Recent Posts

BPC Report: New Electric Sector Cybersecurity Organization Needed

The North American electric grid should establish a new, organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today.  Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC).  "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission,
and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives.  The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation.  "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials.  During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said.  "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC,  the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs

NIST Official: B2B Use of Cybersecurity Framework is the ‘Moonshot’

The real benefit of the cybersecurity framework released last week by the National Institute of Standards and Technology (NIST) will come when businesses and organizations use it with their partners and suppliers, Adam Sedgewick, principal organizer of the framework effort at NIST said yesterday. Speaking at our webinar (replay available) on the NIST framework, held jointly with the  Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), Sedgewick said “ I think people have realized more and more that this is a pretty broad ecosystem.”

“What I hope we will see is that it will be used in business to business conversations.  That’s where this approach can really scale, where it is not tied to one or two government agencies.  That’s kind of the moonshot here and what we’re really hoping for.”

Even though the water sector has developed its own cybersecurity guidance, the NIST framework should prove to be a useful “anchor” on key cybersecurity issues, Kevin Morley, Security & Preparedness Program Manager, American Water Works Association said.  “We believe that it provides a very useful anchor on some principles” even if at “an applied level it may be a little abstract.”

The electric sector, which has its own mandatory cybersecurity standards in the form of NERC-CIP (National Electricity Reliability Corporation Critical Infrastructure Protection) requirements, was pleased to see that NIST made efforts to map the framework to those requirements during the development process, Laura Brown, Manager of CIP Policy and Coordination for NERC said.  “We’re happy…that the White House and NIST acknowledge that we have these standards.”

Involving top management in use of the framework is critical to its success, Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs, said.  “It’s not something you want to do with a bunch of techies off to the side.”

Getting a realistic grip on the level of the organization’s cybersecurity maturity is likewise crucial to the framework’s success.  “Honest evaluation is critical,” Landfield said.  “You need to be accurate with where you stand today.  If you’re a one [in terms of the framework’s implementation tiers], put it as a one.  If you are not using the tool correctly, you’re not getting the most out of it.”

The implementation tiers in the framework, which “rate” an organization on how highly evolved its cybersecurity protection schemes are, could prove to be a disincentive to smaller organizations, Morley said. “We have concerns a little bit with the tiering structure.  From our perspective this may be a disincentive for action” because people are afraid their organizations will look bad if they rate lower on the scale.

From an industrial control sector perspective, the framework “is good for a number of reasons because it furthers the motion of the machinery in the U.S. public sector,” Chris Blask, chair of the ICS-ISAC said.
“For our purposes it’s helping our membership and by extension the people they are in contact with.”

NIST's Gallagher: Framework Implementation Falls to Companies, Not DHS

The implementation responsibilities for the cybersecurity framework developed and released last week by the National Institute of Standards and Technology (NIST) now fall into the hands of the critical infrastructure companies and operators, Patrick Gallagher, the head of NIST said today at a Brookings Institution event.  Despite the fact that many activities surrounding the framework now shift from NIST to the Department of Homeland Security (DHS) under the cybersecurity executive order issued by President Obama last year, "I actually don’t view the implementation responsiblities passing to DHS," Gallagher said.

"I think it’s important to keep in mind that there are three things happening here.  One is that the framework process continues and NIST continues to act as a convener so nothing has changed on that front at all."

"What DHS is doing is establishing a voluntary program that is there to support and promote adoption," he said.  "The most powerful force driving adoption are the companies themselves. This is not just about what you do internally. [I]t’s about your relationship with your vendors, your suppliers, your supply chain, the other companies you work with in your sector.  Those are actually more powerful than anything we've been discussing" [on the government side].

But the federal government, and NIST itself, will continue to play a key role in shaping further changes to the framework, although NIST has not yet announced a revision schedule for the framework.  "What we've done is deliberately create a bit of a pause…for the very reason that we don’t want to get in the way of the adoption piece. We really want companies to use this and we want the [revision] process to be informed by companies that are using the framework," Gallagher said.

And Gallagher hinted that NIST might continue to play a major role in the framework's application and development by pointing to the Smart Grid Interoperability Panel (SGIP), a non-profit organization which facilitates the use of  NIST-developed smart grid standards, as a potential model for the cybersecurity framework's governance.   "How do we set up a governance scheme where all these different companies can get work together and turn this into a ongoing routine process?," he asked.

