Wednesday, December 15, 2010

The Smart Grid Security Misinformation Network

It seems that a lot of the news we hear about Smart Grid security seems to focus on how we are all potentially doomed due to the lack of attention being given to Smart Grid security.  Bad news does seem to get a lot of attention, so I can certainly see how this may be a great way to attract readers.  I have a Google Alert set to "Smart Grid Security", and every evening I get an email with the latest headlines.  It seems to come in waves, but I get a lot of links to random postings where the author proclaims that not enough attention is being given to Smart Grid security.

I am not sure what "enough" really means in the eyes of many of these authors, but I will say that there are a lot of people paying very close attention to Smart Grid security.  I personally belong to 2 of 12 NIST Smart Grid Cyber Security Working Groups (http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/WorkingGroupInfo) and these groups generally meet for 1 hour per week.  Members from every corner of the energy and security industries regularly attend these meetings, and the discussions and associated tasks are certainly focused on securing our Smart Grid.  The NIST CSWG is also where the NISTIR 7628 Security Guidelines came from, which was a collaborative effort of over 400 people from the energy, security, legal, regulatory, government, educational, and general technology industries.  Many of these same people are still quite active in the efforts of the NIST Smart Grid Interoperability Panel (SGIP) and NIST CSWG.  Besides the NIST effort, several standards development organizations have become involved in working towards developing standards for securing the smart grid.  

The US Department of Homeland Security has put together a comprehensive Industrial Control Systems Joint Working Group (ICSJWG), which is open to anyone who wants to help (http://www.us-cert.gov/control_systems/icsjwg/index.html).  I am also a member of this group, and recently attended a conference (also open to anyone who wishes to attend) in Seattle Washington.  The speakers were all excellent (okay, I was one of them), and the presentations are all freely available at http://www.us-cert.gov/control_systems/icsjwg/presentations.html .

Under the UCA International Users Group (UCAIUG) there exists the vaunted and very active Open Smart Grid (OpenSG) users group, with several active Smart Grid security groups operating under their umbrella.  Literally hundreds of people (many of the same working with the NIST groups) meet regularly to discuss security, take on tasks, and publish documentation which has been utilized by NIST to help develop their special publications (including NISTIR 7628), and by both utilities and public utility commissions to guide their security efforts and regulatory efforts.

The Federal Energy Regulatory Commission (FERC) has worked with the North American Electric Reliability Corporation (NERC), who have developed critical infrastructure protection requirements (NERC CIPS), which are used by utilities for auditing the security in bulk generation and transmission.  The US Department of Energy (DOE) has granted millions of dollars to organizations who are charged with researching and developing security methods to protect our energy infrastructure.

There are several active Smart Grid and Industrial Control Systems active mailing lists, and several LinkedIN groups focused on Smart Grid security discussions and collaboration.  Several research organizations (most notably Pike Research) have invested enormous efforts on researching and reporting on the topic of Smart Grid security, and the security product and vendor community has come out in force to address the challenges that are constantly being discovered and discussed among Smart Grid security professionals.

Of course, I must take the opportunity to also give myself a shameless plug, since I created the Smart Grid Security Summit (www.smartgridsecuritysummit.com), which took place this past Summer, and this has led to the upcoming Smart Grid Security East conference (www.smartgridsecurityeast.com), where representatives from all the above mentioned organizations (and a lot more) will be presenting on nearly every Smart Grid security topic there is to talk about.  I certainly hope some of you can make it to the event.  It will be worth your time if Smart Grid security information is what you seek.  You can also freely join and attend meetings of the NIST, DHS, and OpenSG groups.  Anyone interested in helping is welcome.

Otherwise, please continue to peruse the fear, uncertainty, and doubt (FUD) driven news headlines.  If nothing else, they are quite entertaining.

Sunday, December 5, 2010

WikiLeaks and Why "Plan B" is now more important than "Plan A"

We all understand the idea of "Plan A" and "Plan B".  Plan A is the plan we put in place that is meant to work as planned.  In security, it is the plan we hope will ensure the CIA (Confidentiality, Integrity, and Availability) triad is in place.  We put a lot of effort into Plan A, and then the more intelligent among us will put some effort into a Plan B.  This is the plan we switch over to in the event Plan A fails.

