Former Vice Admiral, NSA Director McConnell: 100% Certainty Cyber Attacks Will Occur
(Washington, DC) Former Navy Vice Admiral, NSA Director and US Director of National Intelligence Mike McConnell said today that the probability of a destructive cyber attack is 100% and that without good information sharing between government and industry the loss of lives and damage to property could be high. "In my mind, there is 100% certainty that cyber attacks will occur," McConnell said at the EnergyBiz Forum on Securing Power here.

Repeating the growing mantra of current and former top government officials that Congress needs to pass a cybersecurity bill, McConnell said "we are a nation with a strategic vulnerability and we have the information to deal with the vulnerability and we must share information between the government and private sector. [I]f we don't share [information] and share it frequently, we are going to have a major loss of life and damage of property.

"We need legislation that forces the government to provide classified information to the private sector," he stressed. However, "it should be sanitized to make information of value available to you."

In terms of the most vulnerable critical infrastructure likely to experience a cyber attack, "I would probably choose banking or power and I would choose the hottest part of the summer or the coldest part of the winter," McConnell said. "Just imagine being in New York City in the middle of the summer with no power."

BPC Report: New Electric Sector Cybersecurity Organization Needed
The North American electric grid should establish a new organization to advance cybersecurity risk management practices across the industry, the Bipartisan Policy Center (BPC) recommended in a wide-ranging report released today. Against a backdrop of multiple government agencies and industry groups attempting to wrestle with the complex challenge of cybersecurity, BPC recommends that a unified group, which it calls for the purposes of discussion the Institute for Electric Grid Cybersecurity, be established "before a significant cybersecurity event occurs and requires a rapid response."

Using as its model the Institute of Nuclear Power Operations (INPO), founded in 1979 in the wake of the Three Mile Island incident to oversee risk in the nuclear power sector, BPC says the institute should develop standards and practices that complement those established by the North American Electric Reliability Corporation (NERC) and enforced by the Federal Energy Regulatory Commission (FERC). "A centralized, industry-governed institution may be in the best position to promote effective strategies for managing cyber threats that could have broader systemic impacts," the report states.

The standards and best practices developed by the institute should cover generation, transmission, and distribution providers and market operators in the North American power sector, including municipal utilities and electric cooperatives. The mandatory standards established by NERC apply only to the bulk power sector, a situation that BPC says should be maintained.

The institute would pull together the wider electric industry to develop performance criteria and cybersecurity evaluations, analyze systemic risks, conduct event analysis, provide technical assistance and conduct training and accreditation. "We believe most utilities would see clear benefits to participating in a new cybersecurity organization. Such an organization could reduce pressure on Congress or FERC to extend more aggressive or widespread regulatory measures, offer helpful technical assistance and information, and give participants the opportunity to develop new norms for cost-recovery practices."

The effort behind the report was co-chaired by security and energy leaders including former NSA and CIA Director Michael Hayden and steered by an advisory group consisting of experts from top energy trade associations and companies, technology suppliers and former federal and state government officials. During an event to launch the report, one of the advisory group members disagreed with the report's recommendation to create a separate electric sector cybersecurity institute.

"We embrace the recommendations in this report," Scott Aaronson, Senior Director of National Security Policy, Edison Electric Institute, said. "I push back a little on a new organization" because there are already many such organizations in existence, including NERC and a group housed within NERC, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).

One of the report's recommendations is to split off the ES-ISAC from NERC itself because of "industry’s reluctance to share data for fear of triggering regulatory non-compliance actions, violating privacy or antitrust protections, or potentially disclosing proprietary or confidential business information."

Among the report's many other recommendations, which cover a wide swath of cybersecurity-related issues including information sharing, incident response planning and regulatory cost recovery issues:

  • The federal government should provide backstop cybersecurity insurance until the private market develops more fully;
  • The electric power sector and the federal government should collaborate to establish a certification program that independently tests grid technologies and products to verify that a specified security standard has been met;
  • The National Institute of Standards and Technology (NIST) should include guidelines for related skills training and workforce development in its Cybersecurity Framework;
  • DHS should work with universities and colleges to develop engineering and computer science curricula built around industrial control system cybersecurity;
  • The U.S. Department of Energy (DOE) should assist states in providing funds so that regulatory staff can participate in academic programs, more intensive training institutes, and continuing education programs.

