Monday, November 8, 2010

Smart Grid Hackenomics

I recently attended (and presented at) the Department of Homeland Security Industrial Control Systems Joint Working Group (DHS ICSJWG) meeting in Seattle, Washington. It was an interesting event, and Stuxnet seemed to be the hot topic everyone was discussing. Most of the sessions were quite good, and many were informative.

When I attend these types of events, I often find the side conversations I have with attendees more interesting than the conference itself. I had the opportunity to chat with people who work at DHS, FBI, NRC...and just about any other three-letter agency seeking to get a handle on cyber security issues. It does my heart good to know that our government is indeed serious about cyber security, and truly seeking knowledge.

The most interesting discussion I had, however, was on the last day. It was during a lunch break with one of the attendees, and we started a discussion on the economics of attacking the Smart Grid. Essentially, we agreed that "hobbyist" attackers and "nation-state" attacks are perhaps not the types of threats that should (or do) cause great levels of concern at the C-level of stakeholder companies. At the highest decision-making level of any organization directly affected by security threats, the only issue that consistently keeps them awake at night is money...or rather the loss of money. In fact, when we talk about security, we must constantly understand that an enterprise's chief (and arguably exclusive) security concern is securing its ability to keep making money (and not lose money).

In other words, if security does not lead to more $$$, expect some rolling eyes. Likewise, if a lack of security leads to a loss of $$$, expect some wide eyes. This is the beginning of my Theory of Hackenomics.

In our discussion, we used the financial industry as an example of an economic model that makes a lot of sense to organized criminal enterprises. In the former Soviet Union, there are criminal organizations that provide tools and support services (for a fee) to criminals who want to make a career out of exploiting security holes in the financial industry. This is a very popular target for criminals because the industry is large, and the direct result of a successful attack is immediate access to cash. So as part of my theory I want to state the following: The quicker an attack leads to cash for the attacker, the greater the likelihood that the attack moves from theory to reality.

This is, however, only part of the theory. The other part has to do with volume. For organized crime to get involved, the volume needs to be big enough to justify the risk. Remember, organized crime is just as concerned with risk as corporations are (some will argue that corporations are the "new" organized crime anyhow). Therefore, a quick path to cash that does not include a large enough volume is not necessarily a win for organized crime.

Another important issue to consider is keeping the attack as "clean" as possible, in order to make collecting and retaining the cash as easy as possible. A good example of this is how financial firms created credit default swaps as a way to hedge high-risk investments. This instrument offered the potential for a large return on the chance that those who took out those crazy loans on overpriced homes (and such) would default. Well, as it turns out, those who purchased credit default swaps against that mortgage debt seem to have done quite well. It was essentially a low-risk method of shorting the entire financial system, and it is perfectly legal under today's laws.

So now this brings me to what became an interesting part of the lunch discussion. I postulated that if a large stakeholder in the Smart Grid ecosystem (in other words, a large publicly traded utility or AMI product vendor) was vulnerable to a major Smart Grid related attack, and an attacker held onto a 0-day vulnerability, he could potentially sell the 0-day for a lot of money to a large criminal enterprise, who could then short the stock of the utility or product vendor, and then publicly announce the vulnerability. Granted, this would require some coordinated effort, but if done correctly, one could make a killing when the stock plummeted on the bad news. The news alone would probably drop the price enough to make a lot of money with a high enough volume. The news immediately followed by an actual attack would probably lead to a very big win for the criminal enterprise.

As we continued to have lunch, we discussed a few more ideas, and I thought of a few more over the last several weeks (I am not going to go into them here), and I came to the conclusion that Smart Grid Hackenomics may indeed be an interesting discipline for criminal organizations to investigate...and they probably already are.

Hopefully, the C-Level people at stakeholder organizations have thought of this as well.
