RuggedCom is the Tip of the Iceberg When It Comes to Vulnerable Power Grid Gear


As President Obama weighs the decision to issue an executive order following the failed Cyber Security Act of 2012, a security alert issued by an arm of the Department of Homeland Security (DHS) earlier this week cast a spotlight on the vulnerabilities of networking and other gear that make up the U.S. electric grid.

DHS warned that security researcher Justin Clarke of Cylance had discovered a vulnerability in Siemens-owned RuggedCom’s Rugged Operating System (ROS) which could decrypt secure traffic between RuggedCom networking equipment and end-users.  Reuters, which broke the news of Clarke's finding (his second discovery of a flaw in RuggedCom gear this year), characterized the flaw as "one that could enable hackers to attack power plants and other critical systems."

Although that contention is likely an overstatement, RuggedCom's networking gear, designed to withstand harsh environments, is indeed widely used by the nation's electric utilities to support communications to remote power stations and other mission-critical functions.  And RuggedCom's faulty security could be the tip of the iceberg when it comes to vulnerable equipment deployed by utilities.

What other vendors sell vulnerable gear to the energy industry and which vendor is likely to pop up next in a DHS alert?   "You could throw a dart at a dartboard with a list of a vendors and come up with the next one," according to Patrick Miller, President and CEO of EnergySec, an industry body focused on cyber security.

"But it's like a bell curve. Some are on the front end and are doing good things, there is a bunch in the middle and a lot of bad ones at the end," Miller said.  

In fact, there is less security testing of the components that make up the electric grid than there is for the switches, routers and other devices that make up the Internet. "If it's intended to go into a substation, depending on the type of device, there is a higher likelihood that it hasn't gone through the same security measures as have the devices that go on the Internet," according to Miller, who is also the Principal Investigator for the National Electric Cybersecurity Organization (NESCO).

Two big factors foster energy industry use of vulnerable gear.  First, secure devices are very expensive, requiring secure coding, secure supply chain procedures and other costly steps.  And state public utility commissions keep a tight rein on utility expenses, forcing utilities to cut costs at every corner.

Utility "profits are regulated.  Every step along the way in terms of expenses is regulated. Are ratepayers going to want to pay that?" Miller said.   "The commissioners pride themselves on making sure the expenditures are prudent. If it looks like you're gold-plating," they won't approve utility expenditures. 

Even if utilities were able to persuade regulators to sanction more expensive, more secure gear, any technology upgrade could trigger a chain reaction of additional costs, which would also have to be passed onto ratepayers.  "If you can economically support that kind of technology refresh, they may end up voiding the warranty on their multimillion dollar management system," because other components in the system won't have been tested and warranted for compatibility with the new gear.

If energy industry gear is so widely considered to be vulnerable (which several industry cyber security technologists have confirmed) and regulators won't allow utilities to raise rates to pay for better gear, what's the solution? 

"The solution is basically better architectures," Miller said. "You have to get past the mindset that the system is 100% secure" and instead work on ideas that teach utilities how to operate through an attack, how to operate through a vulnerable state.

Because no matter how secure or new the devices, energy sector companies will have to constantly battle device breaches from here on out.  "It's almost whack-a-mole," Miller said.  Technology breaches happen so regularly and so frequently that "there's another problem with the next device, another problem with the next device, another problem with the next device."

Image credit:  Siemens.

 

Our First Supporter at Digital Crazy Town



Digital Crazy Town is happy (and happily surprised given that I haven't been angling for supporters or sponsors on this blog) to announce our first supporter, government IT solutions provider Carahsoft.  The folks at Carahsoft have teamed with Symantec to offer a free webcast on today's cyber security threat landscape and a strategic approach to strengthening enterprise security.  

Find out more at our supporter page and sign up today.  Don't wait though - the webcast is this Thursday, August 23 at 2 pm ET.


Utility Cyber Security Hampered by Standards, Vendors, Industry Culture


Electric utilities are our nation's critical infrastructure ground zero. But the lack of standards, vendor inadequacy and the glacial pace of utility technological change are among the top challenges to keeping the grid safe from digital threats according to industry experts speaking at the Smart Grid Security Virtual Summit today.  It's very difficult for utilities to "create a process to achieve security because they are always waiting for a standard," Ward Pyles, Senior Security Analyst, Southern Company said.

Speaking of the morass of ever-changing cyber security protocols available to utilities from the government and private sector groups, Pyles recommended that each utility develop its own standard and then stick to it.  "It's hard to choose what is the best one for you but you have to look at each of them and then create your own standard.  Pick one if you can and if you can't come up with a compilation."

