Saturday, April 10, 2010

The Need For A Security Paradigm Shift

I remember years ago, when Stephen Covey's bestseller The Seven Habits Of Highly Effective People was making its rounds throughout the business world, the introduction of the word "paradigm" in my vocabulary. I was working in a resort way back then and our director of operations used to love walking around and tossing the term out like Rockefeller gave away dimes to the poor. He was a great operations director, and certainly was not deserving of the gentle ribbing he took for the liberal use of a term that nobody in my world seemed to want to care about. Frankly, most of us cared more about changes in our scheduled shifts than we cared about "paradigm shifts".

Still, I did indeed listen intently to what he had to say. I liked him a lot, and he liked me. He convinced me to read Covey's book, and I gained a better understanding of several concepts, most importantly the concept of the paradigm shift.

To summarize my understanding of it in as few words as possible is perhaps something I am incapable of, so I defer to a definition I found while perusing the venerable Wikipedia. Here is the section I found best describes it:

the historian of science Thomas Kuhn gave paradigm its contemporary meaning when he adopted the word to refer to the set of practices that define a scientific discipline at any particular period of time. Kuhn himself came to prefer the terms exemplar and normal science, which have more precise philosophical meanings. However in his book The Structure of Scientific Revolutions Kuhn defines a scientific paradigm as:

  • what is to be observed and scrutinized
  • the kind of questions that are supposed to be asked and probed for answers in relation to this subject
  • how these questions are to be structured
  • how the results of scientific investigations should be interpreted

The bullet points capture the essence of what I believe is absolutely critical as we continue to discuss the topic of securing the smart grid.

Anyone who knows me knows that I am generally a very positive person, and generally give most people the benefit of the doubt. However, you also know that I tend to not suffer foolishness lightly. I call things like I see them, and although I am sometimes way off base, I am on target often enough to cause those I target (using my Socratic methods) to feel a bit uncomfortable. To those of you whom I have made uncomfortable, my apologies for making you feel uncomfortable. My intention is not to get you to dislike me. My intention is to get you to see things differently, or to get you to shift your paradigm.

What led me to this blog posting was an article I read titled Securing The Smart Grid by Elinor Mills. This article is a combination of what I believe is sound information layered with generous doses of conjecture. I am not going to get into what I believe is conjecture at this point, since that will indeed take more time than I have this morning. What I did find worthy of calling out, however, was a quote made by Jesse Berst of Smart Grid News:

Jesse Berst, managing director of the Global Smart Energy consultancy and founder of Smart Grid News, said he didn't see any reason why the energy industry wouldn't be able to secure the infrastructure as it modernizes.

"The physical security concerns me more than the cyber security because we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet) and I think we can solve it to that same degree of safety for this one," Berst said.

Now let me preface this by saying that I believe Jesse's contributions to the entire world of Smart Grid are indeed beyond admirable. I read Smart Grid News on a daily basis, and find it to be a wealth of information. I will also be the first to admit that he is light years ahead of me (and perhaps a lot of people) in his understanding of The Smart Grid.

...however, his statement "...we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet) and I think we can solve it to that same degree of safety for this one," truly left my mouth hanging open.

Are you kidding me?

Okay, maybe CNet took that out of context. God knows the media seems to do that with more frequency than we would like to see. So I will indeed work with the assumption that this may be the case, and dissect this statement as one that may indeed be put forth by someone who may not be aware of how a security professional (such as myself) might view it.

Let's start with the first part of the statement "...we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet)".


I am not entirely sure where to start with this one. Let's just take financial to begin with, and describe how we have "solved" those issues. Despite having "solved" the cyber security issues with respect to the financial world, the financial industry still loses billions per year due to cyber attacks, and then passes these losses on to the consumer. One "solution" the financial industry put forth several years ago was PCI Compliance, which simply shifts losses to merchants, who then are forced to raise prices to cover the losses. Another "solution" is to jack up credit card fees and interest rates ("risk management" as they like to call it) to cover the losses that the financial industry cannot pass on to the merchants. Sadly, there is no way any consumer can avoid falling into this abyss. If I do not want to use credit cards I am hampered by having to write checks or use cash for anything and everything. I also must live with the cost of failure that cyber crimes impose on my merchants through higher prices.

