<div class="separator" style="clear: both; text-align: left;"><b>GraniteKey</b></div>
<div class="separator" style="clear: both; text-align: left;"><b>The Cumulative Effect of Victory in Cyberwarfare</b> (2015-06-20)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpf_8yOhzAop6gurQ6yZnvh8eqfb_tH3mqW4jC50G6C_GUnY6C6et4K9LKNveYt52U28JpnBb99l8MS5_GVN6pr6GZSX1WsntjZofxB9QTkkjAE0ezKtx0h13ziSeZ071aD9EUbl6IwWQ/s1600/201027fbd001.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpf_8yOhzAop6gurQ6yZnvh8eqfb_tH3mqW4jC50G6C_GUnY6C6et4K9LKNveYt52U28JpnBb99l8MS5_GVN6pr6GZSX1WsntjZofxB9QTkkjAE0ezKtx0h13ziSeZ071aD9EUbl6IwWQ/s320/201027fbd001.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have to first start by stating that cyberwarfare is one of those terms that tends to evoke mixed emotions from those who see or hear the word. There are those who roll their eyes and accuse anyone who mentions it of fear-mongering, insanity, and everything short of bad breath and body odor (and perhaps there are some accused of those as well). Others pause and listen, and still others (and a growing number at that) shake their heads and say "Yup, it is real."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The recent exposure of the hack of the US OPM records serves as a clear indication to some (if not most) that, whatever you want to call it, there exists at least one person or organization out there brazen enough to take a shot at our Federal Government and walk out with whatever he, she, or they deem interesting (in this case many millions of Federal employee sensitive records). This was announced while the US was still reeling from the IRS records hack announced a few weeks earlier, which was announced a few weeks after we learned of a cyber attack on the White House, and, as many of my cybersecurity oriented colleagues like to point out to me, there are a few more peppered in between.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can call this whatever you want, but I am going to go with Cyberwarfare.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So what concerns me about warfare in general is that if you are not on the side of the victorious party, you are indeed a victim, and are forced to react in a situation where the victor has gained enough intelligence and purchase to send you reeling into a temporary abyss of confusion. A determined warrior uses this moment to mount his next attack, provided he feels confident enough in his abilities to succeed. A good way to come to this determination is to start with smaller attacks, and determine how successful they are over time. A really clever way to prevail in the next battle is to ease up a bit, hoping that the target lets their guard down, and then come in for the next big kill. If that proves successful, it is a good time to turn up the heat and take full control.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That, dear reader, is what I fear we are now facing in the US, and perhaps the rest of the free world. I have been working in security research for many years now, and I do not see anything that resembles progress commensurate with the mounting threats. I have had the pleasure of spending many days visiting multiple factions of our Federal government tasked with addressing cybersecurity (as in, the term is in their job title) who are completely dumbfounded when I show them vulnerability data (not theory, actual data) about products they are using in government facilities. I am rather stunned to discover that the vast majority of our nation's cybersecurity government task force is unaware of the fact that we have a <a href="https://nvd.nist.gov/" target="_blank"><b>National Vulnerability Database</b></a> that contains over 70,000 entries as of 2015, and had to change the numbering system from the 4 digit format in 2013 to allow for more than 9,999 entries per year.</div>
<br />
Moreover, when I point out to government officials that these known vulnerabilities are not only accumulating in the products they use in their networks at an alarming rate, but are also being delivered in the software they are receiving that accompanies the brand new shrink-wrapped systems they are currently deploying, their mouths hang open in disbelief. When I explain that the current system we have in place simply does not require any product manufacturer to assume any liability for security issues in the products they market EVEN IF THEY KNOWINGLY MARKET THEM WITH KNOWN VULNERABILITIES, they simply do not believe me, until I ask the room full of lawyers I am addressing if they can cite a single case where a networking equipment or software manufacturer has ever been held liable for a cyber attack that occurred due to an unpatched cyber vulnerability.<br />
<br />
This, dear reader, is the basics. Cyber researchers know this. After decades of attempting to address these issues, we still live in a world where our government lacks basic awareness at the highest levels, and is still convinced that software companies are going to voluntarily agree to pick up the slack just because an executive order tells them to "pretty please" do so.<br />
<br />
In the meantime, the attacks continue to come in, and the victories are becoming bigger, and more frequent. The victim is steadily becoming demoralized, and the victor has all the tools he needs to keep bringing home the wins. Moreover, he is far more aware of the vulnerability landscape than the victim is, and the victim remains apathetically confident that volunteerism and collaboration will somehow prevail.<br />
<br />
Let me know how that works out.<br />
<br />
<br />Mike Ahmadi<br />
<br />
<div class="separator" style="clear: both; text-align: left;"><b>Layoffs at eBay - The Indirect Economic Impact of Heartbleed and Other Cybersecurity Issues</b> (2015-01-21)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-jFVsZ8kMJpN12cna6AOvVjdmAl92IuJ1n7Url326Rl2wiwOFtw6Q-HfRNA1jbzZdA-QziSR28ik_NFFbTuKpOZ0K2OxP_8RDrrqjMLjRaRsVcdFKMG0Jxft4l0Bucf9AeZCOObnnbg8/s1600/Heartbleed+Ebay.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-jFVsZ8kMJpN12cna6AOvVjdmAl92IuJ1n7Url326Rl2wiwOFtw6Q-HfRNA1jbzZdA-QziSR28ik_NFFbTuKpOZ0K2OxP_8RDrrqjMLjRaRsVcdFKMG0Jxft4l0Bucf9AeZCOObnnbg8/s1600/Heartbleed+Ebay.png" height="320" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b><span style="font-size: x-large;">???</span></b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It sometimes takes a lot longer than it should for society to fully grasp the impact of cybersecurity issues on real human lives, and just how far it extends. In fact, nobody can claim to know just how serious cybersecurity issues can be from the standpoint of a societal impact, but once it hits home, we pause for a moment and say "Wow! I get it."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Soon after we discovered the Heartbleed bug, I got a few requests (perhaps demands) from websites I frequent to change my password, and one of them was eBay, who, while they claimed they were not affected by Heartbleed, suffered a major breach of their password database due to attackers gaining access to employee login credentials.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
It is perhaps only coincidental that this happened so close to the Heartbleed discovery, but what got me thinking about this, and a potential connection, was the breach of Community Health Systems 6 months after our discovery of Heartbleed, where millions of patient records were stolen. According to a story that came out later, the breach was caused by an attacker who decrypted some traffic on an affected OpenSSL connection with an unpatched router, and then used discovered passwords and login information to access other systems.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Again, the eBay situation may be a coincidence, but keep in mind that attackers are very clever, and it does not take an enormous amount of effort to find out who works at eBay, then simply cyberstalk the person who may very well use login credentials on other sites, which may indeed be affected by Heartbleed, to access systems at eBay. We all know that, while we have all (hopefully) gotten better at choosing longer passwords with numbers, letters, symbols, and such, we still end up reusing passwords on multiple systems. That is why password-based attacks are so scalable. You break it once, and you break it just about everywhere.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Yes, this is all theory, but certainly a reasonable hypothesis. Regardless of the verity of this, however, <b><a href="http://www.mercurynews.com/business/ci_27365139/biz-break-ebay-lay-off-2-400-could" target="_blank">eBay has announced that they will lay off 2,400 employees</a></b> (7 percent of its global workforce), and, in part (quoting the CEO, John Donahoe) "<b>The core auction site eBay runs has not recovered from the negative effects of asking all users to reset their passwords last May...eBay's loyal customers are back, but our more occasional customers have not returned, Donahoe admitted</b>."</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
That really sucks big time for eBay, and the employees. Granted, they will find new jobs in a bustling technological economy, but what is striking is that a company that is quite well established is clearly affected...as in losing significant numbers of customers affected...by cybersecurity issues. Ultimately, a growing concerned citizenry, many of whom are just beginning to emerge from under the covers because the big bad boogie man they have feared in an Internet fraught with cybersecurity challenges has caused them to panic at the mere mention of stolen financial information, are now reconsidering their emergence from the cozy comfort of their Luddite-yet-secure existence.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I am reminded of some discussions I have had with friends who have worked in airline safety for many years, who spoke of the value of the FAA forcing safety requirements down aircraft manufacturers' throats so early on in the growth of air travel. In the earliest days, soon after the Wright Brothers' fateful first flight at Kitty Hawk, people emerged from all sorts of places with crazy ideas of how airplanes should be built...and died trying to convince the world of their ill-conceived airborne deathtraps. If the aircraft industry had not been reined in and forced to build safe and effective air machines, it is not likely that air travel would have become a reality. The same can be said for the nuclear industry, automotive industry, pharmaceutical industry...and many more. Safe and effective was (and is) the key to growth and adoption.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We are now at a very significant crossroad in the information age. We now rely on it for our everyday existence, and the emergence of rich applications and experiences as the Internet of Things continues to grow means that we will continue to see lots of growth...but it also means that we will have lots of choices when it comes to what we choose to include in our technologically dependent lives...and competition is good...no doubt. What the eBay layoff is now telling me (us) is that, despite being a longtime player in the world of online commerce, users will indeed drop you like a hot potato if they perceive cybersecurity risks being too high...and there are indeed plenty of choices out there...and perhaps those choices that do not have cybersecurity issues associated with them may be more enticing.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The bottom line is this: businesses cannot afford the risk of not being secure anymore. It's time to take this a lot more seriously, and perhaps it will ultimately take regulatory and legislative pressure to force businesses to get in line...and especially if it starts affecting economic matters. That is ultimately what had to happen for the airline, nuclear, automotive, pharmaceutical, and several other industries. While many try to argue that regulation stifles growth, I really have not seen any empirical evidence supporting that claim, and all of the industries I mentioned have managed to not only grow, but grow very quickly and make lots of money doing so.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I am sorry about the layoffs at eBay. Perhaps this may be the first of many hard economic lessons regarding cybersecurity.</div>
<br />Mike Ahmadi<br />
<br />
<div class="separator" style="clear: both; text-align: left;"><b>Heartbleed, Pneumonia, NyQuil, and Healthcare</b> (2014-04-24)</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWEq5HolTw9S0l_n3K4VKxYvL0Lu4FjLb8e3OKbS-NtV2NJ2kc2r0a5ynEoAV0CqWPiEDrWrJG3jcKymmejcSHGr-ZxjHCZmhwWWKATjRPPq3uF_L27vRsu85_e8p8GxxOSgzc28eZVkU/s1600/heartbleed-logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWEq5HolTw9S0l_n3K4VKxYvL0Lu4FjLb8e3OKbS-NtV2NJ2kc2r0a5ynEoAV0CqWPiEDrWrJG3jcKymmejcSHGr-ZxjHCZmhwWWKATjRPPq3uF_L27vRsu85_e8p8GxxOSgzc28eZVkU/s1600/heartbleed-logo.png" height="320" width="264" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
It has been a while since I wrote a blog post. This past Tuesday, April 22nd, I celebrated my first year with <a href="http://www.codenomicon.com/"><b>Codenomicon</b></a>. Yes, that same company that named the Heartbleed bug, created the <a href="http://heartbleed.com/">Heartbleed.com website</a>, and created the snazzy logo that we all recognize as the first logo ever created for a computer bug. It has certainly been an interesting year, to say the least.<br />
<br />
I was brought into Codenomicon for a few reasons, and carefully considered their offer before joining. The biggest draw for me was their new focus on health care and control systems testing. One thing I immediately took note of was the vast applicability of their testing tools in the emerging medical device security space. After spending some time getting to know some of the team (mostly headquartered in Finland, but with a very significant US presence) I quickly came to the conclusion that these were some very brilliant people doing some very interesting work. I had no idea to what extent they would continue to hold my interest at the time, but I have to say that one year later they still continue to amaze me.<br />
<br />
Not long after I joined, the FDA decided to purchase our Defensics fuzz testing tools as the first tool in their planned cybersecurity testing lab. This was great news for us, as it immediately caught the attention of the medical device and hospital communities. At the time we were a relatively unknown niche player (and in fact, still are to most) that was suddenly on their radar screen. This created a lot of opportunity for us to show off what our testing tools can do, and got us into the doors of several major health care organizations, including both hospitals and device manufacturers. They all wanted to see what we could do, and we happily demonstrated how our tools could render their devices non-functional. Some like to say we broke the devices with our tools, but we really broke nothing. The devices (or more specifically the code running on the devices) were already broken. Our tools simply found where it was broken. We literally discovered zero-day vulnerabilities right in front of the prospective customer, and I have to say it was often quite quick and easy to do. We saw quite a number of concerned looks.<br />
<br />
It has been a busy year...as I said. First one medical device customer bought our tools, then another, then another, then another...and it kept going like that...and is still growing almost as fast as we can keep up with it. I spent a lot of time on the road speaking at medical device events on the topic of security, contributed to articles, book chapters, and the list goes on. I did a lot of traveling in the last year, and I must say that despite being very interesting, it was quite exhausting.<br />
<br />
This past March (and going into April) ended up being a crazy month of travel for me. Between March 1st and April 9th I was on the road around 30 days. It was really exhausting most of the time, including several transcontinental flights, and one trip to the Czech Republic (which, by the way, is really beautiful). All of it was business travel, except for one trip back home to Cleveland towards the end of March to deal with a family matter.<br />
<br />
Ahhh yes, Cleveland Ohio. The semi-frozen tundra I call "home". I spent 21 years there growing up, then lived in Florida for 13 years, then went back to Cleveland for 1 winter, before deciding to move to Northern California. I felt I made a wise choice...at least the moving out of Cleveland part.<br />
<br />
Don't get me wrong! I enjoyed my years in Cleveland, despite hating winter after about the age of 7. My family lives there, as well as my friends, and the wonderful Case Western Reserve University, where I attended college. Despite living in the hugely Asian populated San Francisco Bay Area my favorite Chinese restaurant is still in Cleveland. My all time favorite Kosher Half-Sour deli pickles can only be found at the famous Corky and Lenny's deli in Woodmere, and I make sure to stock up on the rare occasions I go home for a visit. I like to hang out at my favorite cigar store in Mayfield Ohio, where the 80+ year old owner (who I have known for over 25 years) still sits around with a bunch of old Italian-American curmudgeons, puffing on cigars and yelling at whatever talking head shows up on the widescreen TV, while he asks us if we would like an espresso to go with our favorite smoke. Heck! It IS home.<br />
<br />
Yet after all that business travel, I found myself going back for personal reasons. Not fun personal reasons either. It was a family death, and I was tired, a bit stressed, and it happened to be snowing when I landed. Yes, it was snowing in Cleveland at the end of March. That happens a lot. In fact, I can remember many 80 degree days in early spring that were followed a few days later with blizzards. The last one I remember was in the year 2000, about 3 weeks before I decided to move to California. It was a sort of confirmation that I had made a wise decision...or so that is how I took it.<br />
<br />
The snow was only a day long, and I was in Cleveland for only 5 days, but managed to catch a nasty chest cold while I was there. It was on the last day I was there, so I flew back home and spent the next several days downing some shots of Nyquil and sleeping. A few days later I felt much better, and was thankful because I had an upcoming trip to Boston (yet another transcontinental flight) and did not want to travel sick. All seemed well until the weekend came, and my nasty cough came back. It continued to build up over the next few days, and I found myself flying to Boston feeling very under the weather. It was while I was on the plane that I got the first message from our R&D team about Heartbleed. We were not calling it Heartbleed then, mind you. It was just an email saying our team had discovered this bug in OpenSSL while testing a new feature in our Defensics testing tools (the feature is called SafeGuard), and we were going to change all of our certificates, and we all would have to change our passwords, and to NOT change anything until they said to do so, because it would do no good until the bug was fixed. They also told us that the bug had been reported to Finland's national CERT, which is not something I can recall having seen before in the year I had been there.<br />
<br />
Now please understand I work for a security company that literally spends all of their time finding bugs (well, almost all of their time, they also like to sit around and sweat in saunas in Finland, as I understand). We find literally THOUSANDS of bugs every year as a matter of course. So when I get an email from our company telling us of a bug that affects us, it means something more than normal daily news from the trenches. I figured this must be serious, but had no idea how serious it really was.<br />
<br />
A few hours later I got another message telling me of a website we had launched for the bug we had now dubbed Heartbleed, and was also shown the bleeding heart logo. The message announced that we were hosting this site to inform the public, since OpenSSL had gone public due to a report they had received from someone at Google. I was semi-lightheaded at the time, since my own personal bug was taking hold, so I was more than a bit confused by all of this. I dozed off with visions of bleeding hearts dancing in my head.<br />
<br />
Once I landed in Boston I had lots to do in preparation for a big meeting the next morning. I got some dinner and went to bed, at this point feeling quite nasty from the cough. I got up the next morning and took some daytime cold medicine (Dayquil as I recall) and had some breakfast. I managed to get through a day of meetings without passing out, but by the time it was all over I was feeling some chills, and knew I had a fever. This was not good. Thankfully, one of my work colleagues had some Nyquil. I took some of it back to my hotel room and also got some other cold medicine. I had a nasty cough and it was not getting any better. I got a bowl of clam chowder for dinner (after all, I was in Boston), and then decided to do a little reading and go to bed.<br />
<br />
Well, as I perused the news I started to notice all this talk of Heartbleed. It was right there front and center on every computer website, news site...it was everywhere. Again, I was partially delirious from the chest cold, but I started reading the news, our internal messages, and our newly minted website. I quickly realized that this was a lot more serious than I first imagined. Moreover, I noticed our company name showing up everywhere. Things were definitely NOT like they had been before. As I continued to read I began realizing that Heartbleed affected everything that had the affected version of OpenSSL/TLS on it, and that was a LOT of systems and devices. I read about patches being available, and other ways to mitigate, but also realized that it would be a long time before every device that is affected was fixed.<br />
<br />
I took the Nyquil and other cold medicine, and was still dealing with the nasty cough, which was making it impossible to get to sleep. Back home I remember I had some great codeine-based cough syrup which, despite making me really sleepy, was great at stopping coughs. I had nothing of the sort with me in Boston, but did have a leftover Vicodin from a prescription given to me when I had a car accident back in October (not my fault, by the way). I knew that contained codeine, and took that. It worked. The cough subsided, and I drifted away into lala land. My doctor later told me that was a wise thing to do.<br />
<br />
I was awakened soon after drifting by a phone call from a reporter with a medical journal, who wanted to know how Heartbleed could possibly affect medical devices and healthcare systems in general. I managed to deliver what turned out to be a fairly cogent interview, which he published immediately. I drifted off to sleep.<br />
<br />
The next day I had another meeting, and managed to get through it with some Dayquil. I went to the airport feeling quite ill at this point, and while waiting for my long flight home, I got the first call from one of my contacts at DHS, asking if we could do a webinar, as everyone at DHS and upward was very concerned. I said I would make it happen for them, and took my long flight home. I went to the doctor the following day and was informed that I had Pneumonia...and put on heavy doses of antibiotics, which, I am happy to say, seems to have worked.<br />
<br />
During the downtime at home I was asked to put together some informative webinars, which I and my team did very quickly. It occurred to me as I helped deliver the message that the community of those affected did not seem to all get just how serious an issue Heartbleed really is. The attack is ridiculously simple to mount, is completely undetectable, and affects EVERYTHING that is running the affected versions of OpenSSL. That means small handheld devices, phones, VPNs, routers, mesh network equipment, general networking equipment...just about everything. Again, I want to emphasize that an attack is UNDETECTABLE. Most users are likely completely unaware if they have an affected version of OpenSSL. Some users who may be aware cannot simply patch devices right away. An example of this is health care. Although the FDA allows patching of devices for security, the device manufacturer must still test the patch for any regressive behavior, and that is no small task. Once the patch is deployed all certificates must be revoked, public and private keys must be re-generated, new certificates must be deployed, and then (and only then) can users change usernames and passwords. While websites can potentially do this all quickly, any one of those steps can take a very long time in healthcare.<br />
<br />
Well, I continue to deliver webcasts, as well as field lots of inquiries, and review multiple requests to sit on panels and in meetings to discuss Heartbleed. I never expected to be part of the team that discovered what some have called the biggest bug to ever hit the Internet, but here I am, and I have to say I expect things to get more and more interesting as time goes on.<br />
<br />
Perhaps I might also consider building a sauna. When in Rome...as the saying goes.<br />
Mike Ahmadi<br />
<br />
<div class="separator" style="clear: both; text-align: left;"><b>Fuzzing Medical Devices...The FDA Certainly Will Be</b> (2013-08-15)</div>
In August of 2012 the US Government Accountability Office (GAO) released a report titled "<b><a href="http://www.gao.gov/assets/650/647767.pdf">Medical Device - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices</a></b>", which essentially stated that the FDA should do something to address the growing cybersecurity issues researchers had uncovered in medical devices. While the Food and Drug Administration (FDA) was essentially told what they were expected to do, they were not told how they had to do it.<div>
<br /></div>
<div>
While it may seem, to some, that the FDA was falling short in their need to address cybersecurity, it is important to note that the FDA does indeed provide guidance (and has for many years) related to cybersecurity from a functional perspective. In fact, with all issues related to safety (and we are talking about cybersecurity as it relates to safety here), the FDA is quite thorough in addressing safety as it relates to unintentional misuse of functionality. What is different today is that the FDA is now tasked with addressing intentional misuse...and that is where things become complicated.</div>
<div>
<br /></div>
<div>
The reason this is so complicated is because intentional misuse (or all the ways something can be used incorrectly...malicious or otherwise) is infinite. That is why hackers, researchers, or malicious actors have so much to work with. Moreover, hiring a hacker to constantly hack away at your medical devices during the 18 month to 2 year development phase can become quite cost prohibitive.</div>
<div>
<br /></div>
<div>
In conversations I had with the FDA, which happens to be a very busy and underfunded agency, it was clear to me that they wanted to figure out a way to shrink this infinite space into something reasonably manageable, and they began seeking the advice of the security community...and the security community was happy to help. What is particularly great about having discussions with the FDA is that they are, by and large, scientists. Security researchers...despite the rather underground nature they have worked in for so long...are also scientists. While some may argue against that assertion...others will agree.</div>
<div>
<br /></div>
<div>
Scientists like empirical evidence, and are driven more by curiosity than by dollars. I am not saying they are not budget conscious...because they must be in order to conduct research. What I am saying is that they are more concerned with "what if" than "how much does it cost". This, as many of us are painfully aware, differs from the corporate world. If you talk to a hacker for any length of time, you will see the similarities to scientists pretty quickly.</div>
<div>
<br /></div>
<div>
In late April of this year I joined <b><a href="http://www.codenomicon.com/">Codenomicon</a></b>, which is a company that is arguably the world leader in fuzzing technology. For those who do not know what fuzzing is, I strongly suggest you do some "Googling" and read about it. In short, it is the practice of exercising (some may say bombarding) a target with malformed data until it produces an error...or simply dies. The malformed traffic that causes the error is thereby deemed a vulnerability. A good fuzzing tool keeps track of what causes the error, and allows it to be replayed as needed to help developers remediate the error. </div>
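The loop the paragraph describes (mutate an input, feed it to the target, keep the input that made it fail, replay it for the developer) in miniature, as an added example that is not Codenomicon's or Defensics' code. The target, <code>parse_record</code>, is a constructed toy length-prefixed parser with one latent unchecked index; the fuzzer, the <code>Finding</code> record and the <code>fuzz</code>/<code>replay</code> helpers are all my own names. A fixed RNG seed makes each run reproducible, and the example distinguishes a clean rejection (the parser's own <code>ValueError</code>) from an unexpected crash, which is the signal a fuzzer is after.

```python
from __future__ import annotations

import random
from dataclasses import dataclass


def parse_record(data: bytes) -> dict:
    """Constructed target: a naive length-prefixed record parser.

    Layout: [1-byte name length][name][1-byte value length][value].
    It raises ValueError for inputs it notices are truncated, but it
    trusts the first length byte when indexing the second one, so a
    record cut exactly after the name crashes with IndexError.
    """
    name_len = data[0]
    name = data[1:1 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated name")
    value_len = data[1 + name_len]          # unchecked index: the latent bug
    value = data[2 + name_len:2 + name_len + value_len]
    if len(value) != value_len:
        raise ValueError("truncated value")
    return {"name": name, "value": value}


# A well-formed seed record (constructed): name "name", value "hello".
SEED = bytes([4]) + b"name" + bytes([5]) + b"hello"


@dataclass
class Finding:
    case_id: int        # iteration that produced the input
    payload: bytes      # the exact bytes that triggered the error
    error: str          # exception type and message observed


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random mutations to a copy of the seed."""
    data = bytearray(seed)
    for _ in range(rng.randrange(1, 4)):
        choice = rng.randrange(4)
        if choice == 0:                          # flip bits in one byte
            i = rng.randrange(len(data))
            data[i] ^= rng.randrange(1, 256)
        elif choice == 1:                        # push a byte to an extreme
            i = rng.randrange(len(data))
            data[i] = rng.choice((0x00, 0xFF))
        elif choice == 2 and len(data) > 1:      # truncate at a random point
            del data[rng.randrange(1, len(data)):]
        else:                                    # append a few junk bytes
            data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 5)))
    return bytes(data)


def run_case(payload: bytes) -> Exception | None:
    """Feed one input to the target. A ValueError is the parser rejecting
    bad input as designed; any other exception is a finding."""
    try:
        parse_record(payload)
    except ValueError:
        return None
    except Exception as exc:                     # a fuzzer wants every crash
        return exc
    return None


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> list[Finding]:
    """Mutate the seed repeatedly and record every input that crashes the
    target. The RNG seed makes the whole run reproducible."""
    rng = random.Random(rng_seed)
    findings: list[Finding] = []
    for case_id in range(iterations):
        payload = mutate(seed, rng)
        exc = run_case(payload)
        if exc is not None:
            findings.append(Finding(case_id, payload, f"{type(exc).__name__}: {exc}"))
    return findings


def replay(finding: Finding) -> str | None:
    """Re-run a saved finding against the target: returns the error string
    again while the crash still reproduces, None once the bug is fixed."""
    exc = run_case(finding.payload)
    return None if exc is None else f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    found = fuzz(SEED, iterations=1000)
    print(f"{len(found)} crashing inputs out of 1000 cases")
    for f in found[:3]:
        print(f"case {f.case_id}: {f.payload!r} -> {f.error} (replay: {replay(f)})")
```

Saving the payload rather than just the error is the point of the <code>Finding</code> record: a developer can rerun <code>replay</code> after a fix and see the result flip to <code>None</code>. A real tool like the one the post describes adds instrumentation, protocol awareness and crash triage on top of this loop, but the loop itself is the same.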
<div>
<br /></div>
<div>
So let's get back to the FDA. Codenomicon demonstrated their fuzzing tools (known as Defensics) to the FDA, and they were more than a little impressed. As we were informed, they had decided to build a cybersecurity testing lab, and wanted to bring in our fuzzing tools as the first of many tools to come. It took a while to get from the initial conversation to the final award, but on July 12, 2013 the FDA posted a <b><a href="https://www.fbo.gov/spg/HHS/FDA/DCASC/FDA-13-1120705/listing.html">solicitation</a></b> for Codenomicon Defensics, and we were awarded the contract on August 13th, 2013.</div>
<div>
<br /></div>
<div>
Needless to say, this has certainly generated a lot of buzz in the medical device industry. The FDA released draft guidance in June 2013 stating that they expect vulnerability assessments as part of the documentation submitted to the FDA, then stated that they are building a test lab and will incorporate fuzzing into it. This, of course, is part of the answer to how they are going to address cybersecurity.</div>
<div>
<br /></div>
<div>
I look forward to working with the FDA in making sure our medical devices are secured. This is a great first step toward that goal.</div>
Posted by Mike Ahmadi.<br />
<br />
<b>The Archimedes Medical Device Security Group</b> (2013-05-10)<br />
<br />
The illustrious and ever so articulate <a href="http://web.eecs.umich.edu/~kevinfu/" target="_blank"><b>Kevin Fu</b></a>, who has emerged as the premier academic in the world of medical device security in the past several years, held his first Archimedes workshop at the University of Michigan this past May 9th and 10th.<br />
<br />
This invitation-only event (which I was proudly invited to participate in) brought together 65 top security professionals, medical device manufacturers, health care system representatives, academics, doctors...and just about everyone else who has a stake in medical device security (except regulators and patients). I do not recall ever having been around so many PhDs in my life.<br />
<br />
The purpose of this event was to have an open discussion of the challenges associated with securing medical devices, and what we might all do to help resolve the issues.<br />
<br />
<b>The key points that came out of the event are as follows:</b><br />
<b><br /></b>
<br />
<ul>
<li><b>Health care organizations and medical device manufacturers are making assumptions about the issues without looking at the whole picture.</b></li>
<li><b>We simply do not have enough data about what the real issues are and what everyone is doing to address the issues to determine how serious the problem may be...or how far along we are...or are not.</b></li>
<li><b>Trying to come up with new ways to address security may not be as prudent as re-purposing what others have already done in other industries (particularly the Industrial Control System space).</b></li>
<li><b>It is difficult to get anyone to take responsibility for the issues. Everyone hands it off to someone else (some more than others...some not at all...to be fair).</b></li>
<li><b>Viewing security in terms of return on investment is pure folly...and will get nowhere.</b></li>
<li><b>Vendors are not ready to provide what customers (health care providers) are not demanding, and health care providers are not ready to demand anything.</b></li>
</ul>
<div>
There were certainly others that came out, but most importantly the people at this event REALLY cared about talking about the issues...and were fully engaged. This is what I found most important, because I have been working on medical device security for nearly 6 years, and for at least 4 of those 6 years I was often the only person in the room who had anything to say about the subject, and had to deal with a lot of blank stares, or comments like "Oh yes, privacy is very important in health care." It is finally dawning on the health care community at large that we are NOT talking about privacy any more. We are talking about safety.</div>
<div>
<br /></div>
<div>
Did we solve any problems? Probably not...except for the problem of open and honest communication, which seems to have been resolved for at least this small event.</div>
<div>
<br /></div>
<div>
I'll take my baby steps and be quite content with them, and thank Dr. Kevin Fu (and company) for making something like this happen. Getting smart people who really care together in a room with a common goal is often not a bad thing, and can move things forward in untold ways.</div>
<div>
<br /></div>
Posted by GraniteKey.<br />
<br />
<b>Why Huawei and ZTE Are Potential Red Herrings</b> (2012-10-13)<br />
<br />
A Red Herring can be described as a distraction or scapegoat to divert attention from bigger issues by focusing on a smaller issue. Sometimes those who try to divert the attention to the Red Herring issue do so intentionally, sometimes it is done out of ignorance. In any case, it generally has the same net effect of prolonging the solution.<br />
<br />
In a recent 60 Minutes episode, Huawei was portrayed as a massive Chinese networking equipment manufacturer that was making great strides in the marketplace globally, initially in Asia and Europe, and working their way towards our shores in the USA, with some early market wins in the American Breadbasket. The 60 Minutes story talked about how Huawei was very secretive about what they do, and because they build the communication equipment that will ostensibly be the backbone of global communications, that gives them free rein to potentially put in back doors, or otherwise take control of global communications.<br />
<br />
This was followed by a <b><a href="http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20(FINAL).pdf" target="_blank">US House Intelligence Committee Report</a></b> that articulates that Huawei and ZTE (another Chinese networking equipment maker) are bona fide threats to our national security. It pulls no punches as it lays out the gory details.<br />
<br />
I have to say that all of this is true, in my opinion, but by no means addresses the much bigger issue at hand. Consider, if you will, that nearly ALL communication equipment used globally today (certainly in the US) is made in China, and ALL of it can be provisioned with the same back doors. That popular smartphone you and all your friends carry around and carry on conversations with, send emails with, submit documents through is likely made in China. That wireless router that your laptop, tablet, desktop, phone are all communicating with, attached to that switch in your office or home network are all likely made in China. We have literally MILLIONS and MILLIONS of communications devices where we have little to no visibility of the supply chain. Even the "US Makers" of networking equipment have significant (and often ALL) components made and provisioned in China.<br />
<br />
I bring this up because I have worked on projects to address some of these security issues with companies that provided components to communication equipment manufacturers. While some manufacturers have taken some steps to address these issues (mostly ones who have been breached and shamed), others have done nothing at all. In at least one case I am aware of, a major manufacturer only addressed a very small subset of their equipment, which was essentially their high end networking equipment, and all but ignored their lower end (and far more popular and prevalent) devices.<br />
<br />
The American public, not knowing any better, may indeed believe that the US Government is doing us a great justice by performing this study, issuing this report, and taking some steps to address this issue. I would have to say that this may be a good first step, and an eye opener, but we are FAR from addressing the real issue.<br />
<br />
Let's hope we all wake up and take notice.<br />
<br />
Posted by GraniteKey.<br />
<br />
<b>Our Government, The TSA, and Medical Device Security</b> (2012-06-06)<br />
<br />
Let's face it...we deal with security in a very reactive way, and we often end up with some real progress on the security front, along with some very real screwups.<br />
<br />
I want to step back to 9/11 for a moment. It is vivid and clear in most (if not all) of our minds. After the 9/11 attacks happened, we witnessed a time when our government had a lot of power (and most of it remains today) to do almost anything they wanted to do in the name of securing our nation. For the first time in my life I witnessed a Congress that passed sweeping laws that created a somewhat muted police state, cloaked as "The Patriot Act". Those that chose to defy our leaders were labeled as miscreants (in some cases), or told that they were being unpatriotic.<br />
<br />
Some things that came out of 9/11 were pretty good. Locking of cockpit doors is one of them. Another is a heightened sense of awareness by airline passengers, who are not likely to sit idly as terrorists attempt to mess around on an airplane. <br />
<br />
Other things...not so much.<br />
<br />
Anyone who travels today must now be subject to the circus we know as the security line at any major airport, which is a barricade often manned by everything from well experienced and conscientious agents, to agents that find their absolute power quite satisfying, and not in a good way. We are forced to relinquish even the tiniest pocket knife, but are permitted to carry our laptops on the plane, which have a glass screen that could easily be broken, leaving a razor sharp length of glass that could do far more damage in the hands of a would-be terrorist. There have been instances of agents who have become so attentive to water bottles that they miss handguns in carry-on items. Elderly people in wheelchairs are often forced to go through lengthy searches, and in at least one case I have personally witnessed several agents taking someone out of a wheelchair who could not stand up, and forcing him to go through a search while he tottered on the brink of falling.<br />
<br />
One would hope, after more than a decade of dealing with security issues post 9/11, that we would be better at this than we are, and I certainly do not feel more secure. I am simply more annoyed. I don't fear terrorists at the airport. I fear TSA agents who routinely search checked bags, and sometimes steal the contents. I saw a story last week about a TSA agent who routinely stole iPads out of checked bags. The TSA response was something like "We are looking into it." Try as you will, but you are not likely to win an argument or case against the TSA. They are, after all, supremely powerful in this day and age.<br />
<br />
This brings me to the issue of medical device security. I am seeing a lot of news stories lately where our government is being pressured to do something about medical device security. Without question, it is an issue that has to be addressed. The FDA is currently being pressed upon to act on cybersecurity issues, and it remains challenging, to say the least.<br />
<br />
We face a situation today where Congress is likely to require the FDA to take a more active role in cyber security, and I am concerned that if this is done in a reactive and hurried manner, we face the possibility of overreaction. Cyber security is not complicated, but it is a constant learning process that requires immersion to fully understand. The FDA is currently one very busy agency, and in my conversations with the FDA, I have discovered that they are very challenged in keeping up with the workload they are presently facing, which leads me to conclude that they are going to be very challenged in properly considering all the nuances of any cyber security decisions they may be forced to make. As someone who has worked with (and continues to work with) medical device manufacturers, I have learned that patient safety, reliability of therapies, and ease of use are of utmost importance to manufacturers and patients alike, and decisions made about how to implement security must be tested to the nth degree before proceeding with implementation. Congress must understand that if anything is mandated, there will indeed be manufacturers who will focus more on compliance than on creating a security culture, and what the FDA (and Congress) should focus on is first understanding what a security culture should look like, and how the risk profile changes with any security related decision made by a device manufacturer.<br />
<br />
It is important to understand that, as a traveller, I often have alternatives to dealing with air travel, and the repercussions of the inconvenience are generally limited to a specific instance (a trip). The repercussions of bad decisions made on the medical device front are far more serious in nature.<br />
<br />
I am off my soapbox.<br />
<br />
Posted by GraniteKey.<br />
<br />
<b>Ethical Hacking, Health Care, and Irrationality</b> (2012-03-15)<br />
<br />
As a security professional, I am often intrigued and frequently fascinated by some of the clever things that security researchers come up with. I remember hearing of one presentation where a researcher was able to tunnel into a laser printer that was exposed to the internet, and stop a print job, causing the paper to catch fire in the fuser (at least I believe that is how he did it).<br />
<br />
Another interesting discussion I was made aware of was someone who could remotely access cars parked in a parking lot and set off the car alarms. Very clever indeed.<br />
<br />
Another researcher showed how he could attack an ATM and get it to spit out cash. Fascinating!<br />
<br />
The fact is that people who build these devices and add features that allow creative ways to access them build them for functional purposes. The functionality is complex enough to build, so it is not very likely that they consider non-functional uses of such devices when building them. Even if they did, someone is likely to give them some blank stares and furrowed brows if they spend too much engineering time considering how not to use the device.<br />
<br />
This, of course, is completely at odds with the way security researchers (hackers, if you will) look at things. They do not spend much time looking at what makes something work, but instead on what makes it not work...or work in a way that was not intended by the designer. As luck would have it (for the hackers), there are literally infinite possibilities in the non-functional world.<br />
<br />
This, of course, leads to a lot of ways to potentially entertain and certainly alarm more than a few people. In many cases, there are ways to mitigate some of the risk associated with these findings. In the case of the laser printer, simply segregating the network is fairly straightforward. With ATMs, we can always go back to tellers (until we find a fix). We can always disable the network features of automobiles as well. These "fixes" may inconvenience us, but at least they do not diminish our quality of life in any major way. As humans, we cope well.<br />
<br />
From an ethical perspective, one can argue that the work of security researchers is completely necessary to move secure design and development forward. Let's face it...good security happens in a reactive manner close to 100% of the time. Going back to my earlier point, engineers are primarily tasked with building functionality into products. There are ways to do it with security built in from the ground up, but we are still a long way from getting the engineering world to embrace that. We will eventually get there, but not likely until the public consciousness is raised.<br />
<br />
Nonetheless, I had the opportunity to review an excellent document recently titled <b>"The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research"</b> (<a href="http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf"><b>http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf</b></a>) which <i>"...proposes a framework for ethical guidelines for computer and information security research, based on the principles set forth in the 1979 Belmont Report, a seminal guide for ethical research in the biomedical and behavioral sciences."</i> This report really hit home with me, and I want to explain why, but first let me tell you a couple of stories.<br />
<br />
I want to start with a story about flu shots. Back in the 1980s I worked at a resort in Florida and one day I heard that a nice old chap who was one of the dock masters had gone to his doctor for a flu shot (his first ever) and had an allergic reaction to the vaccine, went into anaphylactic shock, and died.<br />
<br />
Wow!!!<br />
<br />
That sealed the deal for me. Despite all the prodding I had gotten from those around me as I grew older, I decided that there was no way I was going to get a flu shot. I mean...c'mon...I DON'T WANT TO DIE OF AN ALLERGIC REACTION!<br />
<br />
This sat well with me for many years...until I got the mother of all flu attacks in 2004. I remember lying in bed in sheer misery for two weeks, first fearing that I was going to die of all the pain and inability to breathe...and then, towards the end, almost wishing I would just die. Let me tell you, a cold is NOT the flu. I have had bad colds, and this was the flu, and it was utter HELL.<br />
<br />
It occurred to me, once I was feeling better again, that the one instance in my entire life of anyone having a severe reaction to the flu vaccine was not a rational justification for that two weeks of misery, which was likely to happen (and perhaps even kill me as I got older) again. I certainly like to think of myself as being intelligent, but I have a way of rationalizing things to suit my purpose outside of global empirical information...and sometimes it bites me in the you know what.<br />
<br />
What is perhaps even more alarming is that, prior to my awakening to the benefits of vaccination, I almost prevented my first child from getting vaccinated because of all the hysteria surrounding alleged incidences of autism from vaccinations. Were it not for the calm and patient persuasion of the vaccination nurse at the local medical center, who explained to me that the likelihood of devastating childhood maladies was indeed quite high for my baby if he did not get vaccinated, I may have exposed him to several diseases that came back in the last decade (namely polio and whooping cough), no doubt at least in part from the irrational fears brought about by vaccination naysayers.<br />
<br />
Fear and uncertainty have a way of getting us to do things outside of the realm of reason at times. It is the essence of propaganda, marketing hype, and political circuses. After watching "Jaws" in the 1970s it was not until I had spent over a decade living in Florida, where the waters are literally thick with sharks, that I realized that the likelihood of getting attacked by a shark was FAR smaller than the likelihood of getting skin cancer...which several of my Florida friends and associates did contract. Media hysteria and Hollywood stunts have a way of tugging at our hearts and warping reality...indeed they do.<br />
<br />
So this brings me back to the point I am trying to make (and thank you for being patient). Lately, there have been more than a few media-rich and Hollywood-like stunts portraying some of the dangers of security flaws found in medical devices, and this is simply not sitting well with me. Unlike printers, ATMs, and automobiles, medical devices are currently causing patients that need them to experience a much better quality of life than they would have without them...and in many cases they are keeping them alive. If one looks at sections C 3, 3.1, 3.2, and 3.3 of the aforementioned report, some very salient points emerge:<br />
<br />
<b><i>C 3 Beneficence</i></b><br />
<i>"...the Beneficence principle reflects the concept of appropriately balancing probable harm and likelihood of enhanced welfare resulting from the research. Translating this principle to ICTR demands a framework for systematic identification of risks and benefits for a range of stakeholders, diligent analysis of how harms are minimized and benefits are maximized, preemptive planning to mitigate any realized harms..."</i><br />
<br />
<b><i>C 3.1 Identification of Potential Benefits and Harms</i></b><br />
<i>"...researchers should identify benefits and potential harms from the research for all relevant stakeholders, including society as a whole, based on objective, generally accepted facts or studies..."</i><br />
<br />
<i>"...One helpful approach to identifying harms is to review the laws and regulations that apply to an ICTR activity, and analyze the underlying individual and public interests that the research might negatively impact..."</i><br />
<br />
<i>"Because laws may be unclear or open to interpretation, a narrow focus that only considers acts impacting the integrity or availability of information and information systems might overlook a broader range of harms that may not be explicitly protected by law."</i><br />
<br />
<i><b>C 3.2 Balancing Risks and Benefits</b></i><br />
<i>"...the researcher should systematically assess risks and benefits across all stakeholders. Researchers should be mindful that risks to subjects are being weighed against the benefit to society, not to either the research subjects or the researchers themselves. Researcher actions should be measured using a standard of a reasonable researcher, who exercises the knowledge, skills, attention, and judgment that the community requires of its members to protect their interests and the interests of others.</i><br />
<i>When ICT is involved, burdens and risks can extend beyond “the human subject,” making the quantification of potential harm more difficult than with direct intervention. It can be difficult to balance risks and benefits with novel research whose value may be speculative or delayed, or whose realized harm may be perceived differently across stakeholders. If there are plausible risks, researchers bear the burden of showing specific, evidence-based consideration that they can manage those risks."</i><br />
<br />
<i><b>C 3.3 Mitigation of Realized Harms</b></i><br />
<i>"Despite appropriate precautions and attempts to balance risks and benefits in ICTR, research may cause unintended side effects that harm stakeholders."</i><br />
<br />
Please understand that I have taken excerpts out of the report, and I expect the reader of this blog posting to look at the entire article.<br />
<br />
The point should be relatively clear by now. The work of security researchers is invaluable, but prior to the hacking of medical devices, the societal risks had not hit home at the level they do now. The fact is that any patient who, as a result of the media hype, chooses to minimize the risk of having their device hacked is likely to make a decision that causes them far greater harm than the likelihood of the device being criminally hacked.<br />
<br />
It is my hope that security researchers delving into medical device hacking take this under serious consideration, because (as Peter Parker - The Amazing Spiderman's uncle once said) with great knowledge comes great responsibility.<br />
<br />
Posted by GraniteKey.<br />
<br />
<b>First Smart Grid Documentary Ever !</b> (2012-02-10)<br />
<br />
It's an interesting ride...so hang on!<br />
<br />
I am fascinated by reality much more than I am fascinated by anything in the world of fantasy. I mean, think about it for a moment. In my life I have watched us go from phones with rotary dials and coiled cords that always got bizarrely tangled, tethered to walls via mysterious outlets, to handheld computers that allow you to place video calls, and allow you to have conversations with them as they reply to your commands with a sexy voice.<br />
<br />
It seems like humans are capable of building anything if they see a need for it to be built, and that is the most fascinating story ever told...and it has been told many times in all of our lives, and as far as time goes back.<br />
<br />
We all build things...create things if you will...for our own reasons, or for those who employ us. It seems to me that the most interesting things built are built by those who are driven by a desire to make something great, or make something better, and not necessarily for a paycheck.<br />
<br />
Don't get me wrong...a paycheck is nice, and definitely a necessity in life, but it is rarely the driver to those who want to build great things. What drives people to build great things is the human need to prove to themselves (and others) that they can create great things, or make other things better.<br />
<br />
It's a fascinating story to watch unfold, if you will take the time to discover it. If you like your iPhone, you really should get yourself a copy of Steve Jobs's biography, and understand what drove him to create the device that literally changed the way we consume information, navigate, and communicate.<br />
<br />
Besides reading books, my favorite way of consuming these fascinating tales of how things came to be as they are today is through watching documentaries...and lots of them. I remember the first time I discovered that through Netflix streaming services I could watch literally hundreds of documentaries on nearly as many topics...and so I did (much to the chagrin of my small children). It seems like I cannot get enough of them. There are so many interesting stories to be told, and the documentarians seem to do a fine job of getting past the hype, marketing spin, and myths surrounding so many subjects worth exploring.<br />
<br />
So let's fast forward to my security conference. Back in 2010 my company was hired by a company (a silicon vendor) to produce a whitepaper that outlined the Smart Grid security landscape. I dove right in, as I normally do, and attempted to capture the essence of the Smart Grid as quickly as I could. What I soon discovered is that, although the Smart Grid was rapidly evolving, our understanding of the Smart Grid was changing with every passing moment. The issue of Smart Grid security was particularly challenging to grasp, since the topic is very sensitive in nature to most, and those involved in the Smart Grid security ecosystem still had a lot to learn. While I discovered pockets of knowledge here and there (e.g. NIST, OpenSG, DHS ICSJWG), there was no place I could go to truly immerse myself in the dialogue that I felt needed to happen. There were lots of Smart Grid conferences out there, but they covered the topic of Smart Grid security at a very minimal level at best. There were also lots of security conferences out there, but Smart Grid was only a tiny portion of the event. I felt that we needed a Smart Grid security event, and created the first Smart Grid security conference that I knew of in the United States. I was shocked to have around 100 people show up for the first event, and it led to two more after that (and my 4th event is coming up at <a href="http://www.GridSec.com/">www.GridSec.com</a>, which is focused on not only Smart Grid, but also energy infrastructure security).<br />
<br />
As someone who was working within the ecosystem, I was able to bring in some great speakers, and gain the trust and support of some very key players. I always sought to evolve the conference as the industry evolved, and decided that the next event (upcoming March 27-29 in Irving, Texas) should involve people at the CxO level, and went on a quest to find at least one utility CxO who would speak on the sensitive topic of security. I have to say, it was a lofty goal and was not easy, but persistence pays off, and I was put in touch with Dave Hallquist, the CEO of the Vermont Electric Cooperative, who agreed to speak. That, in and of itself, was absolutely fantastic.<br />
<br />
What happened next (a few days later) became even more interesting. Dave's son, Derek Hallquist, is a documentary filmmaker, and contacted me asking if he could film his father at my upcoming conference, since he had partnered with documentary film producer Aaron Woolf (of "King Corn" fame), and they were going to follow Dave Hallquist around the country as he went from conference to conference interacting with people in the Smart Grid world. It was to be the first Smart Grid documentary ever created, and they planned to submit it to the Sundance Film Festival.<br />
<br />
Needless to say, I was flabbergasted. Not only was the story of the Smart Grid going to be told in a documentary (and we are still in the very early stages of the Smart Grid), but it was going to break ground at my conference.<br />
<br />
This has, of course, unleashed a storm of interest and support from everyone I know in the industry. Utilities are all thrilled, vendors are all thrilled, and all those who have helped me make this happen are all thrilled. I was wondering when a Smart Grid documentary was going to come to fruition.<br />
<br />
...now I know.<br />
<br />
<div style="text-align: center;"><b>Please Attend This Seminal Event!</b></div><div style="text-align: center;"><b>Sign Up At <a href="http://www.GridSec.com/">www.GridSec.com</a></b></div>
<br />
Posted by GraniteKey.<br />
<br />
<b>Humbled By The Outpouring Of Support</b> (2011-12-05)<br />
<br />
This past week I discovered that an <b><a href="https://www.issa.org/Library/Journals/2011/December/Ahmadi-Oh%20Hackable%20You.pdf" target="_blank">article</a></b> I submitted to the Information Systems Security Association (ISSA) Journal had been selected for publication, and made the cover. Although I am part of the editorial board (the shark tank, as we call it), I submitted it anonymously, and made the cut. Needless to say, I was thrilled.<br />
<br />
The article was about medical device security, and I have a Google Alert set up for medical device security. The day after my article was published, I saw a Google Alert that pointed to an article with a similar title. My article is called "Oh, Hackable You!" and the similarly titled article was "The Hackable You." Interesting.<br />
<br />
When I went to the website, I realized that the author of the article had, quite literally, completely plagiarized my article. He changed the introduction a bit, copied and pasted the entire rest of the article WORD FOR WORD, and then changed the conclusion a bit. It was obvious and willful fraud, and I was livid.<br />
<br />
I immediately posted this on my Twitter feed, and what happened next truly reminded me why I absolutely love working with the information security community. My dear friend Travis Goodspeed (who has over 2700 followers) re-tweeted it and then embarked on a quest to find out more about this person, who, as it turns out, is a serial plagiarist. He quickly discovered that dozens of members of the infosec world had been plagiarized by this person, and let them all know that this had happened, which unleashed a Twitter storm like nothing I had ever witnessed. Within hours the organization he works for had pulled the blog, issued a public apology, and called me (and at least one of the other writers) and personally apologized for the incident(s).<br />
<br />
What amazes me about the information security community is that it has evolved into a very tight brotherhood, independent of any "official" regulatory body. Every member of the community is charged with the duty of policing every other member, and NOBODY gets a pass. Anyone who tries to enter the infosec world and attempts to sell snake oil is immediately smacked down by the community. It took me years of hard work to get to the point in my career where the community accepted me as one of their own, and I have to say that I am completely overwhelmed by the support, and by the knowledge that my brothers (and sisters) in the information security world are there for me...and I for them.<br />
<br />
Thank you!<br />
<br />
<b>The SCADA Within Us</b> (posted 2011-11-05)<br />
<br />
I have been saying this for quite some time now, and I was absolutely thrilled when someone from the health care industry came up to me and said "We are running SCADA systems in health care." For those who do not know what the acronym stands for, it is "Supervisory Control and Data Acquisition".<br />
<br />
Let's examine this for a moment.<br />
<br />
<b>Supervisory</b> - Medical systems are indeed used to supervise patients. That is exactly what they do.<br />
<br />
<b>Control</b> - Medical systems are indeed used to control patient procedures at many levels. That is exactly what they do.<br />
<br />
<b>Data Acquisition</b> - Medical systems record patient data constantly, and use this information to make decisions. That is exactly what they do.<br />
<br />
Yup! They are SCADA systems.<br />
<br />
I just returned from the Amphion Medical Forum in Minneapolis, home of Medtronic (the largest medical technology company in the world). Medtronic is very concerned with medical device security, and they are now beginning to understand the potential impact of mounting interest among attackers in hacking SCADA systems. Rest assured they are taking this VERY seriously, and this is an absolutely fantastic bit of news for the health care community, because they are the organization most likely to make an impact on health care security. I applaud Medtronic executives for their decision to aggressively address these issues.<br />
<br />
One of the most interesting discussions I had with a member of the Medtronic engineering staff, who seemed very familiar with SCADA systems, was about the very unique challenges the medical device industry is facing. One challenge is that they cannot easily address physical security of many medical devices, since they are frequently found in patients (e.g. insulin pumps, pacemakers) or in their homes (e.g. monitors). While it is possible to educate patients about this, it is nearly impossible to control physical security. Another issue is that, even if devices are designed with firmware that can be updated, there is no easy way to update the firmware in devices implanted in the human body, for several reasons. One obvious reason is...well...because it is implanted in a human body. Another reason is that many of these devices operate on coin-sized batteries, and many of you know that firmware updates dramatically decrease battery life. Let's not forget, by the way, that a failed firmware update on an implanted device that leaves it in a denial-of-service (DoS) state (unable to boot or operate) is also very serious. <br />
<br />
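The failed-update-as-DoS problem is the part of that conversation most worth a concrete illustration. What follows is an added example written for this page, not code from the original post or from any Medtronic (or other vendor's) product. It models, in Python, the standard mitigation for exactly that failure mode: a dual-bank update in which the running bank is never overwritten, the staged copy is hash-verified and checked against an anti-rollback version before the device switches banks, and boot falls back to the other bank if the active one turns out to be corrupt. The device model, image format, chunk size and digests are all constructed for the demonstration; a real implant would use a signed manifest rather than a bare SHA-256, but the control flow is the point.

```python
"""Fail-safe dual-bank firmware update model (added example, not from the post).

Constructed assumptions: the device has two flash banks, A and B; only one is
'active' at boot; an image ships with a monotonic version number and the
SHA-256 of its payload (standing in for a signed manifest). The property shown:
an interrupted or bad update leaves the device running its old firmware instead
of in a denial-of-service state.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional

CHUNK = 64  # bytes transferred per radio session (constructed value)


@dataclass
class Image:
    version: int
    payload: bytes
    sha256: str  # expected digest shipped alongside the payload


def make_image(version: int, payload: bytes) -> Image:
    """Build an image plus its expected digest (the 'manifest')."""
    return Image(version, payload, hashlib.sha256(payload).hexdigest())


@dataclass
class Device:
    banks: Dict[str, bytearray] = field(
        default_factory=lambda: {"A": bytearray(), "B": bytearray()})
    manifests: Dict[str, Optional[Image]] = field(
        default_factory=lambda: {"A": None, "B": None})
    active: str = "A"

    def staging(self) -> str:
        """The bank that is *not* running; the only one an update may write."""
        return "B" if self.active == "A" else "A"


def install_initial(dev: Device, image: Image) -> None:
    """Factory programming of bank A, assumed good."""
    dev.banks["A"] = bytearray(image.payload)
    dev.manifests["A"] = image
    dev.active = "A"


def stage_update(dev: Device, image: Image,
                 fail_after_chunks: Optional[int] = None) -> bool:
    """Write the new image into the inactive bank, chunk by chunk.

    fail_after_chunks simulates a dropped link or battery brown-out mid-transfer.
    Returns True only if the whole payload was written. The active bank is never
    touched, whichever way this ends.
    """
    slot = dev.staging()
    dev.banks[slot] = bytearray()
    dev.manifests[slot] = image  # what we *expect* the bank to contain
    for i in range(0, len(image.payload), CHUNK):
        if fail_after_chunks is not None and i // CHUNK >= fail_after_chunks:
            return False
        dev.banks[slot].extend(image.payload[i:i + CHUNK])
    return True


def verify_bank(dev: Device, slot: str) -> bool:
    """A bank is good only if its bytes hash to the digest in its manifest."""
    m = dev.manifests[slot]
    if m is None:
        return False
    return hashlib.sha256(bytes(dev.banks[slot])).hexdigest() == m.sha256


def commit_update(dev: Device) -> bool:
    """Switch banks only after verification and an anti-rollback check."""
    slot = dev.staging()
    current = dev.manifests[dev.active]
    if not verify_bank(dev, slot):
        return False  # partial or corrupt copy: keep running the old image
    if current is not None and dev.manifests[slot].version <= current.version:
        return False  # refuse a downgrade to a possibly vulnerable image
    dev.active = slot
    return True


def boot(dev: Device) -> Optional[int]:
    """Boot the active bank, falling back to the other if the active one is corrupt.

    Returns the running firmware version, or None if neither bank verifies.
    """
    for slot in (dev.active, dev.staging()):
        if verify_bank(dev, slot):
            dev.active = slot
            return dev.manifests[slot].version
    return None


def run_scenario(fail_after_chunks: Optional[int]) -> Optional[int]:
    """Program v1, attempt a v2 update (maybe interrupted), then boot."""
    dev = Device()
    install_initial(dev, make_image(1, b"v1 firmware " * 20))
    new = make_image(2, b"v2 firmware " * 20)
    if stage_update(dev, new, fail_after_chunks):
        commit_update(dev)
    return boot(dev)


if __name__ == "__main__":
    print("clean update boots version", run_scenario(None))
    print("interrupted update boots version", run_scenario(1))
```

The design choice that matters for an implant is the ordering: write to the spare bank, verify, then flip one pointer. Power can be lost at any step and the device still has a bootable image, which is what turns a failed update from a potential DoS into a retry.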
On the subject of power, if you think that the "traditional" SCADA systems have resource constraints, you are not even close to the resource constraints of some of these medical devices. Let's not forget the need for reliability as well.<br />
<br />
The health care industry is taking this very seriously, but there are some major challenges to address...and this is very high priority.<br />
<br />
Health care touches each and every life on Earth. I look forward to working with the health care industry to get this under control.<br />
<br />
<b>What We Really Want Is A Hot Meal, Good Health, And Electricity</b> (posted 2011-10-14)<br />
<br />
Those of you that know me are perhaps aware that I have spent large portions of my life working in 3 somewhat distinct areas: Food Service, Health Care Security, and Smart Grid Security. All 3 disciplines have taught me a few things that I carry with me every day.<br />
<br />
I am no longer in the Food Service industry...thank God! If any of you have ever watched Hell's Kitchen on TV, trust me...it is not far from reality. Working in high technology means better pay, less heavy lifting, and weekends and holidays off (more or less).<br />
<br />
Still, I learned some things in the Food Service industry that serve as valuable lessons to this very day. One thing I learned is that regardless of how hard you work, you are inevitably judged for the last good (or bad) deed you accomplished, often irrespective of your history. Memories are short, and you always have an opportunity to either redeem yourself, or fall flat on your face. The choice is yours.<br />
<br />
Another thing I learned about the Food Service industry is that they have 2 objectives:<br />
<br />
<ol><li>Make Food</li>
<li>Get Paid For The Food</li>
</ol><div>Hey! What can I say? I am nothing if I am not perceptive.</div><div><br />
</div><div>As it turns out, this carries over into both the Health Care and Energy industries. The Health Care industry wants to deliver health and get paid for it. The Energy industry wants to deliver energy and get paid for it.</div><div><br />
</div><div>We can apply this logic to just about any industry we choose, as it turns out :-)</div><div><br />
</div><div>Okay, so I am here to talk about security. What does all of this have to do with security?</div><div><br />
</div><div>As it turns out, security is essentially about safety (or perhaps safety is really about security). The two go hand in hand...and perhaps can be conflated in some (if not all) cases.</div><div><br />
</div><div>So let's go back to my life in food service for a moment. Having spent many years working as a chef in restaurants, I noticed a few things about safety that were recurring themes. One was that every single restaurant I worked in had a fire safety system installed by a competent installer, and (most importantly), the fire safety system itself was built by a competent manufacturer. After this was done, the fire inspector would perform an inspection and make sure it satisfied the requirements for fire safety, and the fire inspector would periodically return to make sure all was in order. Eventually, we saw the arrival of the <a href="http://www.nfpa.org/categoryList.asp?categoryID=395&URL=Training/Certification%20programs/CFPS"><b>National Fire Protection Association's Certified Fire Protection Specialist Certification Program, which is ANSI accredited</b></a>. Additionally, UL has a program in place for approval of fire safety systems (e.g. sprinklers) in use today.</div><div><br />
</div><div>Having worked in a restaurant where the fire safety system has triggered, I have to admit that it is very effective. However, in retrospect, the fact that I find most interesting is that not one restaurant, hotel, or resort (and I worked for some big resorts) had any staff on board who was responsible for the design, implementation, and maintenance of the fire safety system.</div><div><br />
</div><div>They simply hired someone to put one in, got it inspected, and then went on with the business of making and serving food. I have to say, it works splendidly.</div><div><br />
</div><div>Imagine that!</div><div><br />
</div><div>So let's take this back to the Health Care and Energy industries for a moment. We need to understand that what we have to do in the security world is get to the point where health care and utility staffs can focus as much of their time as possible on delivering what they are in the business of delivering. We are currently living in an environment where we have placed nearly all the burden for securing health care and energy systems on those who are ill suited for the job. Sure, they are getting better...by hiring staff to help get them up to speed, and reaching out to professionals, but is this necessarily the desired end state?</div><div><br />
</div><div>I fully realize that the food service industry is not saddled with the enormous burden of protecting their network stack from intrusion, and that no level of cyber attack is likely to mess with the integrity of their signature dish covered with delicious Béarnaise sauce. Yet the threat of fire is very real, generally quite devastating, and ever present. Nonetheless, we have managed to create a management system that is both extremely effective and extraordinarily simple to live with.</div><div><br />
</div><div>...and let's look at the health care industry for a moment.</div><div><br />
</div><div>We are all familiar with the FDA (the Food and Drug Administration). Hospitals use health care equipment and use drugs that are FDA approved...and absolutely do not use any health care equipment or drugs that are not FDA approved. Okay...at least they better not...or face stiff fines and immediate shutdown (believe me, the FDA is hardcore about their rules). Although it is a US organization, FDA approval is so highly regarded globally that most nations accept FDA approval as a "green light" for use in their own countries. Health care providers do not have to manage staff to ascertain the safety in using FDA approved products. They simply stick with the FDA approved products and (ostensibly) use them to deliver good health care.</div><div><br />
</div><div>I fully believe that we will eventually come to terms with cyber security issues, as we have come to terms with fire, and as we have come to terms with "snake oil" health care solutions of the past. As Paul Kocher of Cryptography Research indicated during his excellent keynote at my Smart Grid Security Summit this past month, security today is still struggling with the same "snake oil" issues that health care had to deal with in the past. As we continue to move forward with addressing cyber security issues, we all need to keep in mind that a lot of what we hear is going to be "snake oil", and we should look towards how other safety issues have been addressed in the past, and perhaps learn some valuable lessons.</div><div><br />
</div><div>Okay...now I'm hungry.</div>
<br />
<b>Upcoming Event: Amphion Medical Forum</b> (posted 2011-10-10)<br />
<br />
I have been invited to moderate a panel at the <b><a href="https://mocana.com/newsletter/amphion-medical-15.html">Amphion Medical Forum</a></b> on November 3rd, 2011 in Minneapolis, Minnesota. This fantastic event features security experts who specialize in studying, understanding, testing, and addressing security issues related to connected medical devices.<br />
<br />
What you may or may not know is that nearly every piece of medical equipment that collects and records data today (heart monitors, X-Ray machines, MRIs, IV monitors...and the list goes on and on) has a communications stack of some kind built in, or will have one soon. Recent <a href="http://www.cbsnews.com/8301-501465_162-20088598-501465.html"><b>demonstrations at Blackhat</b></a>, for example, have re-awakened our consciousness to the seriousness of security issues surrounding medical devices (if <b><a href="http://www.secure-medicine.org/icd-study/icd-study.pdf">this attack in 2008</a></b> was not enough).<br />
<br />
If this is of interest to you, join me at the Amphion Medical Forum on November 3rd, where you will have an opportunity to listen to some of the most brilliant minds in the world of medical device security, as well as meet them face to face.<br />
<br />
Oh...and by the way...IT'S FREE !<br />
<br />
See you there!<br />
<br />
Mike Ahmadi<br />
<br />
P.S. To guarantee yourself an invitation, use priority code "GraniteKey"<br />
<br />
<b>My Sally Field Moment</b> (posted 2011-10-10)<br />
<br />
My third Smart Grid Security Summit has drawn to a close. This past week in San Diego was a seminal event in my life as a conference chairman. For the last 3 weeks I have been working out a hundred plus details that no amount of advance preparation ever prepares you for. Anyone who has ever put on a conference is keenly aware of that. For those who have not, I would describe it as something akin to the excitement of the descent from the peak of a roller coaster coupled with the fact that you decided to finish your children's corn dogs.<br />
<br />
When I started the Smart Grid Security Summit my intention was to build my network and get some like-minded people together to chat about what was, and continues to be, an important topic. We had around 100 people show up, and 1 sponsor (SAIC). We were so proud of that event, and I still harbor fierce loyalty for those who helped make that event what it was. We knew we had something, and built on it. The second event was held in Knoxville in early 2011, and we had around 10 times the sponsorship, and double the attendance. Most importantly, we had asset owners coming to the event to both participate as speakers and join the crowd of attendees. We were sure we had something of value at this point. Let's face it, Knoxville is a really nice place, but it is certainly not a "conference boondoggle" location. People showed up because they had a thirst for knowledge and because they wanted to communicate with people who understand what they need, and we delivered that.<br />
<br />
The third event saw us partner with the Energy Sector Security Consortium (EnergySec), and we were blessed with lots of great sponsorship, and perhaps the finest selection of speakers and attendees to date (although that is a tough call, since both of our other events had fantastic speakers and attendees). It just seems to keep getting better and better as time goes by. I tried to take the time to speak to everyone I ran into at this event, with around 15 sponsors and around 250 attendees, but found myself nearly overwhelmed by the outpouring of interest in the event, the massive amount of networking going on, the fantastic sessions, and the constant outpouring of love from all who took the time to come up to me and tell me what a fantastic event our little conference has grown into.<br />
<br />
I cannot help thinking about that famous <b><a href="http://en.wikipedia.org/wiki/Sally_Field">Sally Field moment</a></b>, when she accepted the Oscar for her starring role in the 1984 drama "Places In The Heart". She took the stage after receiving the Oscar and gushed <i><b>"I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it, and I can't deny the fact that you like me, right now, you like me!"</b></i><br />
<br />
Peer acceptance is what we all crave in our careers, regardless of what we may think or say about the subject. I am humbled by everyone's acceptance and love, and will continue to deliver the quality you have all come to expect.<br />
<br />
Kindest Regards,<br />
<br />
Mike Ahmadi<br />
Conference Chairman<br />
<br />
<b>Smart Grid Security East 2011: AMI Vendor Roundtable</b> (posted 2011-09-15)<br />
This is the video taken of the AMI Vendor Roundtable panel at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East</a></b> conference in March 2011.<br />
<br />
The presenters were:<br />
<br />
Edward Beroset, Director of Technology & Standards, Elster Solutions Inc.<br />
Stephen Chasko, Principal Security Engineer, Landis+Gyr<br />
Walter Sikora, VP of Security Solutions, Industrial Defender<br />
Ido Dubrawsky, Principal Software Engineer/Security, Itron<br />
<br />
We hope you will join us at the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit West 2011</a></b> conference from October 3-5 in San Diego, California.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="284" src="http://www.youtube.com/embed/_uC0r3iRJik" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="284" src="http://www.youtube.com/embed/PevKe31jF6E" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="284" src="http://www.youtube.com/embed/1nhCf4m3-ew" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="284" src="http://www.youtube.com/embed/dfjdaB0wvY8" width="500"></iframe><br />
<br />
<div style="text-align: center;">
<b><span class="Apple-style-span" style="font-size: x-large;">See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></span></b></div>
<br />
<br />
<b>Smart Grid Security East 2011: Panel - How Utilities Are Managing Security</b> (posted 2011-09-11)<div>
This is the video taken of the "How Utilities Are Managing Security" panel at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. </div>
<div>
<br /></div>
<div>
The presenters were:</div>
<div>
<div>
David Batz, Manager, Cyber & Infrastructure Security, Edison Electric Institute (EEI) </div>
<div>
Ward Pyles, Senior Security Analyst, Southern Company </div>
<div>
James Sample, Director of Enterprise Information Security, Tennessee Valley Authority (who has recently been promoted to CISO of Pacific Gas & Electric)</div>
<div>
Robert Humphrey, Senior IT Security Analyst, Duke Energy</div>
</div>
<div>
Moderator: Bob Lockhart, Senior Analyst, Pike Research</div>
<div>
<br /></div>
<div>
I am pleased to report that all of these panelists (and more) will be returning to the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit West</a></b> conference from October 3-5 in San Diego, California. We hope to see you there!</div>
<div>
<br /></div>
<div>
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/wKdXAPgYlSI" width="500"></iframe></div>
<div>
<br /></div>
<div>
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/wnlJfC2Agrk" width="500"></iframe></div>
<div>
<br /></div>
<div>
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/gaVKY40-Juc" width="500"></iframe></div>
<div>
<br /></div>
<div>
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/k4YZ7Tsqn5k" width="500"></iframe></div>
<div>
<br /></div>
<div style="text-align: center;">
<b><span class="Apple-style-span" style="font-size: large;">See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></span></b></div>
<div>
<br /></div>
<div>
<br /></div>
<br />
<b>Smart Grid Security East 2011: NISTIR 7628 - Progress Report</b> (posted 2011-09-09)<br />
This is the video taken of the NISTIR 7628 Progress Report session at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. <br />
<br />
The presenters were:<br />
Annabelle Lee, Technical Executive - Cyber Security, EPRI<br />
William Hunteman, Senior Advisor For Cyber Security, US Department of Energy (DOE)<br />
Daniel Thanos, Chief Cyber Security Architect, GE Digital Energy<br />
Sandy Bacik, Principal Consultant, EnerNex<br />
Mike Coop, ThinkSmartGrid<br />
Moderator: Mike Ahmadi<br />
<br />
Please join us for the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit</a></b> from October 3-5, 2011 in San Diego, California.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/r5SdQqce_Is" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/jTT6NNy0X_4" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/wmKWoDytNeU" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/dLcWSl1Iu2k" width="500"></iframe><br />
<br />
<div style="text-align: center;">
<b><span class="Apple-style-span" style="font-size: large;">See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></span></b></div>
<br />
<br />
<br />
<br />
<b>Smart Grid Security East 2011: Keynote Address - Annabelle Lee</b> (posted 2011-09-08)<br />
<br />
This is the video taken of Annabelle Lee's fantastic keynote at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. Please join us for the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit</a></b> from October 3-5, 2011 in San Diego, California.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/Q4O0s4l6wsc" width="500"></iframe><br />
<br />
<div style="text-align: center;">
<b><span class="Apple-style-span" style="font-size: large;">See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></span></b></div>
<br />
<br />
<br />
<b>The Importance of Context When Discussing Smart Grid Security</b> (posted 2011-09-08)<br />
<br />
<i>This letter was originally posted on the excellent <a href="http://smartgridsecurity.blogspot.com/"><b>Smart Grid Security Blog</b></a>. It is a letter from former NERC CSO Michael Assante to the global community of stakeholders who are working diligently to keep our critical infrastructure safe from attackers.</i><br />
<br />
<br />
I recently had an opportunity to learn about the importance of context. I tried to help someone understand the challenges of regulation and cyber security in the context of smart grid technology deployments and electric infrastructure, and learned once again how polarized this topic can become. Certainly many can appreciate the challenge of communicating with clarity on this topic, as it can be nuanced, highly-technical, process-laden, and mired in the details of a little-followed piece of history and U.S. federal and state law.<br />
<br />
Let me begin by providing some of the context, or background, that explains why I work hard to help develop a better understanding of how cyber security impacts operational technology in critical infrastructures. As a boy I was fascinated with the engineering required to generate and deliver electricity. To me, the power system represented a grand achievement that demonstrated what dedicated men and women could accomplish.<br />
<br />
My father worked for a utility and was rightfully proud of the public service his company delivered to homes, schools, manufacturing plants, and hospitals. He worked with impressive machines that excavated coal, and cutting edge control centers with analog light displays. But the thing that made the biggest impact on me was the dedication with which my father and his colleagues performed jobs, and their uniform sense of mission, as they clearly understood that what they did made people’s lives better. I was quick to appreciate the vision, investment, and effort that enabled vast natural resources like coal and hydro-power to be turned into electricity, which was then transported and delivered over vast distances to every household and business.<br />
<br />
The success of the electricity industry in designing, building and maintaining an incredible system of systems, continues to inspire children and adults alike. It has grown to become a critical infrastructure that underpins modern society. The delivery of highly-affordable and reliable electricity has paved the way for the industrial and technological revolutions that have transformed global economies. It is ironic that over the last forty years of progress, we have also created a significant set of challenges that need to be addressed as a consequence of our continued innovation.<br />
<br />
The rapid advancement and application of digital technology has improved electric system operations, reliability, and process efficiency. But it carries with it a heavy responsibility. We must now safeguard this increasingly ubiquitous element of the grid from those who would seek to disrupt technology and cause harm.<br />
<br />
This dilemma of digital technology is that, like electricity, it enables great things but can cause great damage if not managed properly. There is one very important difference, though. The nature of electricity is understood sufficiently to prudently manage the risks it can present, whereas cyber threats are constantly evolving and are co-adaptive (the threat will consider the protections you have employed and find ways to circumvent or compromise them). This has led me to conclude that many of the difficulties we experience addressing cyber security come less from how the electricity industry behaves, and originate more from the complex nature of digital technology and the unique risks it engenders.<br />
<br />
Many of you know that I have often shared my thoughts on the difficulties of managing cyber risk in the complex and vast systems that comprise power grids. There are a number of necessary constraints, such as the golden rule of “first, do no harm” (do not negatively impact system reliability and safety). Other challenges have more to do with the state of industrial control system technology and the tough job of keeping up with the rapid changes in technology and the evolving capabilities of would-be cyber attackers.<br />
<br />
NERC and the industry have pioneered the use of mandatory reliability standards as one tool to manage risks to reliability across the complex weave of entities that comprise the bulk power system in North America. I am confident that progress will continue to be made by NERC and the industry, but it takes time to learn what works well when dealing with the scale of the bulk power system and specifically, when trying to address the difficult-to-bound risk that comes from cyber threats. I, like many others, understand that we must continually evaluate the processes we use to develop and manage the CIP standards. We must consider the effectiveness of the standards requirements when compared to how digital systems are being compromised by current cyber attackers. Cognizant of the risks of unintended consequences, we need to fully understand the behaviors we are promoting by using standards that require strict compliance. Finally, we need to be mindful of the spirit and goal of the standards and the importance of providing enough flexibility so that utility security programs can adapt to best confront the threats they face.<br />
<br />
I have had the pleasure of working alongside some of the most gifted experts in power engineering and industrial control system security over the years. The power industry has a rich collection of experts often passionately inclined to work together as a community to solve complex problems. Their expertise is essential in determining how to best apply cyber defenses in the highly-specialized environments of power generation, transmission, and distribution. We would also, however, benefit from the experience and learnings of other industries’ cyber professionals who themselves labor to defend highly-targeted networks. I have grown to appreciate the adaptive nature of cyber threats and the importance of maintaining a current understanding of how systems are compromised. NERC has engaged with the U.S. government to benefit from its understanding and should continue to look for opportunities to learn from government and cyber security experts from other industries bent on tackling this common problem.<br />
<br />
Context matters in how we think about these problems, in how we frame our concerns, and in how we formulate new approaches so that we may attain the many benefits of new technologies while managing the risk. I am confident that we will begin to engineer away the worst consequences, continually find more effective practices and develop the necessary skills to better address sophisticated and ever changing cyber threats. This is a difficult task that will continue to require our best efforts, to include regulation. It is a task that demands a prudent approach as the effectiveness of our investments needs to be measurable and demonstrable. We must continue to innovate if we're to fully enjoy the many benefits of affordable and reliable electricity.<br />
<br />
<div style="text-align: center;">
<b>Michael can be reached at <a href="mailto:michael.assante@nbise.org">michael.assante@nbise.org</a></b></div>
<div style="text-align: center;">
<b><br /></b></div>
<div style="text-align: center;">
<b>Michael will also be speaking at the <a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit West</a> in San Diego, California, October 3-5, 2011.</b></div>
<br />
<b>Customer Data: Authorization, Privacy and Security - Smart Grid Security Summit East 2011</b> (posted 2011-09-07)<br />
<br />
This is the video taken of the Customer Data: Authorization, Privacy and Security session at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. The presenters were:<br />
<br />
<br />
Sandy Bacik, Principal Consultant, Enernex<br />
Megan Hertzler, Director of Data Privacy, Xcel Energy Services<br />
Boris Segalis, Partner, Information Law Group<br />
Moderator: Chris Kotting, ThinkSmartGrid<br />
<br />
<br />
Please join us for the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit</a></b> from October 3-5, 2011 in San Diego, California.<br />
<br />
Due to the extreme popularity of the Privacy in the Smart Grid topic, we will be hosting a pre-conference workshop. Please make sure you sign up quickly, as space is limited. You can sign up at <a href="http://www.smartgridsecuritysummit.com/Info/RegistrationInfo.aspx">http://www.smartgridsecuritysummit.com/Info/RegistrationInfo.aspx</a>.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/6BGcUNcO0Xw" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/NITTAX24Zwc" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/3pzgrtv8iug" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/WcwCe2QaPg0" width="500"></iframe><br />
<br />
<div style="text-align: center;">
<b>See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></b></div>
<br />
<br />
<br />
<b>Michael Assante Keynote - Smart Grid Security Summit East 2011</b> (posted 2011-08-29)<br />
<br />
This is the video taken of Michael Assante's fantastic keynote at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. Please join us for the <a href="http://www.smartgridsecuritysummit.com/"><b>EnergySec Smart Grid Security Summit</b></a> from October 3-5, 2011 in San Diego, California.<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/i7X_dv_UUYU" width="500"></iframe><br />
<br />
Michael will be joining us again from October 3-5 in San Diego.<br />
<br />
<div style="text-align: center;"><b>See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></b></div>GraniteKeyhttp://www.blogger.com/profile/16651541705914029500noreply@blogger.com0
tag:blogger.com,1999:blog-2465464861752314395.post-84532688422571316622011-08-23T14:53:00.000-07:002011-08-23T14:53:57.634-07:00
DOE Smart Grid Security Grant Recipients - Smart Grid Security East 2011<br />
This is the video taken from the DOE Smart Grid Security Grant Recipients session at the <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East Conference</a></b> in March 2011. Please join us for the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit</a></b> from October 3-5, 2011 in San Diego, California.<br />
<br />
<div style="text-align: center;"><b>Panel: The US Department Of Energy (DOE) Smart Grid Security Grant Recipients</b></div><br />
The DOE has allocated substantial funds to both private enterprises and non-profit agencies in their quest to improve the security of our power grid. This public/private partnership is intended to capture the best and brightest and drive Smart Grid security to the level it needs to be in order to ensure a smooth transition to a smart and stable infrastructure. Join this panel of DOE recipients and DOE sponsor representatives in a discussion of what we can expect as a result of this partnership.<br />
<br />
Moderator: Mike Ahmadi<br />
<br />
Panelists:<br />
<br />
William J. Hunteman, Senior Advisor For Cyber Security, US Department of Energy<br />
<br />
Seth Bromberger, Executive Vice President, Energy Security Consortium<br />
<br />
Craig Miller, Project Manager, National Rural Electric Cooperative Association (NRECA)<br />
<br />
Dr. Hal Aldridge, Director of Engineering, Sypris Electronics<br />
<br />
Annabelle Lee, Technical Executive – Cyber Security, Electric Power Research Institute (EPRI)<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/Y-Iy756rPSU" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="311" src="http://www.youtube.com/embed/M2VcMMDlnKs" width="500"></iframe><br />
<br />
<div style="text-align: center;"><b>See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></b></div><br />
<br />
<br />
GraniteKeyhttp://www.blogger.com/profile/16651541705914029500noreply@blogger.com0
tag:blogger.com,1999:blog-2465464861752314395.post-52913577522792704942011-08-04T09:18:00.000-07:002011-08-04T09:18:32.984-07:00
Panel: DOE, FERC, NERC - Smart Grid Security East 2011
This is the video taken from the DOE, FERC, NERC session at the <a href="http://www.smartgridsecurityeast.com/"><b>Smart Grid Security East Conference</b></a> in March 2011. Please join us for the <b><a href="http://www.smartgridsecuritysummit.com/">EnergySec Smart Grid Security Summit</a></b> from October 3-5, 2011 in San Diego, California.<br />
<br />
<br />
The Department of Energy, Federal Energy Regulatory Commission, and North American Electric Reliability Corporation are unquestionably three of the most watched Federal agencies in the Smart Grid deployment world today. Join this panel in an interactive discussion about how they are working together to secure our grid.<br />
<br />
Moderator: Andy Bochman, Security Lead, IBM<br />
<br />
Panelists:<br />
<br />
William J. Hunteman, Senior Advisor For Cyber Security, US Department of Energy<br />
<br />
Jason Christopher, Technical Project Lead for Smart Grid Security, Federal Energy Regulatory Commission (FERC)<br />
<br />
Mark G. Lauby, Vice President, Reliability Assessments and Performance Analysis, North American Electric Reliability Corporation (NERC)<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/rwS3ZEdDdQM" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/TdAkQFWCMFE" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/HB0nuz_jung" width="500"></iframe><br />
<br />
<div style="text-align: center;"><b>See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></b></div>GraniteKeyhttp://www.blogger.com/profile/16651541705914029500noreply@blogger.com0
tag:blogger.com,1999:blog-2465464861752314395.post-21053104603537790392011-07-29T20:52:00.000-07:002011-07-29T20:52:18.818-07:00
Smart Grid Security East 2011 - Harmonizing Federal and State PUC Guidelines
This is the video taken from the Harmonizing Federal and State PUC Guidelines session at the <a href="http://www.smartgridsecurityeast.com/"><b>Smart Grid Security East Conference</b></a> in March 2011. Please join us for the <a href="http://www.smartgridsecuritysummit.com/"><b>EnergySec Smart Grid Security Summit</b></a> from October 3-5, 2011 in San Diego, California.<br />
<br />
While Federal agencies may indeed have jurisdiction over some parts of the Smart Grid, a large part of the Smart Grid falls directly under State jurisdiction, and certainly most of AMI. This session will present the perspectives of State Public Utility Commissions in various stages of deployment.<br />
<br />
Panelists:<br />
<br />
<b>Alan Rivaldo, Cyber Security Analyst, Public Utility Commission Of Texas</b><br />
<br />
<b>Christopher Villarreal, Regulatory Analyst, California Public Utility Commission (CPUC)</b><br />
<br />
<b>Craig Miller, Project Manager, National Rural Electric Cooperative Association (NRECA)</b><br />
<br />
<b>Moderator: Chris Kotting, ThinkSmartGrid</b><br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/ob8e0Hk6V5k" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/RKK6277TuPw" width="500"></iframe><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="314" src="http://www.youtube.com/embed/c1jCpn8XD3U" width="500"></iframe><br />
<br />
<div style="text-align: center;"><b>See you at the next event - <a href="http://www.smartgridsecuritysummit.com/">www.smartgridsecuritysummit.com</a></b></div>GraniteKeyhttp://www.blogger.com/profile/16651541705914029500noreply@blogger.com0
tag:blogger.com,1999:blog-2465464861752314395.post-4323260407717009172011-07-14T07:28:00.000-07:002011-07-14T07:28:25.283-07:00
The NRECA Cooperative Research Network Security Strategy
It was through a conversation I was having with Christopher Villarreal, Regulatory Analyst with the California Public Utility Commission (CPUC), that I was first made aware of Craig Miller, who is the Project Manager for the National Rural Electric Cooperative Association (NRECA). Chris is generally a soft-spoken guy, and that makes me pay a bit more attention to him when he talks. He told me that I really needed to reach out to Craig Miller and include him in my Smart Grid Security Summit as a speaker, since Craig seemed to know what he was talking about with respect to cybersecurity.<br />
<br />
It took me a while, but I finally got through to Craig (he is a busy guy). I have to admit, being someone who has had a lot of conversations with "the big boys" in the world of Smart Grid security, I was not expecting the level of knowledge and professionalism that the NRECA exhibited. Suffice it to say, the members of the NRECA are well served by the organization.<br />
<br />
Let me explain.<br />
<br />
Craig was a panelist at my <b><a href="http://www.smartgridsecurityeast.com/">Smart Grid Security East</a></b> conference in Knoxville, TN this past March, 2011, and he was easily one of the most popular panelists at the event. He does not mince words when he speaks. He is a consummate straight shooter in every sense of the word, and gets down to business right away. When asked about what the NRECA is doing to help their COOP network address security, he will tell you that they are defining a "process of continuous improvement", and goes on to explain that rather than telling their members what to do, they offer detailed and ACTIONABLE guidance, as well as continual educational programs. It reminds me of the saying "Give a man a fish and he can feed himself for a day. Teach a man to fish, and he can feed himself forever."<br />
<br />
Back in March, it was all great talk, and I (and many others) left the event wondering how this program worked. It did not take long to find out. In May of 2011 (2 months after my conference) the NRECA released <b><a href="https://groups.cooperative.com/smartgriddemo/public/CyberSecurity/Pages/default.aspx">A Guide to Developing a Cyber Security and Risk Mitigation Plan</a></b>, and made it publicly available for all to see. It is a fantastic collection of materials, put together with the assistance of Cigital, and besides providing a fantastic collection of well referenced cybersecurity guidance (much of it based on the NISTIR 7628 guidance document), it provides templates and plenty of "getting started" materials.<br />
<br />
Why is this so important? I'm glad you asked...<br />
<br />
It may come as a surprise to many of you, but the fact is that most facilities that generate power in our great nation are not staffed with massive IT departments, much less security experts. This is true in general, and certainly true in the COOP world. Providing guidance is important, but providing ACTIONABLE guidance is far more important. This is important because cybersecurity is quite daunting to the uninitiated. Showing someone how to do it (rather than telling them what to do) is what the NRECA CRN program focuses on. They do not dictate to the COOP network (remember, the NRECA works for the COOP network, and not the other way around). They offer well researched guidance and continual support.<br />
<br />
Craig Miller will be returning to my conference in October, 2011 (www.smartgridsecuritysummit.com), and if you get a chance to read the NRECA documents prior to that event, please do so, and make sure you make it to my conference, where you can meet the man himself, and I am sure he will be happy to answer your questions.<br />
<br />
Just be prepared for straight answers...he does not mince words.
GraniteKeyhttp://www.blogger.com/profile/16651541705914029500noreply@blogger.com0