Wednesday, April 21, 2010

Privacy: A Prescription For Disaster

I have been watching the world of cyber security unfold for the last several years in a manner I would best describe as divergently focused. As a security professional who frequently engages in deep (almost philosophical) discussions with other security professionals (or more appropriately, Security Warriors) I am constantly amused at the frustrations we seem to share about privacy being the biggest driver of security in emerging technological initiatives.

I recently wrote about this on the topic of Smart Grid security, and Gib Sorebo of SAIC followed up on his blog with his opinion. Gib and I have had some long and great discussions about the issue of privacy in a world of security vulnerabilities, and the one area that seems to get us both preaching is the issue of privacy as it relates to health care. Simply put, this is a good time to shift the security discussion to something that really matters, and I am sorry to say that privacy needs to leave the room for a while.

Okay, I am sure the entire world of privacy evangelists is probably going to want to send me that nasty fruitcake (or worse) they have been holding onto for the last 20 years after reading that last statement, but please hear me out before you head over to the post office. Privacy IS important and DOES MATTER to me and probably every security professional in this world. I am a strong supporter of privacy, and consistently do all I can to protect my privacy. I refuse to give my address and phone number to stores that ask for them when I pay with cash, or that ask me for that information for any other reason whatsoever. I refuse to share ANY information with ANY entity that requests it if I deem that entity not to be on a need-to-know list, and have held up lines in stores, banks, and other places (sorry to all of you who stood behind me) defending my rights to my own information. Privacy is indeed very important in the digital world we are now completely enveloped in.

...but it has got to stop being a part of health care security discussions, or we are probably going to end up with a lot of dead people as a result.

In fact, we already are ending up with seriously damaged patients in the age of digital health care. I read an article on The Huffington Post this morning titled "Electronic Medical Record Shift: Signs Of Harm Emerge As Doctors Move From Paper" which pointed out how either bad information or a failure in software has led to patient trauma (heart attacks, seizures). The article did not speak of security issues that led to failures in these systems, yet the failures found in these systems serve to illustrate what I have been talking about for years. If a system is vulnerable to penetration and compromise by an attacker, the attacker can cause a lot more harm than a patient would suffer as a result of a privacy breach.

Let me specifically paint a scenario based upon the Huffington Post article. The first sentence of the article speaks of hospital workers misreading medical dosage information and dispensing 10 times the normal dose of a medication, leading to a patient heart attack. Under HIPAA HITECH, if an attacker were to enter a system and change the medication dosage in a single patient record (perhaps that of a political figure) to purposely cause a heart attack or death, the health care organization would be in violation of a privacy law, but could not be held liable for the death of the patient due to a failure in data integrity. In my opinion (and the opinion of others I have spoken to about this issue), there is something very wrong with this.

The problem becomes even more complicated when you add medical devices to the system. Medical devices have become increasingly "smart" and are now trusted devices on health care networks. Devices perform many functions in health care, and the information some devices are trusted with gathering is often used to make life or death decisions. A device which automates the process of typing blood and then sends the information to a patient record database is one example of a device that falls into this category. If an attacker could spoof such a device he could then populate the database with incorrect information that could kill a patient. Moreover, some medical devices have firmware that can be updated (in some cases over a network connection), which opens up the possibility of rogue firmware being purposely introduced to cause havoc.
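The two scenarios above (a dosage silently altered in a record, and a device being impersonated on the network) are both integrity and authenticity failures rather than confidentiality failures, and the control that addresses them is different from the access restrictions privacy rules focus on. The following is an added example, not code from the original post or from any hospital or device vendor, of what such a control looks like: each device submits records with an HMAC-SHA256 tag under a key only that device and the record store share, the store recomputes the tag before accepting or serving a record, and a dose plausibility bound catches a tenfold overdose even when the tag is valid. The device id, drug name, key and dose limit are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo key for one device. A real deployment provisions one key per
# device from a hardware-backed store; a constant in source is for the demo only.
DEVICE_KEYS = {"blood-typer-01": b"constructed-demo-key-do-not-use"}

# Constructed plausibility bound (mg per dose) for a hypothetical drug name.
MAX_DOSE_MG = {"demo-drug-a": 50.0}


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so the tag covers every field,
    independent of key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(device_id: str, record: dict) -> dict:
    """Device side: attach an HMAC-SHA256 tag keyed to this device."""
    key = DEVICE_KEYS[device_id]
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "record": record, "tag": tag}


def verify_submission(submission: dict) -> tuple:
    """Record-store side. Rejects submissions from unknown devices, records
    whose tag does not match (modified in transit or at rest, or produced by a
    sender without the device key), and doses outside the plausibility bound.
    Returns (accepted, reason)."""
    device_id = submission.get("device_id")
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False, "unknown device"
    expected = hmac.new(key, canonical(submission["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, submission.get("tag", "")):
        return False, "integrity tag mismatch"
    rec = submission["record"]
    limit = MAX_DOSE_MG.get(rec.get("medication"))
    if limit is not None and rec.get("dose_mg", 0) > limit:
        return False, f"dose {rec['dose_mg']} mg exceeds limit {limit} mg"
    return True, "ok"


def demo() -> dict:
    """Run the four cases a record store has to distinguish (constructed data)."""
    original = {"patient_id": "P-0001", "medication": "demo-drug-a",
                "dose_mg": 5.0, "blood_type": "O+"}
    sub = sign_record("blood-typer-01", original)
    results = {"genuine": verify_submission(sub)}

    # Dose changed tenfold after signing; the stored tag no longer matches.
    tampered = json.loads(json.dumps(sub))
    tampered["record"]["dose_mg"] = 50.0
    results["tampered_dose"] = verify_submission(tampered)

    # Submission claiming to be the device but tagged without its key.
    forged_record = dict(original, blood_type="AB-")
    forged_tag = hmac.new(b"wrong-key", canonical(forged_record), hashlib.sha256).hexdigest()
    results["spoofed_device"] = verify_submission(
        {"device_id": "blood-typer-01", "record": forged_record, "tag": forged_tag})

    # Correctly signed but implausible dose; caught by the range check.
    results["implausible_dose"] = verify_submission(
        sign_record("blood-typer-01", dict(original, dose_mg=500.0)))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} accepted={ok!s:5} {reason}")
```

The same verify-before-trust step applies to the firmware case in the paragraph above, with a public-key signature over the image in place of the shared HMAC key, so that a device will not load an update its vendor did not sign. Note that the tag only protects the record if the key is not stored in the same database as the records; a copy of the store that includes the key can be rewritten consistently.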

I bring this up because the cost of failure due to a privacy breach simply pales in comparison to the potential cost of failure due to a failure to deliver correct information to the system. One leads to embarrassment and potential financial headaches, the other leads to death. Why is this distinction important? Well, beyond the obvious reasons, it is important because in a world where risks are mitigated based on costs of failure from a LEGAL perspective (i.e. a finable offense), the actual cost of failure due to a privacy breach is infinitesimally small compared to somebody dying. A good lawyer can potentially get a $1.5 million fine (the maximum fine for a single instance under HITECH) reduced considerably if he or she can convince a judge or jury that the punishment does not really fit the crime.

It happens all the time, in fact, in other industries. At one time I worked for a company that dealt in motor oil and faced millions of dollars in fines from the EPA for statutory violations, but the fine was reduced to a few thousand dollars because the violation simply did not lead to anyone being harmed. The potential for harm was very high (as is true with medical record breaches), but if nobody is actually harmed then a slap on the wrist is a common punishment (especially if you have a good lawyer). Sure, it may cost you in legal fees, but if you already have a staff of lawyers anyway it is not so hard to stomach.

HITECH is a good step in the right direction for better security, but it still completely fails to address the bigger issues. As we continue to build out our "internet of health care" and interconnect data sources at a national (and eventually global) level, the security risks grow at a nearly exponential rate. This is because larger systems attract more attackers, simply because attacking them has a bigger impact. We should not wait for theoretical dangers to manifest themselves before we address these issues. Security vulnerabilities of large infrastructures are well known enough today that a failure to proactively address them is simply nothing more than negligence, and the health care industry should act more responsibly.

They know better.

Sunday, April 18, 2010

The Grid Reliability and Infrastructure Defense Act- Better Late Than Never

As I have discussed many times in the past, security is primarily driven by compliance.

Wait...let me back up for a moment.

While many organizations (and particularly those who are involved in The Smart Grid) are indeed elevating security on the priority scale of "things we gotta do", we can be certain that any organization that has felt the pain of an attack will do more to secure their deployments than one who has not had the displeasure of being "owned" by an attacker. While some may argue that this is not the best way to get security into a system, I will argue that it is indeed the most effective driver of security. It is human nature to react to known dangers rather than proactively defend ourselves against them. Moreover, we tend to proactively secure ourselves only if the known threats are directly experienced. Simply knowing someone who has been mugged in "the city" is not enough to get most people to become exceedingly aware of their surroundings, after all.

So with the Smart Grid we are in a situation where vulnerabilities have been discovered, and many more have been theorized. While nearly everyone who is involved in Smart Grid is indeed paying attention to security, turning that into "action items" remains a bit nebulous. Utilities that are actively deploying AMI (such as PG&E and SCE) are indeed focusing what I believe are tremendous (and competent) resources on Smart Grid security, and others are paying close attention (as I have gathered from various Smart Grid groups I am involved in). Vendors have created cyber-security-specific positions and departments. Security consultants are now specializing in smart grid security consulting. The US Government has several groups addressing the issues (FERC, NERC, NIST, DHS, DoD) in various capacities, and the list goes on and on.

The reason I say this is all a bit nebulous is because so far we have been lacking an authoritative mandate for Smart Grid security. Sure, NERC has been working on compliance and auditing standards (NERC-CIP 002-009), but neither NERC nor any other entity has the CLEAR authority to "lay down the law" as far as Smart Grid security is concerned. Each individual state has the power to halt Smart Grid deployments (I would surmise) for any reason whatsoever, but at a national level it is still very laissez-faire. The unfortunate consequence of this is that states (such as California) have adopted a bit of a "hurry up and wait" mentality about security (despite the fact that California doing this with voting machines was an epic disaster). This is never a good thing, because if (and when) security issues manifest themselves, the typical response is to halt progress until a resolution is reached (again, such as happened with voting machines). This is, to say the least, very irresponsible, because as far as the Smart Grid is concerned we NEED to have it deployed NOW in order to deal with the ever increasing demand for electricity. Consider electric cars, for example. Exactly how do we expect to manage load if California has millions of electric cars plugged in and charging on a hot summer day? Our current system can barely manage the load with no electric cars on the road; days of high peak air conditioning usage already lead to power outages. We NEED the Smart Grid.

I was happy to see an article on that spoke of the House passing the Grid Reliability and Infrastructure Defense Act (GRID) which seeks to up the ante on FERC to take control of security issues affecting the Smart Grid. I am not generally fond of Congress passing laws that serve to penalize those who do not comply, as this generally leads to more consternation and less solution (in my opinion). So I was happy to see a section of this bill which seems to instead focus on providing resources to entities that are deploying the Smart Grid. From the bill:

COST RECOVERY.—If the Commission determines that owners, operators, or users of the bulk-power system or of defense critical electric infrastructure have incurred substantial costs to comply with an order under this subsection and that such costs were prudently incurred and cannot reasonably be recovered through regulated rates or market prices for the electric energy or services sold by such owners, operators, or users, the Commission shall, after notice and an opportunity for comment, establish a mechanism that permits such owners, operators, or users to recover such costs.

Now I know this is not very specific, but it does seem to address perhaps the biggest concern businesses involved in Smart Grid deployment may have in addressing security - COST $$$$.

It is not a law yet, and it may indeed go through some changes (perhaps not for the better) as it makes its way towards becoming a law, but I have high hopes.

...and hope springs eternal.

Saturday, April 10, 2010

The Need For A Security Paradigm Shift

I remember years ago, when Stephen Covey's bestseller The Seven Habits Of Highly Effective People was making its rounds throughout the business world, the introduction of the word "paradigm" into my vocabulary. I was working in a resort way back then and our director of operations used to love walking around and tossing the term out like Rockefeller gave away dimes to the poor. He was a great operations director, and certainly was not deserving of the gentle ribbing he took for the liberal use of a term that nobody in my world seemed to want to care about. Frankly, most of us cared more about changes in our scheduled shifts than we cared about "paradigm shifts".

Still, I did indeed listen intently to what he had to say. I liked him a lot, and he liked me. He convinced me to read Covey's book, and I gained a better understanding of several concepts, most importantly the concept of the paradigm shift.

To summarize my understanding of it in as few words as possible is perhaps something I am incapable of, so I defer to a definition I found while perusing the venerable Wikipedia. Here is the section I found best describes it:

the historian of science Thomas Kuhn gave paradigm its contemporary meaning when he adopted the word to refer to the set of practices that define a scientific discipline at any particular period of time. Kuhn himself came to prefer the terms exemplar and normal science, which have more precise philosophical meanings. However, in his book The Structure of Scientific Revolutions Kuhn defines a scientific paradigm as:

  • what is to be observed and scrutinized
  • the kind of questions that are supposed to be asked and probed for answers in relation to this subject
  • how these questions are to be structured
  • how the results of scientific investigations should be interpreted

The bullet points capture the essence of what I believe is absolutely critical as we continue to discuss the topic of securing the smart grid.

Anyone who knows me knows that I am generally a very positive person, and generally give most people the benefit of the doubt. However, you also know that I tend to not suffer foolishness lightly. I call things like I see them, and although I am sometimes way off base, I am on target often enough to cause those I target (using my Socratic methods) to feel a bit uncomfortable. To those of you whom I have made uncomfortable, my apologies for making you feel uncomfortable. My intention is not to get you to dislike me. My intention is to get you to see things differently, or to get you to shift your paradigm.

What led me to this blog posting was an article I read titled Securing The Smart Grid by Elinor Mills. This article is a combination of what I believe is sound information layered with generous doses of conjecture. I am not going to get into what I believe is conjecture at this point, since that will indeed take more time than I have this morning. What I did find worthy of calling out, however, was a quote made by Jesse Berst of Smart Grid News:

Jesse Berst, managing director of the Global Smart Energy consultancy and founder of Smart Grid News, said he didn't see any reason why the energy industry wouldn't be able to secure the infrastructure as it modernizes.

"The physical security concerns me more than the cyber security because we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet) and I think we can solve it to that same degree of safety for this one," Berst said.

Now let me preface this by saying that I believe Jesse's contributions to the entire world of Smart Grid are indeed beyond admirable. I read Smart Grid News on a daily basis, and find it to be a wealth of information. I will also be the first to admit that he is light years ahead of me (and perhaps a lot of people) in his understanding of The Smart Grid.

...however, his statement "...we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet) and I think we can solve it to that same degree of safety for this one," truly left my mouth hanging open.

Are you kidding me?

Okay, maybe CNet took that out of context. God knows the media seems to do that with more frequency than we would like to see. So I will indeed work with the assumption that this may be the case, and dissect this statement as one that may indeed be put forth by someone who may not be aware of how a security professional (such as myself) might view it.

Let's start with the first part of the statement "...we've solved the cyber (security issues) for other big consequential infrastructures (like financial and Internet)".

I am not entirely sure where to start with this one. Let's just take financial to begin with, and describe how we have "solved" those issues. Despite having "solved" the cyber security issues with respect to the financial world, the financial industry still loses billions per year due to cyber attacks, and then passes these losses on to the consumer. One "solution" the financial industry put forth several years ago was PCI Compliance, which simply shifts losses to merchants, who then are forced to raise prices to cover the losses. Another "solution" is to jack up credit card fees and interest rates ("risk management" as they like to call it) to cover the losses that the financial industry cannot pass on to the merchants. Sadly, there is no way any consumer can avoid falling into this abyss. If I do not want to use credit cards I am hampered by having to write checks or use cash for anything and everything. I also must live with the cost of failure that cyber crimes impose on my merchants through higher prices.

Such is life. Do I get by despite this mess? Certainly! Is the problem "solved"? Nope! In fact, I am not sure it can ever be solved. What I am sure of is that we seem to be able to live with this particular cost of failure in cyber security, and that may indeed be good enough (for now).

It is the second part of the statement "I think we can solve it to that same degree of safety for this one", however, that got me to bolt out of bed and start writing. Here is where the entire world of Smart Grid security "apologists" need to go through the mother of all paradigm shifts. Solving the security issues to "the same degree of safety" where The Smart Grid is concerned does not quite seem to cut it, now does it? Let me explain.

Let's consider the cost of failure.

While hyperbole abounds in the world of cyber insecurity, we now also live in a world where some of the inherent weaknesses in the Smart Grid security arena have made the transition from theoretical to proof of concept. Perhaps the most famous of these is the infamous Aurora Attack seen on 60 Minutes (that was when my phone started ringing). What that showed us was that the cost of failure in security could lead to power being shut down in some areas for months. Now I know that some of you are going to want to attack this by telling me that we can simply redirect power from elsewhere, and that is indeed true, but what you would probably leave out of that statement is the fact that redirecting power during the middle of a blistering summer heat wave is next to impossible, and I am quite sure that a malicious attacker (not just a script kiddie) is keenly aware of that.

...and there is more. A lot more in fact. Utilities are keenly aware of the issues, and so is our government, and they do indeed care A LOT about security. Way more than the media is willing to give them credit for. In fact, I have never seen an industry embrace the importance of security with such fervor as the power industry has in the last year. In California both PG&E and SCE have invested considerable resources in dealing with these issues. One member of the cyber security team at PG&E sent me a message at 10:50 PM several nights ago in response to a question I had (regarding a conference I am planning). I was surprised that he replied so late and he informed me he was still at work! When I asked him why, he told me that he (and others on his team) often work late. When I see this level of dedication from security professionals I do indeed feel quite comfortable about the work being done towards securing our grid, and so should others (in my opinion).

Nonetheless, there is a dire need for a paradigm shift in the discussions surrounding Smart Grid security. We cannot use examples where the cost of failure truly pales in comparison to the cost of failure when we have no electricity. Imagine, if you will, a scenario where someone hacks your bank account and takes all of your money. You contact that bank and it can take several weeks to get your money back. I know this to be true because I know someone who went through such a nightmare. Nonetheless, she did not go hungry or die. She had food in her house, and credit cards, and family and friends. It really amounted to a nasty inconvenience, and she got all of her money back eventually. The "degree of safety" built into the system was indeed more than adequate to deal with this situation, but nobody who has their nose to the grindstone in the world of Smart Grid security would consider this to be a valid presumption of having the situation under control. We are fortunate enough to have only a small (yet significant) fraction of our power infrastructure on The Smart Grid, and everyone involved is working hard to deal with the issues at hand.

Let us avoid out of context statements making their way into the public consciousness, which will inevitably lead to a loss in credibility for those who are working hard to resolve these issues. The public loves to dwell on the negative even more than the media loves to talk about it.

In other words, let's not fuel the naysayers.

Thursday, April 8, 2010

Bravo PG&E! The Proactive Approach Always Wins

I am once again making my way through comments to the CPUC, and was extremely pleased to find a comment made by PG&E:

A number of consumer groups have provided specific recommendations regarding customer privacy goals and standards in this proceeding, including the Center for Democracy and Technology, Electronic Frontier Foundation, Consumer Federation of California, TURN and the Division of Ratepayer Advocates. These recommendations generally urge the Commission to move cautiously and very carefully in updating or revising its existing rules on customer privacy, particularly third-party access to customer data. In addition, the consumer privacy advocates point out that there are certain sources of national “best practices” for protecting consumer privacy in all industries that the Commission should consider and endorse, such as the “Fair Information Practices Principles” developed over the years and cited by various federal agencies, such as the Department of Homeland Security.

As PG&E pointed out in its opening comments, we adhere to existing, strict and precise Commission and statutory rules and standards providing for protection of customer privacy, and do not see the need to dilute or reduce those protections. However, after reviewing the comments and presentations by consumer privacy advocates, PG&E agrees that it is timely in this proceeding for the Commission and all parties to “benchmark” the existing customer privacy protections in the Public Utilities Code and utility tariffs against the national consumer privacy standards and goals applicable to other industries and consumer services. This is particularly important to the extent that the Commission will need to establish and be able to enforce these privacy protections and cyber-security protocols against third-parties who may be granted access by customers to sensitive or confidential personal information. For this purpose, we agree that the Commission and interested parties should start with review of the “Fair Information Practices Principles” and other national consumer privacy laws and guidelines, and evaluate whether enhancements or improvements in current Commission and utility practices should be considered in light of those national guidelines. PG&E recommends that this “benchmarking” effort be an integral element of the utilities’ SB 17 deployment plans.

My take on this is that PG&E is indeed committed to not only dealing with security issues head on, but is also sensitive to the concerns voiced by the various agencies. Moreover, they are willing to voice their commitment directly to the CPUC and essentially tell the CPUC that the ball is in its court.

I look forward to other key players in Smart Grid coming forward with this level of commitment! PG&E has been a leader in Smart Grid since day one, and leadership is what drives excellence.

I anxiously await the CPUC's decision on this.