"We lose control of our grid, that's far worse than a botnet taking over my home PC."
I am now on my 27th article focusing on critical infrastructure security starting back in May of 2010, so I thought it time for a little New Year review.
I wrote and interviewed from the perspective of actually being in the business as a recognized cybersecurity expert, advisor and speaker. Digital Communities' publishing of my articles has allowed me to disclose the problems we face and work with the best in the business, which I want to share with you.
This cybersecurity summary contains comments and quotes from past articles and is a collaboration of the real problems we face with expert opinions on how we are to rapidly obtain true cybersecurity for our critical infrastructure.
Photo: Larry Karisny
We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet Vint Cerf by saying, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet." The Internet was built as one big open collaboration messaging system using a series of numbers (IP addresses) as identifiers. Great for sharing information when there were a few hundred Internet users -- as in the early days -- but not the architecture you want to use with today's volume of Internet transactions. Even under this design, there were some amiable efforts toward security, but it has become kind of like putting a finger in the dam -- and the dam is ready to break. The biggest wake up call hit us after 9/11 when we started to review the security of our critical infrastructure and took an in-depth look at upgrading our power grid to smart networked technologies. The security vulnerabilities were shocking, and connecting them to the open Internet using legacy security technologies is not an option. It is broken and we need to fix it.
I have been accused in my past articles of hyping the problems of smart-grid security. As I have attended conferences and closed-door meetings, what I have found is just the opposite. Frankly, many cyber breaches have not been disclosed due to business reasons or national security concerns. This stuff happening now is not some cute virus that might take your family pictures. Speaking at a panel at the RSA Security Conference in San Francisco in 2010, I quoted Matthew Carpenter, senior security analyst of InGuardian as saying, "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC." Cybersecurity in critical infrastructure is a whole new ballgame with the potential of unimaginable devastation.
In a later article, Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, calculated the value of smart-grid security compared to the expense of a power-grid security breach. He compared it to plunging into the Dark Ages with the first few days being essentially inconsequential from an economic standpoint. "As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day, the economy is at 30 percent capacity. This was quite startling… emphasizing the importance of not underestimating the consequences of a prolonged failure in the grid."
Early on, I was reprimanded for calling this Cyber War because a real declaration of war needs to be approved by Congress. Call it what you want. It is real and occurring, and has the potential of stealing billions and killing millions. Leon Panetta earlier warned the Senate by stating, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems. ... If you shut down our power grid.”
If targeted cybersecurity breaches are not war, then they certainly are the perfect weapons. Minimal collateral damage while being able to specifically target what you want to take down. You can't beat that as an offensive weapon or even as a retaliatory attack method. The super viruses Stuxnet and Flame proved this, although the capability of morphing it and throwing it back at an adversary is a bit concerning. The fact of the matter is that the first shot has been fired and retaliatory responses are occurring. Sounds a lot like war to me.
I followed both broadband stimulus grants and the smart grid grants. The interesting byproduct of both grants was the realization of the terrible problem we have in securing the network systems and business processes that control our critical infrastructure. Viewing our power grid was like seeing a relative you haven't seen in 50 years, finding that they're exactly the same as they were 50 years ago, and then giving them an iPad as a gift. This is the same thing that happened when hundreds of companies started to deluge power companies with their high technology solutions that could be used upgrade the power grid. Culture shock? They didn't even share the same industry acronyms.
So what did they do with all the smart grid money? They put an intelligent device (smart meter) in millions of homes with little or no concern with security for the end user or the grid network that, in most cases, were non-existent. So have we gotten smart about security? In most cases no, and sadly, from smart grid suppliers to the power companies they serve, what I have witnessed is a lot of people either sticking their heads in the sand or passing the security hot potatoes from device to chip set to software company with no one accepting responsibility for this serious security issue. So how did industry and government work on correcting this security nightmare? Compliance, standards, certifications and mandates.
I have so many quotes on why compliance doesn't mean you are secure I am not sure where to start. Bob Lockhart, Pike Research; Patrick C. Miller president and CEO of EnergySec; and Eric Gunther, CTO and co-founder of EnerNex have all clearly stated to me that compliance does not mean our systems are secure. In a recent ICS Cybersecurity conference hosted by Joe Weiss, CEO of Applied Control Solutions and the 12-year conference coordinator and expert in the cybersecurity of industrial control systems, discussed the pros and cons of these well-intended oversight organizations. In his conference discussions, he recognized the value of these organizations, but also referred to a government release document that specifically disclosed the most vulnerable areas in the power grid. This is what happens when you get 1,000 eyes on things and with hundreds of meetings often requiring public disclosure.
I attended a cybersecurity conference UTC Telecom 2012 where keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in their knowledge of cybersecurity. One or two hands went up out of the more than 500 in the audience. Weatherford responded by saying we need to prepare our work force and find talent "to prepare the next generation for cybersecurity. Gaps in talent mean gaps in security." The issues of cybersecurity are clearly a public/private issue requiring absolute cooperation from both sectors if we are to achieve national security.
We even run into the problem of how to secure the intellectual property of cyber-security. In a recent interview, DC patent attorney Ted Wood, who leads the Parks IP Law Grid Industry Group, stated, “The tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key intellectual property by filing for patents early in the development process." He went on to say that Washington already recognizes the urgent need for effective cybersecurity. "But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats”
To understand how cybersecurity works today, you need to know two security disciplines. Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). One of the best definitions I found wasIDS vs. IPS Explained. Both systems are plagued with problems that require new security architectures. No more band aids. We need serious change in both architectures. First let's look at IPS.