"In smart grid, the SGIP was put together because the stakeholders felt there wasn't an existing organization that could facilitate the process," Gallagher said, inferring that perhaps such an organization could be developed for the cybersecurity framework.  NIST is extensively involved in the management and activities of the SGIP.

NIST Cybersecurity Framework Webinar Speakers Announced - Register Now for Thursday's Event

As I mentioned late last month, DCT Associates has teamed with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), the private/public center for knowledge sharing regarding industrial control system (ICS) cybersecurity, to host a webinar on what cybersecurity practitioners need to know now about the cybersecurity framework developed by the National Institute of Standards and Technology.

The webinar is slated to begin at 1 pm EST on Thursday, February 20th and so far well over 100 people have signed up to find out what they need to know now about this unprecedented cybersecurity blueprint.

We've got a great line-up of speakers for this event, including:

  • Adam Sedgewick, Senior Information Technology Policy Advisor, NIST
  • Matthew Light, Cybersecurity Specialist, ES-ISAC at North American Electric Reliability Corporation
  • Kevin M. Morley, Ph.D., Security & Preparedness Program Manager, American Water Works Association
  • Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs
Find out more about the event or just register today.  It's free and it's a chance to get a leg up on what promises to become the foundation for cyber protection initiatives across all industries and throughout the government.

Comcast-TWC Broadband Reach Could Be Twice That of Nearest Rival AT&T

For many years I spent my days endlessly examining the broadband marketplace, so when Comcast announced its deal to buy Time Warner Cable (TWC), I instinctively knew that the numbers would put Comcast very far above its nearest terrestrial rival once (and many say if) the merger is completed.  Om Malik thinks the deal was entirely driven by Comcast's desire to scoop greater market share in the high-speed Internet arena and he's right to the extent that broadband is the future of pretty much all of communications - Internet, television, mobile.

But as Comcast executives said during their analyst call to announce the deal, the merger comes down to money - a combined Comcast-TWC will yield lower costs, higher margins and greater efficiencies across the board, including in the purely high-speed arena.  Still, looking at the numbers from the end of Q3 2013 (see chart), Comcast and Time Warner combined had nearly twice the high-speed Internet customers of the second largest terrestrial broadband company in the U.S., AT&T, 31.33 mil. compared to 16.43 mil.

Even if Comcast sheds millions of those high-speed customers when it divests itself of some TWC systems serving approximately three million video customers, as the company says it would do to stay under regulatory concern caps, it would still be about 75% larger than AT&T.

From a market share perspective, a combined Comcast-TWC would reach 38% of U.S. terrestrial high-speed customers, almost double that of AT&T and well over three times that of Verizon, the third largest provider of terrestrial high-speed service in the U.S.

Despite this prospect, Comcast will still be pretty small in comparison to the world's two top wireline broadand providers.  China Telecom currently serves 90 million wireless high-speed customers while China Unicom has 63 million broadband customers.  But it looks like Comcast could top NTT, which only has around 20 million wireline broadband customers.

The NIST Framework is Out the Door. So What's Next?

Industry and government alike have praised the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). So, what happens next?

As I describe in my latest piece for CSO Magazine, the ball is now in the court of the Department of Homeland Security (DHS), which promises it will carry on in the spirit of openness which served NIST so well. NIST, however, won't ride off into the sunset anytime soon - it will act as a "convener" until DHS and the sector specific agencies take over the framework's implementation.

For more, check out the article.

And mark your calendars for a webinar on the cybersecurity framework that DCT Associates is hosting with the ICS-ISAC on February 20 at 1pm EST.  It's free and will hit the high points of what you need to know about the framework.

Government, Industry Embrace NIST Cybersecurity Framework

One year to the date since it was first assigned the challenge, the National Institute of Standards and Technology (NIST) today released its final version of a framework for improving critical infrastructure cybersecurity.  President Obama, whose February 2013 executive order mandated that NIST formulate the framework, praised the collaboration that went into the effort, citing all the work by public and industry participants as "a great example of how the private sector and government can, and should, work together to meet this shared challenge."

