Smart Grid Security: The Google Attack and What It Means for U.S. Utilities

.

There are changes coming, but the sky is not falling. Our cyber defenses are in need of more attention and more focus, but they are generally pretty good. The Smart Grid is clearly a new chapter, and ensuring we get as much of the required security designed and deployed correctly up front will save all of us a great deal of time and trouble later on.

As they get more sophisticated, they are very interested in source code and ways to find new vulnerabilities in software companies' products.

.

So you see, one feeds the other. Zero-day vulnerabilities are very hard to find. Most popular software packages have been around for a while, and have been well wrung-out in the market. Finding something new and vulnerable in them is neither common nor simple. With the source code, however, it becomes much more straightforward. Looking from the inside out, it is like having a map to the functionality, and weaknesses are revealed that would be very hard to find just searching from the surface. The fact that one of these vulnerabilities was found and then used to steal more source code leads to a conclusion that this is a pretty well-thought-out approach. The attack has been described as sophisticated, and using its spoils to sow the seeds of future attack vectors is equally so.

The Curtain Pulls Back
The big news, however, isn't so much that these events are happening, but rather that they're being discussed so openly. According to Atlantic journalist Marc Ambinder, we have Google to thank for that:

.

Google's revelation that they'd been hit was deemed a "watershed" moment by security industry analysts, but the other 32 companies who were hit have not followed suit and have begged the government to keep their identities a secret. The government has no choice but to protect their identities -- even as policy encourages greater transparency about the scope of such attacks.

.

Two weeks ago events reached fever pitch with Secretary of State Clinton speaking out in Washington against nation-supported (if not sponsored) cyber attacks by China and Iran, among others. Basically, she's calling out a new opposition axis, only this time it's isn't an Axis of Evil, it is an Axis of Cyber Threats.

On the Cyber Defensive
In case you didn't know it, U.S. companies and government organizations have long been victims of and targets for cyber attack. This doesn't make the U.S. unique, by any stretch, but recent increases in the frequency of damaging attacks is surprising, given the presence of some excellent cyber security defense programs on our side, and with the increasing instances of public regulation and legislation on the topic. The main culprit appears to be the seemingly innumerable Internet connection points that present attackers with unexpected access to both flaws in software and system configuration errors. These deliver the necessary opportunities for getting to other applications and to sensitive data. With U.S. companies, there is little recourse, little ability to hit back. That's our policy. Again, Mark Ambinder:

.

[These are] the U.S. network security rules of engagement. Defend, don't attack.... For example, if a U.S. site comes under attack [from a foreign site], the victim -- assume it's an intelligence agency -- can defend it by trying to block the attacks, and it can offensively attempt to figure out who's behind them -- but once that threshold is crossed, it cannot attack the sites. [Most attackers] have no such rules. In fact, [some governments] teach attack techniques to a large group of state-sponsored hackers, and part of the classroom work is for them to conduct actual attacks on sites around the world, including the U.S.

.

U.S. companies are only obligated to disclose the loss of customers' private information, and they don't have to be very specific about how the loss occurred, so there isn't much improvement in protection as a result of understanding how a successful attack transpired.

Take Aways for Utilities
Smart Grid initiatives are driving a huge increase in Web connectivity for utilities at this very interesting point in the evolution of cyber offense and defense. A big part of that increase comes in the form of new online energy applications and services being built by Google and dozens of start-up companies including Silver Spring Networks, GridPoint, Grid Net, Tendril and demand management veteran EnerNOC. Are all as forward minded re: security as Google? Time will tell.

We know utilities in other countries have come under cyber attack ... at least one incident induced significant outages. We also know that malicious code has found its way onto U.S. utility computer systems. But there is lots more we don't know and there are many questions to consider while we're still in the formative stages of the Smart Grid build out:

·       Will large U.S. utilities become targets for big cyber attacks similar to those that just hit Google?

·       Will they have the defenses in place to protect customer data and maintain reliability as well as it appears Google did?

·       Especially as they rely so heavily on enormous amounts of reliable, high quality power, will Google and other more mature cyber security victims be willing to share their best practices with the utility community?

·       What obligations do utilities have for disclosing cyber attacks they endure, especially ones that cause tangible damage? And if they do disclose this info, to whom do they disclose it: FERC, NERC, NSA, each other, or the general public?

.

Despite repeated warnings from experts and the press since the Google breach headlines appeared, progress on disclosure from other affected organizations, forensics on the actual mechanisms, and informed recommendations have been slow. That must change. Utilities and their software/service providers should be pressing for information and for assistance, because this kind of data and experience can educate and invigorate utility CIOs and CISOs so that they can err on the side of over-preparation when performing security planning on behalf of their companies and their customers. Nothing could more fundamentally weaken our nation and our competitiveness than an organized and successful attack on our power infrastructure, and these incidents present an uncommon opportunity to learn.