fudsec.com

Showcasing Fear, Uncertainty and Doubt from the Information Security Industry 

Reloading Risk Back Onto The Utilities

I'm delighted to welcome back Nick Selby, now Managing Director of Trident Risk Management, for a special fudsec Thanksgiving edition.  Thanks Nick!

Update 30th November: modified text at request of Nick re: mitigation to avoid distracting from the main point of the post - Ed

By Nick Selby

The critical infrastructure security debate has reached, well, a critical juncture. However, in the United States, the debate has been limited to either more government regulation or proactive mitigation on the part of private utilities. Since I write from America on the day we Americans give thanks for that which founded our country and made it great, let's attack this issue from a third front.

Let's get the customers pissed off, so that they vote with their wallets.

Because the US' infrastructure is mainly privately owned, the only way utilities will upgrade or properly configure their systems is under pressure of market demand for it. If the US business community, armed with the understanding of the risk of utility interruption to their enterprises, demands better service - that is, they demand that their businesses are better protected by those they pay to provide them with power - then the utility markets that are the most competitive will become the safest.

There's a strong business case here: many exploits of the vulnerabilities in our electrical power grid cost little to mount and cost a lot to remediate. As security researchers, practitioners and thought leaders, we can articulate a business case to American business leaders:

  • You're being forced to accept risk. Utilities are offloading risk of an outage to their customers, by charging for power and reliability and not mitigating even obvious, well-known risks;
  • The risks are to your people, your property and your profits - that is, they are to your brand. If your business relies on power for mission-critical or safety processes, the failure on the part of utilities to remediate means your customers and your brand are at risk - on the terms of the utilities, not your business' risk managers or your shareholders;
  • Cleaning up after the risk becomes reality is a hidden tax on your business and on you. The consequence-management costs of losing the power grid for even 20 minutes are massively high in terms of life, safety, profits and our national sense of well-being and safety. By not remediating these risks, utilities are offloading to us taxpayers the cost of clean-up and restoration after a catastrophic failure.

With respect to the last point, I seem to recall us fighting a war over taxation without representation. I submit that this is another one. I know that some utilities will be mad at me for saying this, but as far as I can tell, they've had their chance to take action. Now it's our turn.

Some high-level context
This may be stating the obvious, but what's obvious to people who look at this problem a lot is not obvious to people who don't.

For years, public and private security researchers have been pointing out that the networks at electric utilities were reliant on the thinnest veneer of security - if that. This was not because utilities didn't care, it was because utilities built themselves for the functionality of production of electricity in an age when their networks were truly air-gapped - that is, they were physically separated from the Internet.

To further state the obvious, one big problem is that these networks haven't been truly air-gapped for years and years, but the utilities continue to behave as if they are. And there's a great deal of reliance on plain old security-through-obscurity.

The government can make recommendations and even some regulations, but at the end of the day (and here's another obvious statement) the reason the majority of electric utilities in this country haven't upgraded their security is that doing so is expensive, and there has not been any publicly released information giving a compelling reason to spend the money.

Hacks or DOH! - Cause Is Less Important Than The Impact
Whether or not a successful attack on a US utility has happened already, one will happen (not for nothing, but there are active investigations of such attacks underway now). Regardless of the cause, bringing down power networks has life-and-death consequences. Security professionals sometimes forget the 'A' part of the CIA triad (confidentiality, integrity and availability).

I wrote recently that in 2008 an ice storm blacked out much of my county for eight days - my family spent eight days with sub-zero temperatures and no water, heat (except my woodstove) or even telephone. Life changed dramatically for us, very fast. It is, being obvious again, very important that we safeguard against attack or misconfiguration or any other event that brings down the power grid.

In a recent post on Errata Security, Robert Graham rightly pointed out two important things:

As a pen-tester, I know that our power grid is insecure...I know I can hack in from the Internet and cause power outages. However, government regulation isn't the answer.

Not only has government regulation not been the answer, but private industry has largely ignored government initiatives of exactly the kind I would expect to resonate with the security community and the public at large. In many cases, the guidance is specific, limited in scope to what is necessary, and driven by expert analysis and input from leaders in security research, vendors, private and public employees and regulators; in short, it's the findings that come after Mr Smith went to Washington.

And still, it's pulling teeth.

A Good Example: Aurora
A perfect example is the Aurora vulnerability (see the PowerPoint here, page 8, for more), because it has been public knowledge for about two years, the cause is understood and the mitigation is straightforward and well understood. There's so much great published research and congressional testimony on the problem and its solution that I cannot believe there has been such low take-up of the mitigation.

