Last week in San Diego, IOActive spoke at both the Western
Electricity Coordinating Council (WECC) and NERC GridSec (GridSecCon) conferences.
WECC is primarily an auditor audience and NERC-CIP is compliance-focused,
while GridSecCon is the community and technical security authority for the
electricity industry in the U.S. There was a great turnout for both
conferences, with more than 200 attendees across three days per conference.
IOActive security researcher Eireann Leverett presented “The Last Gasp of the
Industrial Air-Gap…” at WECC and participated in a discussion panel on Industry
Best Practice for Grid Security at GridSecCon.
WECC
An auditors’ forum, what can I say…other than they do have a
great sense of humor [they got Eireann’s Enron corporate failure joke], apparently
enjoy a drink like everyone else and definitely need our help and perspective
when it comes to understanding the disparity between being compliant and being
secure. Day 1 was a closed session for WECC members only, where they discuss
god only knows what. Day 2 is where IOActive got involved, with the morning
session focusing on Cyber Security and explaining in a little more detail the
security challenges the industry faces which are aligned to CIP audit and
compliance programmes. Eireann, Jonathan Pollet and Tom Parker all gave great
talks which some could argue were a little too technical for the audience, but they
were well received nonetheless. More work is definitely needed with forums such
as WECC and the NERC standards council to ensure the gap between CIP compliance
and the actual state of Energy security is further reduced.
GridSecCon
The audience at GridSecCon was anything but a single area of
expertise like we saw at the WECC conference. I engaged with folk from
security, engineering, risk management, consulting, audit and compliance and
technology backgrounds. From that it’s fair to say the Industrial Control System
and Energy sector is a red-hot opportunity for new rules, new products, new
ideas…and new failures! Eireann was in fine form again on the panel - which was made up of consulting, product vendors and
Government - throwing in a quote from Trotsky, a Russian Marxist revolutionary.
I laughed, but I’m not sure the rest of the crowd appreciated the irony. European
humor at work. I didn’t see as much as I would have liked to
on the Supply Chain side of things including the term Security of Supply, which
is widely used in Europe. More work is definitely needed in these areas and is
something I will look at in 2013.
Day 1 saw some interesting talks on Social Engineering
threats and a panel discussion on Malware threats to the sector. The threat of
Social Engineering in the Energy sector in terms of awareness is clearly on the
rise. Positively, it seemed
organizations were placing more emphasis [I said more, not enough] on educating
SCADA Operations staff around Phishing and Telephony based attacks. Tim Roxy
from NERC oversaw the Malware panel as participants openly discussed the threat
of new Malware targeting the Energy sector, in particular the effects of SQL
Slammer on SCADA systems and a review of the recent attack on Saudi
Aramco (Shamoon Malware). It was unclear if the SCADA networks at Saudi
Aramco were affected but obviously there are similar challenges in store as
SCADA and Corporate networks continue to converge. The incident also triggered
an unprecedented response exercise involving reviews of up to 120 of Saudi
Aramco’s Plant sites across the Middle East region.
Day 2 was kicked off by an excellent keynote talk by Admiral Thad Allen, US Coast Guard [retired], on Incident Response and his view of the challenges national infrastructure security is facing in the US, which could easily be applied globally. Undeniably, Admiral Allen said complexity was the biggest challenge we face in securing existing and new national infrastructure. His talk gave examples of his experience in dealing with incidents such as Hurricane Katrina in New Orleans, in particular the importance of defining exactly what the problem is before even thinking about how to respond to it. Not correctly understanding the problem in relation to coordinating an effective response could mean an expensive and ineffective solution, which is exactly where the Energy sector sits today – “stop admiring the problem, start working on the solution.”
Technical vs. Risk Management – the age-old conundrum
It still surprises me to see after 15 odd years of our
industry coming to the forefront and an estimated 50+ billion dollar spend in implementing
technical security measures that we continue to see the topic of technical vs.
risk management come up at these conferences. If technical solutions were
security nirvana we wouldn’t be worried about anything today, would we? Of
course we need both areas, and each is as important as the other. Sure, the
technical stuff may seem more interesting, but if we can’t sell the importance
of what the tech tells us in a business language the overall security of the
Energy industry will continue to struggle for traction. Likewise, the perceived
notion that compliance to standards like CIP/ISO27000 etc. etc. keep us safe at
night will continue to skew the real picture unless we can talk tech, risk and
compliance at the same time.
What are the conferences missing?
Maybe I don’t attend enough conferences, and I understand
client sensitivities in sharing this sort of information, but what these
conferences need more of is a view from the field – what is actually going on
below all the conversations about risk management, compliance and products. Again,
stop admiring the problem, admit we have one by analyzing what’s actually going
on in the field, and use this to inform programmes of work to solve the issues.
We know what good looks like; only talking about it is as useful in the real
world as a chocolate teapot…
Key Takeaways
Did I learn anything new? Of course I did; however, a lot of
the core messages like “we need to talk tech and risk management” and
“sector-wide information sharing” continue to be old wine in new bottles for me,
especially while governments set strict rules on whom they value information
from [who they deem as appropriate] and how it can be done [at their approval].
And it’s a little troubling if we have a whole industry sector with its
concerns around the security of national infrastructure still trying to
understand the importance of risk management or the gaps between compliance and
actual security. That said, WECC and NERC are clearly making concerted
efforts to move things in the right direction.
As I see it, we need to be more vocal in participating in
the sector forums and share [in a generic fashion] what we are seeing in the
field, which should further inform organizations like WECC and NERC with a view
to continued security improvement across the sector.