Utility vendors must be more attentive to, and utilities must demand in their RFPs and RFIs, stronger cyber security technologies, Ward said.  "We're seeing solutions today that have default passwords that are embedded in code," a cyber security risk that utilities must mitigate.

"There is little or no cybersecurity in the devices utilities deploy," Patrick Miller, President and CEO of utility security group EnergySec said.  "The vendors have come a long way but it is still not a pretty picture."

The utility culture is "much more resistant to change," facing technology life cycles that typically span twenty years, making the new digital era particularly challenging for utilities looking to implement adequate cyber security procedures according to John Stewart, a cyber security specialist engineer at the Tennessee Valley Authority.  IT technology is truly a "different paradigm" for most utilities, Stewart said. The IT sector is a culture of constant change and "it's definitely different from the power industry" where change is "not one of our cultural strong suits."

Moreover, utilities don't have the luxury of interrupting service to install new software or technologies, as do many IT-based businesses.  "It's hard to imagine a world where substations operate in a patch Tuesday mindset," he said.  

Stewart argues that cyber security and utility communications infrastructure be separated from core operations while minimizing the amount of "daylight" between security and core function devices.  "Longer term we will push vendors toward more modular solutions that separate security and communications from core functionality just because the two industries are so different."

Slide from presentation by John Stewart, TVA

Lieberman is Not Proud of the Senate. But Is Any Cyber Security Bill Doomed?


After two years of work, and on the eve of a month-long election year recess, the U.S. Senate failed today to move forward a controversial cyber security bill.  S. 3414, the Cyber Security Act of 2012 introduced by Senator Joseph Lieberman (I-CT) and Senator Susan Collins (R-ME), was shot down in a maneuver by Senator Majority Leader Harry Reid (D-NV) to introduce a cloture motion, ending any further debate or amendments.  The final vote was 52 Senators in favor of cloture and 46 against it; Senate rules require at least 60 votes in favor of cloture.

Two things scuttled the bill's prospects in the Senate.  First, the emergence of partisanship on the previously non-partisan issue of cyber security pitted the Administration and Senate Democrats against Republicans, a newly formed rift heightened all the way around by the Supreme Court's decision to affirm Obama's health care law.  Secondly, private sector critical infrastructure entities covered by the bill, with particularly potent representation by the U.S. Chamber of Commerce, opposed what they perceived as unnecessary government regulation of their cyber security practices, even as Senate Democrats (with an assist by the Obama administration) watered down provisions in the bill regarding mandates on critical infrastructure industries into "voluntary" reporting procedures regarding discovered cyber security threats.

Speaking before the vote occurred, Lieberman said "this is one of those days that I fear for our country and I'm not proud of the United States Senate. It's not that there is a speculative threat to our country – it's real and it's here now."

Lieberman said that "when it comes to cyber war, we are where we were in 1993 with Islamic terrorism," quoting General Keith Alexander, Head of the National Security Agency and a proponent of the bill who helped the Obama Administration lobby for it during a last-minute push.  "We pretty much all agree on that here and yet we've descended once again into gridlock. The end result of that is a lot of sound and fury that will accomplish nothing and leave our country vulnerable."

Lieberman may be right that we're in the ignorance-is-bliss phase that precedes unexpected, impending disaster when it comes to cyber security, particularly security for our most critical infrastructures, such as the electric grid.  But, like the volatile, unpredictable set of forces that gave rise to 9/11, security in the cyber age  is an elusive, ever-changing target, which is why some experts favor flexible solutions as opposed to government-defined answers.

The inherently ungraspable nature of cyber security also leads to the confusing set of often contradictory rules under which most critical infrastructure providers operate.  Electric utilities, for example, try to abide by the fluid (and often unclear) set of requirements and recommendations that flow forth from at least 27 different bodies, from the Cross Sector Cyber Security Working Group at DHS to the Critical Infrastructure Protection requirements mandated by industry group North American Electric Reliability Corporation to U.S. Cyber Command at the Department of Defense to a host of industry technical standard setting bodies.

It's no surprise, then, that the Senate came close but failed to pass a cyber security bill.  Against the backdrop of partisan fighting and industry opposition and crazy quilt rules which attempt to make sense of a highly specialized and abstract topic, it's possible that any cyber security legislation is doomed at the outset.  Lieberman says he's not "going to be petulant" and is willing to continue trying to hammer out a compromise, so don't rule out a surprise rescue.

But, as Paul Rosenzweig points out, the more likely scenario is for the Obama Administration to simply chuck the Congress and adopt many of the bill's requirements through executive order.  Senator Dan Coats (R-IN) predicted as much before the cloture vote.


Twitter Delicious Facebook Digg Stumbleupon Favorites More