Tuesday, February 28, 2012

It's time to change professions...

Smart Grid Hacking is now officially lame.


http://www.bing.com/videos/watch/video/the-electric-suitcase/17up8ge0b


It has mainstream cred...


Maybe I'll turn my focus to having the UAVs that many police departments want to deploy!

Monday, February 27, 2012

Mmmmm... soft and chewy? How effective is your 'Critical Infrastructure Supplier' at managing information security?

Living on the inside of corporate InfoSec has been an enlightening experience for me. I have had the privilege of seeing some of the best, and sadly, the WORST corporate InfoSec in my career. How is it that an industry responsible for the health and safety of the majority of the developed world can simultaneously demonstrate the best and the worst?


"Right, what set him off NOW??", you may ask.


The genesis of this post actually comes from outside the power industry. By now, if you spend any energy on reading the news, you know that Stratfor lost a massive pile of e-mail to the Anonymous collective. Right and wrong aside, this action points out a major failing by a company that is supposed to embody the essence of InfoSec. If these guys can't get it right, how do we know that the companies in charge of our energy infrastructure are doing any better?


Sadly, we DON'T know... yet.


In my dealing with major utilities deploying AMI projects, I have worked with some very bright and knowledgeable individuals who have had the task of ensuring the security of power and gas distribution systems. Without exception, they have been what I call "True Believers". The problem, it seems, is not with the people who manage the security programs. It is with the people who manage the people who manage the InfoSec programs. Security is a funny thing when it comes to calculating business risk. Utilities have generally had to be concerned with the forces of the market and nature when building a risk model. AMI and the Internet have introduced that most fickle and insidious of actors to the risk equation, Humans, with Malicious Intent.


You see, natural disasters have been occurring with predictable regularity throughout human history. There are nifty formulae developed by these brilliant folks called actuaries. Market forces are a bit less predictable, but they also have a longer-term effect, and thus can be accommodated over time. People, though, people are less predictable. People with a touch of the naughty in their soul even less so. In the connected distribution systems being deployed today, one intelligent malcontent, one internet-literate criminal with a business model based on extortion, one smart-assed kid with a recent copy of Metasploit and a war dialer can bring an entire city to its knees.


"FUD!", you say. Ahhh, but we now have an object lesson to examine!


By targeting and compromising Stratfor, the Anonymous Collective (or some subset of said same) brought the unpredictability of people who are pissed off AND technologically capable to bear. Was there any warning? Were there any indicators that were ignored? I doubt it. What I believe happened (Key words here kiddies!! "I Believe" This means I have nothing but what I have seen and heard in the media to base my opinion upon) is that Stratfor thought themselves impregnable. After all, they ARE one of the foremost organizations in security and information, right? Hubris is a bitch, isn't it?


The key mistake that Stratfor appears to have made is that they had a somewhat, although apparently not completely, adequate perimeter in place. If my guess is right, this led them to believe that not storing and transmitting all this hyper-sensitive and embarrassing data in an encrypted fashion was not really a risk.


Ooooops!


The lesson here, as I see it, is that security isn't a value proposition until it fails. Too many companies, utilities included, view security as an unnecessary expense and a barrier to profit. "We have firewalls. That's what the compliance guys say we need. What the heck else do you really need?"


In the utility space, we need to make sure that some effort is expended on securing more than just the meter. This will only come if systems come under scrutiny. Controlled, professional scrutiny. The only way that will happen is if the customer DEMANDS it! The utilities have started to demand it of the vendors; it's time the consumer demanded it of the utilities.


Don't think of it in terms of securing a technology.


Think of it in terms of securing the data.


Think of it in terms of securing the control of the system.


When you secure the billing information, the privacy data, and the safety and control of the entire system, you secure profit.


And isn't that why you are in business?


What are your thoughts?