There is much to talk about in regard to Duqu, but for now I'll leave you with some initial thoughts. If you want to know more, be sure to attend Monday's (10/24/2011) McAfee and National Electric Sector Cybersecurity Organization Webinar.

By 10/19/2011, at least three variants had been identified. Whether or not Duqu has any relation to Stuxnet is largely irrelevant from an asset owner's perspective. Additionally, if the targets were Certificate Authorities, there similarly isn't much to do from an asset owner perspective beyond monitoring for news of certificates to revoke as they become known. If the targets were ICS manufacturers, however, the data stolen from them could possibly include customer design information, application/firmware source code, support staff login credentials, or other information sensitive to asset owner operations. Beyond knowing which vendors were attacked and what data may have been stolen, there is not much to do with regards to specific responses to this incident. That said, it serves as a great example of just how important supply chain security is.

Before you engage in a business relationship with a vendor/manufacturer, make sure your expectations around security related to your systems and data are clearly spelled out in contract language. Additionally, verify and validate vendor commitments in response to those expectations as part of Factory Acceptance Tests (FAT) and/or Site Acceptance Tests (SAT) or other contract audit functions.

References:

Symantec Whitepaper
McAfee Writeup
DHS ICS-CERT Alert

Some time during the flight my stream of consciousness turns to pondering what it will take to make some real progress in the area of cybersecurity. I have seen and heard thousands of brilliant ideas but most seem to whither away before they get finished or funded. It occurred to me that maybe one of our problems is that we have the cart before the horse. It is difficult to implement solutions to problems that people don’t recognize or understand.

Before we can successfully implement our grand ideas we need to raise the level of consciousness of the public at large to a point where they acknowledge there is a problem, agree that it needs to be fixed, and understand that they will have to help fund the solution. Companies respond to the requests of their consumers, the ideas of their employees, the guidance of their boards, and directives of their state regulators. If we want to change how a company operates we must reach these groups with our message as well.

In a world of electronic media overload I would venture to say one of the best ways to reach people may actually lie in our daily interactions with friends and strangers. I am reminded of my vague answer shortly before and wonder if it was a missed opportunity. Mind you, being an introvert by nature I am not enthusiastically embracing this concept as it unfolds. But the more I think about it the more I have to begrudgingly admit that there is probably no one better equipped to tell the story than those who live it every day.

So just to be clear, I am not going to suddenly be preaching loudly about cybersecurity in airports across North America. But I will say, that maybe the next time someone asks me what I do I will actually tell them. If they aren’t interested I will get to return to my work, and if they are interested then I might have an opportunity to do something more important.

[insert dead silence here]

Then...the barrage of disbelief began.

"I bet you didn't establish role-based access management in their EMS." Yes we did.

"You couldn't have possibly locked down the ACLs on the firewall properly." Ratcheted down to only two necessary ports.

"I'm guessing you don't have a functional security logging system." Guessed wrong.

"They won't let you scan for vulnerabilities though." Yes they do. Multiple times a day as a matter of fact.

After exhausting their list of couldn't-have-happened remarks, there was a sigh and then someone asked. How'd you do it?

Her answer: I used the secret sauce. To my chagrin, she let that just hang there. Obviously she was enjoying this banter as much as I was.

What was the secret sauce? None other than a powerful mix of ingredients designed to open up the communication channels between IT and operations. The magic was in listening, talking, finding common ground and listening some more. She was a master of encouraging people to be open to new ideas and different ways to accomplish what was perceived to be impossible. She insisted that each department participate in job shadowing so that they could spend time first hand in the "world" of the other group. A lexicon was agreed upon that bridged the gap in understanding. And the list went on. 

Bottom-line: Continued conversation and determination to solve a problem led to success.

It isn't important about the details (to be frank, I can't recall them anyhow), what is important is that walls can be broken down and that solutions can be reached by way of learning about each other’s working environments and not just concluding that the others are jacked up on some new drug.

