Posts Tagged ‘smart grid’
There’s no question that Critical Infrastructure (CI) was a popular topic in IT security media outlets throughout 2011. From Duqu speculation to Black Hat PLC hacking, this past year was a wake-up call for the energy & utilities industry, confirming that CI security is more than just a 15-foot high brick wall.
If you recall, at Black Hat 2011, a researcher was able to hack into a Siemens device because it had SCADA authentication holes. According to a recent article over at Dark Reading, the Siemens team is pushing to release a major security fix this month. While it’s still early January, we haven’t heard of the fix being pushed out yet, so if you have, please let us know in the comments.
Quote from Siemens Industrial Security News about the vulnerabilities:
Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort). We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities.
While Siemens is investigating their issues, various government agencies have aligned with leadership in the private sector to try and find a solution to the security woes in the energy and utilities industry.
The “Electric Sector Cybersecurity Risk Management Maturity” project is now in place to help establish a holistic security approach for the nation’s energy infrastructure. The project leaders are of varied backgrounds, which makes this all the better. It’s made up of representatives from the Department of Energy (leading agency), the White House, and DHS, with participants from the private energy and utilities sector. Odds are this project will eventually turn into a single government agency to handle all cyber security concerns, as Massachusetts Institute of Technology (MIT) has already suggested.
What can energy providers do while the aforementioned “maturity model” is put into place? Learn about Security Intelligence and how it can help mitigate many of the IT security concerns in the smart grid and for energy control systems in general.
Last week we held a webcast with our partner Accuvant and talked a bit about the state of critical infrastructure security and how security intelligence can help build a comprehensive security program – specifically in the energy and utilities industry.
Chris Poulin, Q1 Labs’ CSO, kicked it off with a creative view of the smart grid, electricity transmission and distribution systems to set the tone with a few interesting takeaways. While smart meters may not necessarily be prevalent yet, those that are deployed need to be logged and properly monitored. The advancements related to smart grid highlight the vulnerabilities and security concerns looming over our entire critical infrastructure, as the energy supply chain becomes more exposed and interconnected.
David Swift from Accuvant brought up some of the top concerns IT security professionals in the energy and utilities sector have when approaching APTs, zero-day attacks, and overall compliance mandates. While sometimes we get caught up in the complexities of discovering attacks, David reinforced that for starters we need to keep a close eye on logs. Track firewall denies, IDS/IPS events, Geo IP data, etc. Patterns discovered from AV alerts or repeated, large IM file downloads can be the key to discovering slow-moving but significant threats to an enterprise.
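A slow-moving pattern of the kind described above shows up when you count the distinct days on which a host produces the same low-volume event, rather than alerting on bursts. This is an added example, not code from the webcast or from any product mentioned here; the log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime

LARGE_BYTES = 20 * 1024 * 1024  # assumed cut-off for a "large" IM file transfer
MIN_DAYS = 3                    # assumed: distinct days before a host is flagged

# Constructed, already-normalized events: timestamp source host action bytes
SAMPLE_EVENTS = """\
2011-10-03T02:14:07 firewall 10.1.4.22 deny 0
2011-10-03T09:30:11 im-proxy 10.1.7.50 file_download 52428800
2011-10-04T02:16:40 firewall 10.1.4.22 deny 0
2011-10-04T11:02:55 im-proxy 10.1.7.50 file_download 1048576
2011-10-05T02:13:19 firewall 10.1.4.22 deny 0
2011-10-05T14:45:00 firewall 10.1.9.8 deny 0
2011-10-05T14:45:01 firewall 10.1.9.8 deny 0
2011-10-06T09:31:47 im-proxy 10.1.7.50 file_download 61865984
2011-10-07T02:15:03 firewall 10.1.4.22 deny 0
2011-10-09T09:29:30 im-proxy 10.1.7.50 file_download 73400320
"""

def parse_events(text):
    """Turn normalized log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, source, host, action, size = parts
        try:
            day = datetime.fromisoformat(ts).date()
            events.append({"day": day, "source": source, "host": host,
                           "action": action, "bytes": int(size)})
        except ValueError:
            continue  # bad timestamp or size: drop the line, keep the run going
    return events

def slow_movers(events, min_days=MIN_DAYS, large_bytes=LARGE_BYTES):
    """Return {(host, pattern): [days]} for patterns recurring on >= min_days days."""
    days = defaultdict(set)
    for e in events:
        if e["source"] == "firewall" and e["action"] == "deny":
            days[(e["host"], "firewall_deny")].add(e["day"])
        elif e["action"] == "file_download" and e["bytes"] >= large_bytes:
            days[(e["host"], "large_im_download")].add(e["day"])
    return {key: sorted(d) for key, d in days.items() if len(d) >= min_days}

if __name__ == "__main__":
    for (host, pattern), seen in slow_movers(parse_events(SAMPLE_EVENTS)).items():
        print(host, pattern, [d.isoformat() for d in seen])
```

The host with two denies in one second is not flagged, while the host with one deny a night over four nights is: the signal is persistence across days, not volume.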
If you missed the live webcast, watch the highlight clip above and download the full on-demand webcast. Attending RSA Europe? Chris will be presenting live – When Refrigerators Attack! Securing the Critical Infrastructure – on 10/12 at 4:40 pm in the Windsor Suite (East Wing).
With the advent of the “Smart Grid”, the electric and power industry has been progressing through their version of the Renaissance. Historically, the biggest concern for this industry was physical security, e.g. how do we keep our physical grids secure from being tampered with? Now, they seem to be focused on service, moving towards the Smart Grid in order to help smooth the delivery of electricity to an increasing number of customers, provide new monitoring services, and reduce the frequency of blackouts. This effort has been led by states like California working closely with NIST’s Smart Grid Interoperability Panel. But have they left cyber-security out of the big picture?
Similar to SCADA systems, most smart meters are delivered and implemented with little to no security measures in place. As a result, a rapidly growing number of energy providers and critical infrastructure suppliers are implementing security intelligence solutions to help them collect, normalize, and analyze network event and device data generated by their smart grids. They are recognizing that as smart meters become more intelligent, the risk profile increases accordingly, exposing the nation’s energy grid to more advanced attacks (what Gartner calls Advanced Targeted Threats).
In June 2011, the Obama administration released a report titled “A Policy Framework for the 21st Century Grid”, which has a task of defining the future of our nation’s energy policy. One of the goals in the report is focused directly on establishing policies and best practices for cyber-security, specifically standards and a knowledge-based culture.
The Administration is moving in the right direction by working with states and private companies to develop standards and guidelines to drive a more secure power grid, but we still have a ways to go before our critical infrastructure is adequately protected. For now, states like California are making noticeable progress on smart grid adoption, and private companies like Portland General Electric are making similar progress securing their infrastructure with security intelligence solutions. However, the vast majority of the industry is still operating in the dark, as revealed in a recent study by the Ponemon Institute, “State of IT Security: Study of Utilities and Energy Companies.” This study found that nearly half of global energy organizations did not view IT Security as a strategic initiative.
You’ve heard this before – but a cyber-terrorism attack would have a catastrophic impact on the nation’s electric grid, shutting down critical businesses, slowing our ability to respond locally with law enforcement, disabling cell phones and other communication devices, and more. U.S. Defense Secretary Leon Panetta recently warned that “The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems”.
Clearly our power grid (smart grid or not) is vulnerable to attack. Hopefully, as we move closer towards broader smart grid adoption, the industry will make progress adopting security intelligence solutions to help protect our critical infrastructure assets. Do you think the electric and power industry is prepared to adequately protect itself from attacks?
The annual Black Hat conference is renowned for its controversial “briefings”, but one in particular has caught the attention of the industry this week. NSS Labs security researcher Dillon Beresford seems to have found more holes in industrial control systems, specifically programmable logic controllers (PLCs) from Siemens. PLCs are sub-systems of larger SCADA systems that are known to be deployed with little to no security measures, some exposed to the internet.
It’s no secret or shock that vulnerabilities exist in our industrial control systems. The health of our critical infrastructure depends on the security and stability of industrial control systems. The range of services covered by these systems is staggering. They control various services such as water treatment, water supply, electric power distribution, and oil and gas pipelines. Have I mentioned nuclear facilities? A successful attack on a single system inside any of the aforementioned services would have devastating effects socially, economically, and politically.
During his talk, Beresford demonstrated how to infiltrate and disable these PLCs, steal data, execute commands, and even lock out administrators. According to many in the industry, including Beresford, better access controls and stricter security measures are being worked on now by Siemens.
“Now” might be a bit too late though, especially since Stuxnet is just over a year old and the threat is still looming over us. Beresford also claims that these are simple attacks to execute, casually stating that “single guys sitting in their basements could pull this off”. This might be the case for a single PLC breach, but probably not as simple for a larger Stuxnet-like infection.
It’s clear there’s an increased level of concern today over new threats posed by the smart grid. For example, smart meters running on mesh networks bring in a new level of potential vulnerabilities to both consumers and providers.
From power outages to rerouting or stealing consumption to the possibility of a targeted attack at critical infrastructure, it goes without saying that the global energy market is emerging as an industry that is facing some real security challenges.
Recently, Q1 Labs partnered with Ponemon Research to present a ground-breaking study tapping 291 IT and IT Security executives that unveiled the challenges and critical perspectives global energy and utility organizations have on today’s threat environment.
What we found was over half of global energy organizations do not view IT Security as a strategic initiative across the enterprise. This was intriguing, based on the fact that physical security, as might be expected, scored higher on the priority scale.
Additionally, 76% said they suffered one or more data breaches over the course of the last 12 months. This was interesting not just because of the high percentage of those who said they were breached, but because of how recently the breaches actually occurred.
And as noted in Bloomberg, management teams are challenged in understanding exactly what they are up against in terms of external threats. Honestly, the statistics keep coming – you can read through the summary of findings from Ponemon here. (A more detailed white paper will be coming soon.)
As part of the presentation, our California ISO (Independent System Operator) customer walked through how they leverage SIEM as a prescriptive measure that meets their security and compliance requirements.
One interesting comparison between research findings and what CAISO presented was the criticality of NERC/CIP compliance. The research showed that 77% of companies in the industry weren’t prioritizing compliance initiatives as part of their security programs. CAISO outlined how NERC compliance was not only the biggest driver in acquiring a SIEM solution, but also aided in integrating other best practices and key guidelines like NISTIR 7628 for the smart grid.
What CAISO also communicated was that centralizing logging was an important driver, so that they could correlate log data from multiple sources, which speaks to the breadth of integration QRadar offers to this market. And finally, he spoke to the value of flow technology in terms of monitoring ports and services running on the CAISO critical infrastructure. Again, please feel free to check out our recorded presentation for more context.
As the market continues to evolve in terms of identifying threats and vulnerable areas, so must the security industry. As the industry is seeing more targeted attacks, QRadar is helping many energy organizations counter these threats in the pre- and post-exploit phases for better visibility across the network. It’s the constant evolution of threats and countermeasures that drives IT Security, but within the energy industry, there seems to be an inordinate number of threats that are known by all.