In just two days of scouring open-source, unclassified documents I was able to put together a basic mitigation strategy sheet (and to scare the crap out of myself about how easy and inexpensive it would be to mount an Aurora attack). Yet, anecdotally, it seems that only a really small percentage of substations have been protected against this well-known vulnerability. By the way, I don't charge customers to see this remediation sheet.

What Is To Be Done?
After consulting with a number of people in and out of government, I've decided that the best way to use this information is to share it, at no charge, with businesses whose mission-critical processes depend on the public power grid. The at-no-cost part is important to me, because I believe this is an issue too important not to share.

It's my hope that in sharing this information, outlining the issues and explaining to business leaders how they can and should raise them with their utilities, the utilities will see that there is in fact customer demand for mitigation, and come at this from the market side.

I had asked for a debate and a discussion, so here's my contribution: I'm suggesting that all pen-testers and consultants who've looked at this get vocal - find something within the field that raises your level of concern, something that can be mitigated rather easily.

Then, as opposed to trying to monetize that knowledge directly, help your customers articulate concern in a way that matters to the private utilities: "We, your paying customers, find this to be a risk that you should mitigate. Please do so." We should also help the utilities find federal money to contribute to their effort to help mitigate these risks. Hell, if they're going to throw all that money around on "infrastructure" projects let's at least get some in this area - the government has made it clear that it would like to.

If many of us who have the ear of the customer and the knowledge of the issues do this in a constructive way, we can go a long way toward raising the bar. In the end, the real questions remain:

  • How hard is it to exploit vulnerabilities in our system?
  • How can we make it harder?
  • What help is there for private industry to raise its bar?

Many have said that action is not that important, because "no attacks have happened yet on American soil." Arguments about whether attacks have happened are for another forum, but if your main argument against mitigation is justifying the cost with evidence of an attack, I'll ask you this question:

What is the cost of wrong?


Comments (3)

Nov 27, 2009
Nick Selby said...
Two clarifications:
Debate going on Twitter from @gattaca taking issue with my statement on Aurora mitigation: I said, "The cause is understood and the mitigation is as straightforward and relatively inexpensive as a trip to the dentist for a routine cleaning."

Okay, that's creative license, untrue and, I admit, flippant. What I meant was that the cause is understood and the mitigation procedures are known - that it's not a black box problem or a mystery. Hopefully my wise-assery won't stand in the way of the larger point. @shrdlu is trying to get a debate going at an IANS event, and I'm all for it.

My friend Tara also points out that while temperatures did go sub-zero Fahrenheit during the ice storm, they were not sub-zero for eight days. It was really f&@&1n cold.

Nov 27, 2009
wgragido said...
I think that until the federal regulation in the case of critical infrastructure is not an entire waste of time. Some would and do disagree; however, having assessed, audited, scolded, pleaded, been outraged by, and driven away screaming into the night by more than one utility player, I think that an authoritative body for governance is good. Especially when considering what is at risk and the interconnectivity which exists not only between corporate enterprise and SCADA environments in many of these environments (a giant no-no according to the FERC / NERC board and CIP accreditation body), but also amongst many utility providers (in some cases providers which should never touch one another, in utilities services not related to one another). It's a slippery slope, my friends, and one we're all positioned precariously on.

Do we need to have total compromise for this to be deemed a 'real' point of concern? No, not in my opinion. Do we need to see catastrophic ends occur before we're willing to acknowledge the importance of these environments? Again, I argue no. Many are opposed to regulation due to the abuse and in some cases lack of value provided by those parties responsible for governance and those tasked with enterprise stewardship. However, though that might be the case in some industries, in some verticals, I don't know that we can ignore the importance of having a stable baseline for something as critical as our critical infrastructure. Black boxes can be subverted and bypassed; people can be compromised and led astray, or worse yet not empowered (monetarily, politically, culturally) by their respective employers though they know what is right and needs to occur. Business subscribers have little choice but to deal with those utilities responsible for supplying their environments, but to Nick's point, that doesn't mean they need to or have to stand by idly waiting for someone to do the right thing. They can influence change and should look to do so.

My two cents,

Will

Nov 30, 2009
Andy Ellis said...
"Follow the money" is always a good model. Going after the consumers - even large enterprises - isn't really a winning model. Even if you can convince them to care, and spend the resources to drive utility behavior, the utilities are quite often effective monopolies, which means the power of a consumer to go elsewhere is tightly limited.

An alternate approach would be to find the errors & omissions (E&O) insurers for the utilities, who have a vested interest in the utilities not being held liable for failures such as this, and educate them. This may cause them to alter their risk calculations, driving up the cost of E&O insurance for providers who do not mitigate the vulnerabilities.
