Thursday, April 30, 2015

A Humorous View of our Infrastructure Crisis -- I think!

For those of you who have followed this Blog these past few years you'll know that I'm very passionate about the state of the country's -- let alone world's -- infrastructure.  In particular the US infrastructure grade from the American Society of Civil Engineers remains around a D+.....a failing grade for most schools!

Well, yes, this is a crisis; however, John Oliver of Last Week Tonight on HBO recently offered a thought-provoking and (sadly) quite humorous review of the state of the US infrastructure and how even our politicians are simply not paying attention.

https://www.youtube.com/watch?v=Wpzvaqypav8&feature=youtu.be&t=4m32s

The link to the You Tube video of Oliver's 21-minute essay is:


Please enjoy...then write a letter to your Congressman/woman and demand some attention (and funding) to repair and sustain our infrastructure.

Thanks!

###


Tuesday, April 21, 2015

Energy Infrastructure - Major Changes Needed

Today the Obama Administration released a "first-ever" Quadrennial Energy Review.  This report is the result of President Obama's order on January 9, 2014 for the performance of this examination of the country's energy infrastructure.  The President's initiative was based on the President's Climate Action Plan and in response to a 2010 recommendation by the President's Councils of Advisers on Science and Technology.  A White House Task Force comprising 22 Federal agencies were assigned to develop the QER.



This particular release is supported by some excellent commentary and documents at the following sites:


  • Washington Post Article by Chris Mooney (Link)
  • Department of Energy Quadrennial Energy Review Web Page (Link)
  • Quadrennial Energy Review Fact Sheet (10 Pages) (Link)
The actual report is 348 pages long and the chapter organization is:
















The report included the following segments of energy infrastructure for this analysis:



As with most reviews of our country's energy infrastructure the statistics are daunting.

Some noted include:

  • 2.6M miles of interstate and intrastate pipelines
  • 640,000 miles of electric transmission lines
  • 414 natural gas facilities
  • 330 ports handling crude and refined petroleum products
  • 140,000+ miles of railways handling crude petroleum
And, of course, as observed in numerous other reports (such as the American Society of Civil Engineers (ASCE) Report Card) "...there has been a lack of timely investment in refurbishing, replacing, and modernizing components of infrastructure that are simply old or obsolete."

Some of the key findings highlighted on Page 25 of the report include:
  • Mitigating energy disruptions is fundamental to infrastructure resilience.
  • Transmission, Storage and Distribution (TS&D) infrastructure is vulnerable to many natural phenomena.
  • Threats and vulnerabilities vary substantially by region.
  • Recovery from natural gas and liquid fuel system disruptions can be difficult.
  • Cyber incidents and physical attacks are growing concerns.
  • High-voltage transformers are critical to the grid..
  • Assessment tools and frameworks need to be improved..
  • Shifts in the natural gas sector are having mixed effects on resilience, reliability, safety, and asset security.
  • Dependencies and interdependencies are growing.
  • Aging, leak-prone natural gas distribution pipelines and associated infrastructures prompt safety and environmental concerns.
Finally, one of the graphics in this report was fascinating.  It included a chart showing the "...billion dollar disaster event types by year..."  Not a purely energy-centric issue but certainly a demonstration of the challenges faced by energy infrastructure.



·  


   If If you are an "infrastructure junkie" like me, this is a terrific report to digest and for our country's energy leadership to act upon.

###

Wednesday, April 15, 2015

SCADA Attacks are Up - Maybe We Need an ICS-OWASP?

In its annual security analysis -- 2015 Dell Security Annual Threat Report -- Dell observed that attacks have doubled on SCADA systems since January 2012.



Dell's report noted the following:

  • SCADA attacks increased from 91,676 in January 2012, to 163,228 in January 2013, to 675,186 in January 2014.
  • The majority of the attacks targeted Finland, the UK and the US.  And, according to Dell, these countries were targeted because SCADA systems are more common in these regions and more likely to be connected to the Internet.


An interesting graphic in the Dell Report also shows key SCADA attack methods -- useful info for a defender to be aware of...


Dell continued to comment that "SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information."  They are right...SCADA is NOT where the $$ is but you can certainly do some harm under the right circumstances.

Now the Dell report drew my attention today; however, back on March 11 the ICS-CERT published its ICS-CERT MONITOR for the time period September 2014 to February 2015.  In the report's cover graphic (below) there was a major increase with the number incidents reported by the Critical Manufacturing Sector.  And, don't forget, Critical Manufacturing also uses SCADA for its larger plant control systems.


And, of course, the Energy Sector is a major user of SCADA controls due to the large geographic footprints they operate across.

Conclusions...

So the take away from these two reports is that attacks on SCADA systems are on the increase and when you look at the Dell graphic on attack methods, the miscreants are taking advantage of software issues we've seen for years with Web applications, etc.  Perhaps we need an OWASP initiative but for Industrial Control Systems/Software?  It does appear that the vendors need a lot of assistance in making their ICS software more secure.

###

Friday, April 3, 2015

Cyberwarfare and Cyberterrorism - Excellent CRS Report

In my life in security I try to monitor several topics.  Two topics I'm often checking -- usually through Google News Alerts -- are cyberwarfare and cyberterrorism.  This week I came across an excellent summary report from the Congressional Research Service on this very topic.



This 12-page summary document is an excellent overview of these topics and also provides some comparisons between cyberterrorism, cybercrime, cyberespionage, cyberwarfare, and cybervandalism.

The document can be downloaded at: http://fas.org/sgp/crs/natsec/R43955.pdf 

A high level view of the key headings in the document (below) will give you a view of the document and its contents.

  • Executive Summary
  • Introduction
  • The Cyberwarfare Ecosystem: A Variety of Threat Actors
  • Cyberwarfare
  • Rules of the Road and Norm-Building in Cyberspace
    • Law of Armed Conflict
    • Council of Europe Convention on Cybercrime
    • United Nations General Assembly Resolutions
    • International Telecommunications Regulations
    • Other International Law
  • Cyberterrorism
  • Use of the Military: Offensive Cyberspace Operations
Overall, this is an excellent and fairly rapid read on this contemporary subject and I'd recommend it be viewed by students, policy makers and all cybersecurity professionals.

###