Although the framework itself consists of multiple and complex parts, and references hundreds of existing standards and practices, Lisa Monaco, Assistant to the President for Homeland Security and Counterterrorism boiled it down to its basic elements at a White House-organized event with top government and industry executives. "It provides for lack of a better phrase a common language to discuss cybersecurity. The framework core is really a set of common cybersecurity activities that [e]very organization should carry out in order to minimize cyber risks."

Another element of the framework, its profiles feature, helps "organizations to align what they’re doing with their own business requirements."  The final essential element, the tiers of implementation, "will allow companies to identify how well they’re doing to develop their own risk management practices," Monaco said.

Department of Homeland Security (DHS) Secretary Jeh Johnson officially unveiled the name for the DHS program that will continue refining the framework and promote its use among critical infrastructure asset owners.  The Critical Infrastructure Cyber Community (C3 or C-Cubed) Voluntary Program will give asset owners direct access to cybersecurity experts in DHS for advice and assistance in the event of a cyber attack or simply to provide guidance to organizations as they evaluate their cybersecurity strengths and weaknesses.

Joe Rigby, CEO of electric utility Pepco, praised the framework for providing a blueprint for his industry, which still is grappling with the challenges of cybersecurity.  "Our industry is actually pretty good at restoring power," he said.  But "we haven’t built the muscle yet for responding to cybersecurity.  We’ve been thinking about this for ten years but we’ve been acting on it for four or five years."

Telecom companies, on the other hand, have been forced by the market to stay apace with cyber developments.  "We unfortunately live, eat and breathe this," AT&T CEO Randall Stephenson said.  "It’s obviously just central to what we do.  Nobody has got this thing licked.  We think we’re pretty good at it but you’re only as strong as your weakest link."

The real benefit for AT&T will be in extending this "minimal" level of cybersecurity efforts to the company's supply chain and service providers.  "When you have all this interconnectedness [t]he weakest connection to your network is obviously an exposure point to your network. We look at this as a good piece of work but we view it as a minimum level."

As DHS continues to work on developing incentives for companies to use the framework, the focus should be on small companies that don't devote the effort to cybersecurity that large, well-financed players do, Marilyn Hewson, CEO of Lockheed Martin said.  "To the extent that we can look for incentives for the smaller and medium sized companies, that’s what we should do."

President Obama and virtually all of the government and industry officials stressed the need for congressional legislation to clear away the legal impediments that currently discourage cybersecurity information-sharing.  "I again urge Congress to move forward on cybersecurity legislation that both protects our nation and our privacy and civil liberties," he said in his statement.

One of the key elements that makes this [framework] viable in the long run is information sharing," AT&T's Stephenson said.  "There needs to be very robust protect and indemnification in place.  If you don’t have those in place, it’s all for naught."

Note: I will write a more in-depth piece on the framework's release as part of my series for CSO Magazine. Stay tuned.

NIST Official: Won’t Be Many Surprises in Cybersecurity Framework Release on Wednesday

(Washington, DC)  The National Institute of Standards and Technology (NIST) will release on Wednesday its final version of a comprehensive cybersecurity framework mandated by President Obama’s February 2013 cybersecurity executive order, with the final version containing few surprises, a NIST official said yesterday.  “Hopefully there won’t be many surprises,” Adam Sedgewick, NIST’s chief organizer of the framework process told attendees at the winter meeting of the National Association of Regulatory Utility Commissioners (NARUC) held here.

Since its fifth workshop on the framework in early November, NIST has fielded 2,500 separate comments on a preliminary version of the framework and posted a mid-January update on the changes the agency will incorporate as a consequence of the feedback.  The release of the framework at a White House event on Wednesday (with publication in the Federal Register on the 13th) comes exactly a year to the date following the executive order, an intensely compressed time frame given the magnitude of the topic.

“We went in without a net without thinking about what the framework would look like at the end of the day,” Sedgewick said.  Although the framework is “final,” NIST and government officials refer to it as the 'framework 1.0,' signifying the need for continued evolution as the framework is used by critical infrastructure owners. "From my perspective, there will always be more work to do on this issue.”

Once NIST puts the framework out, the Department of Homeland Security (DHS) will be primarily responsible for promoting its use, mostly through a public-private working group known as the voluntary program.  “The voluntary program will be our primary vehicle for promoting the framework,” Bob Kolasky, Director of Strategy and Policy, Office of Infrastructure Protection at DHS said.  “It is our key next step for how we're going to work with folks like you on how to use the framework.”

