Thursday, April 30, 2015

A Humorous View of our Infrastructure Crisis -- I think!

For those of you who have followed this Blog these past few years you'll know that I'm very passionate about the state of the country's -- let alone the world's -- infrastructure.  In particular, the US infrastructure grade from the American Society of Civil Engineers remains around a D+, a failing grade in most schools!

Well, yes, this is a crisis; however, John Oliver of Last Week Tonight on HBO recently offered a thought-provoking and (sadly) quite humorous review of the state of the US infrastructure and how even our politicians are simply not paying attention.

The link to the YouTube video of Oliver's 21-minute essay is:

Please enjoy...then write a letter to your Congressman/woman and demand some attention (and funding) to repair and sustain our infrastructure.



Tuesday, April 21, 2015

Energy Infrastructure - Major Changes Needed

Today the Obama Administration released a "first-ever" Quadrennial Energy Review.  This report is the result of President Obama's January 9, 2014 directive ordering an examination of the country's energy infrastructure.  The initiative was based on the President's Climate Action Plan and responded to a 2010 recommendation by the President's Council of Advisors on Science and Technology.  A White House Task Force comprising 22 Federal agencies was assigned to develop the QER.

This particular release is supported by some excellent commentary and documents at the following sites:

  • Washington Post Article by Chris Mooney (Link)
  • Department of Energy Quadrennial Energy Review Web Page (Link)
  • Quadrennial Energy Review Fact Sheet (10 Pages) (Link)
The actual report is 348 pages long and the chapter organization is:

The report included the following segments of energy infrastructure for this analysis:

As with most reviews of our country's energy infrastructure the statistics are daunting.

Some noted include:

  • 2.6M miles of interstate and intrastate pipelines
  • 640,000 miles of electric transmission lines
  • 414 natural gas facilities
  • 330 ports handling crude and refined petroleum products
  • 140,000+ miles of railways handling crude petroleum
And, of course, as observed in numerous other reports (such as the American Society of Civil Engineers (ASCE) Report Card) "...there has been a lack of timely investment in refurbishing, replacing, and modernizing components of infrastructure that are simply old or obsolete."

Some of the key findings highlighted on Page 25 of the report include:
  • Mitigating energy disruptions is fundamental to infrastructure resilience.
  • Transmission, Storage and Distribution (TS&D) infrastructure is vulnerable to many natural phenomena.
  • Threats and vulnerabilities vary substantially by region.
  • Recovery from natural gas and liquid fuel system disruptions can be difficult.
  • Cyber incidents and physical attacks are growing concerns.
  • High-voltage transformers are critical to the grid.
  • Assessment tools and frameworks need to be improved.
  • Shifts in the natural gas sector are having mixed effects on resilience, reliability, safety, and asset security.
  • Dependencies and interdependencies are growing.
  • Aging, leak-prone natural gas distribution pipelines and associated infrastructures prompt safety and environmental concerns.
Finally, one of the graphics in this report was fascinating.  It included a chart showing the "...billion dollar disaster event types by year..."  Not a purely energy-centric issue but certainly a demonstration of the challenges faced by energy infrastructure.


If you are an "infrastructure junkie" like me, this is a terrific report to digest and for our country's energy leadership to act upon.


Wednesday, April 15, 2015

SCADA Attacks are Up - Maybe We Need an ICS-OWASP?

In its annual security analysis -- the 2015 Dell Security Annual Threat Report -- Dell observed that attacks on SCADA systems have risen sharply since January 2012, nearly doubling from 2012 to 2013 and more than quadrupling from 2013 to 2014.

Dell's report noted the following:

  • SCADA attacks increased from 91,676 in January 2012, to 163,228 in January 2013, to 675,186 in January 2014.
  • The majority of the attacks targeted Finland, the UK and the US.  And, according to Dell, these countries were targeted because SCADA systems are more common in these regions and more likely to be connected to the Internet.

An interesting graphic in the Dell Report also shows key SCADA attack methods -- useful info for a defender to be aware of...

Dell continued to comment that "SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information."  They are right...SCADA is NOT where the $$ is but you can certainly do some harm under the right circumstances.

Now the Dell report drew my attention today; however, back on March 11 the ICS-CERT published its ICS-CERT MONITOR for the period September 2014 to February 2015.  The report's cover graphic (below) showed a major increase in the number of incidents reported by the Critical Manufacturing Sector.  And, don't forget, Critical Manufacturing also uses SCADA for its larger plant control systems.

And, of course, the Energy Sector is a major user of SCADA controls due to the large geographic footprints they operate across.


So the takeaway from these two reports is that attacks on SCADA systems are on the increase, and when you look at the Dell graphic on attack methods, the miscreants are taking advantage of the same classes of software defects we've seen for years in Web applications.  Perhaps we need an OWASP-style initiative for Industrial Control Systems software?  It does appear that the vendors need a lot of assistance in making their ICS software more secure.
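The Dell graphic on attack methods is not reproduced here.  As an added illustration (not from Dell's report, ICS-CERT, or any vendor) of the kind of Web-application defect the post is alluding to, here is a setpoint-write handler for a hypothetical web-based HMI in a deliberately trusting form beside a hardened form.  The tag table, the roles, the register values and the request dicts are all constructed for the example.

```python
"""Added example: a web-HMI setpoint write path, trusting vs. validated.

Everything here is constructed for illustration: the tag table, the roles,
the register values and the request dicts.  It is not code from any vendor
or from the Dell/ICS-CERT reports discussed in the post.
"""
import math

# Constructed tag database: engineering-unit limits and the role allowed to write.
TAGS = {
    "PUMP1_SETPOINT_PSI": {"lo": 20.0, "hi": 120.0, "role": "operator"},
    "BOILER_TEMP_SP_C":   {"lo": 80.0, "hi": 180.0, "role": "engineer"},
}

# Stand-in for the controller's holding registers (constructed values).
registers = {"PUMP1_SETPOINT_PSI": 60.0, "BOILER_TEMP_SP_C": 140.0}


def write_setpoint_insecure(form):
    """'Before': the classic web-app mistake carried into an HMI.

    Trusts the tag name and value exactly as posted.  Consequences a
    practitioner should recognise: an unknown tag silently creates a new
    register entry, 'nan'/'inf'/'1e308' are accepted because float() parses
    them, nothing compares the value to the process limits, and nothing
    checks who is writing.
    """
    registers[form["tag"]] = float(form["value"])
    return True


def write_setpoint(form, caller_role):
    """Hardened form.  Returns (accepted, message) and only touches
    `registers` when every check passes."""
    tag = form.get("tag")
    if tag not in TAGS:                          # allow-list, never a free-form key
        return False, f"unknown tag {tag!r}"
    spec = TAGS[tag]
    if caller_role != spec["role"]:              # authorization decided per tag
        return False, f"role {caller_role!r} may not write {tag}"
    try:
        value = float(form.get("value", ""))
    except (TypeError, ValueError):              # missing or non-numeric value
        return False, "value is not numeric"
    if not math.isfinite(value):                 # float() happily parses 'nan' and 'inf'
        return False, "value is not finite"
    if not spec["lo"] <= value <= spec["hi"]:    # process limits, not just the type
        return False, f"{value} outside [{spec['lo']}, {spec['hi']}]"
    registers[tag] = value
    return True, f"{tag} set to {value}"


if __name__ == "__main__":
    # Constructed requests a web HMI might receive.
    print(write_setpoint({"tag": "PUMP1_SETPOINT_PSI", "value": "75"}, "operator"))
    print(write_setpoint({"tag": "PUMP1_SETPOINT_PSI", "value": "nan"}, "operator"))
    print(write_setpoint({"tag": "BOILER_TEMP_SP_C", "value": "100"}, "operator"))
    print(write_setpoint({"tag": "BOILER_TEMP_SP_C", "value": "5000"}, "engineer"))
    write_setpoint_insecure({"tag": "ANY_TAG_AT_ALL", "value": "inf"})
    print(registers)
```

The point of the hardened form is that the checks are about the process (which tags exist, who may write them, what range the plant can tolerate) rather than only about the data type; a type check alone still lets `nan` and `1e308` through to the controller.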


Friday, April 3, 2015

Cyberwarfare and Cyberterrorism - Excellent CRS Report

In my life in security I try to monitor several topics.  Two topics I'm often checking -- usually through Google News Alerts -- are cyberwarfare and cyberterrorism.  This week I came across an excellent summary report from the Congressional Research Service on this very topic.

This 12-page summary document is an excellent overview of these topics and also provides some comparisons between cyberterrorism, cybercrime, cyberespionage, cyberwarfare, and cybervandalism.

The document can be downloaded at: 

A high-level view of the key headings (below) gives a sense of the document's scope and contents.

  • Executive Summary
  • Introduction
  • The Cyberwarfare Ecosystem: A Variety of Threat Actors
  • Cyberwarfare
  • Rules of the Road and Norm-Building in Cyberspace
    • Law of Armed Conflict
    • Council of Europe Convention on Cybercrime
    • United Nations General Assembly Resolutions
    • International Telecommunications Regulations
    • Other International Law
  • Cyberterrorism
  • Use of the Military: Offensive Cyberspace Operations
Overall, this is an excellent and fairly rapid read on this contemporary subject and I'd recommend it be viewed by students, policy makers and all cybersecurity professionals.


Tuesday, February 17, 2015

Executive Order Promoting Private Sector Cyber Info Sharing

On February 13, 2015 -- a year and a day after NIST released the Cybersecurity Framework, and two years and a day after the President's Executive Order directing NIST to build it -- President Obama issued an Executive Order entitled Promoting Private Sector Cybersecurity Information Sharing.

There are seven sections to the four-page Order including:

  1. Policy
  2. Information Sharing and Analysis Organizations (ISAO)
  3. ISAO Standards Organization
  4. Critical Infrastructure Protection Program
  5. Privacy and Civil Liberties Protections
  6. National Industrial Security Program
  7. Definitions

The fundamental aspect of the EO is to emphasize that "...entities must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible."  

The EO also notes that information sharing must be:
  • conducted in a manner that protects the privacy and civil liberties of individuals
  • ...preserves business confidentiality
  • ...safeguards the information being shared, and
  • ...protects the ability of the Government to detect, investigate, prevent and respond to cyber threats...
Certainly commendable policy and something the industry has needed/wanted for years.

Information Sharing and Analysis Organizations (ISAOs)

The Order directs the Secretary of the Department of Homeland Security to "...strongly encourage the development and formation of..." ISAOs.

The Order offers some details on how the ISAOs should be organized and how their membership can draw on public or private sectors, and offers the option for the ISAOs to be formed as for-profit or nonprofit entities.

The National Cybersecurity and Communications Integration Center (NCCIC) is ordered to engage in "...continuous, collaborative, and inclusive coordination with ISAOs on the sharing of information..."

ISAO Standards Organization

The Secretary of DHS is ordered to "...enter into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization (SO), which shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order."

Observations and Questions

It is commendable that President Obama has stepped forward -- again -- to help raise awareness and take action relative to the issue of cyberthreats to our country, economy and its businesses and citizens.  However, a question continues to be raised with this Executive Order.  That question really is ... "Aren't we already doing this with Information Sharing and Analysis Centers (ISACs)?"

ISACs have been around since May 1998 and were established under the auspices of Presidential Decision Directive 63 (PDD-63) signed by President Clinton.  If you look at the National Council of ISACs website you will note that the definition of an ISAC is:

ISACs are trusted entities established by Critical Infrastructure Key Resource (CI/KR) owners and operators to provide comprehensive sector analysis, which is shared within the sector, with other sectors and with the government. ... Services provided by ISACs include risk mitigation, incident response, alert and information sharing.  The goal is to provide users with accurate, actionable, and relevant information.

And in another white paper on the subject, a description of an ISAC includes the following:

By definition, an ISAC is a trusted, sector-specific entity which performs the following functions: 
  • provides to its constituency a 24/7 secure operating capability that establishes the sector’s specific information sharing/intelligence requirements for incidents, threats and vulnerabilities; 
  • collects, analyzes, and disseminates alerts and incident reports to its membership based on its sector focused subject matter analytical expertise; 
  • helps the government understand impacts for its sector; 
  • provides an electronic, trusted capability for its membership to exchange and share information on cyber, physical and all threats in order to defend the critical infrastructure; and 
  • shares and provides analytical support to government and other ISACs regarding technical sector details and in mutual information sharing and assistance during actual or potential sector disruptions whether caused by intentional, accidental or natural events. 

Isn't an ISAC filling part of the role of the ISAO discussed in the Executive Order?  Can't ISACs continue with their current roles and capture the essence and elements of the Executive Order?

The idea of establishing a new bureaucracy and hierarchy of ISAOs that essentially parallel the current ISAC structure and functions does not appear to be very efficient and could lead to more confusion, increased bickering and "turf wars" and finally not help or encourage effective information sharing to better protect our country, economy, businesses or citizens.  At a minimum it is highly recommended that the Department of Homeland Security take time to compare the efforts of the ISACs to the Executive Order and build upon current efforts and not try to push through a distracting, parallel effort.


Tuesday, February 10, 2015

CIP-014 Implementation Update from NERC

On February 9, 2015, NERC posted an email regarding implementation of CIP-014-1, Physical Security.

In its email NERC offered three links to items of interest.  They included:
And, for the reader's reference, here is the link to CIP-014-1.  Also, I wrote a blog about CIP-014 back on July 22, 2014.

CIP-014 Memo to Industry

The memo to the industry is from the NERC Compliance Assurance organization.  The specific focus of the memo is on CIP-014 Risk Assessment and Third-Party Verifications.  Notably, the memo's purpose is to highlight acceptable approaches when implementing Requirements 1 and 2 of CIP-014.

Requirements 1 and 2 require Transmission Owners to perform a risk assessment and a third-party verification of it in order to identify the Transmission stations and Transmission substations that will ultimately be subject to a physical security assessment (Requirement 4) and the implementation of subsequent physical security plan(s) (Requirement 5).

Per the CIP-014 implementation plans, each applicable Transmission Owner must perform its Requirement 1 risk assessment by October 1, 2015.

Then, within 90 days of completing the R1 risk assessment (i.e., by December 30, 2015) the Transmission Owner must ensure that the third-party verifier completes the verification.

Within 60 days of completing the verification the Transmission Owner must either 1) modify its risk assessment to be consistent with the recommendations of the verifier, if any, or 2) document the technical basis for not modifying its risk assessment in accordance with any recommendations.

The memo does need to be read in its entirety; however, a key comment at the end that is probably most useful is that applicable Transmission Owners "...are expected to demonstrate effective application for NERC and the Regional Entities to be able to fully understand, for example:

  • Why certain stations or substations are identified to meet the criteria in Requirement 1
  • Similarly, why certain stations or substations were not identified by Requirement 1
  • What are the defining characteristics of stations and substations identified by Requirement 1
  • How the third-party verifying the risk assessment meets the qualifications in Requirement 2 and the means the third party used to ensure effective verification."

NATF CIP-014 Risk Assessment Guideline

The second linked document was prepared by the North American Transmission Forum (NATF) and issued on January 19, 2015.  The NATF is headquartered in Charlotte, NC and its members include investor-owned, state-authorized, municipal, cooperative, US federal, and Canadian provincial utilities.  The NATF "...promotes the highest levels of reliability in the operation of the electric transmission systems."

The intent of the document issued by NATF is to provide a general guideline for the risk assessment identified in R1 of CIP-014.  

The guideline offers five suggested steps for the Transmission Owner to follow to accomplish Requirement 1.  A high-level summary of the steps includes:
  • Step 1:  The Transmission Owner identifies stations to be analyzed based on criteria in CIP-014-1, Section 4.1.1
  • Step 2:  The Transmission Owner identifies cases/system conditions to be analyzed.  Some cases could include -- summer vs winter peak load levels, shoulder peak load levels with system transfers, alternative generation dispatch assumptions or alternative load models.
  • Step 3:  The Transmission Owner defines the nature of the initiating event and how it will be modeled in the transmission assessment
  • Step 4:  The Transmission Owner is responsible for development of criteria/proxies for instability, uncontrolled separation or Cascading.
  • Step 5:  The Transmission Owner performs appropriate steady-state power flow and/or stability analysis.
There are substantially more details provided under each step in the Guideline.

NERC Physical Security Web Page

A third link in the NERC announcement is for their Physical Security web page (a screenshot is shown below).

This page appears to be an excellent resource for those focused on CIP-014 implementation and compliance.


This blog post does not offer adequate detail on the contents of the referenced documents; therefore, taking time -- and having your power engineers take time -- to read the CIP-014 requirements and the guidance from NERC and NATF will be worthwhile.


NIST SP800-82 R2 (2nd Draft) Out for Comment

NIST SP800-82, Guide to Industrial Control Systems (ICS) Security, has been a key, seminal guide for those of us working in ICS security.  The original guide was published as a "final" version in June 2011.  Revision 1 to the 800-82 series went final in May 2013.  In May 2014 the Initial Public Draft of Revision 2 was promulgated for comment.  I wrote a blog about this initial public draft on May 20, 2014 and encouraged interested parties to submit their comments.

Brief History of SP800-82

A few months ago I wrote an article for SearchSecurity on the Evolution of SP 800-82.  As part of this article I researched the history of this document and its development and ultimately prepared the Visio timeline shown below.  One thing I was sure to do was to obtain Keith Stouffer's (principal author of SP800-82 series) approval on the timeline accuracy.

(Apologies for the overlay with the right margin; however, if the chart goes too small then it is hard to read.  Thanks for understanding.)

What are the Revisions?

The document out for comment is the second public draft of Revision 2 to NIST SP800-82.  From the NIST Website, updates in Revision 2 include:

  • Updates to ICS threats and vulnerabilities
  • Updates to ICS risk management recommended practices and architectures
  • Updates to current activities in ICS security
  • Updates to security capabilities and tools for ICS
  • Additional alignment with other ICS security standards and guidelines
  • New tailoring guidance for NIST SP800-53, Revision 4 security controls including the introduction of overlays, and
  • An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High Impact ICS.
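To make concrete what "tailoring" a baseline with an overlay means, here is an added Python sketch that is not from NIST, the draft, or this blog's author.  It starts from a small illustrative subset of the Rev. 4 Low/Moderate/High baselines and applies a hypothetical ICS overlay that adds controls, removes one with a documented rationale, and attaches ICS-specific supplemental guidance.  The control subset, the overlay contents and the rationale text are assumptions made for the example, not the actual ICS overlay published with the draft.

```python
"""Added example: applying an overlay to an SP 800-53 Rev. 4 baseline.

The baselines are a small hand-picked subset of Rev. 4 control IDs and the
ICS overlay is hypothetical, written for this illustration.  Neither is the
full NIST baseline nor the actual ICS overlay in SP 800-82 Rev. 2.
"""
import re
from dataclasses import dataclass, field

# Control IDs look like AC-2 or AC-2(1).  Sorting them as plain strings puts
# AC-17 before AC-2, so sort on (family, number, enhancement) instead.
_CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")


def control_key(cid):
    """Parse a control ID into a sortable tuple; rejects malformed IDs."""
    m = _CONTROL_ID.match(cid)
    if not m:
        raise ValueError(f"malformed control id {cid!r}")
    family, number, enh = m.groups()
    return (family, int(number), int(enh) if enh else 0)


# Illustrative subset of the Rev. 4 baselines; each level builds on the one below.
BASELINES = {"LOW": {"AC-2", "AC-3", "AC-7", "IA-2", "IA-5", "SC-7", "SI-3", "SI-4"}}
BASELINES["MODERATE"] = BASELINES["LOW"] | {"AC-2(1)", "AC-17(2)", "SC-8", "SI-7"}
BASELINES["HIGH"] = BASELINES["MODERATE"] | {"AC-2(11)", "AC-2(12)", "SC-7(21)"}


@dataclass
class Overlay:
    name: str
    add: set = field(default_factory=set)       # controls the environment needs beyond the baseline
    remove: set = field(default_factory=set)    # baseline controls the environment cannot apply
    justification: dict = field(default_factory=dict)  # control -> rationale; mandatory per removal
    guidance: dict = field(default_factory=dict)       # control -> environment-specific guidance


def validate_overlay(overlay):
    """Return a list of problems; an empty list means the overlay is well-formed."""
    problems = []
    for cid in sorted(overlay.add | overlay.remove | set(overlay.guidance)):
        try:
            control_key(cid)
        except ValueError as e:
            problems.append(str(e))
    for cid in sorted(overlay.add & overlay.remove):
        problems.append(f"{cid} is both added and removed")
    for cid in sorted(overlay.remove - set(overlay.justification)):
        problems.append(f"{cid} removed without a documented rationale")
    return problems


def tailor(impact, overlay):
    """Apply `overlay` to the baseline for `impact` and return the tailored result."""
    if impact not in BASELINES:
        raise ValueError(f"unknown impact level {impact!r}")
    problems = validate_overlay(overlay)
    if problems:
        raise ValueError("; ".join(problems))
    base = BASELINES[impact]
    controls = (base - overlay.remove) | overlay.add
    return {
        "impact": impact,
        "controls": sorted(controls, key=control_key),
        "removed": sorted(overlay.remove & base, key=control_key),
        # Removals naming a control the baseline never required are harmless
        # but worth surfacing so the overlay author notices.
        "noop_removals": sorted(overlay.remove - base, key=control_key),
        "guidance": {c: overlay.guidance[c]
                     for c in sorted(overlay.guidance, key=control_key) if c in controls},
    }


# Hypothetical ICS overlay written for this example.
ICS_OVERLAY = Overlay(
    name="hypothetical ICS overlay",
    add={"SC-41", "SI-7"},
    remove={"AC-7"},
    justification={"AC-7": "Operator lockout on the HMI could deny access during a "
                           "process upset; compensating controls are monitoring and "
                           "physical access control to the control room."},
    guidance={"IA-5": "Field devices with fixed or shared credentials: document the "
                      "limitation and compensate with segmentation and monitoring."},
)

if __name__ == "__main__":
    for level in ("LOW", "MODERATE", "HIGH"):
        result = tailor(level, ICS_OVERLAY)
        print(level, result["controls"], "removed:", result["removed"])
```

The refusal to apply a removal that lacks a written rationale mirrors SP 800-53's expectation that tailoring decisions be documented and justified; in practice that rationale is what an assessor will ask for first.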

When are Comments Due?

The public comment period runs from February 9 to March 9, 2015 (one month).  You can email your comments to  You are encouraged to use a comment template form (Excel File) to collect your feedback for submittal.

Your comments are requested to make this a better, more thorough document for the industry.  Thank you!