Monday, February 22, 2010

The Evolving Compliance Landscape Of Cyber Security

Security, as it turns out, is largely about compliance. Anyone who has spent any significant amount of time working in security knows this all too well. Years ago my business partner and I worked on a very sophisticated health care project which involved cryptographically authenticated peripherals. The business model was such that a peripheral attached to a device was to be used once (and only once) on a patient, and then discarded. The doctor would then have to buy another (or have a stock of more peripherals) for another treatment.

We were brought in because the first generation product used a weak security solution, and it was hacked and counterfeited in 3 weeks (3 weeks from launch to counterfeits on the market)!

Bye bye business model.

So, having miserably lost the first battle in their own little cyber war, they decided it was a good idea to bring out the big guns, and they created a security solutions team (which essentially consisted of me, my partner, and the chipmaker we were working with) and we put together a very secure solution. It cost them more than their first solution, but they knew all too well the cost of failure, so it was easy for them to justify the increased expenditure.

Wouldn't it be nice if all security engagements worked out that way? Certainly for the security provider, I suppose.

We began focusing on health care security, feeling empowered by our previous engagement, and soon discovered that it was not as easy as we expected. We touted the battle scars of our client as an indicator of the need to secure their products, but failed in our attempts to generate revenue. It was frustrating, to say the least.

In all this, I learned quite a bit about the health care industry, and soon realized that everything in health care is compliance driven. Since the extent of security requirements for health care providers essentially falls under HIPAA regulations, all a health care organization is interested in doing is complying with HIPAA. Doing so essentially requires a security policy, and something as simple (and low tech) as requiring a 4 digit PIN to enter a system. It certainly is not something my company could sell into, since most of what is required by the client falls under the security audit, which is generally handled by the IT team medical clients already have. Since the requirements are so non-stringent, this is usually a 10-15 minute conversation.

Do you think I am exaggerating? I assure you I am not. One of the "side" jobs my company has been focusing on is iPhone applications for health care, and I can assure you that when the subject of HIPAA compliance comes up it NEVER lasts more than 15 minutes, and usually ends up with an agreement to enforce a 4 digit PIN (and a few other minor security additions). As developers who have worked in security development for quite some time, we do indeed build our software with an eye on security from the beginning, and our clients do indeed get a lot of security "freebies" because of that, but it is not because we are compelled to do so by any forces outside of our own need to not fall on our own swords as security professionals. In other words, we have chosen to self regulate our process, and our clients benefit from that.

While this is all good, and certainly makes us feel like we are doing the right thing from a due diligence perspective, it is only a small dent in the underlying battle. We know this from even further forays into working with cyber security challenges. The most interesting, perhaps, is with voting machines. Despite the bad press voting machine vendors received after many security professionals discovered gaping security flaws, they were indeed complying with requirements set forth by the election commissions in the states they sold into. In fact, the states themselves "ate" the cost of the insecure machines because of this, while the vendors got the black eye. Some vendors we worked with were indeed QUITE aware of how to build secure voting systems, and told us that such systems were unsellable because the states simply did not want to pay for them. All the vendors had to do was comply and then offer the best ROI to the clients in order to win the bid, and they did just that. It was not until after the security exploits were discovered that the US Elections Assistance Commission began taking security seriously.

Imagine that!

That does not mean that security was not considered...it certainly was. It is just that the deployment of security was weakened by a low threshold for compliance. What is even more important to realize is that the threshold is nearly impossible to determine without a proof of concept (moving from theory to reality).

Fast forward to cyber security, and specifically as it relates to the Smart Grid. Early deployments on the smart grid did indeed include requirements for security, and ALL vendors took it quite seriously (some more than others, as it appears). But this was not necessarily due to compliance issues, it was because (as one utility security expert put it), no utility company in their right mind is going to deploy something that is not secure.

...and yet, we now know that the grid has some fairly major security issues. How can this be?

Well, we have to consider security in the context of the perceived threat. For example, I can easily be shot while walking down the street of the bad part of town in any city, but that does not prompt me to invest in body armor (or even a bulletproof vest). Body armor is expensive and not very comfortable to wear, and since I have never been shot at while walking in the bad part of town, I am more than willing to rely on simpler and more cost effective security solutions (such as perhaps walking on better lit streets) to keep me safe. Moreover, I may very well get shot at and STILL decide not to get body armor. It simply takes a certain level of perceived danger for anyone to elevate their security requirements, and we really do not know what that level is until it happens.

So we stand in the presence of a smart grid deployment that is going pretty strong in the USA (on the order of tens of millions of meters), and we have not borne witness to any major catastrophes yet. We have indeed proven that the threat is very real, and we are now working towards lowering the risk. The Department of Homeland Security, NIST, and NERC have enlisted the public and private sectors in the activities (and I have indeed joined in on the fun), and there are many smart people working on the challenges at every level you can imagine. Michael Assante of NERC co-authored an EXCELLENT article in the January/February 2010 issue of IEEE Security and Privacy magazine titled "No Grid Left Behind", in which he methodically lays out the challenges and proposed solutions; everything in the article is quite cogent. I have personally spoken to MANY members of the security community, ranging from vendors, utility companies, PhD scientists, meter manufacturers, and crypto algorithm providers to everyone in between. Everyone is working hard on the project.

Yet we have to understand that despite all the efforts to win the war (something that will never happen, as the war will never end) and prevent casualties, we are not going to come through this unscathed. Smart Grid deployments are vital to our existence because the energy savings have been proven. In a conversation I had with Echelon (a maker of AMI products) they have shown an energy savings on the order of 70% in some cases!!! That is a VERY significant number. When we consider the impact of energy savings on anywhere near that level, it certainly makes the case for Smart Grids a no brainer. I mean, think about that for a moment...saving energy by simply being smarter about where and when it is being used.

To me, as an energy consumer who spends over $500 per month to meet my energy needs (when you include fossil fuels), that hits home.

So what we have to understand is that sometimes the missteps on the battlefront do indeed lead to things getting better. We have to understand that the various regulatory entities that are working towards solidifying and continuously evolving the standards (which vendors are indeed paying close attention to) are well aware that they are stakeholders in this ecology, and that an insecure smart grid affects them on a very personal level. Michael Assante of NERC is a security whiz, but he is also well aware of the fact that the decisions he makes affect the outcome of this nation AND his personal life in a VERY profound way. Just like America came together to fight the enemy during World War II, after we had felt the attack at Pearl Harbor, we too can expect cooperation as we fight the ever evolving cyber security enemy.

After all, we are all on the front line.
