Cyber Security News


Column: Google Cybersecurity, Hack or Help?



April 22, 2013 By Larry Karisny
 
Google has a perfect opportunity to be a leader in cybersecurity.
From the company's Android OS, to the purchase of Motorola, to the new gigabit fiber optic network to be built in Austin, Texas, to its recent hiring of Peiter "Mudge" Zatko from the Defense Advanced Research Projects Agency (DARPA), this combination of Google intellectual property -- together with the telecom intellectual property all over Austin, Texas -- could be a perfect meeting of money and minds in creating a secure smart city.

When it comes to intelligent traffic systems sending avoidance collision warnings and keeping the power grid operating -- and everything in between -- it’s time for corporate citizens to step up to the plate and responsibly address urban cyber security. If Google plans on being the financial beneficiary of billions of devices, running millions of apps on a new gigabit fiber optic network, then it also needs to take on the upfront responsibility and expense in securing these networks, devices and apps.
And right now, the Android OS and the many apps that run on it could not be further from secure.

The New Enterprise Security Threat

From hacking to hijacking enterprise networks to apps that steal apps, the Android has become a hackers' OS and device of choice. In fact, just to make it a little easier for everyone, even network exploit kits are now available, as is a top 10 list for hackers and penetration testers. This stuff isn’t funny, though. Using tools like this to breach an enterprise network means a lot of different things to many people. It is not about the enterprise -- it is the intellectual property that is kept in an enterprise. My recent interview with professional cybersecurity investigator Tom Quilty made it clear that intellectual property, and even state secrets, may be vulnerable sitting in an enterprise network server.

Taking this one step further, if the enterprise is a control system on an aircraft, then could an Android device be used to, let's say remotely access the controls of an airplane?
Such a situation was actually demonstrated at a presentation given at the Hack in the Box security conference in Amsterdam by Hugo Teso, a security consultant at n.runs in Germany, and is still being debated. To put final emphasis on the seriousness of Android smartphones in the enterprise, the recent popularity of bring your own device (BYOD) is flooding these devices into every enterprise and control system, and already overburdened enterprise managers are sending out the security warnings. Even the Army wants to use smartphones, but has shown recent security concerns in using the devices. We need to understand the smartphone is not just a phone -- it is a PC or even a personal enterprise network device with a lot of power and capabilities.

Current Mobile Security Suites Not Enough

How is Google's Android addressing these security issues today? With another app, of course. So now we have bundled smartphone security solutions reused from old PC security solutions -- that really needed some significant improvement in the first place.
For instance, let’s look at the 2013 Best Mobile Security Software Comparisons and Review. The review refers to a list of security features with new smartphone security marketing features such as "real-time protection," "phone app scanners" and "locate and track" lost phones.

If you know how viruses and malware are detected, then you understand there are thousands of new ones found every day that are first stored and analyzed, then potentially blocked. This kind of security process defies the ability to call this feature "real time." And some also say it may be time to dump anti-virus as endpoint protection.
Scanning and detecting phone apps is no different from scanning a download on your PC. With 1 million available apps for Android, a security app that makes sure these apps are doing only what they are supposed to be doing is needed.
As for the locate & track lost phone feature, is it my phone being tracked or is it me? I don't even see the word firewall or encryption in the list of security protection and feature listings for any of the mobile security software companies. I also don't see any apps that secure other apps. There are a lot of concerns with these, the first of which starts in mobile smartphone security. Ultimately, however, at least there's a recognition that these devices will increasingly become our next cybersecurity problem.

Why Are We not Secure?

Cybersecurity problems are just becoming recognized and are getting worse for two reasons.
Neither the Internet nor software was built with security in mind, so we've been trying to put Band-Aids on it since its inception. The Internet was made for global collaboration, not user authentication. Software was designed to do something, not validate what it is doing.
In fact, a recent survey by Dell SonicWall stated that 68 percent of all businesses reported that employees cannot identify fraudulent attacks on the corporate network. A recent survey of 165,000 employees showed 93 percent of workers knowingly violate policies designed to prevent data breaches. This is not a good start when we're attempting to interconnect our cities' critical infrastructure while adding intelligence and applications to our mobile networks at alarming rates.

We need new security architectures if we expect to effectively address these problems. These new local networks will need to support local Internet applications serving our smart communities for years to come. The applications they will run are projected to be larger in use than today’s entire existing Internet -- and legacy security solutions will not be able to address the magnitude of these new security requirements.

Public-Private Secured Networks Are Needed

So how can we deploy new security architectures?
A good start would be to slice and dice our networks so we can offer prioritized, authenticated security access to public safety, transportation and critical infrastructure. I work with companies that have the ability to cloak authenticated data using multiple encryption algorithms that can change in milliseconds. This would allow multi-agency, multi-network authentication that could securely share a single network infrastructure supporting both the public and private sector. This is a good start, but it needed to be done yesterday. Still, authentication and network security alone will not secure against breaches by authenticated humans or the billions of increasing software and business process application events that run on it.

Anomaly Detection Needed at the Data Input Level

To prepare and protect from the massive growth in social media, mobile applications, BYOD and multimedia files flowing through municipal control systems and enterprise networks, an entirely new technology is needed. Advanced technology such as secure anomaly event detection, audit and blocking at the data input level is required. This available technology has proven effective in not only securing at the application software level (where we increasingly find today’s breaches), but it also can audit and economically refine business process events offering tremendous efficiency savings.
In anomaly detection, security just becomes a byproduct of its capabilities. The key is we need to start understanding networks, devices, application software and business process event security in totality if we are to achieve maximum security. We are being attacked from all of these levels at staggering rates, and deploying these security technologies must be done now before we move on to building additional network and application intelligence in our critical city infrastructures.
Not addressing security was a major factor in slowing down the smart grid. We should not repeat the same mistake.

Perfect Place, Perfect Timing

Google’s recent network -- and acquisitions and hires -- in Austin, Texas, is an opportunity to do security right the first time. The days of bolt-on security are gone. We need to deploy new cybersecurity architectures upfront. We have been trying to figure out how to properly design and secure municipal networks for the last decade. Our critical infrastructure, transportation and safety will depend on these networks and network applications for many years to come.

Just as Google boasts tech smarts, so too does Austin. And there are security experts waiting to help with solutions in hand. This new gigabit network could be more than just blazing fast -- it could be used as a learning tool to make our local networks rock solid secure.

So let me end with a call out to Mudge in his new job. I have the perfect project for your new position with Google/Motorola Mobility's Advanced Technology & Projects, whose mission is to "deliver breakthrough innovations to the company's product line on seemingly impossible short time frames." It is a security project with a company called Google.

Larry Karisny is the director of ProjectSafety.org, a cyber security expert, advisor, consultant, writer and industry speaker focusing on security solutions for mobility, the smart grid and municipal critical infrastructure.

Common Sense Cybersecurity



January 9, 2013 By
 
I am now on my 27th article focusing on critical infrastructure security starting back in May of 2010, so I thought it time for a little New Year review.

I wrote and interviewed from the perspective of actually being in the business as a recognized cybersecurity expert, advisor and speaker. Digital Communities' publishing of my articles has allowed me to disclose the problems we face and work with the best in the business, which I want to share with you.
This cybersecurity summary contains comments and quotes from past articles and is a collaboration of the real problems we face with expert opinions on how we are to rapidly obtain true cybersecurity for our critical infrastructure.

 

The Problem with Securing the Internet is the Internet

Photo: Larry Karisny
We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet Vint Cerf by saying, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet." The Internet was built as one big open collaboration messaging system using a series of numbers (IP addresses) as identifiers. Great for sharing information when there were a few hundred Internet users -- as in the early days -- but not the architecture you want to use with today's volume of Internet transactions. Even under this design, there were some amiable efforts toward security, but it has become kind of like putting a finger in the dam -- and the dam is ready to break. The biggest wake up call hit us after 9/11 when we started to review the security of our critical infrastructure and took an in-depth look at upgrading our power grid to smart networked technologies. The security vulnerabilities were shocking, and connecting them to the open Internet using legacy security technologies is not an option. It is broken and we need to fix it.

 

Targeted Cyber Attacks are not Hype, They are Real

 

I have been accused in my past articles of hyping the problems of smart-grid security. As I have attended conferences and closed-door meetings, what I have found is just the opposite. Frankly, many cyber breaches have not been disclosed due to business reasons or national security concerns. This stuff happening now is not some cute virus that might take your family pictures. Speaking at a panel at the RSA Security Conference in San Francisco in 2010, I quoted Matthew Carpenter, senior security analyst of InGuardian as saying, "The cost factor here is what's turned on its head. We lose control of our grid, that's far worse than a botnet taking over my home PC." Cybersecurity in critical infrastructure is a whole new ballgame with the potential of unimaginable devastation.

In a later article, Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, calculated the value of smart-grid security compared to the expense of a power-grid security breach. He compared it to plunging into the Dark Ages with the first few days being essentially inconsequential from an economic standpoint. "As you approach the fifth day, however, things change quickly. There is a precipitous drop in economic activity, and by the seventh day, the economy is at 30 percent capacity. This was quite startling… emphasizing the importance of not underestimating the consequences of a prolonged failure in the grid."

 

Cyber War has Started

 

Early on, I was reprimanded for calling this Cyber War because a real declaration of war needs to be approved by Congress. Call it what you want. It is real and occurring, and has the potential of stealing billions and killing millions. Leon Panetta earlier warned the Senate by stating, “The next Pearl Harbor we confront could very well be a cyber attack that cripples our grid, our security systems, our financial systems, our governmental systems. ... If you shut down our power grid.”
If targeted cybersecurity breaches are not war, then they certainly are the perfect weapons. Minimal collateral damage while being able to specifically target what you want to take down. You can't beat that as an offensive weapon or even as a retaliatory attack method. The super viruses Stuxnet and Flame proved this, although the capability of morphing it and throwing it back at an adversary is a bit concerning. The fact of the matter is that the first shot has been fired and retaliatory responses are occurring. Sounds a lot like war to me.

 

Stimulus Grants Vs Stimulus Smart Grid Grants

 

I followed both broadband stimulus grants and the smart grid grants. The interesting byproduct of both grants was the realization of the terrible problem we have in securing the network systems and business processes that control our critical infrastructure. Viewing our power grid was like seeing a relative you haven't seen in 50 years, finding that they're exactly the same as they were 50 years ago, and then giving them an iPad as a gift. This is the same thing that happened when hundreds of companies started to deluge power companies with their high technology solutions that could be used to upgrade the power grid. Culture shock? They didn't even share the same industry acronyms.

So what did they do with all the smart grid money? They put an intelligent device (smart meter) in millions of homes with little or no concern with security for the end user or the grid network that, in most cases, were non-existent. So have we gotten smart about security? In most cases no, and sadly, from smart grid suppliers to the power companies they serve, what I have witnessed is a lot of people either sticking their heads in the sand or passing the security hot potatoes from device to chip set to software company with no one accepting responsibility for this serious security issue. So how did industry and government work on correcting this security nightmare? Compliance, standards, certifications and mandates.

 

Compliance, Standards, Certifications and Mandates will not Produce Cybersecurity

 

I have so many quotes on why compliance doesn't mean you are secure that I am not sure where to start. Bob Lockhart, Pike Research; Patrick C. Miller, president and CEO of EnergySec; and Eric Gunther, CTO and co-founder of EnerNex have all clearly stated to me that compliance does not mean our systems are secure. At a recent ICS Cybersecurity conference, host Joe Weiss, CEO of Applied Control Solutions, the 12-year conference coordinator and an expert in the cybersecurity of industrial control systems, discussed the pros and cons of these well-intended oversight organizations. In his conference discussions, he recognized the value of these organizations, but also referred to a government release document that specifically disclosed the most vulnerable areas in the power grid. This is what happens when you get 1,000 eyes on things, with hundreds of meetings often requiring public disclosure.

I attended a cybersecurity conference UTC Telecom 2012 where keynote speaker Mark Weatherford, deputy undersecretary for cybersecurity for the National Protection and Programs Directorate (NPPD) at the Department of Homeland Security, asked who felt competent in their knowledge of cybersecurity. One or two hands went up out of the more than 500 in the audience. Weatherford responded by saying we need to prepare our work force and find talent "to prepare the next generation for cybersecurity. Gaps in talent mean gaps in security." The issues of cybersecurity are clearly a public/private issue requiring absolute cooperation from both sectors if we are to achieve national security.

We even run into the problem of how to secure the intellectual property of cyber-security. In a recent interview, DC patent attorney Ted Wood, who leads the Parks IP Law Grid Industry Group, stated, “The tendency to rely only on trade secret protection for all cybersecurity and encryption innovations may be too risky. So wherever possible, companies should protect their key intellectual property by filing for patents early in the development process." He went on to say that Washington already recognizes the urgent need for effective cybersecurity. "But we must more efficiently harness American ingenuity to address the challenges we are facing in defending our critical infrastructure, especially the power grid, from cyber threats”

 

The Problems with Today's Security Solutions

 

To understand how cybersecurity works today, you need to know two security disciplines: Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS). One of the best definitions I found was IDS vs. IPS Explained. Both systems are plagued with problems that require new security architectures. No more Band-Aids. We need serious change in both architectures. First let's look at IPS.

The biggest problem with IPS is that they use encryption keys that are stored and managed. Remember what Vint Cerf said about authentication. The Internet was an open architecture never really designed for authentication. Secondly, stored keys have been mismanaged for a long time and can get lost -- even stolen -- right out of RSA, and also seen on networks. The recent theft of RSA keys even put Department of Defense contractors like Lockheed Martin in jeopardy from targeted nation-state attacks. The problem with current security architectures is that they are doomed to failure due to their designs offering at best patches rather than real security.

Current IDS solutions watch data and then raise alerts about potential intrusions using historical database information. In the real-time world of data streaming, this historical approach is not adequate. Even worse is when an authorized individual takes an improper action in the business process. Current IDS solutions would in most cases consider this an acceptable data input. If intrusion detection is to be accurate, it must watch both data and human process actions. Current IDS solutions are adding limited coverage of these human actions in what they call white boarding, but even these approaches are limited, expensive and based on historical data, which may be too late.

In a recent Government Technology magazine year-end review, A Summary of The Top 2013 Cybersecurity Predictions, Michigan CSO Dan Lohrmann surfed the Net looking for the top blogs and articles that both recap online security trends from the past year, as well as offer new cybersecurity predictions for the coming year. The vendor responses seem to be a litany of expected breaches.
My concern is the lack of response as to solutions that will effectively detour these attacks. Actually, if these solutions were working properly, who would even care about these attacks? We need simple, impenetrable security that can, in real time, lock out and detect cyber attacks. We cannot effectively do it using current security architectures.

 

No more trick fixes

 

There is no secret that today’s security technologies are made with back doors. This has been done intentionally for years in both the public and private sectors. There are practical reasons like that time you forgot your password and had to tell which dog you liked best or try to remember the spelling of your mother’s maiden name to gain access. Back doors are also sometimes inserted purposely by the developer for debugging reasons. There are national security mandates and industry requirements that are put in all trying to find that perfect balance between security and getting in when they need to. It’s a tough balance, but we need to start somewhere, and I think machine-to-machine (M2M) applications in critical infrastructure are a good start.

The problem with back doors in security is that today’s software and even physical chip set acid baths can detect them. The magnitude and concern for these security back doors is so great that DARPA has designed software to find and fix these security hatches. The master of back doors in security -- the NSA -- is ready to release Perfect Citizen, which was designed to detect cyber assaults on things like power grids, nuclear plants and other critical infrastructure. With hundreds of smart phone apps and new Internet-of-Things devices creating new M2M applications every day, we can’t start fast enough to minimally target where impenetrable and complete security solutions must be deployed.

 

Real People, Real Cybersecurity Solutions

 

As a security consultant and advisor, I have been able to review lots of cybersecurity designs. When searching for the best solutions, I tried to keep my eyes open for new approaches rather than just putting patches on the same old stuff. The general criteria was to find an impenetrable prevention security solution that also offered real-time detection and prediction capabilities that would be inexpensive, easy to manage and easy to deploy. To keep from the faulty designs of the past, I found I needed some changes in the approach to cybersecurity. The result of my search was meeting some pretty smart people that used a combination of complexity and common sense in developing their new security architectures. Here are the pieces to the puzzle.

I earlier discussed the problems with encryption keys: viewing them on the network, theft and mismanagement. This is a big problem with current solutions that are just waiting for more problems. A start to the correction of these problems was discussed in my earlier interview Cybersecurity and 'Smart Encryption' with Prem Sobel, who solved the encryption key problem by creating what he called "a random data generator that generates-destroys-recreates keys and passwords on demand." It's kind of like giving your keys to the whole neighborhood to use, then changing the locks in milliseconds while you are asking for the keys back so you can reuse them. Try opening that door. A little common sense with a lot of math, and Sobel's solution has stunned the world of cryptography. He continued by saying that his security solutions “were pen-tested by the best -- including some noted hackers in Ukraine and Russia.”

In another recent interview article, Cybersecurity in Today's World, Curt Massey added another critical piece to security, offering the ultimate in common sense security. His company’s solution, “You can’t attack what you can’t see … or touch". So Massey's people made their security solution invisible to hackers, and invited an eclectic and diverse group of highly skilled pentesters and outright hackers to give it their best efforts to penetrate it. One shadowy hacker’s response was quite telling: “I don’t have time for fake targets, plug wire into Internet.” The "fake target" was a series of live servers sending a data-rich stream into the "wild" Internet and back; unauthorized hackers just can’t see or affect a network thus protected. Massey added that, "most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it. We refused to accept that premise."
The final piece of the puzzle was to find a real-time IDS solution detecting both man and machine security breaches simultaneously and in real time. This tough but necessary requirement to achieve cybersecurity led me to Toronto, where I found inventor and security pioneer Rajeev Bhargava.

Bhargava took a completely different look at cyber-security. In my interview article with him, A New Way of Detecting Cybersecurity Attacks, he discussed his patented invention of using anomaly detection for real-time viewing and securing business process actions not just data. "We need to stop looking at zeros and ones and recognize that a digitally enhanced action is just an extension of a human action, and they must be viewed simultaneously if we are to achieve true security," he said. "With our solution, a single event (live data element) can be checked for anomaly instantly and acted upon.... with current IDS solutions, the context is not the business process but rather the IT analyst or mathematicians who generate the rules, patterns and algorithms."
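The distinction drawn under The Problems with Today's Security Solutions, and again in Bhargava's remarks above, is between a check that looks only at the data fields of an event and one that judges each event against the state of the business process it belongs to. The following Python is an added illustration of that distinction, written for this page; it is not the column's code and not the product of any vendor the column mentions. The three-step payment workflow (create, approve by a different user, release), the authorized-user list and the sample events are all constructed assumptions.

```python
"""Data-only check versus per-event business-process check.

Added example for this page (not the column's or any vendor's code).
The workflow rules, user list and events below are constructed.
"""

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    {"id": 1, "actor": "alice",   "action": "create",  "payment": "P-100", "amount": 2500},
    {"id": 2, "actor": "bob",     "action": "approve", "payment": "P-100", "amount": 2500},
    {"id": 3, "actor": "alice",   "action": "release", "payment": "P-100", "amount": 2500},
    {"id": 4, "actor": "alice",   "action": "create",  "payment": "P-101", "amount": 90000},
    {"id": 5, "actor": "alice",   "action": "approve", "payment": "P-101", "amount": 90000},  # approves her own request
    {"id": 6, "actor": "alice",   "action": "release", "payment": "P-101", "amount": 90000},  # released without a valid approval
    {"id": 7, "actor": "bob",     "action": "release", "payment": "P-102", "amount": 400},    # payment never created
    {"id": 8, "actor": "mallory", "action": "approve", "payment": "P-100", "amount": 2500},   # actor not on the list
]

# Hypothetical authorization data a data-only check would consult.
AUTHORIZED_USERS = {"alice", "bob"}
VALID_ACTIONS = {"create", "approve", "release"}


def data_only_check(event):
    """Looks at the fields of one event in isolation, the way a static
    allowlist or signature lookup would. Returns a reason string or None."""
    if event["actor"] not in AUTHORIZED_USERS:
        return "unknown actor"
    if event["action"] not in VALID_ACTIONS:
        return "invalid action"
    return None


class ProcessMonitor:
    """Checks every event, as it arrives, against the workflow state of the
    payment it refers to. Authorized users doing out-of-process actions are
    flagged even though each field on its own looks acceptable."""

    def __init__(self):
        # payment id -> {"creator": user, "approver": user or None, "released": bool}
        self.state = {}

    def check(self, event):
        data_problem = data_only_check(event)
        if data_problem:
            return data_problem
        pid, actor, action = event["payment"], event["actor"], event["action"]
        rec = self.state.get(pid)
        if action == "create":
            if rec is not None:
                return "duplicate create"
            self.state[pid] = {"creator": actor, "approver": None, "released": False}
            return None
        if rec is None:
            return f"{action} without create"
        if action == "approve":
            if actor == rec["creator"]:
                return "self-approval"
            if rec["approver"] is not None:
                return "duplicate approve"
            rec["approver"] = actor
            return None
        # action == "release"
        if rec["approver"] is None:
            return "release without approval"
        if rec["released"]:
            return "duplicate release"
        rec["released"] = True
        return None


def flagged_event_ids(events, checker):
    """Run a checker over an event stream; return ids of the events it flags."""
    return [e["id"] for e in events if checker(e) is not None]


if __name__ == "__main__":
    print("data-only check flags:", flagged_event_ids(SAMPLE_EVENTS, data_only_check))
    print("process monitor flags:", flagged_event_ids(SAMPLE_EVENTS, ProcessMonitor().check))
```

On the constructed stream the data-only check flags only the unknown actor (event 8); the process monitor additionally flags the self-approval, the release that followed it, and the release of a payment that was never created, each at the moment that single event arrives rather than after a later batch review. The monitor must keep state per payment, which is the cost of checking the process rather than the data.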

 

Conclusion

 

There is not a security publication that I have read that is not predicting an increase in cybersecurity attacks this year. Legacy security solutions are showing that they were never meant to scale to the volumes of interactions occurring in today's information age. These older security solutions are becoming too complex, too expensive, can’t scale and are too difficult to manage. We must look in terms of new security architectures if we are to rapidly achieve the required cybersecurity solution we need today, especially in the protection of our critical infrastructure. It may not be as hard as you think, and it is immediately available to people who are willing to listen to new approaches from very smart people who just added a little common sense to security.

Larry Karisny is the director of ProjectSafety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Cybersecurity in Today's World



Image courtesy of pcbdesign.org
 
December 27, 2012 By
Curt Massey spent an entire 35-year career protecting our national security. His military service, civilian law enforcement, corporate security and military contracting experiences have imbued him with the unpleasant knowledge of our core vulnerabilities and a visceral drive to build a team capable of finding answers to questions most don’t even want to ask. “Look, it’s my team," Massey has said, ”they don’t see impossible, they see challenges which they are eager to overcome -- they are saving the world, I just juggle cats.”
A visionary and entrepreneur, Massey now leads STT's strategic direction. Here is what he had to say about today’s world of cybersecurity.

It seems we are suddenly being hit with all sorts of cybersecurity breaches. In general, what seems to be the problem?

Photo: Curt Massey
In my opinion, we aren’t suddenly being hit with cybersecurity breaches; they are just being reported on a much more frequent basis than in the past. With stockholders and political pitfalls to worry about, many corporations and government entities under-reported cyber attacks and losses until the effects and potential for catastrophic harm have just become too obvious to ignore. Add to that equation the fact that more and more of our critical infrastructure has moved online, and you suddenly have a great plethora of ripe targets whose value continues to increase exponentially.

What is a typical breach and why don’t current security solutions address it?

I hate to say this, but I don’t see a "typical" breach; cyber-crime and cyber-warfare (yes, we are under attack right now) attacks are now directed across all possible targets; basically any machine hooked to the Internet. The techniques used in these attacks haven’t changed; there have been new cyber-crime tools and devices that incrementally increase efficiency and the ease of use for these criminals and national enemies, but all the possible basic means of attack are known and they utilize the same attack vectors. These are the same security holes and flaws that have been with us since prior to the commercialization of the Internet. The major computer/Internet security players attempt to mitigate damage by treating the symptoms, while doing nothing to address the disease. Like prescribing aspirin for headaches while ignoring the tumor that is killing the patient.

Will standards, certifications and compliance address these problems?

No. I will accept that they are well-intentioned, but standards, certifications and compliance are part of the problem. They are the prime reason that all the industry and government experts state that you cannot stop a determined hacker from compromising your network. Standards, certifications and compliance force you to keep an inherently insecure system insecure. If you go all the way back to a nascent ARPANET and follow its incremental development from 1974 to just prior to commercialization in the early 1990s, you find that it was a trusted network, there were no "strangers" involved and it was designed to maximize redundancy during a period where computers were unreliable. The fact of the matter is that the Internet was designed from the ground up to be open, and the practical result of that is the inherent insecurity we see today. The warnings and pleas by the true pioneers of the Internet to address security flaws were completely ignored in the rush to commercialize it.

What is the newest problem that has been found in foreign manufactured chip sets?

Once again, a beast of our own making; after the vast majority of our chip-manufacturing capacity was driven overseas, China -- ever industrious and ever serious about their own national security -- got into the chip-manufacturing business in a very large way. Years later we find that a great many of our computers and other machines and devices that use microchips -- that could be virtually everything -- are "infected" with rogue chips. These rogue chips are malevolently hard-coded with routines that automatically begin communicating to China’s, and other countries’, cyber-warfare commands, which can also send instructions to these rogue chips. We can’t just replace these millions of chips, as we no longer have the capacity to produce them and, not so shockingly, China and others will not allow us to put inspectors in their chip-manufacturing supply chain.

So, yes, we are now forced to rely on the good will of China and other foreign chip suppliers as part of our national security policy; I’m not very comfortable with that.

Are the Russians and Chinese that good or are we just that bad?

The same conditions that enable self-educated children to hack into the Pentagon make cyber-crime and cyber-war "low hanging fruit;" it’s cheap, it’s easy and, for some bizarre reason, there is a great deal of prestige attached. Anybody can acquire the knowledge and tools to penetrate systems hampered by adherence to current standards, certifications and compliance. If you just enter "hacking," or more properly, "cracking" as a search term online, you are well on your way to becoming a world-class hacker.

Have you ever been breached, in any way, by any of the penetration testers or outright hackers who have gone up against your technology?

No. You can’t attack what you can’t see … or touch.

What is so different about your security approach and why does it work?

Most of humanity seems to believe that hacking will always be with us; popular culture, movies, books -- all just accept that we will forever be afflicted with it.

We refused to accept that premise.

We devoted a huge amount of research into exactly what makes the Internet insecure and found that the answer was right there for anybody with an open mind who cared to invest a little time. We identified the inherent flaws and determined methods to fix them. Our approach was simple in concept, but excruciatingly difficult and complex in execution. We had to be able to "plug the inherent security holes" and ignore the protocols and standards that promulgate an insecure Internet. But our technology also had to still be able to function seamlessly and flawlessly within that same environment and do so in such an efficient and faultless manner so as to run unnoticed by the user and incur negligible performance hits on average computers. It needed to be redundant, self-healing and not interfere with existing network infrastructure.

We have achieved our goals. A properly configured STTealth network is impenetrable from external and internal cyber-attack. Our messaging component is orders-of-magnitude more advanced, stable and … private than any other technology in existence.

Oh, and those rogue chips? They are completely emasculated and isolated; we also identify machines thus affected.

Where do you see IPS security going in the next few years and where are the roadblocks occurring?

We will truly solve the issue for those smart and agile enough to incorporate our technology. Many, of course, will continue to keep their heads in the sand and will find that, as more networks become unassailable by virtue of our technology, they will become the focus for continually increasing attacks. Many haven’t been attacked simply because the Internet is such a target-rich environment.
As far as the roadblocks, once again, standards, certifications and compliance; that and the fact that people are stuck in this "punch, counter-punch" mentality of reacting after their current, very expensive IPS is broken and then buying the next, very expensive version and on and on, ad nauseam. This scenario certainly makes some players a lot of money, but it will never solve the problem.

I do believe that we will all look back on the era from the early 90s until today as a very strange time when we allowed the very conditions to exist that enabled widespread cyber-crime and cyber-war.

Cybersecurity and 'Smart Encryption'


December 19, 2012 By
 
Paul “Prem” Sobel holds a Caltech master of science in electrical engineering and has dedicated a 40-year career to protecting mission-critical systems.
He worked with IBM, NASA, Northrop and Intel before launching MerlinCryption LLC, where he developed a variable-key-length encryption scheme that the company describes as exponentially stronger than existing ciphers and markets as the Smart-World’s Smart-Encryption.
In this edited interview, Sobel discusses encryption and other security technologies and critical infrastructure vulnerabilities.

Where are we today in encryption methodologies architecture?




Since World War II, increasingly sophisticated encryption algorithms have been developed, with early key sizes starting at 16 bits and growing to 512 bits. Computer speed, with the use of statistical analysis, cryptanalysis, mathematical and brute-force techniques, has broken, and will continue to break, these encryption algorithms.

Where do you see current major legacy encryption architectures in supporting future requirements?

DES, RSA, SSL and AES algorithms produce simple key strands, which continually repeat in cyphertext.
Current encryption methods also require that keys are transmitted by known mechanisms between end points, which are easily intercepted or spoofed. These two inherent weaknesses explain why a criminal’s attack of choice is against the key. The next generation of encryption must eliminate these two major risks. The new Anti-Statistical Block Encryption (ASBE) utilizes variable-length keys that scale between 2008 bits and 2 GB, which are reinforced by variable-length passwords up to 64KB.
The ASBE method uses a random data generator that generates-destroys-recreates keys and passwords on demand, making key/password transfer between end points unnecessary. The communication and storage of encryption keys and passwords are also not needed, which circumvents criminal interception.

Future requirements will also dictate a more simple and inexpensive key management system. Today’s Public Key Infrastructure (PKI) is economically and operationally an albatross. Research shows that organizations spend between $47 and $5,921 for the creation, distribution and maintenance of each PKI key in use. PKI management involves certificates, registration authority, directory management, central key deposit, external validation and protocol. Future encryption methods must find alternatives to secure key communication and management.

Can Intrusion Prevention System (IPS) security put us on a catastrophic path of the whole security architecture collapsing?

IPS architects must secure against external attacks and insider attacks. The approach is different for each threat. External attacks can be thwarted with strong whitelisting and using advanced authentication. Two- and three-factor authentication is not enough. Airtight multi-factor requires validating both people and machines over and above the “something known,” “something physically possessed,” and “something unique” that the industry typically uses today. MerlinCryption also employs “something temporary,” which increases authentication to 10 and more factors. All authentication data (both inbound and outbound) needs to be strongly encrypted.

Sophisticated internal espionage may overcome typical two-factor authentication. Again, the use of additional factors and something temporary fortifies prevention. A stealthy security system against insider attacks must encompass data-at-rest, data-in-motion, data-in-use and data-in-change. Real-time data change can be protected with an encrypted in-memory solution. Monitoring and recording activity helps identify the source of foul play. Using strong encryption, with larger variable-length keys, derails system compromise.

What characteristics would you suggest to look for when selecting a solid IPS security solution?

An airtight security process must not only deny access, but also secure data integrity while alerting operators of foul play. Instead of requiring every smart grid node to be capable of detecting intrusion, it is recommended to use multi-factor time-varying authentication and strong encryption with larger, variable-length keys. Keys that require no transfer are most advantageous. Additionally, it is an optimal strategy to have a separate system, which monitors for and reports intrusions on the smart grid networks.

Built-in whitelisting can enable which code is allowed to communicate or cause critical actions. This security measure not only prevents but also alerts of an attempted violation of the whitelist.

We are putting billions of networked applications out with little concern for security. Where is the vendor disconnect in these security needs?

Before the recent outcry, security was often regarded as merely a nice feature. However, with the $388 billion cybercrime business now as large as the international illegal drug trade, and threats of foreign espionage, encryption is no longer a choice. Today’s environment requires that developers and OEMs strategically address the use of strong encryption and multi-factor time-varying authentication in the design phase of any project. A good security system must encompass data-at-rest, data-in-motion, data-in-use and data-in-change.

Are compliance, mandates and executive orders helping cyber security?

Compliance and security are not the same. Compliance sets a minimum standard. A system can be in full compliance and still be totally at risk. The concept of “minimum standard" is an open-ended problem, which evolves along with the evolving sophistication of the attacks. Mandates and executive orders are often “too little, too late.” Systems and their architecture must be proactively designed to address future attacks.

What needs to be done today to expedite readied security technologies in support of sensitive areas such as critical infrastructure?

Protecting access to status, states, reports, machine software updates, commands and controls is paramount to critical infrastructure security. These systems have unique high-risk challenges in different network zones, automated processes and device networks, including servers, human-machine interface (HMI), intelligent electronic devices (IED), controller logic, and industrial network protocols. Adequately securing critical infrastructure requires a dynamic encryption engine, which works in tandem with strong authentication.

As an example, a man-in-the-middle strives to intercept messages, change updates, block alerts, or inject other false data between meters and the utility company. This type of attack against the grid would require authentication and encryption to securely, dynamically and flexibly transmit status messages, alarms and alerts between operators, security intelligence and machines in a sub-second response. The smart-grid operator needs the flexibility to continually change all key, password and authentication parameters, on command.

Protection of our critical infrastructure is a serious and immediate challenge for security leaders, striving to thwart potential incidents. Fortunately, the new ASBE encryption technology overcomes the obstacles of older encryptions and supports a national move to dependable security.

How can manufacturers prepare for new security requirements?

It is imperative that all systems, old and new, have more memory than currently needed, both RAM and Flash. This is needed for new functionality, evolving security threats, monitoring and alerts, and perhaps things yet to be thought of.

Two simple last questions: Why is security being breached today and has your solution ever been breached?

In today’s power-grid environment, we are connecting things that were never connected before, and they were never meant to be connected to the Internet. We are also working with old security architectures that can’t scale to today’s needs. These archaic systems do not address the complexity of SCADA control systems, and many were not built for network connectivity. The old ways won’t work. Critical infrastructure security needs a fresh look.

To answer your second question, the MerlinCryption solution has been pen-tested by the best -- including some noted hackers in Ukraine and Russia. ASBE encryption has never been broken. Encryption keys that disappear after they are used can’t be compromised. It doesn't have to be complicated. It is a matter of using common sense.

Acronyms & Definitions

DES | Data Encryption Standard
RSA | a public-key encryption technology developed by RSA Data Security, Inc.
SSL | Secure Sockets Layer
AES | Advanced Encryption Standard
OEM | Original Equipment Manufacturer
Cyphertext | encrypted text


Industrial Control System Security: A Reliability Issue?


November 5, 2012 By
 
Cyber Security Expert Joe Weiss has spearheaded the ICS Cyber Security Conference for 12 years, and when he calls in the troops, the best come to serve. Last month’s conference held at Old Dominion University's Virginia Modeling Analysis and Simulation Center -- VMASC in Suffolk, Va. -- was no different. I had a chance to attend the conference and talk with Weiss about Industrial Control System (ICS) security, and this is what he had to say.
 
Karisny: Your conference first and foremost reinforced that industrial control system (ICS) security is different and it is not just IT. Can you briefly explain?

Weiss: ICSs are purpose-built systems for performing specific tasks. They are built with a mix of commercial off-the-shelf systems (such as Windows) and proprietary real-time operating systems, proprietary communication protocols, and have very specific operating requirements. They were built with minimum computing resources and to operate on their own networks to maximize reliability. They are built to operate for long periods of time (up to 10-20 years) with minimal downtime and will be replaced when they are obsolete or functional operating requirements change. Generally, they will not be replaced because of security reasons. Their primary function is to provide safe, reliable operation, with computer operators and system integrators trained for reliable operation, not security. From a cyber security perspective, the most important considerations are availability of the process and authentication of the devices; confidentiality is generally not important for the data "in motion." The concern is that inappropriate use of IT technologies, policies, and/or testing such as penetration testing could, and has, impacted the performance of ICSs.
 
Karisny: There were validated disclosures of targeted critical infrastructure cyber incidents in the conference. Without disclosing too much confidentiality can you explain these incidents and their significance?
 
Weiss: There were two ICS cyber incidents that occurred recently that were discussed. These two unintentional incidents are important as they have not been seen before, they represent two different control system suppliers, and there is no guidance in what to do.
In the first case, the utility was in the final stages of a plant distributed control system (DCS) retrofit. During the installation process, the view of the process (the operator displays, etc) were lost. Neither the utility nor the on-site vendor support was able to get the view of the process restored. It took a vendor link from about 2,000 miles away to get the view of the process back. It raises several questions:
1. What caused the loss of view?
2. Why were the on-site staff not trained about this situation?
3. What did the headquarters staff know that allowed them to get the process view restored?
4. What other facilities have suffered this problem?
5. Could this problem be intentionally caused?
The second case was a complete loss of logic in every plant DCS processor with the plant at power. The event occurred more than once and led to complete loss of control and loss of view. (This is well beyond what I thought was the worst case scenario.) What saved the plant were the old hardwired analog safety systems that shut down the processes. The plant has not been able to determine the cause of the loss of logic. They have documented the situation, contacted their vendor, and provided the vendor their recommendations. The utility is still waiting to hear from their vendor. The concern is this could happen to any industrial facility from any control system supplier. It is not clear if this can be done maliciously.
 
Karisny: There is a need of sharing cyber breach information but legal issues seem to be deterring this information from even private disclosure. From government intelligence agencies to private sector confidential disclosure, how can we minimally gather this information in some type of a cyber breach clearing house?
 
Weiss: My view is that end-users will share information if they feel it will help them. That means they need a venue where they feel they can get knowledgeable feedback so that all sides (the discloser as well as the attendees) get something from the disclosure. I also don’t believe private industry trusts the government so a DHS or other government-sponsored vehicle will not work. The ICS Conference works because there are smart people there that can provide intelligent feedback to the presenters and the end-users feel they will not have their information disclosed.
 
Karisny: Will the difference in ICS require a different way of developing ICS security? Were there some promising new technologies capable of addressing these differences discussed in the conference?
 
Weiss: As mentioned before, ICSs are different than IT. Generally, IT security suppliers are taking their existing IT solutions and attempting to “customize” them for ICS.  What should be done is to understand how the ICS works and what could compromise ICS reliability and/or safety. Then, develop solutions that address those specific concerns.  I know of only one technology that seems to have taken this approach. It is still in the R&D stage.
 
Karisny: A hacker can rapidly respond without recognition or requirement of following cyber security rules and regulations. This is not the case for the good guy in cyber security. With an abundance of standards, regulation, compliance and oversight in cyber security, is there a way to offer short cuts to let the good guys get in?
 
Weiss: Unlike the good guys, a hacker doesn’t have an organizational chart to follow. As best as I can tell, the only time the IT and ICS communities worked together flawlessly was the development of Stuxnet. The North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards are a good example of a compliance rather than security mindset. The NERC CIPs have made the grid less reliable and less secure as well as becoming a roadmap for hackers to compromise the grid. That is, the NERC CIPs publicly identify the size requirements to make a facility critical which allow one to determine which power plants, substations, and control centers will have cyber security requirements and which will not. With the current set of NERC CIP standards, approximately 70 percent of power plants, 30 percent of transmission substations, and all distributions systems have no cyber security requirements.  Until certain government organizations stop being more afraid of the bad guys learning something rather than educating the good guys, industry will be in trouble because the bad guys want to learn and the good guys will continue to be unaware. This lack of understanding of critical vulnerabilities was demonstrated by the Aurora discussions at the conference. These first public discussions were new to almost all conference attendees.
 
Karisny: What is it going to take to get utility senior management buy-in on understanding the possibility and consequences of a cyber attack incident and the talent required to mitigate and prioritize resources for ICS cyber security?
 
Weiss: Until utility management treats ICS cyber security as a reliability issue rather than a compliance issue, there will be less than robust utility attendance at the ICS Cyber Security Conference. The question is how to reach and educate utility management about the reliability and safety issues of ICS cyber security. The ICS Cyber Security Conference is not a utility conference but a cross-industry ICS cyber security conference. We had a significant number of end-users from water, chemicals, oil/gas, manufacturing, food, pipelines, and DOD. My belief is that the electric industry is not a leader in cyber security of control systems because of the NERC CIPs creating a culture of compliance not security. The leaders in cyber security are the oil/gas and petrochemical industry with DOD starting to take this more seriously. One would hope that after all of the power issues with Hurricane Sandy, utility executives will take ICS cyber security more seriously before it is too late.

For Joe Weiss's full summary of the conference, please click here.
 
Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.


Anomaly Detection: Front-Door Infrastructure Security


 


September 20, 2012 By
 
The Digital Communities article "Have Hackers Won?" -- with Columbia Computer Science Professor and Federal Trade Commission Chief Technologist Steven Bellovin -- gave a clear explanation of security limitations because of the size and complexity of buggy software code, and limitations in authentication and encryption. "Authentication won’t do it," Bellovin explained in the article. "In most breaches, the bad guys go around the strong authentication, not through it."  He went on to say that as part of a national study, he analyzed every CERT advisory issued up to 1998 and found that 85 percent of them were code problems, configuration errors, etc., that encryption couldn’t fix.

While this may be a difficult problem to address, it is not impossible. It does, however, require a new way of looking at what real security is and how to effectively secure business process information.

Understanding True Security

While technology has delivered benefits, it has also delivered a new set of security risks and business problems, including large volumes of questionable data, vague accountabilities and the ongoing maintenance of business rules, to name a few. As we have digitally automated our business and control processes, we have reached a point of complexity at which it is impossible for a manager to see the day-to-day actions of these processes or even to detect a security breach. New visualization tools are necessary if managers are to accurately and effectively direct these business processes. This is where anomaly detection will help.

Currently, data collection, buggy code, network encryption and authentication are all viewed and audited at the system output level. In this type of security system, real-time system data and unwanted business events can be detected too late. To achieve the higher security levels required for critical infrastructure, security must instead be viewed, audited and authorized at the enterprise's event input level.

Our current security systems are collecting so many security "no's" at the output level that intrusion prevention and detection systems are reaching the point of overload. To date, more than 17.7 million viruses have been detected. Add bandwidth-eating high-end encryption to the mix and things are eventually going to start slowing down. So how do we handle all these security no's? The answer to this problem is simply to say yes.

It's almost impossible to manually watch, detect, audit and correct all these business activities in the complexity of today’s business processes.  Even when doing this through coordinated government compliance like NERC CIP in securing the power grid, the minute we think we are done and walk away something changes.  These compliance processes cost a lot of money, take a lot of time and can’t guarantee security anyway.

So what if we could create an anomaly algorithm that could audit, detect and approve positive input events in business processes? And if we could do this, wouldn’t risk management and security actually just be a byproduct of allowing these positive business events to occur?

"Anomaly detection," says Wikipedia, is also called "outlier detection" and refers to detecting patterns in a given data set that do not conform to established normal behavior. The patterns thus detected are called anomalies and often translate to critical and actionable information in several application domains. 

In the workplace, predetermined activities of employees, of information systems, and of combined human and information system events produce specific desired business process results. Anomaly detection is a tool that can specifically detect and audit the defined patterns of these combined human and system activities. A change in the normal pattern of these activities can offer a business manager very specific information that can assist in improving the business process or even in detecting a major business or system breach.
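As an added example (editor's code, not any vendor's product), here is a small baseline-and-outlier detector of the kind the paragraphs above describe, applied to the "combined human and system activities" of a control-room operator. It learns which action-to-action transitions are normal from a constructed set of operator sessions, scores a new session by how surprising its transitions are, and flags the session either because it contains a transition never seen in the baseline or because its average surprise exceeds a threshold calibrated on the baseline itself. The session logs, action names and the mean-plus-three-standard-deviations threshold rule are constructed for illustration and are not from the page.

```python
"""Outlier detection over business-process event sequences.

Added example with constructed data, not a product's algorithm. Each session
is the ordered list of actions one operator performed on a control-room HMI.
"""
import math
from collections import Counter, defaultdict

START, END = "<start>", "<end>"

# Constructed baseline: what "normal" operator sessions looked like.
BASELINE_SESSIONS = [
    ["login", "view_status", "ack_alarm", "view_status", "logout"],
    ["login", "view_status", "logout"],
    ["login", "view_status", "set_point", "view_status", "logout"],
    ["login", "view_status", "ack_alarm", "logout"],
    ["login", "view_status", "view_status", "set_point", "view_status", "logout"],
    ["login", "view_status", "ack_alarm", "set_point", "view_status", "logout"],
]

# Constructed sessions to screen: (session id, actions).
TEST_SESSIONS = [
    ("ops-07", ["login", "view_status", "set_point", "view_status", "logout"]),
    ("ops-08", ["login", "set_point", "set_point", "set_point", "logout"]),
    ("ops-09", ["login", "view_status", "firmware_update", "logout"]),
    ("ops-10", ["login", "view_status", "view_status", "view_status", "view_status", "logout"]),
]


def learn_model(sessions, alpha=0.5):
    """Count every observed action->action transition; alpha is the smoothing weight."""
    counts = defaultdict(Counter)
    vocab = {START, END}
    for actions in sessions:
        seq = [START, *actions, END]
        vocab.update(seq)
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {"counts": dict(counts), "vocab": vocab, "alpha": alpha}


def transition_prob(model, a, b):
    """Add-alpha smoothed P(b | a): an unseen transition (or an action never seen
    at all) gets a small but nonzero probability, so scoring never hits log(0)."""
    row = model["counts"].get(a, Counter())
    total = sum(row.values())
    return (row[b] + model["alpha"]) / (total + model["alpha"] * len(model["vocab"]))


def session_surprise(model, actions):
    """Average negative log-probability per transition (so a long session is not
    penalised for its length) and the transitions never seen in the baseline."""
    seq = [START, *actions, END]
    score, unseen = 0.0, []
    for a, b in zip(seq, seq[1:]):
        score -= math.log(transition_prob(model, a, b))
        if model["counts"].get(a, Counter())[b] == 0 and (a, b) not in unseen:
            unseen.append((a, b))
    return score / (len(seq) - 1), unseen


def calibrate_threshold(model, sessions, k=3.0):
    """Mean plus k population standard deviations of the baseline's own scores."""
    scores = [session_surprise(model, s)[0] for s in sessions]
    mean = sum(scores) / len(scores)
    sd = math.sqrt(sum((x - mean) ** 2 for x in scores) / len(scores))
    return mean + k * sd


def detect(model, threshold, sessions):
    """Flag on either rule: a never-seen transition, or a score above the threshold."""
    findings = []
    for sid, actions in sessions:
        score, unseen = session_surprise(model, actions)
        if unseen or score > threshold:
            findings.append({"session": sid, "score": round(score, 3), "unseen": unseen})
    return findings


def run_demo():
    model = learn_model(BASELINE_SESSIONS)
    threshold = calibrate_threshold(model, BASELINE_SESSIONS)
    return detect(model, threshold, TEST_SESSIONS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the constructed data, ops-07 passes: every transition was seen before and its score sits inside the baseline band. ops-08 and ops-09 are flagged by the first rule (setpoint changes straight after login without ever viewing status; an action the baseline never contained), which is what catches a compromised account doing something no operator does. ops-10 is flagged only by the score rule: each transition was seen before, but repeating a rare one four times in a row is collectively improbable, and that is the kind of pattern change a human reviewing an audit log would not notice. The threshold is the weak point of any such detector: calibrated on a small baseline, it will throw false positives on legitimate but unusual work, so findings belong in front of a manager who knows the process, as the article argues, rather than in an automatic block.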

Real-World Fix
This may seem like security fantasyland, or something still on the drawing board, but it is not. The problem is not that the technology is unavailable or that it doesn’t work; it is available.

Like most paradigm shifts, it takes a while for people to get it, and human nature sometimes confuses threats with benefits. We need to start leveraging tools that can view, audit and improve business processes and improve security at the same time.


Grid Security Summit Assembles Top Security Experts


Smart Grids
Photo by James Jhs. Creative Commons License Attribution 2.0 Generic

August 6, 2012 By
I have spent the last few days moderating and recording the Smart Grid Security Virtual Summit, which will be webcast on August 9. I highly recommend this summit. Speakers include a who’s who of top industry experts who offer their opinions on how to correct the real issues related to securing the power grid. From what we have done to what we need to do, the summit sessions are real eye-openers, disclosing problems and providing answers to critically needed smart-grid and critical infrastructure security questions.

I moderated the panel discussion “Smart Grid Security, Past, Present and Future,” which included industry professionals I have previously interviewed for Digital Communities. Bob Lockhart -- a senior research analyst contributing to Pike Research’s smart-grid practice with a focus on cyber security markets -- co-authored a white paper with Research Director Bob Gohn on the Seven Trends to Watch in Utility Cyber Security. From market projections for this new multibillion-dollar cyber security business to the current state of near chaos in securing the power grid, the discussion was packed with reality checks of where we are and where we need to be in securing the grid.

The panel discussion continued with outspoken industry leader Patrick Miller, who views the need for cyber security from both the public- and private-sector sides. Miller is president and CEO of EnergySec and principal investigator of the National Electric Sector Cybersecurity Organization (NESCO), a public-private partnership between the U.S. Department of Energy and EnergySec to enhance cybersecurity in the electric sector. Miller suggested less talk and more action in addressing security breach concerns and discussed a high-level view of power grid security.


Ending the panel discussion was Ted Wood, director at Sterne, Kessler, Goldstein & Fox. Wood's job is the discovery and protection of intellectual property in areas like smart-grid security. From international cyber security espionage to plain old American ingenuity, Wood offered a unique view of the realities of cybersecurity. Wood leads the firm's Grid Industry Group, where he focuses on helping innovators involved with ensuring power grid resiliency in an evolving smart-grid infrastructure. His discussion focused on how small-business ingenuity can protect intellectual property while fast-tracking creative solutions through the bureaucracies of big business and big government.

I spoke in the second panel discussion, Is Current Legacy IPS And IDS Security Enough For The Smart Grid And Critical Infrastructure? My presentation focused on how current security solutions may be too costly, too complex and too inefficient for critical infrastructure requirements. From intrusion prevention systems (IPS) that must now encrypt all the way out to the new endpoints of nano-sensor chipsets, to intrusion detection systems (IDS) that must now be able to view real-time event anomalies and business processes, this discussion showed the need for security technology change. The subject of why we need to look at smart-grid security differently was first discussed in my recent article, Smart-Grid Security Will Force New Ways of Thinking. This presentation expanded on that article and discussed proof points of why new security solutions are required for smart-grid and critical infrastructure security.

The second session speaker was Phil Smith, founder and president of TLC Secure, who has had a long and illustrious career in senior technical and managerial roles at HP, Cisco, NASA, Lawrence Livermore National Lab and others. He is the innovator, architect and developer of several implementations of mobile devices as well as their cryptographic libraries and identity management components. Smith has worked with critical infrastructure encryption security used in wireless sensors in nuclear power plants and Department of Defense applications. His time-tested applications of intrusion prevention system (IPS) security showed how true end-to-end security can be achieved for the smart grid.

The last prerecorded panelist, Rajeev Bhargava, is CEO of Decision-Zone and an expert in the information management field who has architected, developed and built next-generation cyber security, risk, fraud and privacy solutions. In 2010, Bhargava received a U.S. patent for a technology that his company describes as the only one capable of 100 percent fraud and system security protection. Bhargava discussed a completely new way of addressing intrusion detection system (IDS) security through the prediction, detection and correction of event anomalies in real-time business processes. This discussion revealed why current IDS solutions are not enough for smart-grid system security.
Additional session discussions included:


1. Identifying and Mitigating Cyber and Physical Threats to Smart Grid SCADA Systems , William Lawrence, chief technologist; Energy & Cyber Security Lockheed Martin;
2. A Utility Perspective on Smart Grid Security Status and Challenges, Ward Pyles, senior security analyst, Southern Company;
3. Regulators' Role in Smart Grid Security: What They Want to Know, Alan Rivaldo, cyber security analyst, Public Utility Commission of Texas;
4. Recent TVA Experiences and Insight on Smart Grid Cyber Security, John Stewart, specialist engineer, Power Control Systems, Tennessee Valley Authority; and
5. Security Issues Surrounding Cloud Computing and Big Data in the Smart Grid, William Souza, manager - Security Integration, Reliability Services Division, PJM Interconnection. 

Click here for more information on the conference which will be web broadcast Thursday 9 a.m. to 5 p.m. EST.


Flame Virus, a Controlled Burn?


Don't Play With Fire

May 31, 2012 By
 
In Florida I have a friend who is a park ranger and does controlled burns in the hope of curtailing any large park brush fires. This may be similar to how the new virus Flame is being used. Like any controlled burn, however, there is a risk of the fire getting out of control.

We need to come to a consensus on cyberwar. It has officially started and the weapons are improving. The new computer virus nicknamed Flame, also known as Flamer and sKyWIper and dubbed by some Stuxnet 2.0, is many times worse than its predecessors. It has the capability of specifically attacking its targets and evading detection.

Like its predecessors Stuxnet and Duqu, Flame can spread to other systems over a local area network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.

These data, along with locally stored documents, are sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.

Taking away the sociological and political ideologies of whose side we are on in cyberwar, the recent cyber attacks demonstrate the current vulnerability of our legacy security solutions. What Flame is doing in targeted Middle East attacks can be done in other countries, even the ones releasing the attack. There is a first response advantage but the technical nature of computer virus propagation could leak the virus to unintended areas as did Stuxnet. Playing with these vulnerabilities is like playing with fire.  

At a recent conference in Orlando, Fla., UTC Telecom 2012, the consensus of those who were somewhat involved in cyber security was that there clearly is no 100 percent capability of securing even our critical infrastructure. This concern was further emphasized when keynote speaker Mark Weatherford, deputy under secretary for cybersecurity at the Department of Homeland Security's National Protection and Programs Directorate (NPPD), asked who felt competent in their knowledge of cyber security. One or two hands went up out of 500 in the audience. Weatherford responded by saying we need to prepare our workforce and find talent "to prepare the next generation for cybersecurity. Gaps in talent means gaps in security."

Even the Department of Defense recognizes the need to forge private-industry partnerships on cybersecurity. This makes sense, since the Internet and much of the experience behind it is found in the private sector. There is a clear issue, though, for those who have pursued DOD cyber security jobs or partnerships: secret and top secret clearance. There needs to be a better way to address needed background checks than the current clearance procedures.

A person with secret or top secret clearance may have little experience in cyber security, while a person with tremendous experience in cyber security may have no way to obtain secret or top secret clearance quickly and economically.

We are faced with some tough decisions on cyber security, with few if any quick ones. With a limited cyber security workforce and clear cyber security vulnerabilities, it seems time to look for new security solutions rather than playing with the appropriately named Flame virus. We can’t continue to patch cyber security while thinking we can manipulate these vulnerabilities in targeted cyber attacks. This could backfire, and already has. At a minimum we have to overlay new security protection, or wipe the slate clean and look for new ways of addressing cyber security, or this controlled Flame may get out of control.

Larry Karisny is the director of Project Safety.org, a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.

Smart Grid Security: An Inside View from Patrick C. Miller

Security is bolted on, not baked in.

May 14, 2012 By Larry Karisny
Patrick C. Miller is president and CEO of EnergySec, a 501(c)(3) nonprofit organization formed to support organizations within the energy sector in securing their critical technology infrastructures. A March survey by EnergySec of 100 energy security professionals revealed that two-thirds think smart-grid projects do not adequately deal with security threats. Larry Karisny, director of Project Safety.org, interviewed Miller about the survey and the subject of smart-grid security.

Karisny: Your survey results from top industry professionals seemed to clearly demonstrate a real concern with the lack of security in today’s power grid. Is this what you expected?

Miller: Yes, it isn’t far from what I’ve heard from them over the past few years as we’ve ramped up the grid modernization efforts. Overall, the grid itself is highly resilient, but we are implementing new technologies and new connections without fully understanding the emergent issues that arise with this degree of innovation and complexity.

Karisny: You stated that we are moving so fast with smart-grid innovation that rather than baking in security we are bolting it on. Does this mean that we will be adding modules or maybe recall retrofits to ensure security to some even recently deployed power-grid equipment and devices?

Miller: Yes, I speculate there will need to be some unexpected retrofits or replacements for early technology or components. Without question, more security modules, shims or wrappers will need to be employed. Utilities have an expectation that these digital devices will have a lifespan somewhat similar to the older analog elements they replaced. For discussion’s sake, let’s say they think the new digital meter will last 15-20 years. How much will the digital technology surrounding the meter change in that same span? How will the attacker landscape change during this timeframe? To give a general comparison, how many new smartphones will you own between now and when this meter is replaced with the “next generation?”

Karisny: Are personal security concerns legitimate and are you seeing safeguards to protect personal privacy in the smart grid?

Miller: This isn’t a hard problem to solve. For example, opt-in/out programs for any data beyond what is necessary for operations could be one solution. Such an approach would provide those who are sensitive to the matter an option that doesn’t immediately involve going backward and ripping out the smart meters. There are some cryptographic protections for the data, depending on the implementation, but the areas of concern often seem to reside in the ownership of the data and how the data may be used beyond the operational needs of the utility (either by the utility or any third party).

Karisny: One of the positive responses to the survey was a user acceptance of security for online utility payments. Is this a false sense of security or could the power companies maybe learn something from banks when it comes to cybersecurity?

Miller: Many of the utilities use already existing financial clearinghouses to process payments. I think those that are familiar enough with securing an electric utility know that payment, or lack thereof, doesn’t directly [immediately] affect the flow of power. Power can still be delivered, even if the payment, billing or end-point metering system isn’t perfect.

Karisny: Standards are necessary in developing industrywide technologies but they also delay solutions from being deployed. How can we expedite security standards while keeping pace with smart-grid technology deployments?

Miller: Take a page from Nike and “Just Do It.” We can move as quickly as we want. Moving too fast isn’t the best approach, but neither is moving too slow. My personal belief is that we’re past due for standardization. I think some of the churn has been around governance of the standards and not the standards themselves. Maybe some flexibility in this area might let everyone feel more comfortable, resulting in more substantial movement.

Karisny: Can you give examples of some of the security innovations that you are currently reviewing and testing?

Miller: Our organization does not do this research directly, but we are involved in many security-related conversations on the subject of grid modernization software and hardware. I know many vendors are at least thinking about the problem and how to solve it. A much smaller number of vendors have solid traction and are implementing security at a pace that equals innovation of new features. Even fewer are at the tip of the sword with a holistic model that balances cutting-edge innovation with proven security development approaches such as thorough code review and rigorous supply-chain management.

Karisny: How can we “architect” a sustainable power grid without having, as you said, a “spare power grid” to test and deploy fixes?

Miller: Infrastructure isn’t inexpensive. Building a full-replica spare is as costly (or more) as building the original. The most cost-effective approach is to use representative platforms, virtualization, simulators, emulators, etc. I think everyone understands that “testing in production” is at the edge of the risk spectrum. It may or may not go wrong for any one specific test, but if it does, the consequences may be severe. For any new system deployed, a portion of the project budget should be allocated to include a satisfactory test (or quality assurance) environment. This is an unpopular position to take in such a tight economic landscape because it can add significant cost to any endeavor.

Karisny: We talk about security in the power grid because that is our focus. Isn’t there a lot more “smart” that needs to be secured in other industries, and the smart grid may be just the start?

Miller: This is an area of interest for me. I think we are ultimately seeking a modernized power system that is somewhat self-aware, self-healing and self-managed. This implies an emergent intelligence much like a flock of birds or school of fish. They are all unique individual organisms (devices), but they can operate with a collective, emergent intelligence as a single unit when dealing with threats, obstacles, food (fuel) sources. Securing the entire environment in a utility will be profoundly different when we achieve this state.

It is far too expensive to entirely replace the legacy grid components with the newer “smarter” elements, so there will still be a fairly substantial base of analog, electromechanical and “old” or “dumb” devices in the grid. This aging equipment will be working alongside tomorrow’s amazing new intelligent gadgetry, maybe even in the same rack. Securing this breadth of historic and future technology will be our greatest challenge for the security profession in the electric sector.

Larry Karisny is the director of Project Safety.org (http://www.projectsafety.org/home.html), a smart-grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.