Such is life. Do I get by despite this mess? Certainly! Is the problem "solved"? Nope! In fact, I am not sure it can ever be solved. What I am sure of is that we seem to be able to live with this particular cost of failure in cyber security, and that may indeed be good enough (for now).

It is the second part of the statement "I think we can solve it to that same degree of safety for this one", however, that got me to bolt out of bed and start writing. Here is where the entire world of Smart Grid security "apologists" needs to go through the mother of all paradigm shifts. Solving the security issues to "the same degree of safety" where The Smart Grid is concerned does not quite seem to cut it, now does it? Let me explain.

Let's consider the cost of failure.

While we live in a world of hyperbole in the world of cyber insecurity, we now also live in a world where some of the inherent weaknesses in the Smart Grid security arena have made the transition from theoretical to proof of concept. Perhaps the most famous of these is the infamous Aurora Attack seen on 60 Minutes (that was when my phone started ringing). What that showed us was that the cost of failure in security could lead to power being shut down in some areas for months. Now I know that some of you are going to want to attack this by telling me that we can simply redirect power from elsewhere, and that is indeed true, but what you would probably leave out of that statement is the fact that redirecting power during the middle of a blistering summer heat wave is next to impossible, and I am quite sure that a malicious attacker (not just a script kiddie) is keenly aware of that.

...and there is more. A lot more in fact. Utilities are keenly aware of the issues, and so is our government, and they do indeed care A LOT about security. Way more than the media is willing to give them credit for. In fact, I have never seen an industry embrace the importance of security with such fervor as the power industry has in the last year. In California both PG&E and SCE have invested considerable resources in dealing with these issues. One member of the cyber security team at PG&E sent me a message at 10:50 PM several nights ago in response to a question I had (regarding a conference I am planning). I was surprised that he replied so late and he informed me he was still at work! When I asked him why, he told me that he (and others on his team) often work late. When I see this level of dedication from security professionals I do indeed feel quite comfortable about the work being done towards securing our grid, and so should others (in my opinion).

Nonetheless, there is a dire need for a paradigm shift in the discussions surrounding Smart Grid security. We cannot use examples where the cost of failure truly pales in comparison to the cost of failure when we have no electricity. Imagine, if you will, a scenario where someone hacks your bank account and takes all of your money. You contact that bank and it can take several weeks to get your money back. I know this to be true because I know someone who went through such a nightmare. Nonetheless, she did not go hungry or die. She had food in her house, and credit cards, and family and friends. It really amounted to a nasty inconvenience, and she got all of her money back eventually. The "degree of safety" built into the system was indeed more than adequate to deal with this situation, but nobody who has their nose to the grindstone in the world of Smart Grid security would consider this to be a valid presumption of having the situation under control. We are fortunate enough to have only a small (yet significant) fraction of our power infrastructure on The Smart Grid, and everyone involved is working hard to deal with the issues at hand.

Let us avoid out-of-context statements making their way into the public consciousness, which will inevitably lead to a loss in credibility for those who are working hard to resolve these issues. The public loves to dwell on the negative even more than the media loves to talk about it.

In other words, let's not fuel the naysayers.

1 comment:

Robert Cragie said...

I think in some respects Jesse is right with regard to the fundamental technologies being used to secure the Internet and in financial transactions. The use of TLS, IPSec, PKI etc. have all contributed to a pretty safe transactional environment. There is no doubt that these technologies will also be used in the Smart Grid. However, you are right to point out that in spite of these secure technologies, banking fraud does indeed take place to the extent where banks just set aside a certain amount of money to deal with it. What you have to look at is what is behind banking fraud. It is not the failure of TLS, IPSec or PKI etc., it is the traditional problems of phishing, weak security credentials, skimming, trojans etc. So the important exercise for the Smart Grid is to undertake a diligent and comprehensive threat analysis and defense-in-depth approach. Whilst there may not be the problem of a circuit breaker clicking through to a malicious website, there will be other problems concerned with M2M transmission on such a large scale.