Posts tagged NERC

Thursday, July 22, 2010

Is a hack into our nation’s domestic infrastructure possible?

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The National Security Agency recently unveiled a program to help secure the networks of crucial domestic infrastructure, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of grid hacking.

Interestingly, a recent Wired article asked, “…if it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?” According to the article, “Hacking the Electric Grid? You and What Army?” (July 13, 2010):

Your average power grid or drinking water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.

To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.

Let’s pretend for a moment that hackers were planning to attack the U.S.  What would they need to do to gather enough information necessary to take out the electrical power in key parts of the country?  They don’t want to fiddle at the edges, mind you.  They want to have enough data to build the technical capability necessary to shut out the lights in Washington or New York or California at precisely the time and for exactly the duration they want.

For starters, they would need to know things like:  Where are the power plants?  What kind of plants are they? What sort of fuel do they use?  Who built them and when?  What sort of materials and technology were used when they were built?  Who manufactured the generators, turbines and other key equipment?  Whose SCADA software are they running?  Who runs the plants?  How does fuel, people, supplies get into or out of the plant? What sort of security do they have?  And perhaps most importantly: which plants supply power to which parts of the country?

While the Wired article raised many interesting questions, we ask: are foreign attacks on our nation’s crucial infrastructure possible? Our answer is absolutely. This is a real security threat and one that shouldn’t be taken lightly.

In fact, The New York Times reported last week that a new virus targets the computers used to manage the large-scale industrial control systems run by manufacturing and utility companies. While the SCADA systems that run this software are not typically connected to the Internet, this specific virus spreads when an infected USB stick is inserted into the computer.

To assist these organizations, BT Managed Security Solutions Group offers a multi-layered, holistic approach to secure critical network infrastructure (CNI) and organizational monitoring. This offering enables any organization to have a view of its security posture as it relates to its critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the organization.

With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas. As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments.

In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions.  This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.

Tuesday, July 20, 2010

CISOs to the Rescue!

By Jill Knesek, Chief Security Officer, BT Global Services

There aren’t many times I check in on the trade publications and see an article that really hits on the issues faced by the C-level audience in the security sector.  Frankly, we’re an unusual bunch, with very specific interests, issues, and concerns.  But recently, I saw an article by Ernie Hayden at searchsecurity.com that got to the heart of some of the compliance issues that I know I face and I’m sure you grapple with, too.

Approaching compliance from the standpoint of managing processes, Hayden outlines five key propositions that can help guide decision-making and apply equally to PCI and to NERC. His top picks are:

  • Your fundamental obligation to the company is to protect data and prevent loss
  • You should know the ins and outs of the regulations your organization is held to
  • View training and awareness as key components of your compliance strategy
  • Understand the root cause of any issues related to compliance
  • The organization should be kept under constant pressure to be in compliance

To read Hayden’s entire article, see “How to manage compliance as Chief Information Security Officer (CISO)” at searchsecurity.com.

And if you’re a C-level or senior security officer in the Chicago area and would like to continue this conversation over dinner, I’ll be hosting a BT Security Roundtable in Chicago on July 28.  To learn more about the dinner, please contact our Chicago-area managed security solutions specialist, Kurt Luporini.

Wednesday, March 24, 2010

Proven Security Practices for Smart Grid Security

Part #2 – Second in a Series on Smart Grids

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

In my last post, “Will the future of Smart Grids include smart security?”, I talked about the impact of the Smart Grid (SG) and asked whether the Smart Grid’s inventors have learned the lessons of the Internet age and built security into the technology from the start.

The fact is, if security is not in the fabric of SG technology, it could be highly disruptive to the core of our energy systems.

So what proven security practices can help ensure we’re moving in the right direction?

  • Vulnerability and penetration testing – Although SG is built on many standardized technologies, some unique attributes of its implementation represent new forms of vulnerabilities. Everything needs to be tested on a regular basis — applications, protocols, infrastructure, firmware and hardware all need to be reviewed for security flaws.
  • Security event monitoring – Today, monitoring information systems is typically associated with servers, security systems (e.g., firewalls, IDS, etc.), databases and applications. Not only must this be replicated in the SG environment, but it must also include embedded systems. This means vendors of SG products and solutions must build in the means to produce information about the operational behaviour of their devices so that we can gain visibility into potentially undesirable activity.
  • Application security – No security discussion is complete without discussing application security. Although akin to testing, application security is about sound development practices with security deeply ingrained in the development lifecycle. Today’s web applications are complicated and sophisticated and, regrettably, complexity is often security’s nemesis, forcing developers to take a hard look at functionality versus stability. Although there have been some advances in secure SDLC, this work is likely to accelerate rapidly in the SG space.
  • Identity and access management – Having a mechanism to identify, authenticate and authorize the users and systems interacting with the SG environment will be critical to its overall success. Just as you don’t want someone else logging into your bank account, you don’t want unauthorized people interacting with how power is delivered to your home.
  • Risk assessments and threat analysis – The introduction of information systems, especially when connected to the Internet, establishes a broader threat profile. Risk management within the utility sector is far more complicated than in other industries because risk appetite is relative to a very broad community. It isn’t simply protecting the business, but protecting citizens and the sound delivery of an essential service. Therefore, comprehensive risk assessment with an acute focus on threats will need to be performed regularly and through every step of implementation.
  • Security governance and standardization – Unlike Internet security regulations such as SOX and GLBA, which surfaced quickly to ensure consistency in the protection of public and private information, there are few security standards and requirements that vendors must follow in the design and implementation of SG, which can spell disaster. The silver lining is that, based on the Energy Independence and Security Act (EISA) of 2007, NIST has become far more involved in producing such materials and is making reasonable progress, with the first Smart Grid Cyber Security Strategy and Requirements standard to be finalized in the spring of 2010. We should expect NIST to become the center point for security standards in this sector, thanks in part to the American Recovery and Reinvestment Act (ARRA) of 2009, which has clearly established the organization as the source for the standards behind regulation developed by the federal government and by industry regulators such as NERC.

As we have experienced with the Internet, what is done today for security during the embryonic stages of SG development will resonate for decades in ways we cannot fully appreciate right now.  Those involved in the development and implementation of SG, from vendors and providers to the government and standards bodies, are aware of the importance of security and are working to create a solid foundation.  However, there is still a lot more work that needs to be done and the best way forward is to learn from the past.

Thursday, September 17, 2009

Protecting Our Nation’s Most Critical Infrastructure and Assets

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

If you lived in Cleveland, New York or Baltimore in August 2003, you probably remember the large-scale power outage. While that major blackout was not caused by cyber terrorism, this event, along with the terrorist attacks of September 11, 2001, brought the possibility of attacks against critical infrastructure into sharp focus and accelerated the implementation of standards providing a cyber security framework to identify and protect critical cyber assets. By defining critical assets, these standards are intended to support the reliable operation of bulk electric systems in North America.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards provide guidelines covering a variety of areas related to cyber security for bulk power system owners, operators and users. However, due to the rapidly changing security landscape of industrial control systems (ICS), companies are failing to adequately secure their systems.

Industrial control systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), are the systems that give operators automated direct and indirect control over functions throughout the power grid. These systems, used within critical network infrastructure (CNI), present unique security challenges to organizations. As business requirements change and the demand for real-time information increases, securing CNI networks and their process control systems is paramount.

Organizations have typically addressed compliance and security in silos, which results in an incomplete picture of the cyber threat. Addressing security in isolation gives an organization only the perception of security; the resulting gaps in information mean it never gets an organization-wide view of its risk.

To assist these organizations, BT Managed Security Solutions Group and Industrial Defender have partnered to offer a holistic solution for critical network infrastructure (CNI) and organizational monitoring. This offering enables organizations to have a view of their security posture as it relates to their critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the rest of the organization.

With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas. As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments. In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions. This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.
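The cross-network correlation this paragraph (and the closing paragraph of the Weir-Jones post above) calls for, as an added example that is not BT’s or Industrial Defender’s code: it joins constructed enterprise-side removable-media events with constructed control-center events on the same host inside a time window, so that a USB insertion on an engineering workstation followed minutes later by a SCADA project change is flagged even though neither log looks suspicious on its own. Hostnames, field names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page): a timestamp followed by key=value fields.
ENTERPRISE_LOG = [
    "2010-07-15T09:02:11 host=eng-ws-07 user=jsmith event=removable_media_inserted",
    "2010-07-15T09:03:40 host=eng-ws-07 user=jsmith event=process_start image=project_updater.exe",
    "2010-07-15T13:10:05 host=hr-pc-22 user=akim event=removable_media_inserted",
]
CNI_LOG = [
    "2010-07-15T09:05:02 host=eng-ws-07 zone=control_center event=scada_project_modified target=hmi-01",
    "2010-07-15T11:30:00 host=hmi-02 zone=substation_north event=logic_download target=plc-17",
]


def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(enterprise_lines, cni_lines, window=timedelta(minutes=30)):
    """Flag CNI events that follow removable-media use on the same host within `window`.

    A USB insertion alone is routine on the enterprise side, and a project change alone is
    routine on the control side; only the join across both logs makes the sequence stand out.
    """
    triggers = [e for e in map(parse, enterprise_lines)
                if e["event"] == "removable_media_inserted"]
    alerts = []
    for c in map(parse, cni_lines):
        for t in triggers:
            delay = c["ts"] - t["ts"]
            if c["host"] == t["host"] and timedelta(0) <= delay <= window:
                alerts.append({
                    "host": c["host"], "zone": c["zone"], "user": t["user"],
                    "media_inserted": t["ts"].isoformat(), "cni_event": c["event"],
                    "target": c["target"], "delay_seconds": int(delay.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ENTERPRISE_LOG, CNI_LOG):
        print(alert)
```

Run against the constructed logs, only the eng-ws-07 sequence is reported; the HR workstation’s USB use and the substation logic download have no counterpart in the other log and stay silent.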