NIST Official: B2B Use of Cybersecurity Framework is the ‘Moonshot’
The real benefit of the cybersecurity framework released last week by the National Institute of Standards and Technology (NIST) will come when businesses and organizations use it with their partners and suppliers, Adam Sedgewick, principal organizer of the framework effort at NIST, said yesterday. Speaking at our webinar (replay available) on the NIST framework, held jointly with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), Sedgewick said "I think people have realized more and more that this is a pretty broad ecosystem."

"What I hope we will see is that it will be used in business to business conversations. That's where this approach can really scale, where it is not tied to one or two government agencies. That's kind of the moonshot here and what we're really hoping for."

Even though the water sector has developed its own cybersecurity guidance, the NIST framework should prove to be a useful "anchor" on key cybersecurity issues, Kevin Morley, Security & Preparedness Program Manager, American Water Works Association, said. "We believe that it provides a very useful anchor on some principles" even if at "an applied level it may be a little abstract."

The electric sector, which has its own mandatory cybersecurity standards in the form of the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) requirements, was pleased to see that NIST made efforts to map the framework to those requirements during the development process, Laura Brown, Manager of CIP Policy and Coordination for NERC, said. "We're happy…that the White House and NIST acknowledge that we have these standards."

Involving top management in use of the framework is critical to its success, Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs, said. "It's not something you want to do with a bunch of techies off to the side."

Getting a realistic grip on the level of the organization's cybersecurity maturity is likewise crucial to the framework's success. "Honest evaluation is critical," Landfield said. "You need to be accurate with where you stand today. If you're a one [in terms of the framework's implementation tiers], put it as a one. If you are not using the tool correctly, you're not getting the most out of it."

The implementation tiers in the framework, which "rate" an organization on how highly evolved its cybersecurity protection schemes are, could prove to be a disincentive to smaller organizations, Morley said. "We have concerns a little bit with the tiering structure. From our perspective this may be a disincentive for action" because people are afraid their organizations will look bad if they rate lower on the scale.

From an industrial control sector perspective, the framework "is good for a number of reasons because it furthers the motion of the machinery in the U.S. public sector," Chris Blask, chair of the ICS-ISAC, said. "For our purposes it's helping our membership and by extension the people they are in contact with."

NIST's Gallagher: Framework Implementation Falls to Companies, Not DHS
The implementation responsibilities for the cybersecurity framework developed and released last week by the National Institute of Standards and Technology (NIST) now fall into the hands of the critical infrastructure companies and operators, Patrick Gallagher, the head of NIST, said today at a Brookings Institution event. Despite the fact that many activities surrounding the framework now shift from NIST to the Department of Homeland Security (DHS) under the cybersecurity executive order issued by President Obama last year, "I actually don't view the implementation responsibilities passing to DHS," Gallagher said.

"I think it's important to keep in mind that there are three things happening here. One is that the framework process continues and NIST continues to act as a convener so nothing has changed on that front at all."

"What DHS is doing is establishing a voluntary program that is there to support and promote adoption," he said. "The most powerful force driving adoption are the companies themselves. This is not just about what you do internally. [I]t's about your relationship with your vendors, your suppliers, your supply chain, the other companies you work with in your sector. Those are actually more powerful than anything we've been discussing" [on the government side].

But the federal government, and NIST itself, will continue to play a key role in shaping further changes to the framework, although NIST has not yet announced a revision schedule for the framework. "What we've done is deliberately create a bit of a pause…for the very reason that we don't want to get in the way of the adoption piece. We really want companies to use this and we want the [revision] process to be informed by companies that are using the framework," Gallagher said.

