as a search term online, you are well on your way to becoming a world-class hacker.

Have you ever been breached, in any way, by any of the penetration testers or outright hackers who have gone up against your technology?

No. You can’t attack what you can’t see … or touch.

What is so different about your security approach and why does it work?

Most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it.

We refused to accept that premise.

We devoted a huge amount of research into exactly what makes the Internet insecure and found that the answer was right there for anybody with an open mind who cared to invest a little time. We identified the inherent flaws and determined methods to fix them. Our approach was simple in concept, but excruciatingly difficult and complex in execution. We had to be able to "plug the inherent security holes" and ignore the protocols and standards that promulgate an insecure Internet. But our technology also had to still be able to function seamlessly and flawlessly within that same environment and do so in such an efficient and faultless manner so as to run unnoticed by the user and incur negligible performance hits on average computers. It needed to be redundant, self-healing and not interfere with existing network infrastructure.

We have achieved our goals. A properly configured STTealth network is impenetrable from external and internal cyber-attack. Our messaging component is orders-of-magnitude more advanced, stable and … private than any other technology in existence.

Oh, and those rogue chips? They are completely emasculated and isolated; we also identify machines thus affected.

Where do you see IPS security going in the next few years and where are the roadblocks occurring?

We will truly solve the issue for those smart and agile enough to incorporate our technology. Many, of course, will continue to keep their heads in the sand and will find that, as more networks become unassailable by virtue of our technology, they will become the focus for continually increasing attacks. Many haven’t been attacked simply because the Internet is such a target-rich environment.
As far as the roadblocks, once again, standards, certifications and compliance; that and the fact that people are stuck in this "punch, counter-punch" mentality of reacting after their current, very expensive IPS is broken and then buying the next, very expensive version, and on and on, ad nauseam. This scenario certainly makes some players a lot of money, but it will never solve the problem.

I do believe that we will all look back on the era from the early 90s until today as a very strange time when we allowed the very conditions to exist that enabled widespread cyber-crime and cyber-war.

Cybersecurity and 'Smart Encryption'

December 19, 2012 By
Paul “Prem” Sobel is a Cal Tech master of science in electrical engineering and has dedicated a 40-year career to protecting mission-critical systems.
He worked with IBM, NASA, Northrop and Intel before launching MerlinCryption LLC. He developed an exponentially stronger encryption with variable key length called the Smart-World’s Smart-Encryption.
In this edited interview, Sobel discusses encryption and other security technologies and critical infrastructure vulnerabilities.

Where are we today in encryption methodologies architecture?

Since World War II, increasingly sophisticated encryption algorithms have been developed, with early key sizes starting at 16 bits and growing to 512 bits. Computer speed, combined with statistical analysis, cryptanalysis, mathematical and brute-force techniques, has broken, and will continue to break, these encryption algorithms.

Where do you see current major legacy encryption architectures in supporting future requirements?

DES, RSA, SSL and AES algorithms produce simple key strands, which continually repeat in cyphertext.
Current encryption methods also require that keys are transmitted by known mechanisms between end points, which are easily intercepted or spoofed. These two inherent weaknesses explain why a criminal’s attack of choice is against the key. The next generation of encryption must eliminate these two major risks. The new Anti-Statistical Block Encryption (ASBE) utilizes variable-length keys that scale between 2008 bits and 2 GB, which are reinforced by variable-length passwords up to 64KB.
The ASBE method uses a random data generator that generates-destroys-recreates keys and passwords on demand, making key/password transfer between end points unnecessary. The communication and storage of encryption keys and passwords are also not needed, which circumvents criminal interception.

Future requirements will also dictate a more simple and inexpensive key management system. Today’s Public Key Infrastructure (PKI) is economically and operationally an albatross. Research shows that organizations spend between $47 and $5,921 for the creation, distribution and maintenance of each PKI key in use. PKI management involves certificates, registration authority, directory management, central key deposit, external validation and protocol. Future encryption methods must find alternatives to secure key communication and management.

Can Intrusion Prevention System (IPS) security put us on a catastrophic path of the whole security architecture collapsing?

IPS architects must secure against external attacks and insider attacks. The approach is different for each threat. External attacks can be thwarted with strong whitelisting and using advanced authentication. Two- and three-factor authentication is not enough. Airtight multi-factor requires validating both people and machines over and above the “something known,” “something physically possessed,” and “something unique” that the industry typically uses today. MerlinCryption also employs “something temporary,” which increases authentication to 10 and more factors. All authentication data (both inbound and outbound) needs to be strongly encrypted.

Sophisticated internal espionage may overcome typical two-factor authentication. Again, the use of additional factors and something temporary fortifies prevention. A stealthy security system against insider attacks must encompass data-at-rest, data-in-motion, data-in-use and data-in-change. Real-time data change can be protected with an encrypted in-memory solution. Monitoring and recording activity helps identify the source of foul play. Using strong encryption, with larger variable-length keys, derails system compromise.

What characteristics would you suggest to look for when selecting a solid IPS security solution?

An airtight security process must not only deny access, but also secure data integrity while alerting operators of foul play. Instead of requiring every smart grid node to be capable of detecting intrusion, it is recommended to use multi-factor time-varying authentication and strong encryption with larger, variable-length keys. Keys that require no transfer are most advantageous. Additionally, it is an optimal strategy to have a separate system, which monitors for and reports intrusions on the smart grid networks.

Built-in whitelisting can enable which code is allowed to communicate or cause critical actions. This security measure not only prevents but also alerts of an attempted violation of the whitelist.

We are putting billions of networked applications out with little concern for security. Where is the vendor disconnect in these security needs?

Before the recent outcry, security was often regarded as merely a nice feature. However, with the $388 billion cybercrime business now as large as the international illegal drug trade, and threats of foreign espionage, encryption is no longer a choice. Today’s environment requires that developers and OEMs strategically address the use of strong encryption and multi-factor time-varying authentication in the design phase of any project. A good security system must encompass data-at-rest, data-in-motion, data-in-use and data-in-change.

Are compliance, mandates and executive orders helping cyber security?

Compliance and security are not the same. Compliance sets a minimum standard. A system can be in full compliance and still be totally at risk. The concept of “minimum standard" is an open-ended problem, which evolves along with the evolving sophistication of the attacks. Mandates and executive orders are often “too little, too late.” Systems and their architecture must be proactively designed to address future attacks.

What needs to be done today to expedite readied security technologies in support of sensitive areas such as critical infrastructure?

Protecting access to status, states, reports, machine software updates, commands and controls is paramount to critical infrastructure security. These systems have unique high-risk challenges in different network zones, automated processes and device networks, including servers, human-machine interface (HMI), intelligent electronic devices (IED), controller logic, and industrial network protocols. Adequately securing critical infrastructure requires a dynamic encryption engine, which works in tandem with strong authentication.

As an example, a man-in-the-middle strives to intercept messages, change updates, block alerts, or other false data injection between meters and the utility company. This type of attack against the grid would require authentication and encryption to securely, dynamically and flexibly transmit status messages, alarms and alerts between operators, security intelligence and machines in a sub-second response. The smart-grid operator needs the flexibility to continually change all key, password and authentication parameters, on command.

Protection of our critical infrastructure is a serious and immediate challenge for security leaders, striving to thwart potential incidents. Fortunately, the new ASBE encryption technology overcomes the obstacles of older encryptions and supports a national move to dependable security.

How can manufacturers prepare for new security requirements?

It is imperative that all systems, old and new, have more memory than currently needed, both RAM and Flash. This is needed for new functionality, evolving security threats, monitoring and alerts, and perhaps things yet to be thought of.

Two simple last questions: Why is security being breached today and has your solution ever been breached?

In today’s power-grid environment, we are connecting things that were never connected before, and they were never meant to be connected to the Internet. We are also working with old security architectures that can’t scale to today’s needs. These archaic systems do not address the complexity of SCADA control systems, and many were not built for network connectivity. The old ways won’t work. Critical infrastructure security needs a fresh look.

To answer your second question, the MerlinCryption solution has been pen-tested by the best -- including some noted hackers in Ukraine and Russia. ASBE encryption has never been broken. Encryption keys that disappear after they are used can’t be compromised. It doesn't have to be complicated. It is a matter of using common sense.

Acronyms & Definitions

DES | Data Encryption Standard
RSA | a public-key encryption technology developed by RSA Data Security, Inc.
SSL | Secure Sockets Layer
AES | Advanced Encryption Standard
OEM | Original Equipment Manufacturer
Cyphertext | encrypted text


Industrial Control System Security: A Reliability Issue?

November 5, 2012 By
Cyber Security Expert Joe Weiss has spearheaded the ICS Cyber Security Conference for 12 years, and when he calls in the troops, the best come to serve. Last month’s conference held at Old Dominion University's Virginia Modeling Analysis and Simulation Center -- VMASC in Suffolk, Va. -- was no different. I had a chance to attend the conference and talk with Weiss about Industrial Control System (ICS) security, and this is what he had to say.
Karisny: Your conference first and foremost reinforced that industrial control system (ICS) security is different and it is not just IT. Can you briefly explain?

Weiss: ICSs are purpose-built systems for performing specific tasks. They are built with a mix of commercial off-the-shelf systems (such as Windows) and proprietary real-time operating systems, proprietary communication protocols, and have very specific operating requirements. They were built with minimum computing resources and to operate on their own networks to maximize reliability. They are built to operate for long periods of time (up to 10-20 years) with minimal downtime and will be replaced when they are obsolete or functional operating requirements change. Generally, they will not be replaced because of security reasons. Their primary function is to provide safe, reliable operation with computer operators and system integrators trained for reliable operation, not security. From a cyber security perspective, the most important considerations are availability of the process and authentication of the devices; confidentiality is generally not important for the data "in motion." The concern is that inappropriate use of IT technologies, policies, and/or testing such as penetration testing could, and has, impacted the performance of ICSs.
Karisny: There were validated disclosures of targeted critical infrastructure cyber incidents in the conference. Without disclosing too much confidentiality can you explain these incidents and their significance?
Weiss: There were two ICS cyber incidents that occurred recently that were discussed. These two unintentional incidents are important as they have not been seen before, they represent two different control system suppliers, and there is no guidance in what to do.
In the first case, the utility was in the final stages of a plant distributed control system (DCS) retrofit. During the installation process, the view of the process (the operator displays, etc.) was lost. Neither the utility nor the on-site vendor support was able to get the view of the process restored. It took a vendor link from about 2,000 miles away to get the view of the process back. It raises several questions:
1. What caused the loss of view?
2. Why were the on-site staff not trained about this situation?
3. What did the headquarters staff know that allowed them to get the process view restored?
4. What other facilities have suffered this problem?
5. Could this problem be intentionally caused?
The second case was a complete loss of logic in every plant DCS processor with the plant at power. The event occurred more than once and led to complete loss of control and loss of view. (This is well beyond what I thought was the worst case scenario.) What saved the plant were the old hardwired analog safety systems that shut down the processes. The plant has not been able to determine the cause of the loss of logic. They have documented the situation, contacted their vendor, and provided the vendor their recommendations. The utility is still waiting to hear from their vendor. The concern is this could happen to any industrial facility from any control system supplier. It is not clear if this can be done maliciously.
Karisny: There is a need of sharing cyber breach information but legal issues seem to be deterring this information from even private disclosure. From government intelligence agencies to private sector confidential disclosure, how can we minimally gather this information in some type of a cyber breach clearing house?
Weiss: My view is that end-users will share information if they feel it will help them. That means they need a venue where they feel they can get knowledgeable feedback so that all sides (the discloser as well as the attendees) get something from the disclosure. I also don’t believe private industry trusts the government so a DHS or other government-sponsored vehicle will not work. The ICS Conference works because there are smart people there that can provide intelligent feedback to the presenters and the end-users feel they will not have their information disclosed.
Karisny: Will the difference in ICS require a different way of developing ICS security? Were there some promising new technologies capable of addressing these differences discussed in the conference?
Weiss: As mentioned before, ICSs are different than IT. Generally, IT security suppliers are taking their existing IT solutions and attempting to “customize” them for ICS. What should be done is to understand how the ICS works and what could compromise ICS reliability and/or safety. Then, develop solutions that address those specific concerns. I know of only one technology that seems to have taken this approach. It is still in the R&D stage.
Karisny: A hacker can rapidly respond without recognition or requirement of following cyber security rules and regulations. This is not the case for the good guy in cyber security. With an abundance of standards, regulation, compliance and oversight in cyber security, is there a way to offer short cuts to let the good guys get in?
Weiss: Unlike the good guys, a hacker doesn’t have an organizational chart to follow. As best as I can tell, the only time the IT and ICS communities worked together flawlessly was the development of Stuxnet. The North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards are a good example of a compliance rather than security mindset. The NERC CIPs have made the grid less reliable and less secure as well as becoming a roadmap for hackers to compromise the grid. That is, the NERC CIPs publicly identify the size requirements to make a facility critical, which allow one to determine which power plants, substations, and control centers will have cyber security requirements and which will not. With the current set of NERC CIP standards, approximately 70 percent of power plants, 30 percent of transmission substations, and all distribution systems have no cyber security requirements. Until certain government organizations stop being more afraid of the bad guys learning something rather than educating the good guys, industry will be in trouble because the bad guys want to learn and the good guys will continue to be unaware. This lack of understanding of critical vulnerabilities was demonstrated by the Aurora discussions at the conference. These first public discussions were new to almost all conference attendees.
Karisny: What is it going to take to get utility senior management buy-in on understanding the possibility and consequences of a cyber attack incident and the talent required to mitigate and prioritize resources for ICS cyber security?
Weiss: Until utility management treats ICS cyber security as a reliability issue rather than a compliance issue, there will be less than robust utility attendance at the ICS Cyber Security Conference. The question is how to reach and educate utility management about the reliability and safety issues of ICS cyber security. The ICS Cyber Security Conference is not a utility conference but a cross-industry ICS cyber security conference. We had a significant number of end-users from water, chemicals, oil/gas, manufacturing, food, pipelines, and DOD. My belief is that the electric industry is not a leader in cyber security of control systems because of the NERC CIPs creating a culture of compliance not security. The leaders in cyber security are the oil/gas and petrochemical industry with DOD starting to take this more seriously. One would hope that after all of the power issues with Hurricane Sandy, utility executives will take ICS cyber security more seriously before it is too late.

A full observation summary of the conference by Joe Weiss is available separately.
Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.


Anomaly Detection: Front-Door Infrastructure Security


"Outlier Detection"

September 20, 2012 By
The Digital Communities article "Have Hackers Won?" -- with Columbia Computer Science Professor and Federal Trade Commission Chief Technologist Steven Bellovin -- gave a clear explanation of security limitations because of the size and complexity of buggy software code, and limitations in authentication and encryption. "Authentication won’t do it," Bellovin explained in the article. "In most breaches, the bad guys go around the strong authentication, not through it." He went on to say that as part of a national study, he analyzed every CERT advisory issued up to 1998 and found that 85 percent of them were code problems, configuration errors, etc., that encryption couldn’t fix.

While this may be a difficult problem to address, it is not impossible. It does, however, require a new way of looking at what real security is and how to effectively secure business process information.

Understanding True Security

While technology has delivered benefits, it has also delivered a new set of security risks and business problems, including large volumes of questionable data, vague accountabilities, and ongoing maintenance of business rules, to name a few. As we have digitally automated our business and control processes, we have reached a point of complexity from which it is impossible for a manager to see the day-to-day actions of these processes or even detect a security breach. New visualization tools are necessary to assist managers if they are to accurately and effectively direct these business processes. This is where anomaly detection will help.

Currently, data collection, buggy code, network encryption and authentication are all viewed and audited at the system output level. In this type of security system, real-time system data and unwanted business events can be detected too late. Security must therefore be viewed, audited and authorized at the enterprise event-input level to achieve the higher security levels required for critical infrastructure.

Our current security systems are collecting so many security "no's" at the output level that intrusion prevention and detection systems are reaching the point of overload. To date, over 17.7 million viruses have been detected. Add bandwidth-eating high-end encryption to the mix and things are eventually going to start slowing down. So how do we handle all these security no's? The answer to this problem is simply to say yes.

It's almost impossible to manually watch, detect, audit and correct all these business activities in the complexity of today’s business processes. Even when doing this through coordinated government compliance like NERC CIP in securing the power grid, the minute we think we are done and walk away something changes. These compliance processes cost a lot of money, take a lot of time and can’t guarantee security anyway.

So what if we could create an anomaly algorithm that could audit, detect and approve positive input events in business processes? And if we could do this, then wouldn’t risk management and security actually just be a byproduct of allowing these positive business events to occur?

"Anomaly detection," says Wikipedia, is also called "outlier detection" and refers to detecting patterns in a given data set that do not conform to established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains.

In the workplace, predetermined activities of employees, information systems and combined human and information system events produce specific desired business process results. Anomaly detection can specifically detect and audit the defined patterns of these combined human and system activities. A change in the normal pattern of these activities can offer a business manager very specific information that can assist in improving the business process or even detecting a major business or system breach.
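To make the "approve the positive events, flag the outliers" idea from the two preceding passages concrete, here is an added example that is not from the article or from any vendor it mentions. It builds a baseline of normal per-actor daily activity counts from constructed business-process log lines, then scores a new day's events: an event is approved when its count sits within the actor's established pattern, flagged when it deviates strongly (z-score), and flagged as an unknown pattern when the actor/action pair was never seen during the baseline period. The log format, the actor names (including a hypothetical HMI station) and the z-score threshold are assumptions chosen for illustration.

```python
"""Baseline-and-outlier detector over business-process event counts.

Added example, not code from the article. The log format below is an
assumption: "<day> <actor> <action> <count>", one line per actor/action/day.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample baseline: five "normal" days for three actors.
BASELINE_LOG = """
d01 alice approve_invoice 12
d02 alice approve_invoice 14
d03 alice approve_invoice 11
d04 alice approve_invoice 13
d05 alice approve_invoice 12
d01 bob export_report 2
d02 bob export_report 3
d03 bob export_report 2
d04 bob export_report 3
d05 bob export_report 2
d01 hmi1 setpoint_change 40
d02 hmi1 setpoint_change 42
d03 hmi1 setpoint_change 38
d04 hmi1 setpoint_change 41
d05 hmi1 setpoint_change 39
"""

# Constructed new day: one bulk export and one never-seen action for bob.
NEW_DAY_LOG = """
d06 alice approve_invoice 13
d06 bob export_report 30
d06 hmi1 setpoint_change 40
d06 bob approve_invoice 1
"""


def parse_log(text):
    """Parse log text into (day, actor, action, count) tuples; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # tolerate junk lines instead of aborting the whole batch
        day, actor, action, count = parts
        events.append((day, actor, action, int(count)))
    return events


def build_baseline(events):
    """Map each (actor, action) to (mean, population std dev) of its daily counts."""
    series = defaultdict(list)
    for _day, actor, action, count in events:
        series[(actor, action)].append(count)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}


def detect_anomalies(baseline, events, z_threshold=3.0, min_sigma=1.0):
    """Split events into approved (fits the baseline pattern) and anomalies.

    min_sigma floors the standard deviation so a very steady baseline does
    not turn a one-count wobble into an alert (assumed tuning value).
    Returns (approved, anomalies); each anomaly carries a short reason.
    """
    approved, anomalies = [], []
    for day, actor, action, count in events:
        key = (actor, action)
        if key not in baseline:
            anomalies.append((day, actor, action, count, "unknown pattern"))
            continue
        mu, sigma = baseline[key]
        z = (count - mu) / max(sigma, min_sigma)
        if abs(z) > z_threshold:
            anomalies.append((day, actor, action, count, f"z={z:.1f}"))
        else:
            approved.append((day, actor, action, count))
    return approved, anomalies


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    ok, bad = detect_anomalies(base, parse_log(NEW_DAY_LOG))
    for ev in ok:
        print("APPROVED", ev)
    for ev in bad:
        print("ANOMALY ", ev)
```

The point of the split return value is the article's "say yes" stance: the approved list is what the business process is allowed to do, and the anomaly list is the short, reviewable set a manager or detection pipeline actually has to look at. In practice the baseline would be rebuilt on a rolling window so that legitimate process changes are absorbed rather than alerted on forever.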

Real-World Fix
This may seem like security fantasyland or something that is still on the drawing board but it’s not. The problem is not that it is not available or it doesn’t work. It is available.

Like most paradigm shifts, it takes a while for people to get it, and human nature sometimes confuses threats with benefits. We need to start leveraging tools that can view, audit and improve business processes and improve security at the same time.


Grid Security Summit Assembles Top Security Experts

Smart Grids
Photo by James Jhs. Creative Commons License Attribution 2.0 Generic

August 6, 2012 By
I have spent the last few days moderating and recording The Smart Grid Security Virtual Summit, which will be webcast on August 9th. I highly recommend this summit. Speakers include a who’s who list of top industry experts who offer their opinions on how to correct the real issues related to securing the power grid. From what we have done to what we need to do, summit sessions are real eye openers disclosing problems and providing answers to critically needed smart grid and critical infrastructure security questions.

I moderated the panel discussion “Smart Grid Security, Past, Present and Future,” which included industry professionals I have previously interviewed for Digital Communities. Bob Lockhart -- a senior research analyst contributing to Pike Research’s smart-grid practice with a focus on cyber security markets -- co-authored a white paper with Research Director Bob Gohn on the Seven Trends to Watch in Utility Cyber Security. From market projections for this new multi-billion dollar cyber security business to the current state of near chaos in securing the power grid, the discussion was packed with reality checks of where we are and where we need to be in securing the grid.

The panel discussion continued with outspoken industry leader Patrick Miller who views the need for cyber security from both the public- and private-sector sides. Miller is president and CEO, EnergySec and principal investigator of National Electric Sector Cybersecurity Organization (NESCO), a public-private partnership between the U.S. Department of Energy and EnergySec to enhance cybersecurity in the electric sector. Miller suggested less talk and more action in addressing security breach concerns and discussed a high-level view of power grid security.

Ending the panel discussion was Ted Wood, director at Sterne, Kessler, Goldstein & Fox. Wood's job is the discovery and protection of intellectual property in things like smart-grid security. From international cyber security espionage to plain old American ingenuity, Wood offered a unique view to the realities of cybersecurity. Wood leads the firm's Grid Industry Group, where he focuses on helping innovators involved with ensuring power grid resiliency in an evolving smart-grid infrastructure. His discussion focused on how small business ingenuity can protect intellectual property while fast tracking creative solutions through the bureaucracies of big business and big government.

I spoke in the second panel discussion, “Is Current Legacy IPS And IDS Security Enough For The Smart Grid And Critical Infrastructure?” My presentation focused on how current security solutions may be too costly, too complex and too inefficient for critical infrastructure requirements. From Intrusion Prevention Systems (IPS) that now must securely encrypt the new end point of nano-sensor chip sets, to Intrusion Detection Systems (IDS) that must now be able to view real-time event anomalies and business processes, this discussion showed the need for security technology change. The subject of why we need to look at smart-grid security differently was first discussed in my recent article, Smart-Grid Security Will Force New Ways of Thinking. This presentation expanded on that article and discussed proof points of why new security solutions are required for smart grid and critical infrastructure security.

The second session speaker was Phil Smith, founder and president of TLC Secure, who has had a long and illustrious career with senior technical and managerial roles at HP, Cisco, NASA, Lawrence Livermore National Lab and others. He is the innovator, architect and developer of several implementations for mobile devices, as well as of their cryptographic libraries and identity management components. Smith has worked with critical infrastructure encryption security used in wireless sensors in atomic power plants and Department of Defense applications. His time-tested applications of Intrusion Prevention System (IPS) security showed how true end-to-end security can be achieved for the smart grid.

The last prerecorded panelist, Rajeev Bhargava, is CEO of Decision-Zone and an expert in the information management field who has architected, developed and built next-generation cyber security, risk, fraud and privacy solutions. In 2010, Rajeev Bhargava received a U.S. Patent for the world’s only technology capable of 100 percent fraud and system security protection. Bhargava discussed a completely new way of addressing Intrusion Detection System (IDS) security through the prediction, detection and correction of event anomalies in real-time business processes. This discussion revealed why current IDS solutions are not enough for smart grid system security.

Additional session discussions included:

1. Identifying and Mitigating Cyber and Physical Threats to Smart Grid SCADA Systems, William Lawrence, chief technologist, Energy & Cyber Security, Lockheed Martin;
2. A Utility Perspective on Smart Grid Security Status and Challenges, Ward Pyles, senior security analyst, Southern Company;
3. Regulators' Role in Smart Grid Security: What They Want to Know, Alan Rivaldo, cyber security analyst, Public Utility Commission of Texas;
4. Recent TVA Experiences and Insight on Smart Grid Cyber Security, John Stewart, specialist engineer, Power Control Systems, Tennessee Valley Authority; and
5. Security Issues Surrounding Cloud Computing and Big Data in the Smart Grid, William Souza, manager, Security Integration, Reliability Services Division, PJM Interconnection.

More information is available on the conference, which will be web broadcast Thursday from 9 a.m. to 5 p.m. EST.


Flame Virus, a Controlled Burn?

Don't Play With Fire

May 31, 2012 By
In Florida I have a friend, a park ranger, who does controlled burns in the hope of curtailing any large park brush fires. This may be similar to how the new virus Flame is being used. Like any controlled burn, however, there is a risk of the fire getting out of control.

We need to come to a consensus on cyberwar. It has officially started and the weapons are improving. The new computer virus nicknamed Flame, also known as Flamer, sKyWIper and Skywiper and Stuxnet 20, is many times worse than its predecessors. It has the capability of specifically attacking its targets and evading detection.

Based on its predecessors Stuxnet and Duqu, Flame can spread to other systems over a local area network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.

These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

Setting aside the sociological and political ideologies of whose side we are on in cyberwar, the recent cyber attacks demonstrate the current vulnerability of our legacy security solutions. What Flame is doing in targeted Middle East attacks can be done in other countries, even the ones releasing the attack. There is a first-mover advantage, but the technical nature of computer virus propagation could leak the virus to unintended areas, as Stuxnet did. Playing with these vulnerabilities is like playing with fire.

At a recent conference in Orlando, Florida, UTC Telecom 2012, the consensus of those who were at all involved in cyber security was that there clearly is no 100 percent capability of securing even our critical infrastructure. This concern was further emphasized when keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in their knowledge of cyber security. One or two hands went up out of 500 in the audience. Weatherford responded by saying we need to prepare our workforce and find talent "to prepare the next generation for cybersecurity. Gaps in talent means gaps in security."

Even the Department of Defense is recognizing the need to forge private-industry partnerships on cybersecurity. This makes sense, since the Internet and much of the experience behind it will be found in the private sector. There is a clear issue, though, for those who have pursued DOD cyber security jobs or partnerships: secret and top secret clearance. There needs to be a better way to address needed background checks than the current clearance procedures.

A person with secret or top secret clearance may have little experience in cyber security or tremendous experience in cyber security but no ability to quickly and economically obtain secret or top secret clearance.

We are faced with some tough decisions as they relate to cyber security, with few if any quick decisions. With a limited cyber security workforce and clear cyber security vulnerabilities, it seems time to look for new security solutions rather than playing with the appropriately named Flame virus. We can’t continue to patch cyber security while thinking we can manipulate these vulnerabilities in targeted cyber attacks. This could backfire, and already has. At a minimum we have to overlay new security protection, or wipe the slate clean and look for new ways of addressing cyber security, or this controlled Flame may get out of control.

Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.


Smart Grid Security: An Inside View from Patrick C. Miller


Security is bolted on, not baked in.

May 14, 2012 By
Patrick C. Miller is president and CEO of EnergySec, a 501(c)(3) nonprofit organization formed to support organizations within the energy sector in securing their critical technology infrastructures. A March survey by EnergySec of 100 energy security professionals revealed that two-thirds think smart-grid projects do not adequately deal with security threats. Larry Karisny, director of Project, interviewed Miller about the survey and the subject of smart-grid security.

Karisny: Your survey results from top industry professionals seemed to clearly demonstrate a real concern with the lack of security in today’s power grid. Is this what you expected?

Miller: Yes, it isn’t far from what I’ve heard from them over the past few years as we’ve ramped up the grid modernization efforts. Overall, the grid itself is highly resilient, but we are implementing new technologies and new connections without fully understanding the emergent issues that arise with this degree of innovation and complexity.

You stated that we are moving so fast with smart-grid innovation that rather than baking in security we are bolting it on. Does this mean that we will be adding modules or maybe recall retrofits to ensure security for some even recently deployed power-grid equipment and devices?

Yes, I speculate there will need to be some unexpected retrofits or replacements for early technology or components. Without question, more security modules, shims or wrappers will need to be employed. Utilities have an expectation that these digital devices will have a life-span somewhat similar to the older analog elements they replaced. For discussion’s sake, let’s say they think the new digital meter will last 15-20 years. How much will the digital technology surrounding the meter change in that same span? How will the attacker landscape change during this timeframe? To give a general comparison, how many new smartphones will you own between now and when this meter is replaced with the “next generation?”

Are personal security concerns legitimate and are you seeing safeguards to protect personal privacy in the smart grid?

This isn’t a hard problem to solve. For example, opt-in/out programs for any data beyond what is necessary for operations could be one solution. Such an approach would provide those who are sensitive to the matter an option that doesn’t immediately involve going backward and ripping out the smart meters. There are some cryptographic protections for the data, depending on the implementation, but the areas of concern often seem to reside in the ownership of the data and how the data may be used beyond the operational needs of the utility (either by the utility or any third party).

One of the positive responses to the survey was user acceptance of security for online utility payments. Is this a false sense of security, or could the power companies maybe learn something from banks when it comes to cybersecurity?

Many of the utilities use already existing financial clearinghouses to process payments. I think those that are familiar enough with securing an electric utility know that payment, or lack thereof, doesn’t directly [immediately] affect the flow of power. Power can still be delivered, even if the payment, billing or end-point metering system isn’t perfect.

Standards are necessary in developing industrywide technologies, but they also delay solutions from being deployed. How can we expedite security standards while keeping pace with smart-grid technology deployments?

Take a page from Nike and “Just Do It.” We can move as quickly as we want. Moving too fast isn’t the best approach, but neither is moving too slow. My personal belief is that we’re past due for standardization. I think some of the churn has been around governance of the standards and not the standards themselves. Maybe some flexibility in this area might let everyone feel more comfortable, resulting in more substantial movement.

Can you give examples of some of the security innovations that you are currently reviewing and testing?

Our organization does not do this research directly, but we are involved in many security-related conversations on the subject of grid modernization software and hardware. I know many vendors are at least thinking about the problem and how to solve it. A much smaller number of vendors have solid traction and are implementing security at a pace that equals innovation of new features. Even fewer are at the tip of the sword with a holistic model that balances cutting-edge innovation with proven security development approaches such as thorough code review and rigorous supply-chain management.

How can we “architect” a sustainable power grid without having as you said a “spare power grid” to test and deploy fixes?

Infrastructure isn’t inexpensive. Building a full-replica spare is as costly (or more) as building the original. The most cost-effective approach is to use representative platforms, virtualization, simulators, emulators, etc. I think everyone understands that “testing in production” is at the edge of the risk spectrum. It may or may not go wrong for any one specific test, but if it does, the consequences may be severe. For any new system deployed, a portion of the project budget should be allocated to include a satisfactory test (or quality assurance) environment. This is an unpopular position to take in such a tight economic landscape because it can add significant cost to any endeavor.

We talk about security in the power grid because that is our focus. Isn’t there a lot more “smart” that needs to be secured in other industries and the smart grid may be just the start?

This is an area of interest for me. I think we are ultimately seeking a modernized power system that is somewhat self-aware, self-healing and self-managed. This implies an emergent intelligence much like a flock of birds or school of fish. They are all unique individual organisms (devices), but they can operate with a collective, emergent intelligence as a single unit when dealing with threats, obstacles, food (fuel) sources. Securing the entire environment in a utility will be profoundly different when we achieve this state.

It is far too expensive to entirely replace the legacy grid components with the newer “smarter” elements, so there will still be a fairly substantial base of analog, electromechanical and “old” or “dumb” devices in the grid. This aging equipment will be working alongside tomorrow’s amazing new intelligent gadgetry, maybe even in the same rack. Securing this breadth of historic and future technology will be our greatest challenge for the security profession in the electric sector.



Smart Grid Security, Challenges and Change


April 18, 2012 By


With former CIA director R. James Woolsey, Jr., wanting to attack smart grid security threats -- the FBI documenting low- and high-tech electrical theft, and Homeland Security reporting 86 attacks on computer systems in the United States that control critical infrastructure, factories and databases -- you would think that the deployment of smart-grid security would be put on the fast track to an immediate solution. Well, let's see.

The Smart-Grid Security Circus
If you were to review where we are today in addressing the need for cyber security in our power grid, you would find a lot of starts, changes, delays and even do-overs. NERC Critical Infrastructure Protection (CIP) is working on version 5 of its cyber security compliance standards, and NIST is working on release 2.0 of its framework, which includes updates to many of the 75 standards from Release 1.0 while adding 22 more. To add to the confusion, there is a brand new organization creating new alliances to support the certification and promotion of an interconnect standard for wireless smart-grid devices. The cost and time of trying to become compliant with these guidelines and standards will put smart-grid security years off before it can achieve any agreed-upon security solutions. With immediate security needs evident, there must be a way out of what people in the security business are now calling the "smart grid security circus."

We can’t just throw something at the wall when it comes to critical infrastructure security, but business as usual isn’t going to help either. The bureaucracies and oversight groups are becoming so numerous that large organizations can't get anything done, and small entrepreneurs -- who may be holding the solution in hand -- can't afford the time and cost of going through the endless oversight, compliance and standards processes. No one knows this better than EnerNex, a company that offers innovative and professional electric power research, engineering and consulting services to government, utilities, industry and private institutions. In a discussion with Erich Gunther, Chairman and CTO of EnerNex, he stated, "simply being compliant with a security standard such as NERC CIP doesn't mean that your grid is secure."

“While I would never characterize the grids as bulletproof," said Pike Research Analyst Bob Lockhart, "I believe that the operations teams have built in safeguards at the physical level that we don’t understand. That still doesn’t excuse the behavior regarding cyber security. Also the lack of standards – other than CIP, which considers distribution grids out of scope – hinders almost everybody from making a decision. You might check out the white paper we just released – my section (trend #4) addresses that.”

Robert Former, head of security research and testing at Itron, said the smart grid security circus is "The sound of [a] paradigm shifting without a clutch.” Former -- quoted in a blog -- continued: “Utilities have to be more enterprise security-aware. With these incidents at organizations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we’re going to fix a security problem is to expose it.” The key words in this quote are "paradigm shift," "cover up," and "exposure." These words call for drastic change in what is done, and how, in addressing smart-grid security.

Change is a Security Requirement not a Luxury
There are those saying that power grid security could best be addressed by not changing, by keeping legacy power-grid-island security (standalone service centers that are not interconnected), or by keeping smart meters dumb. I can assure you these are just not viable options. We need to first consider the tremendous benefits that would be lost and, at a minimum, the economic efficiency, stability and security that could not be achieved if we kept legacy systems in place. In security, for instance, both legacy electromechanical and digital smart meters can be breached by rather low-tech methods at the meter location. The only way such a breach could be remotely detected is if the meter were connected to the smart grid in real time and intelligently. I referred to these new intrusion prevention system (IPS) and intrusion detection system (IDS) security capabilities in my last article, “Smart-Grid Security Will Force New Ways of Thinking.” Electrical theft, including from legacy meters, is estimated at 40 percent in India and is the main reason they are adding intelligence to their power grid. From simple theft to international espionage, there are too many critical security benefits offered by power-grid intelligence to turn back to legacy operations that may only seem secure. We must move forward in deploying the changes required to rapidly support current and future requirements in securing needed power-grid intelligence.

We Are Securing System Architecture
System security was the big disconnect that I saw in the smart grid. Coming from a network background, my initial discussions with power companies and meter companies were a little confusing at best. After many discussions and a few explanations, I at last found that today's power grid is just a bunch of sometimes-connected operational islands. From the stand-alone power substation to the dumb power meters, in most cases nothing was connected to anything. With this stand-alone system background, it was no surprise to me that there was limited knowledge of network and system security and some rather different ways of addressing power grid security through physical operational security.

So we went from nothing to securely connecting, sometimes in real time, data from every home to a limited and sometimes non-existent power company network infrastructure. This was a bit much for power companies to address all at one time while looking at staged-system approaches to building both network and system security. Even meter companies merging with wireless mesh and modular gateway companies are just now starting to work with security software and chip-set companies on addressing these new system architectures. In fact, Pike Research has identified the "system architecture" approach as one of the top 10 smart grid trends to watch in 2012.

Can Current Legacy Security Technologies Secure the Smart Grid?
To properly answer this security question, I think we need to look at two critical requirements that have changed in the smart grid. First, if the network demarcation is now the smart meter's optical communication port, then what are you connecting your smart meter to? This new and previously unrecognized network edge point of breach is now the true end of end-to-end smart-grid security. That changes the end point of intrusion prevention system security and the technologies that can achieve it. Second, internal and external real-time network and business process security requires real-time intrusion detection system security.

This changes current IDS solutions, which collect historical intrusion data, and now requires the capability to address real-time anomaly detection and even predictive security breach detection. Few IPS and IDS security solutions even offer the capability to meet these true end-to-end and real-time data-security requirements. We are reaching a new need, and maybe a new way, to address these new security requirements.

As power companies and communication companies go through their collaboration culture shock, security companies, which historically never talk to each other, are going through theirs too. They must now all collaborate on new security requirements and open the doors on how to achieve them. Even current security solution companies must change their way of looking at security if they expect to address the unique security requirements of the smart grid.

Conclusion and Recommendations
I can't emphasize enough the importance of moving forward in addressing these critical smart-grid security requirements. After covering this security issue for a few years, I have come to the conclusion that we are still fighting the uncomfortable issue of change rather than keeping our eye on what we are trying to accomplish. Sometimes we are dealing with more people issues than technology issues, and sometimes with too much technology and not enough attention to people. To this end, I offer these suggestions for adjusting to change while staying focused on the goal.

1. Don’t surrender to complaints
People are normally suspicious of change, especially when it involves big business and big government. From discredited wireless radiation concerns to personal privacy issues, the hype of these complaints many times outweighs the facts. The complainer and naysayer often do not have the whole or big picture. Given the opportunity, they should be asked whether they would be willing to pay four times as much for electricity by not having the smart grid. Change is difficult for both energy producers and energy users. With change come complaints and suggestions, both of which have value in tweaking the proper goal without drastically changing or eliminating it.

2. Remember you are your history
The power generation and distribution companies have a tremendous history of innovation, with safety and security always the top priority. This track record should be leveraged with the understanding that it started with people complaining that electricity was too dangerous to distribute. Today's people and technical challenges are no different from the difficulties that power companies had to address at the beginning of electric power production, transmission and distribution. Today’s electric power industry needs to be addressed with the same creative innovation and leadership that was shown in the past.

3. Expect the unexpected
When deploying new technologies you should expect and be prepared for the unexpected. For instance, when we put IPS and IDS security in the network, these technologies should be able to adapt rapidly (if not in real time) to any needed changes that occur in the smart grid. If current security technologies do not offer these capabilities, do not underestimate the possibility that you may need a complete paradigm shift to achieve the needed security requirements. Paradigm shifts are not always comfortable or easily understood, but they are sometimes the only avenue to doing things right.

4. Know elements of victory
Government and communication companies invading the power companies' space was at best uncomfortable. We should recognize the differences between government, companies and technology providers but never take an “are you for us or against us” attitude. People must work together, carefully listening, with proper leadership in charge following the plan. That is when things get accomplished. That's when victory occurs.

5. Don’t fall short of your goal
I am shocked when I hear comments from naysayers of the smart grid who think we can just stay with the status quo. We need to focus on the goal and the tremendous benefits the smart grid will bring, and address the critical security issues it now faces that could flat out just turn it off. As power companies did in the past, they simply need to step up and try again.


Smart-Grid Security Will Force New Ways of Thinking

Ignoring critical infrastructure security problems is no longer acceptable.

January 4, 2012 By

Editor’s Note: Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Security attacks are real, validated, and are becoming more costly. According to security expert John McNabb, electric utilities assume they suffer about 10 percent losses to theft each year. The Edison Electric Institute estimates that in 2009, electric power companies earned more than $352.5 billion. That puts electricity theft alone at more than $35 billion, and doesn’t include the cost of peak production premiums and power outages that cost an additional $80 billion annually. All this could be curtailed by making the power grid intelligent and secure.

Adding intelligence to just the demand side of the power grid could produce savings estimated to be as high as 26 percent — a finding announced last month that came from a smart grid contest in Texas. Even with the cost of smart-grid upgrades estimated at $1.5 trillion by 2030, the efficiencies of adding secure intelligence to the power grid seem cost-effective. But none of this will happen without effective security.

Power grid security isn’t just about money. Personal security and national security are at stake. Appearing before the Senate Armed Services Committee in June, then-CIA Director Leon Panetta said, “The next Pearl Harbor could very well be a cyberattack that cripples our government, security and financial systems.” Power companies are beginning to take these threats seriously and are even beginning to disclose these threats in SEC filings. Con Edison isn’t the first utility to disclose cybersecurity as a serious threat in SEC filings, but it’s perhaps the first to describe cyberattacks as a stand-alone risk category. Failure to disclose such breaches or to follow North American Electric Reliability Corp. (NERC) compliance can cost power companies a million dollars a day in mandated penalties.

The threat of endangering personal data from hacked smart meters was recently demonstrated by Tony Flick and Justin Morehouse in a presentation at Defcon 18, which is available in its entirety on YouTube. Flick earlier wrote “Securing the Smart Grid: Next Generation Power Grid Security”, warning of these projected breaches. Threats to personal security and the national power grid are reaching critical mass.

Smart-Grid Security Chaos, Compliance and Collaboration

So how are we doing on securing power infrastructure? The latest Pike Research report on grid security said, ”Utility cybersecurity is in a state of near chaos.” With concerns about the chaos of vendors and regulations, Pike Research also observed a dawning awareness by utilities and vendors during the past 18 months of the importance of securing smart grids with architecturally sound solutions. But correcting these problems might be slowed down by spending billions of dollars on meeting federally mandated security compliance — rather than investing in the development and testing of security solutions.

There are signs, though, of a focused collaboration from the public and private sectors in methodologies to rapidly deploy grid security. A new demonstration project will be conducted jointly by partners Sensus, EnerNex and the Department of Energy’s Oak Ridge National Laboratory addressing this critical need for security. The three partners will collaborate on the project, dubbed the Automated Vulnerability Detection (AVUD) system. The system uses function extraction (FX) — a disruptive new technology platform that can detect and fix software-hardware issues before they become big problems. The system is designed to keep a step ahead of security threats rather than playing catch up as we are now doing.

Intrusion Prevention and Detection Are Key

Complexity within the smart grid boils down to several points. The “smart” part of the grid is a sensor talking to a communication link connected to a database. This is further simplified by the sensor and database information being basically a machine-to-machine application passing consistent data through the network.

In the simplest terms, security breaches occur basically for two reasons. The network wasn’t secure to begin with or someone got in that shouldn’t have. The industry separates these categories into two separate security solutions: One is called Intrusion Prevention Systems (IPS), and the other is called Intrusion Detection Systems (IDS). The two capabilities, combined in a security system, can pretty much keep the bad guys out.

The problem is we can no longer look at the IPS and IDS solutions of the past when trying to secure the enormous amount of data now in the grid. The old way of doing this is just too expensive, too complex, too slow and frankly doesn't get the job done. We must look for ways to simplify and improve security solutions.

New Applications Require New Thinking

Adding security solutions to the smart grid likely will be a massive task. With predictions of 1 trillion intelligent devices connected by 2015, we must learn quickly. These devices are no longer just computers or telephones. There are now billions of microchip devices with small processors offering specific “Internet of things” functionality that often doesn’t require any human intervention. These machine-to-machine devices are the new nerve endings of networks and applications; these devices offer intelligence to a variety of venues, from national critical infrastructure to intelligent home systems. The difference today is that we now have moved the demarcation of network intelligence from typical communication radios or gateways to intelligent microprocessing chips within smart devices. With this type of volume and small processing power, we need to look at new ways of adding security to intelligent networks and applications. Large companies like IBM, Lockheed Martin and Accenture are positioning themselves for a piece of this new $40 billion smart-grid security market. They are spending millions on development and are looking for partners and acquisitions in support of their solution product portfolios.

TLC Secure Inc., a company focusing on intrusion prevention in smart-grid security, looked at the potential complexity of managing Public Key Infrastructure and decided to offer a Layer 2, vendor- and protocol-agnostic solution. Phil Smith, CEO of TLC Secure Inc., said, "Sensors and their internal communication ports have been defined as the new point of breach in smart meters, as have SCADA operations in the smart grid. By encrypting at Layer 2, we secure everything above it and solve a lot of the vulnerabilities — and the problem of too much diversity and overcomplicated Layer 3 solutions with too little interoperability. This yields stronger blanket security, and greatly simplifies it as well.”

A white paper by John McNabb, along with work by companies like InGuardian and IOActive, has already verified breaches in smart meters. Layer 3 network security alone is no longer the defining demarcation point of network security. Realizing this, TLC developed a security solution “offering true end-to-end IPS by securing the weakest link of smart networks, from database to the smart meter chipset."

Smart Networks Require Real-Time Detection

With many smart-grid database feeds now arriving in real time, even Intrusion Detection System security needs to be looked at differently. A recent white paper written by Dr. David Chalk presented a new way of looking for real-time data anomalies, in a detection technique called “cyber forensics.” Rather than waiting for an unknown virus to be recognized by a massive global database, Decision Zone's approach first models, from historical data, what the smart application should be doing and then detects in real time any deviation from that defined behavior. Smart-grid sensor data is relatively simple and consistent, so these application parameters can be securely checked in control systems while flagging any change in the defined application.

Chalk said, “Just the smart grid alone will collect massive amounts of data. With this much data being collected, typical IDS data-centric approaches for protection of the smart grid won't work. A paradigm shift to ‘process-based audit’ is needed. Decision Zone uses a discovery technology to generate the underlying process, then adds a live causal audit application that can identify any anomalous event to the underlying process prior to failure.”
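To make the "discover the process, then audit live events against it" idea concrete, here is an added example in Python. It is not Decision Zone's or TLC Secure's code, and the event names, meter readings and the tolerance factor are all constructed for illustration. The discovery step learns which events may follow which, and how much a cumulative meter register normally rises between reads; the live auditor then flags, as each event arrives, an event name the process never contained, a known event arriving out of order, a register that goes backwards (assumed impossible for a cumulative meter), and an increase far beyond anything seen historically.

```python
"""Process-based audit of a smart-meter event stream (hypothetical example).

Stage 1 discovers the normal process from a historical trace.
Stage 2 audits a live feed, one event at a time, against that model.
Every event, reading and threshold here is constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass

START = "<start>"  # sentinel state before the first event of a feed

# Constructed historical trace: (event_name, cumulative_kwh).
# The meter's normal cycle is read -> report -> ack, with consumption
# rising by a small, bounded amount on every read.
HISTORICAL_TRACE = [
    ("read", 1000.0), ("report", 1000.0), ("ack", 1000.0),
    ("read", 1001.2), ("report", 1001.2), ("ack", 1001.2),
    ("read", 1002.1), ("report", 1002.1), ("ack", 1002.1),
    ("read", 1003.5), ("report", 1003.5), ("ack", 1003.5),
    ("read", 1004.4), ("report", 1004.4), ("ack", 1004.4),
]

# Constructed live feed with four deviations the audit should catch:
#   index 6  an event name ("firmware_write") the process never contained
#   index 10 a "report" directly after "ack", skipping the "read"
#   index 12 a cumulative reading that goes backwards
#   index 15 a jump far above the learned per-read increase
LIVE_FEED = [
    ("read", 1005.3), ("report", 1005.3), ("ack", 1005.3),
    ("read", 1006.0), ("report", 1006.0), ("ack", 1006.0),
    ("firmware_write", 1006.0),
    ("read", 1007.1), ("report", 1007.1), ("ack", 1007.1),
    ("report", 1007.1), ("ack", 1007.1),
    ("read", 1003.0), ("report", 1003.0), ("ack", 1003.0),
    ("read", 1020.0),
]


@dataclass
class ProcessModel:
    transitions: dict       # event -> set of events allowed to follow it
    known_events: set       # every event name seen in the historical trace
    max_delta: float        # largest per-read consumption increase observed
    last_reading: float     # cumulative reading at the end of the trace
    tolerance: float = 1.5  # constructed headroom factor applied to max_delta


def discover_process(trace):
    """Learn allowed event orderings and value bounds from a historical trace."""
    transitions = defaultdict(set)
    known = set()
    max_delta = 0.0
    prev, last_reading = START, None
    for event, reading in trace:
        transitions[prev].add(event)
        known.add(event)
        prev = event
        if event == "read":
            if last_reading is not None:
                max_delta = max(max_delta, reading - last_reading)
            last_reading = reading
    return ProcessModel(dict(transitions), known, max_delta, last_reading)


class LiveAuditor:
    """Stateful checker: feed events one at a time; returns an anomaly or None."""

    def __init__(self, model):
        self.model = model
        self.prev = START
        self.last_reading = model.last_reading

    def observe(self, event, reading):
        m = self.model
        # 1. An event name the discovered process never contained. The process
        #    state is left untouched so the next legitimate event is judged
        #    against the last real step, not against the intruder.
        if event not in m.known_events:
            return ("unknown_event", f"{event!r} is not part of the discovered process")
        # 2. A known event arriving out of order (e.g. report without a read).
        if event not in m.transitions.get(self.prev, set()):
            finding = ("bad_transition", f"{self.prev!r} -> {event!r} never observed")
            self.prev = event
            return finding
        self.prev = event
        # 3. Value checks on the register carried by a "read" event.
        if event == "read":
            delta = reading - self.last_reading
            bound = m.max_delta * m.tolerance
            if delta < 0:  # assumption: a cumulative meter register never decreases
                return ("rollback", f"reading fell from {self.last_reading} to {reading}")
            if delta > bound:
                return ("spike", f"increase {delta:.1f} exceeds learned bound {bound:.1f}")
            self.last_reading = reading  # only a sane reading becomes the new baseline
        return None


def audit_stream(model, events):
    """Run the auditor over a whole feed; returns [(index, kind, detail), ...]."""
    auditor = LiveAuditor(model)
    findings = []
    for i, (event, reading) in enumerate(events):
        result = auditor.observe(event, reading)
        if result is not None:
            findings.append((i, *result))
    return findings


if __name__ == "__main__":
    model = discover_process(HISTORICAL_TRACE)
    for index, kind, detail in audit_stream(model, LIVE_FEED):
        print(f"event {index:2d}: {kind:15s} {detail}")
```

Because the model is a handful of sets and two floats, the check costs a dictionary lookup and a subtraction per event, which is what lets it run on the sensor feed itself rather than in a back-end signature database; the cost of this simplicity is that the learned process must come from a clean trace, so the discovery window has to be chosen and vetted with care.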

We are trying to use older security technologies to secure more networks and network applications than we ever have. There is a rule of thumb in security that must be respected if we are to move forward in protecting these massive intelligent networks: If we make the security solutions too expensive, too difficult to operate or too slow, people won't use them.

We must find simpler and more economical ways of addressing these critical needs in intelligent security. Securing the smart grid will be the defining proving ground for the new security solutions that will safeguard intelligent applications today and in the future. We need to focus on the funding and development of these critical security technologies if we are to enjoy the benefits of the future’s intelligent network applications.