Flame Virus, a Controlled Burn?

Don't Play With Fire

May 31, 2012 By
In Florida I have a friend who is a park ranger who does controlled burns in the hope of curtailing any large park brush fires. This may be similar to how the new virus Flame is being used. Like any controlled burn, however, there are risks of the fire getting out of control.

We need to come to a consensus on cyberwar. It has officially started and the weapons are improving. The new computer virus nicknamed Flame, also known as Flamer, sKyWIper, Skywiper and Stuxnet 20, is many times worse than its predecessors. It has the capability of specifically attacking its targets and evading detection.

Based on its predecessors Stuxnet and Duqu, Flame can spread to other systems over a local area network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.

These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

Taking away the sociological and political ideologies of whose side we are on in cyberwar, the recent cyber attacks demonstrate the current vulnerability of our legacy security solutions. What Flame is doing in targeted Middle East attacks can be done in other countries, even the ones releasing the attack. There is a first response advantage but the technical nature of computer virus propagation could leak the virus to unintended areas as did Stuxnet. Playing with these vulnerabilities is like playing with fire.  

At a recent conference in Orlando, Florida, UTC Telecom 2012, the consensus of those who were somewhat involved in cyber security was that there clearly is no 100 percent capability of securing even our critical infrastructure. This concern was further emphasized when keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in knowledge of cyber security. One or two hands went up out of 500 in the audience. Weatherford responded by saying we need to prepare our workforce and find talent "to prepare the next generation for cybersecurity. Gaps in talent means gaps in security."

Even the Department of Defense is recognizing the need for forging private-industry partnerships on cybersecurity. This makes sense when the Internet and much of the experience behind it will be found in the private sector. There is a clear issue though, for those who have pursued DOD cyber security jobs or partnerships. That issue is secret and top secret clearance.  There needs to be a better way to address needed background checks than the current clearance procedures.

A person with secret or top secret clearance may have little experience in cyber security or tremendous experience in cyber security but no ability to quickly and economically obtain secret or top secret clearance.

We are faced with some tough decisions as they relate to cyber security with few if any quick decisions. With a limited cyber security workforce and clear cyber security vulnerabilities it seems time to look for new security solutions rather than playing with the appropriately named Flame virus. We can’t continue to patch cyber security while thinking we can manipulate these vulnerabilities in targeted cyber attacks. This could backfire, and already has. We have to minimally overlay new security protection or wipe the slate clean and look for new ways of addressing cyber security or this controlled Flame may get out of control.

Larry Karisny is the director of Project, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.


Smart Grid Security: An Inside View from Patrick C. Miller

Security is bolted on, not baked in.

May 14, 2012 By
Patrick C. Miller is president and CEO of EnergySec, a 501(c)(3) nonprofit organization formed to support organizations within the energy sector in securing their critical technology infrastructures. A March survey by EnergySec of 100 energy security professionals revealed that two-thirds think smart-grid projects do not adequately deal with security threats. Larry Karisny, director of Project, interviewed Miller about the survey and the subject of smart-grid security.

Karisny: Your survey results from top industry professionals seemed to clearly demonstrate a real concern with the lack of security in today’s power grid. Is this what you expected?

Miller: Yes, it isn’t far from what I’ve heard from them over the past few years as we’ve ramped up the grid modernization efforts. Overall, the grid itself is highly resilient, but we are implementing new technologies and new connections without fully understanding the emergent issues that arise with this degree of innovation and complexity.

You stated that we are moving so fast with smart-grid innovation that rather than baking in security we are bolting it on. Does this mean that we will be adding modules or maybe recall retrofits to ensure security to some even recently deployed power-grid equipment and devices?

Yes, I speculate there will need to be some unexpected retrofits or replacements for early technology or components. Without question, more security modules, shims or wrappers will need to be employed. Utilities have an expectation that these digital devices will have a life-span somewhat similar to the older analog elements they replaced. For discussion’s sake, let’s say they think the new digital meter will last 15-20 years. How much will the digital technology surrounding the meter change in that same span? How will the attacker landscape change during this timeframe? To give a general comparison, how many new smartphones will you own between now and when this meter is replaced with the “next generation?”

Are personal security concerns legitimate and are you seeing safeguards to protect personal privacy in the smart grid?

This isn’t a hard problem to solve. For example, opt-in/out programs for any data beyond what is necessary for operations could be one solution. Such an approach would provide those who are sensitive to the matter an option that doesn’t immediately involve going backward and ripping out the smart meters. There are some cryptographic protections for the data, depending on the implementation, but the areas of concern often seem to reside in the ownership of the data and how the data may be used beyond the operational needs of the utility (either by the utility or any third party).

One of the positive responses to the survey was a user acceptance of security for online utility payments. Is this a false sense of security or could the power companies maybe learn something from banks when it comes to cybersecurity?

Many of the utilities use already existing financial clearinghouses to process payments. I think those that are familiar enough with securing an electric utility know that payment, or lack thereof, doesn’t directly [immediately] affect the flow of power. Power can still be delivered, even if the payment, billing or end-point metering system isn’t perfect.

Standards are necessary in developing industrywide technologies but they also delay solutions from being deployed.  How can we expedite security standards while keeping pace with smart-grid technology deployments?  

Take a page from Nike and “Just Do It.” We can move as quickly as we want. Moving too fast isn’t the best approach, but neither is moving too slow. My personal belief is that we’re past due for standardization. I think some of the churn has been around governance of the standards and not the standards themselves. Maybe some flexibility in this area might let everyone feel more comfortable, resulting in more substantial movement.

Can you give examples of some of the security innovations that you are currently reviewing and testing?

Our organization does not do this research directly, but we are involved in many security-related conversations on the subject of grid modernization software and hardware. I know many vendors are at least thinking about the problem and how to solve it. A much smaller number of vendors have solid traction and are implementing security at a pace that equals innovation of new features. Even fewer are at the tip of the sword with a holistic model that balances cutting-edge innovation with proven security development approaches such as thorough code review and rigorous supply-chain management.

How can we “architect” a sustainable power grid without having as you said a “spare power grid” to test and deploy fixes?

Infrastructure isn’t inexpensive. Building a full-replica spare is as costly (or more) as building the original. The most cost-effective approach is to use representative platforms, virtualization, simulators, emulators, etc. I think everyone understands that “testing in production” is at the edge of the risk spectrum. It may or may not go wrong for any one specific test, but if it does, the consequences may be severe. For any new system deployed, a portion of the project budget should be allocated to include a satisfactory test (or quality assurance) environment. This is an unpopular position to take in such a tight economic landscape because it can add significant cost to any endeavor.

We talk about security in the power grid because that is our focus. Isn’t there a lot more “smart” that needs to be secured in other industries and the smart grid may be just the start?

This is an area of interest for me. I think we are ultimately seeking a modernized power system that is somewhat self-aware, self-healing and self-managed. This implies an emergent intelligence much like a flock of birds or school of fish. They are all unique individual organisms (devices), but they can operate with a collective, emergent intelligence as a single unit when dealing with threats, obstacles, food (fuel) sources. Securing the entire environment in a utility will be profoundly different when we achieve this state.

It is far too expensive to entirely replace the legacy grid components with the newer “smarter” elements, so there will still be a fairly substantial base of analog, electromechanical and “old” or “dumb” devices in the grid. This aging equipment will be working alongside tomorrow’s amazing new intelligent gadgetry, maybe even in the same rack. Securing this breadth of historic and future technology will be our greatest challenge for the security profession in the electric sector.