• Strict compliance with traffic control signals is not always necessary to be safe.
• It is possible to be strictly compliant with traffic control signals, yet still drive recklessly.
• The presence of police officers perceptibly alters driving behavior in ways that do not always increase safety.

First, in many situations a complete stop at a stop sign ("complete" meaning all forward motion has fully ceased) is not necessary.  Most drivers perform “rolling stops” at intersections with clear visibility, and no cross traffic.  This is perfectly reasonable.  It is also non-compliant.  Similarly, before becoming legal in many cases, it was common practice for drivers to make a right turn at a red light if no traffic was oncoming from their left.  This is also reasonable, and thankfully, now legal in many areas.

Second, Even the most compliant drivers are capable of being unsafe.  It is possible to be driving at the speed limit and not see a child running into the street.  It is possible to be mentally distracted and react too late to a vehicle stopping in front of you.  One might continue the use of tires that have legal tread depth, but are unsafe for given conditions.  There are many ways to be reckless with an automobile without running afoul of written laws.

Third, it is a frustrating reality that most people drive differently in the presence of police officers.  This is often a bad thing.  Slamming on the brakes while driving at speed in highway traffic is generally not a good idea, but this occurs often at the sight of a police car, or the beep of a radar detector.  Most people will not exceed the speed limit when being followed by an officer, even if driving “the limit” would impede the normal flow of traffic potentially causing issues later due to congestion or road rage.

To put this in the context of security regulations, let me restate the original points:

• You can be reasonably secure and still be non-complaint.
• You can be compliant, yet still be insecure
• Compliance enforcement programs can lead to unnatural and detrimental actions on the part of the regulated.

For illustration, I will refer to the security standards with which I am most familiar, NERC CIP.  There are common complaints about the CIP standards that relate to these points.  On many requirements, even a strong security program can have violations based on one oversight.  In other cases, weak security controls can be deemed compliant because they meet the letter of the standard.  And finally, there are numerous examples of entities removing functionality or relocating equipment, possibly to the detriment  of reliability, just to avoid compliance obligations.

The point of this post is not to disparage the NERC CIP standards.  I’m actually going to defend them in this case, not because I believe they are particularly good, but simply because I believe they are misunderstood.  A key problem around the CIP standards is the perception that they are intended to achieve security for the bulk power system.  See above.  Security standards don’t make people secure any more than traffic laws make people safe drivers.  Such standards, like traffic laws, exist for three reasons:

• Provide awareness of situations requiring diligence
• Provide guidance on acceptable performance relative to such diligence
• Provide accountability and liability in the event of an incident

Do the NERC CIP standards meet these objectives?  Additionally, like traffic laws, security standards should be monitored and enforced with sufficient flexibility to allow for prudently incurred, minor violations that do not impact the overall objectives.  Are the NERC CIP standards enforced in this manner?  These might be questions the SDT could ask itself as it embarks on the next phase of standard development.  I’ll be attending the SDT meeting in Columbus, OH on Jan 18-20, and will be interested in learning their direction for the next phase of development.  If you’re there, say hi, otherwise I can be reached at steve at energysec dot org.

It is all the more puzzling then, why someone would take this opportunity to single out two EnergySec directors for comments made in April 2008 near the time of the CIA's initial public disclosure that several cities outside of the U.S. were affected by intrusions through public networks.

In a post to the SCADASEC mailing list, Joe Weiss from Applied Control Systems attempted to take two of our directors to task for comments that were at best misunderstood, and at worst deliberately misrepresented. The issue at hand is whether Tom Donahue's statement in 2007/8 - that the CIA had knowledge of cyber attacks impacting power grids in other countries - was worth a public disclosure. The opinion of this organization continues to be that, due to the lack of any specific actionable details, it was not.

As it appears that several current and former government officials with knowledge of the specific events have elected to publicly disclose more information than was in Mr. Donahue's original statement, we offer the following explanation for this opinion.

