Thursday, June 23, 2011

The Revolutionary War, The Civil War, and Cyber War

I watched a fascinating series on Netflix Streaming a few weeks ago (I love my Apple TV and Netflix Streaming).  The series is called "America: The Story of Us".  There were 2 episodes that I found most fascinating.  One was about the US Revolutionary War, and the other was about the US Civil War.  Both of these episodes caused me to draw parallels to our modern society, and the current state of affairs with respect to cyber security (or perhaps insecurity is more appropriate).

Let me explain.

The US entered the Revolutionary War facing off against the British.  If Vegas oddsmakers had been around back then, it is quite likely that the odds that "The Colonists" (that's the US) would have emerged victorious were something like 1 in 1000.  The British war machine was honed to a razor's edge, and they kicked butt everywhere they went.  They were organized, sharp dressers, and knew how to march like nobody's business.

Back then wars were fought in a somewhat organized manner.  Two enemies faced off in a field somewhere, and fighting ensued.  You saw your enemy before you got a chance to knock him off, or he knocked you off.  The side that had the most troops had a major advantage.  One advantage was the intimidation factor.  The other was sheer numbers.  Everyone kept shooting at each other until one side was badly beaten.  The side with more troops generally ended up with more men standing when the battle was over, and emerged victorious.

The Colonists decided to change things up a bit.  Rather than wait until the British got to where they were going and set up a battle front, the Colonists decided to arm themselves with German style hunting rifles (with rifled barrels), and pick off troops sniper style.  The Colonists hid behind trees, rocks, or wherever they could take cover and simply waited for the nicely organized march of British soldiers to cross their path.  Additionally, The Colonists started targeting the leadership (generals) rather than the lower ranking troops, and began picking them off first.

This OUTRAGED the British.  How dare The Colonists fight in such an "uncivilized" manner?

Civility is an interesting concept.  It is civility that prevents many of us from doing what we would really like to do when someone really ticks us off.  The concept of civility is what the "upper crust" of society counts on to keep things in order.  Once the concept of civility is abandoned, all bets are off, and power tends to shift very quickly.  Generally, those at the top try to remain civil, and those who have abandoned civility end up kicking some serious butt.

What is perhaps most interesting is that those who choose to abandon civility often feel that they are not the ones who have become uncivil.  I am sure that The Colonists did not feel they were being uncivil.  They were fighting an enemy that was oppressing them, as they saw it.  As far as The Colonists were concerned, the oppression was an uncivil act.

So this brings me to the hacktivism we are witnessing lately.  Anonymous and LulzSec have decided that the time has come to take down corporatism and oppressive regimes.  What concerns me the most about this is the fact that we are currently living in a world where economic conditions have led to millions of unemployed people with intimate knowledge of the internal workings of corporate and government organizations being out on the street with an axe to grind.  Loyalty has become a foreign concept to many of these people, and "civility" is in the process of being re-defined.  When Joe Plumber decides that the actions of Anonymous (or Julian Assange, or LulzSec) are better aligned with his interests, things quickly get ugly.

Are we there yet?  I don't believe so.  However, I am very concerned about the current state of "the system", and that brings me to the US Civil War.

Abe Lincoln was a clever man.  He knew how to harness resources and technology.  The North had a vast network of railroads.  It was much bigger than what the South had.  Abe Lincoln decided that it would be a good idea to move troops using railcars rather than making them march, or ride horses.  Moreover, the owners of the railroads struck a deal with The Union, allowing The Union to take over the railways for the war effort.  This, coupled with a massive network of telegraph lines (built along the railways) allowed Lincoln to move resources (people and information) much faster than The Rebels.  It was technological warfare at its finest, and the Union became unbeatable as a result.

Circle back to the "cyber war" we are potentially facing.  The underground hacktivist community is manned by quite a few "geeks" with very good knowledge of the cyber "railways".  Communication also seems to be fairly good.  I am not sure how this compares to the knowledge and communication on the other side, but I am going to assume that "the good guys" are perhaps a bit less motivated to freely share information.

I could be way off on these comparisons, and my assessment of the situation, but maybe I am not.  I think I am at least partially on point here, and that may very well be a cause for great concern moving forward.

Sunday, June 19, 2011

AMI Security 101 Workshop At Smart Grid Security East 2011

The AMI Security 101 Workshop was the most popular workshop at the Smart Grid Security East 2011 Conference held in Knoxville, Tennessee on February 28th.  We videotaped it for the world to enjoy.  We were blessed with some of the best leaders in the AMI security space, and we sincerely hope you enjoy the presentations.

