
If You Feel Secure, You’re Probably Not Secure

June 23, 2013

As I head home from the Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Summer School, I wanted to capture some of my immediate reactions. The photo is from the Ameren Smart Grid Training Platform.

  • It is difficult for operations and IT staff to communicate because they use the same words to mean very different things. For example, in operations ‘security’ focuses on reliability, while in IT it is more about preventing attacks. IT people think about communications being routable on a network, but electricity is not routable in the power grid to the same extent.
  • There is a need for more personnel trained in cybersecurity specifically. People are very worried about the workforce pipeline.
  • SCADA systems are particularly vulnerable because they don’t get patched frequently (because of reliability concerns, lack of supported software, maintenance contracts, etc.), many field devices run embedded firmware rather than a general-purpose operating system and thus can’t run anti-virus software, and they lack basic security features such as encryption of the control traffic.
  • AMI systems have specific vulnerabilities because the hardware sits outside of a secure perimeter (and so is at risk of tampering) and there is a monoculture of devices, so one vulnerability could affect a lot of people. Luckily, AMI is also not a very good pathway into a SCADA system.
  • Security is commonly described by three properties: confidentiality, integrity, and availability (CIA). Different systems put more emphasis on different properties. For example, an enterprise system is most concerned about confidentiality, while a control system is more concerned about availability. Security is addressed through people, process, and technology (and policy).
  • Main defense/hygiene capabilities include cryptography (encryption), authentication (certificates, key management), and redundancy.
  • There are engineering requirements that pull against security, such as latency. Encrypting control traffic adds latency to communications, which in an emergency can make the difference between a large and a small blackout.
  • There is a lack of documentation. Most power plants rely on CAD drawings. However, there isn’t a way to capture all of the software settings in this format.
  • I started thinking about the value of freedom vs. need for secrecy in the government. I should write another post on that.
  • Corporate culture might play a big part in how well companies address cybersecurity.
  • I really enjoyed the hands-on lab experience. It’s one thing to talk about sniffing a network in an abstract sense and quite another to actually see it. I was impressed by how easy it is to learn so much information about a network with a couple of simple commands.
  • There is a need for simplicity in network architecture. Utilities that have huge systems cannot keep track of complexity.
  • There are many third-party connections, such as contractors and vendors, that reduce security.
  • Defense in depth is a good strategy. Defense by obscurity is not.
  • There is an intersection between physical and cyber security. Physical security tools such as cameras can be used both to commit as well as identify cybercrime.
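To make the two points above about unencrypted control traffic and about how much a passive sniffer reveals concrete, here is an added example that is not part of the original post or the summer school lab. It assumes the control protocol on the wire is Modbus/TCP (the post does not name one), constructs a few Ethernet/IPv4/TCP frames in memory as sample input, and then does what a sniffer does: inventories hosts and conversations, and, because the protocol is cleartext, decodes which registers the HMI is reading and writing on the PLC. The SSH conversation is included for contrast: the parser can see the endpoints but not the content.

```python
"""Passive inventory of constructed control-network frames (added example).

Assumption: control traffic is Modbus/TCP on port 502, sent in the clear.
All frames below are constructed in memory; nothing is captured from a live network.
"""
import socket
import struct
from collections import defaultdict

MODBUS_PORT = 502
FUNCTION_NAMES = {
    1: "Read Coils", 3: "Read Holding Registers",
    5: "Write Single Coil", 6: "Write Single Register", 16: "Write Multiple Registers",
}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Build an Ethernet II + IPv4 + TCP frame (checksums left zero; fine for parsing)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", 0x0800))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # 20-byte TCP header: data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def modbus_request(txn, unit, func, addr, value):
    """MBAP header (txn id, protocol id 0, length, unit id) followed by a 5-byte PDU."""
    pdu = struct.pack("!BHH", func, addr, value)
    return struct.pack("!HHHB", txn, 0, len(pdu) + 1, unit) + pdu


def parse_frame(frame):
    """Return endpoints, ports and (if cleartext Modbus) the decoded request, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # not TCP
        return None
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    rec = {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
           "src_port": src_port, "dst_port": dst_port}
    if dst_port == MODBUS_PORT and len(payload) >= 8:
        txn, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
        if proto_id == 0 and length == len(payload) - 6:
            func = payload[7]
            modbus = {"unit": unit, "function": FUNCTION_NAMES.get(func, f"code {func}")}
            if len(payload) >= 12:
                modbus["address"], modbus["value"] = struct.unpack("!HH", payload[8:12])
            rec["modbus"] = modbus
    return rec


def inventory(frames):
    """What a passive observer learns: hosts, who talks to whom, and cleartext writes to the PLC."""
    hosts, conversations, writes = set(), defaultdict(int), []
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        hosts.update((rec["src_ip"], rec["dst_ip"]))
        conversations[(rec["src_ip"], rec["dst_ip"], rec["dst_port"])] += 1
        if "modbus" in rec and rec["modbus"]["function"].startswith("Write"):
            writes.append({"plc": rec["dst_ip"], **rec["modbus"]})
    return {"hosts": sorted(hosts), "conversations": dict(conversations), "modbus_writes": writes}


# Constructed sample traffic: an HMI polling and then writing to a PLC, plus one SSH session.
HMI, PLC, JUMP = "10.0.0.10", "10.0.0.20", "10.0.0.30"
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:0a", "02:00:00:00:00:14", HMI, PLC, 49152, MODBUS_PORT,
                modbus_request(txn=1, unit=1, func=3, addr=0, value=10)),   # read 10 registers
    build_frame("02:00:00:00:00:0a", "02:00:00:00:00:14", HMI, PLC, 49152, MODBUS_PORT,
                modbus_request(txn=2, unit=1, func=6, addr=40, value=1)),   # write register 40 := 1
    build_frame("02:00:00:00:00:0a", "02:00:00:00:00:1e", HMI, JUMP, 49153, 22,
                b"SSH-2.0-OpenSSH_6.2\r\n"),                                # encrypted session
]

if __name__ == "__main__":
    for key, val in inventory(SAMPLE_FRAMES).items():
        print(f"{key}: {val}")
```

Run as-is and the report lists all three hosts and both conversations, but only the Modbus exchange yields a decoded command (a write of value 1 to register 40 on unit 1 of the PLC); the SSH frame contributes nothing beyond its endpoints. That asymmetry is the whole argument for encrypting and authenticating control traffic, weighed against the latency point made above.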

I also made a lot of great contacts with people at utilities, NERC, FERC, DOE, PJM, and contractors who are involved in NERC CIP compliance. In terms of my research it seems like there is specific interest in work related to:

  • Spear phishing -> it is a problem and cannot be solved with training and technology. Companies do phishing campaigns to train employees to not click links but many people still fall for them. Ultimately, these attacks prey on people’s kindness, which may be hard to train out of them. A different strategy could be more effective.
  • Insider threat -> this is a very dangerous attack vector and difficult to protect against.
  • Regulatory uncertainty -> it might be interesting to have a time component to identify how beliefs and misconceptions change as regulations change (ex. CIP v3 to v5).
  • Information sharing -> this is not incentivized and utilities don’t trust the ISAC as much because it is part of NERC (the compliance authority).

Again, these are all immediate impressions and not necessarily backed up by data.
