What's on first: insights in NISTs

Never will one mistake the complexities of the Smart Grid, and of undertaking the improvement of its protections, for a straightforward task in security and engineering. It presents an Augean stable of issues, and NIST has waded in with a legion of contributors, to first make sense of it all, and then to start handing out shovels.

In the first draft of their analysis, announced during Grid Week, Annabelle Lee and team have created a dense, but readable tome, numbering some 236 pages at present, entitled, Smart Grid Cyber Security Strategy and Requirements. I encourage you to read it, either on its own, or as an adjunct to the more general draft of NIST's Smart Grid guidance on interoperability. In the event that you are interested in some sense of where the emphasis was put, and are more engaged by the higher level issues of focus and risk, I did a bit of data reduction and reached some pretty interesting, if unintended ( and definitely scientifically questionable ) conclusions.

One of the techniques that NIST uses in creating a better means of discussing cyber security for the grid is to categorize the areas of likely risk and their impacts. This is very helpful, as there are myriad instances of connection between systems within the Smart Grid and some higher level abstraction helps to make the issues digestible. These 15 categories are defined within the document, as are the potential impacts to them ( Confidentiality, Integrity, Availablity ), and their levels ( High, Medium, Low ) using established definitions from the venerable FIPS Publication 199. This exercise, and the tables contained within the draft, permits a reader with a spreadsheet (me) to draw two conclusions about priorities in Smart Grid Security.

Conclusion 1: Integrity is the most important attribute

In reviewing the definitions of the categories, and the impact that was most highly rated, the answer was unanimous. Integrity, as opposed to confidentiality or availability, was rated as a "High" in every single instance. (NB: In categories 10-12, there is a range of impact level, but each included "High" for Integrity ) Whether because corrupted data could degrade the operation of the grid, or because it could be used to defraud customers, suppliers, or the market, integrity showed up as the Number 1 concern, with no exceptions, according to the NIST results.

Conclusion 2: B2B and control system connections are riskiest

There were only two categories which ranked with "Highs" across the board, for Confidentiality, Integrity, and Availability, and both could be described as connections between different kinds of systems. The categories are numbers 6 and 7, relating to B2B and control/non-control systems respectively. This feels right intuitively, but it also represents a potential area of rapid growth in both members and risk for the Smart Grid. It describes the connections that are both most likely to be leveraged by new entrants and which are most likely to use either IP, or actual Internet-based, networking. As we have written about before, the Soft Grid is probably the next big area of investment and expansion, as organizations form to leverage the new infrastructure and public enthusiasm to deliver more interesting and likely complicated applications.

In the remarkable depth and detail of the NIST report, it is very possible to become discouraged by the references to "hundreds of standards" and by the complexity of the diagrams it contains. It is important to have a sense for where to start, as the NIST process will necessarily be a lengthy one, and time ( and Smart Grid Investment Grants ) are waiting for no one. If, as contributors to the Smart Grid, or as advisors to organizations which seek to connect, we can help them focus on these few issues from the start, it's possible that they will be far better prepared for the new documents, threats, and requirements that are certain to follow.

Islands No More - except from a blog

For full article visit:  http://smartgridsecurity.blogspot.com

In a bracing report from Australia, we learn from the Sydney Morning Herald that Integral Energy was inundated with a virus on non-critical systems, but at such a penetration level that they chose to rebuild 1000 desktop machines to eliminate the problem before it "spreads to the machines controlling the power grid."

The security consultant interviewed, Chris Gatford from HackLabs mentions that there is ample evidence that the networks may well have been connected despite the efforts of the utility to separate them. This is particularly problematic because there are not only power control systems to worry about, but also online payment, user account management, and other relatively advanced functions at Integral Energy.

His comments seemed familiar, so I went back through my notes, to a report from the team at Riptech in 2001 (Bought by Symantec) called " Understanding SCADA System Security Vulnerabilities ", where the authors describe a very similar disconnect between assumptions and reality in these internal networks:

MISCONCEPTION #1 - "The SCADA system resides on a physically separate, standalone network."

Most SCADA systems were originally built before and often separate from other corporate networks. As a result, IT managers typically operate on the assumption that these systems cannot be accessed through corporate networks or from remote access points. Unfortunately, this belief is usually fallacious.

In reality, SCADA networks and corporate IT systems are often bridged as a result of two key changes in information management practices.

For remaining post, visit  http://smartgridsecurity.blogspot.com

Author the Author

Mr. Jack Danahy is a Security Executive, Office of the CTO, IBM Rational, and was the former Chief Technology Officer and Founder of Ounce Labs, acquired by IBM in July 2009.  Mr. Danahy is one of the industry's most prominent advocates for data privacy and application security. He is a holder of five patents in a variety of security technologies and is a contributor to industry and national security working groups on data privacy, security, and cybersecurity. His blog can be read at http://smartgridsecurity.blogspot.com.