One critical infrastructure player, electric utility Pepco, already plans to change its procedures as a result of the framework, Susan Mora, Director of Federal Regulatory affairs at the utility said.  Specifically Pepco will reorganize its core cybersecurity functions to match those contained in the framework (which are Identify, Protect, Detect, Respond, and Recover).  Pepco has also volunteered to become one of the first utilities to which the framework will be applied.

Although the framework and the rest of the executive order are positive steps, a major stumbling block to better cyber protection is Congressional inability to pass a cybersecurity bill which would enhance information sharing among government entities and critical infrastructure owners, Mora said.  “I think the executive order is a great piece.  It checks box one which is standards and practices.  [But] there are other boxes that need work.  I can't tell you how disappointed I am on the information sharing front.”

State regulators play a key role in how the framework is used by utilities, primarily through the approval of cybersecurity expenses in public utility rate-making proceedings.  But “rate cases appear to be a dysfunctional pathway for appropriate cybersecurity,” industry consultant Andy Bochman told the utility commissioners in a presentation.  The adversarial culture surrounding the approval of rate increases can derail the reality of better cybersecurity, which both utilities and regulators seek as a shared goal.

Verizon PCI Report: Only 24% of Breached Organizations Compliant With Authentication Requirements

Verizon pre-released today its 2014 PCI (payment card industry) compliance report, which highlights the trends of compliance with the Payment Card Industry Data Security Standard (PCI DSS), which merchants, banks, credit card processing and other institutions follow to ensure the security of their cardholders' data. The release of this report follows yesterday's revelation by Brian Krebs that Target's massive security breach likely stemmed from network credentials that were stolen from a third-party HVAC vendor, which had been given external network access.

As it turns out, the PCI DSS has an entire requirement (section 8) devoted to authenticating users and a particular sub-requirement (8.3) devoted to authorizing access to users, such as vendors, outside the network.  According to the Verizon report, only 24.2% of organizations that suffered a security breach in 2013 were compliant with Requirement 8 at the time of the breach.

The report states that over 80% of these breaches used single-factor username and password credentials and could have been avoided had two-factor authentication been used (two-factor authentication requires two methods to gain access to prove a user's identification - one is usually a physical token such as a card and the other is usually a password).  Section 8.3 of the PCI DSS does indeed require two-factor authentication for users outside the network.

Still, the picture for the payment card industry overall is improving - 62.2% of companies covered in the report met all the demands of Requirement 8 in 2013, an increase of 39.6 percentage points on 2012.

FCC's Wheeler: We Can't Sit Around and Suck Eggs

Federal Communications Commission (FCC) Chairman Tom Wheeler today reiterated his view that the Commission must work quickly to assess the impact of radical changes in the communications landscape due to the rapid adoption of  Internet Protocol (IP) technology by communication network providers. Speaking at an event hosted by the National Journal following the FCC's launch of a series of trials aimed at measuring the impact of that transition, Wheeler said "if we sit around and suck eggs as the FCC did when it was sitting around saying 'should we use spectrum for cellular?' we will have incredibly adverse results for our economy."

Collecting real world data through research and trials before sanctioning the end of the old twisted copper-pair, analog-based public telephone network is crucial because "the thing I learned is that you get one shot," he said, referring to his long history in dealing with FCC policies. "The trials are going to give us the opportunity to collect the information that will help us to put together the components on that one shot.  You can’t do a Gilda Radner on this [and say] 'oh never mind.'

Wheeler also made a case that the current state of communications competition, in which most markets are served by only two dominant network providers, leaves a lot of room for improvement.  "IP means choices…vast choices in services.  There needs to be competition in the infrastructure that delivers those services," he said.

"While building IP networks is a highly capital intensive activity, operating IP networks [is] essentially cost-less. How do we make sure there is competition out there?  By having multiple choices for consumers [in] terms of facilities-based infrastructure."

Fostering competition in communications is a crucial economic issue as well as a consumer choice matter. "In order to have choice and competition in services it really helps to have choice and competition in the networks.  You can’t have an opportunity economy without having opportunity networks," he said.

Twitter Delicious Facebook Digg Stumbleupon Favorites More