Notwithstanding Mr. Weiss's statements to the contrary, there was no new information provided by Mr. Donahue at the 2008 SANS SCADA summit. The information he discussed (as described above) had already been disclosed to the electric utility community over a year before the public statements were made.

The issue at hand is not the accuracy of the information - as to which there is no question: the organization for which Mr. Donahue works is a leader in the gathering and assessment of such intelligence - but, rather, the actionability of the information provided. That is, to what extent could electric utility asset owners use the information to take specific additional actions to protect our infrastructure?

The short answer is that the information that was provided in the closed briefings and subsequently disclosed by Mr. Donahue wasn't actionable and was therefore of use only as another data point when examining other potential threats to the systems.

Here's what we were told prior to the public disclosure in 2007/8:

• That an unknown organization in a specific set of countries had succeeded in disrupting power in some metropolitan areas;
• That no motivation was known, but that extortion was suspected;
• That the method of the attack was not disclosed; and
• That specific indicators that would evidence this type of attack were classified or unknown.

To date, this is effectively still all that has been publicly acknowledged.

In the absence of key information (the last two bullets), there is nothing to do, and no action to take beyond what is already being done, to mitigate whatever unknown vulnerability allowed this attack. The net effect of Mr. Donahue's public statement was to provide interested media a platform to decry the state of security within the North American electric sector, while simultaneously denying those with a stated responsibility to protect this critical infrastructure any new information that would help us to do so. To the extent that the vague public disclosure and Mr. Weiss's continued insistence in using this as an example of the security failings within the electric sector divert resources of security professionals to defending their actions at the expense of continuing to improve the security of these critical systems, both statements are detrimental to the mission of securing the grid.

As with most industries and organizations, measures taken to address security concerns are often not public knowledge. Statements that imply a lack of action and diligence based on the absence of public knowledge serve to distract from legitimate issues that must be addressed. It is unfortunate that Mr. Weiss chose to malign two of our founding directors - people who have done as much to further the understanding of how to secure critical assets as any we know. Patrick Miller and Stacy Bresler were the driving forces behind organizing Energy Security Northwest, the information sharing group from which EnergySec grew. You can rest assured that they understand that securing the electric grid takes far more than just meeting regulatory compliance requirements.

The organization that Patrick and Stacy founded and fostered now has representative members from companies comprising over a third of the nameplate generation capacity in the U.S. and over half of the residential distribution customer base. Those members hail from all facets of the industry - physical security, control systems engineering, control systems operations, information security, and many other disciplines. They participate on an all-volunteer basis and recently helped us to achieve our most successful conference to date, with over 150 attendees - nearly two thirds of which were from electric utility asset owners with the rest hailing from DOE, DHS, FERC, NERC, and other industry partners. We know of no other private critical infrastructure that has an information sharing organization as robust as the one that exists within the energy sector.

This reality certainly contradicts any claim of the industry's "reprehensible job of securing the critical electric assets and hiding behind the NERC CIPS…." While the industry has made strides in securing this important critical infrastructure, we still have work to do. Security is, after all, a journey, not a destination, and the industry is working to achieve the goal of ensuring grid security and resiliency within the framework of regulatory compliance. Those who truly care about securing our critical infrastructure ought to support and encourage efforts that are succeeding in doing so.

We’re sharing actionable information every day within EnergySec.

We close with a quote that seems as appropriate today as it did when President Roosevelt uttered it in 1910:

"It is not the critic who counts, nor the man who points how the strong man stumbled or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena; whose face is marred by dust and sweat and blood; who strives valiantly...who knows the great enthusiasms, the great devotions, and spends himself in a worthy cause; who, at best, knows the triumph of high achievement; and who, at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who know neither victory nor defeat."

I'll post here from time to time, but if you work for an asset owner and are not yet an EnergySec member, head on over to the registration page and sign up for the portal where the peer-level collaboration starts.