And Gallagher hinted that NIST might continue to play a major role in the framework's application and development by pointing to the Smart Grid Interoperability Panel (SGIP), a non-profit organization which facilitates the use of NIST-developed smart grid standards, as a potential model for the cybersecurity framework's governance. "How do we set up a governance scheme where all these different companies can work together and turn this into an ongoing routine process?" he asked.

"In smart grid, the SGIP was put together because the stakeholders felt there wasn't an existing organization that could facilitate the process," Gallagher said, implying that perhaps such an organization could be developed for the cybersecurity framework. NIST is extensively involved in the management and activities of the SGIP.

NIST Cybersecurity Framework Webinar Speakers Announced - Register Now for Thursday's Event
As I mentioned late last month, DCT Associates has teamed with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), the private/public center for knowledge sharing regarding industrial control system (ICS) cybersecurity, to host a webinar on what cybersecurity practitioners need to know now about the cybersecurity framework developed by the National Institute of Standards and Technology.

The webinar is slated to begin at 1 pm EST on Thursday, February 20th and so far well over 100 people have signed up to find out what they need to know now about this unprecedented cybersecurity blueprint.

We've got a great line-up of speakers for this event, including:

  • Adam Sedgewick, Senior Information Technology Policy Advisor, NIST
  • Matthew Light, Cybersecurity Specialist, ES-ISAC at North American Electric Reliability Corporation
  • Kevin M. Morley, Ph.D., Security & Preparedness Program Manager, American Water Works Association
  • Kent Landfield, Director, Content Strategy, Architecture and Standards, McAfee Labs

Find out more about the event or just register today. It's free and it's a chance to get a leg up on what promises to become the foundation for cyber protection initiatives across all industries and throughout the government.

Comcast-TWC Broadband Reach Could Be Twice That of Nearest Rival AT&T
For many years I spent my days endlessly examining the broadband marketplace, so when Comcast announced its deal to buy Time Warner Cable (TWC), I instinctively knew that the numbers would put Comcast very far above its nearest terrestrial rival once (and many say if) the merger is completed. Om Malik thinks the deal was entirely driven by Comcast's desire to scoop up greater market share in the high-speed Internet arena, and he's right to the extent that broadband is the future of pretty much all of communications: Internet, television, mobile.

But as Comcast executives said during their analyst call to announce the deal, the merger comes down to money: a combined Comcast-TWC will yield lower costs, higher margins and greater efficiencies across the board, including in the purely high-speed arena. Still, looking at the numbers from the end of Q3 2013 (see chart), Comcast and Time Warner Cable combined had nearly twice the high-speed Internet customers of the second largest terrestrial broadband company in the U.S., AT&T: 31.33 million compared to 16.43 million.

Even if Comcast sheds millions of those high-speed customers when it divests itself of some TWC systems serving approximately three million video customers, as the company says it would do to stay below the subscriber levels that would raise regulatory concern, it would still be about 75% larger than AT&T.

From a market share perspective, a combined Comcast-TWC would reach 38% of U.S. terrestrial high-speed customers, almost double that of AT&T and well over three times that of Verizon, the third largest provider of terrestrial high-speed service in the U.S.

Despite this prospect, Comcast will still be pretty small in comparison to the world's two top wireline broadband providers. China Telecom currently serves 90 million wireless high-speed customers while China Unicom has 63 million broadband customers. But it looks like Comcast could top NTT, which has only around 20 million wireline broadband customers.

The NIST Framework is Out the Door. So What's Next?
Industry and government alike have praised the cybersecurity framework developed by the National Institute of Standards and Technology (NIST). So, what happens next?

As I describe in my latest piece for CSO Magazine, the ball is now in the court of the Department of Homeland Security (DHS), which promises it will carry on in the spirit of openness that served NIST so well. NIST, however, won't ride off into the sunset anytime soon: it will act as a "convener" until DHS and the sector-specific agencies take over the framework's implementation.

For more, check out the article.

And mark your calendars for a webinar on the cybersecurity framework that DCT Associates is hosting with the ICS-ISAC on February 20 at 1 pm EST. It's free and will hit the high points of what you need to know about the framework.