We have entered a brave new world in which we are ever more dependent upon cyberspace and our electrical grid. At the same time, the energy sector is becoming more vulnerable to cyber-attack.
The energy sector’s history of vulnerability began with the Blackout of August 2003. The sector responded to that blackout by following the financial sector’s resiliency model to ensure business continuity. In their effort to defend against kinetic events like blackouts, they weakened their cybersecurity posture: the increase in remote access and Internet-facing SCADA/ICS systems opened up a proverbial “Pandora’s box” of increased risks and threats to these systems.
The situational awareness of our cyber adversaries has been greatly enhanced, sometimes using nothing more than publicly available tools. Exposed SCADA systems can now be targeted via Google-fu that identifies embedded systems reachable from the Internet. In addition, there is a disturbing trend of Pastebin posts that expose SCADA/ICS devices, their IP addresses, and other identifying information for sale. Not only are these systems increasingly connected and accessible: it’s increasingly easy to find them.
The risks of accessibility and discoverability are exacerbated by the advent of Stuxnet and Flame. Stuxnet ushered in a new era of weaponized code. (See: http://blog.trendmicro.com/trendlabs-security-intelligence/stuxnet-used-in-blackhat-seo-campaign/ ). But governments no longer have a monopoly on cyber weapons of war: in some cases they’ve lost control of the weapons they built, only to see them fall into the hands of criminals and others. The arms bazaars of Eastern Europe and South America have now distributed asymmetric capabilities like DuQu to non-state actors. In 2013, the non-state actor community will begin to attack the energy sector for political, theological and financial purposes.
It is imperative that the energy sector learn from the gaps in cybersecurity which exist in the financial and government sectors. An over-reliance on perimeter defenses and encryption will not manage the exposures or the targeted attacks employed by our adversaries.
I believe the SANS and the NSA Twenty Critical Security Controls represent a good starting point to begin to allow offense to inform defense. (See: http://www.sans.org/critical-security-controls ).
The energy sector is embracing SCADA/ICS and smart grid technologies. These technologies allow for greater resiliency and efficiency, but they also bring greater operational and systemic risk from integrity attacks. This added risk must be managed thoughtfully. In order to close Pandora’s Box we must move beyond the energy sector’s use of the North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) security standards (See: http://www.nerc.com/files/CIP-002-4.pdf ) and embrace advanced threat protection technologies, virtual patching and file integrity monitoring.