This is generally the "damage control" mode plan.  This is the plan we all hope we never have to go to, since by this point something very bad has happened.  This could be something like...say perhaps...all of our national secret and top secret information getting leaked on a website.

That can be a really bad thing...

By now we are all probably keenly aware that the masterminds behind the WikiLeaks website have decided that information must all be publicly shared no matter what.  Someone asked me my opinion about this several days ago....if I thought it was a good thing of bad thing...and my response was simple.  I do not have an opinion about it being a good thing or bad thing.  What I do know is that it is something that exists,  and we must now figure out a way to deal with it, because it is NOT going to go away...EVER!  It is like winter in Cleveland...deal with it.

I know this may sound harsh, but that is what we are facing.  We live in an age where information ebbs and flows (and overflows) like water in an ocean.  It comes to us as a gentle and calm breeze, or as a hurricane.  It drifts down like snowflakes, or comes crashing down like an avalanche.

Okay...enough analogies...you get the picture.  The truth is, we simply no longer have the control of information we once thought we had.  The very nature in which we communicate today has created an environment were massively scalable information storms can occur.  In the "good old days" we communicated by sending letters and talking.  Today we communicate by generating data that gets pumped into "The Cloud", and then BLINDLY trust that it will only get to the intended recipients and nobody else.

Isn't that cute...

The Plan A way of dealing with information has been to protect the confidentiality, integrity, and availability of the information for as long as information has been important to us (essentially forever, but perhaps more so today in the information age).  While we have created some absolutely fantastic systems for insuring both the integrity and availability of information over the last several decades, it seems that the very systems we have built have made it increasingly more difficult to insure confidentiality.  Through the application of Moore's Law we have created systems with insane amounts of processing power, and have driven down the cost of these systems to almost nothing (I say almost nothing because you can find computers for free these days...at least in the San Francisco Bay Area), meaning that anyone can get their hands on the tools needed to both obtain and distribute information.  There was a time when getting confidential information meant breaking encryption or applying brute force or dictionary attacks on systems.  While this is still true today, we now live in a world where there are so many people accessing systems throughout the world, we no longer need to break into systems to get a hold of sensitive information.  Today somebody who has authorized access to information either copies it or sends it into the cloud for all to consume.  What makes this so difficult to control is that there are so many who have access to information, and either through direct access or aggregation the information can be assembled into nice little information bombs.

In other words, confidentiality has become nearly impossible to both achieve and manage.

This makes Plan A an incredibly difficult plan to manage, and certainly makes our reliance on Plan A more and more difficult to justify from a due diligence/due care perspective.  We simply live in an age where we MUST assume compromise.  We must accept the fact that, at some point, confidentiality goes out the window.  Time to look at Plan B.

I am not sure what the US Government is doing with respect to Plan B.  I saw an article where the US Government is warning college students to not talk about WikiLeaks...or else.  I see some efforts to shut down the WikiLeaks site, and cut off funding sources.  I imagine these are all some valid steps to take...in an act of desperation.  Okay, maybe it is not desperation, but it certainly seems desperate.  I mean...c'mon...do we really believe this is going to do anything more that irritate a bunch of college students who already do not like our government to begin with, and who are perhaps infinitely more savvy about the information age?

I am fairly certain that Plan B has not been given the level of attention it should have been given.  It is very difficult for people who are intelligent AND arrogant (a bad but common combination) to consider the possibility that their best laid plans may have a fatal flaw.  Consequently, anything more than a cursory level of attention to Plan B is considered an admission that maybe they are not as smart as they think they are.  Perish the thought!

The truth is, Plan B has ALWAYS been more important than Plan A.  By the time you get to point where you need to use Plan B, things have generally gotten very bad.  This is now the time were you must not only figure out how to keep things operational, but also undo the damage that caused Plan A to fail.  This is the "do or die" moment.

We certainly need to continually focus on protecting information.  We do indeed have systems and methods available to us today that can buy us some time in the race between those who need to protect information and those who want to uncover it.  We simply need to understand that at some point the information we so dearly protected is likely to be become publicly available, and use that mentality to weather the information age.  It may take some time, but I am sure we will eventually get to a point where we can deal with this...much like I dealt with 21 years of Cleveland winters.