The biggest problem with IPS is that they use encryption keys that are stored and managed. Remember what Vint Cert said about authentication. The Internet was an open architecture never really designed for authentication. Secondly, stored keys have been mismanaged for a long time and can get lost -- even stolen -- right out of the RSA and also seen on networks. Recent theft of RSA keys even put Department of Defense contractors like Lockheed Martin in jeopardy from targeted nation-state attacks. The problem with current security architectures is that they are doomed to failure due to their designs offering at best patches rather than real security.
Current IDS solutions watch data and then notify concerns of potential intrusions using historical database information. In the real-time world of data streaming, this historical approach is not adequate. Even worse is when an authorized individual takes an improper action in the business process. Current IDS solution would in most cases consider this an acceptable data input. If Intrusion detection is to be accurate, it must watch both data and human process actions. Current IDS solutions are adding limited solutions to these human actions in what they call white boarding but even these approaches are limited, expensive and based on historical data which may be too late.
In a recent Government Technology magazine year-end review, A Summary of The Top 2013 Cybersecurity Predictions, Michigan CSO Dan Lohrmann surfed the Net looking for the top blogs and articles that both recap online security trends from the past year, as well as offer new cybersecurity predictions for the coming year. The vendor responses seem to be a litany of expected breaches.
My concern is the lack of response as to solutions that will effectively detour these attacks. Actually, if these solutions were working properly, who would even care about these attacks? We need simple, impenetrable security that can, in real time, lock out and detect cyber attacks. We cannot effectively do it using current security architectures.
No more tricky fixes
There is no secret that today’s security technologies are made with back doors. This has been done intentionally for years in both the public and private sectors. There are practical reasons like that time you forgot your password and had to tell which dog you liked best or try to remember the spelling of your mother’s maiden name to gain access. Back doors are also sometimes inserted purposely by the developer for debugging reasons. There are national security mandates and industry requirements that are put in all trying to find that perfect balance between security and getting in when they need to. It’s a tough balance, but we need to start somewhere, and I think machine-to-machine (M2M) applications in critical infrastructure are a good start.
The problem with back doors in security is that today’s software and even physical chip set acid baths can detect them. The magnitude and concern for these security back doors is so great that DARPA has designed software to find and fix these security hatches. The master of back doors in security -- the NSA -- is ready to release Perfect Citizen, which was designed to detect cyber assaults on things like power grids, nuclear plants and other critical infrastructure.With hundreds of smart phone apps and new Internet-of-Things devices creating new M2M applications every day, we can’t start fast enough to minimally target where impenetrable and complete security solutions must be deployed.
As a security consultant and advisor, I have been able to review lots of cybersecurity designs. When searching for the best solutions, I tried to keep my eyes open for new approaches rather than just putting patches on the same old stuff. The general criteria was to find an impenetrable prevention security solution that also offered real-time detection and prediction capabilities that would be inexpensive, easy to manage and easy to deploy. To keep from the faulty designs of the past, I found I needed some changes in the approach to cybersecurity. The result of my search was meeting some pretty smart people that used a combination of complexity and common sense in developing their new security architectures. Here are the pieces to the puzzle.
I earlier discuss the problems with encryption keys is viewing them on the network, theft and mismanagement. This is a big problem with current solutions that are just waiting for more problems. A start to the correction of these problems was discussed in my earlier interview Cybersecurity and 'Smart Encryption' with Prem Sobel, who solved the encryption key problem by creating what he called "a random data generator that generates-destroys-recreates keys and passwords on demand." It's kind of like giving your keys to the whole neighborhood to use, then changing the locks in milliseconds while you are asking for the keys back so your can reuse them. Try opening that door." A little common sense with a lot of math, and Sobel's solution has stunned the world of cryptography. He continued by saying that his security solutions “were pen-tested by the best -- including some noted hackers in Ukraine and Russia.”
In another recent interview article, Cybersecurity in Today's World, Curt Massey added another critical piece to security, offering the ultimate in common sense security. His company’s solution, “You can’t attack what you can’t see … or touch". So Massey's people made their security solution invisible to hackers, and invited an eclectic and diverse group of highly skilled pentesters and outright hackers to give it their best efforts to penetrate it. One shadowy hacker’s response was quite telling: “I don’t have time for fake targets, plug wire into Internet.” The "fake target" was a series of live servers sending a data-rich stream into the "wild" Internet and back; unauthorized hackers just can’t see or affect a network thus protected. Massey added that, "most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it. We refused to accept that premise."
The final piece of the puzzle was to find a real-time IDS solution detecting both man and machine security breaches simultaneously and in real time. This tough but necessary requirement to achieve cybersecurity led me to Toronto, where I found inventor and security pioneer Rajeev Bhargava.
Bhargava took a completely different look at cyber-security. In my interview article with him, A New Way of Detecting Cybersecurity Attacks, he discussed his patented invention of using anomaly detection for real-time viewing and securing business process actions not just data. "We need to stop looking at zeros and ones and recognize that a digitally enhanced action is just an extension of a human action, and they must be viewed simultaneously if we are to achieve true security," he said. "With our solution, a single event (live data element) can be checked for anomaly instantly and acted upon.... with current IDS solutions, the context is not the business process but rather the IT analyst or mathematicians who generate the rules, patterns and algorithms."
There is not a security publication that I have read that is not predicting an increase in cybersecurity attacks this year. Legacy security solutions are showing that they were never meant to scale to the volumes of interactions occurring in today information age. These older security solutions are becoming too complex, too expensive, can’t scale and are too difficult to manage. We must look in terms of new security architectures if we are to rapidly achieve the required cybersecurity solution we need today, especially in the protection of our critical infrastructure. It may not be as hard as you think, and is immediately available to people who are willing to listen to new approaches from very smart people who just added a little common sense to security.
Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.