We will hold the AMI Security 201 Workshop at the EnergySec Smart Grid Security Summit West 2011 on October 3rd, 2011.  The AMI Security 201 Workshop will take a more in depth and more technical approach in discussing AMI Security.

Saturday, June 18, 2011

Travis Goodspeed at Smart Grid Security East 2011

I am finally getting around to posting videos of the Smart Grid Security East conference presentations.  Among the most interesting (and undoubtedly the most popular) were the stylistic exploits of Travis Goodspeed.

Travis is a very interesting person.  He is quite young, quite brilliant, and is one of the most polite individuals I have ever met.  Please take a look at these videos, and be thankful that he is well intentioned in his research.

Saturday, June 4, 2011

A Utility CEO Who Is Talking About Security

Wow!  It truly amazes me to hear that the CEO of a large utility is speaking up about the importance of cyber security in the Smart Grid.  Tom Fanning of Southern Company has made the news in the past few days with his declaration that "cyber security issues must be resolved before a so-called smart electricity grid can be fully built" and "Southern Co. hires hackers to identify vulnerabilities" and "the power company gets attacked frequently."

Okay, now let's be fair here.  Southern Company is not the only utility that cares about security, and they are not the only utility that hires hackers to identify vulnerabilities. They are, however, the ONLY utility I am aware of where the CEO has decided to come forward and speak out about their security posture publicly.

Why is this so significant?  Simply put, this is a declaration at the highest level in an organization that security has not been relegated to a lower position.  It is a declaration that "the buck stops here" with respect to security.  You got my respect, Mr. Tom Fanning!

So what else has Southern Company done to back this security stance?  Well, let me tell you.

Southern Company is the FIRST utility I know of in the entire USA to force a vendor to CERTIFY the security of their product through a third party.  Yes, you heard that correctly, they essentially told their AMI vendor (SENSUS) that if they wanted to do business with Southern Company, they had to submit to the Wurldtech Achilles Practices Certification (APC) process.  SENSUS went through this process, and achieved Bronze Level Certification.  The Wurldtech Achilles Practices Certification is a certification program originally designed to certify vendors for the Gas and Oil industry, and the requirements are outlined in a document known as the WIB, which is a set of security evaluation requirements originally initiated in The Netherlands by Wurldtech and Royal Dutch Shell.  Wurldtech worked with Southern Company to scope a set of certification requirements that could be applied to the electric industry, and SENSUS immediately went to work.  The rest is history.

Wurldtech did not stop there, however.  Nate Kube of Wurldtech and Ted Angevaare of Shell Oil worked with standards veterans Dennis Holstein and Tom Phinney, who have submitted the WIB requirements to the International Electrotechnical Commission (IEC) as a proposal known as IEC 62443-2-4.

Upon learning about this, I decided to get involved.  I have been working closely with NIST, OpenSG, and the DHS ICSJWG for the better part of two years in trying to get some baseline security standards in place for the Smart Grid.  When I learned about what Southern Company had done, and that it had led to a proposed international standard, I knew this was significant.  I immediately communicated this information to Marianne Swanson of NIST (who is currently chairing the NIST Smart Grid Interoperability Panel Cyber Security Working Group), and she asked me if I would be willing to take the lead in aligning the IEC requirements with the NIST IR 7628 security requirements.  I agreed to do so, and was immediately joined by several of the most active members of the NIST CSWG in building this task force.  I was also selected as a member of the US Technical Advisory Group for TC65 (the working group for the IEC 62443-2-4 proposed standard).  Since then, I have managed to engage several large AMI vendors, silicon producers, security product vendors, and consultants in the process.  According to Ward Pyles, Security Analyst at Southern Company, and Nate Kube of Wurldtech, several other utilities in the USA and overseas have now become involved in the process.

What is so significant about this is the fact that it took the EXTRAORDINARY leadership of Southern Company to plant a stake in the ground, and demand that their vendors go the extra step towards assuring that a security baseline had been met.  What we all must understand is that the utility is the customer to the Smart Grid product vendor, and the vendor WILL build security into their products if the utility demands it, and forcing a vendor to certify to a third party audit is the only true assurance that a baseline is being met during procurement.  It is still critically important for a utility to perform their own security validation (which Southern Company does), but knowing what the baseline is up front saves the vendor, the utility, and the rate payer (you and me) a lot of time and money.

I hope other utilities follow the lead that Southern Company has established.