Tuesday, May 11, 2010

Truth AND Consequences for Critical Infrastructure: What if the Smart Grid has Stupid Security & Other Real World Answers on Energy Security

U.S. Power Grid (FEMA, 2008)

"A cyber attack could disable trains all over the country … It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out and confuse financial records, so that we would not know who owned what, and the financial system would be badly damaged. It could do things like disrupt traffic in urban areas by knocking out control computers. It could, in nefarious ways, do things like wipe out medical records." Richard A. Clarke to Terry Gross on National Public Radio (4-19-10)

Truth AND Consequences for Critical Infrastructure: What if the Smart Grid has Stupid Security & Other Real World Answers on Energy Security

By Richard Power

You are no doubt familiar with the CBS Sixty Minutes story (11-8-09) on Cyber War that highlighted the attacks on the Brazilian power grid; and you no doubt recall when CIA analyst Tom Donohue referenced declassified information on successful cyber attacks on several non-US cities via the Internet (PC World, 1-19-08).

Let’s not wait for the big power grid security story of 2010. The time for truth and consequences for critical infrastructure is already here.

To get some real world answers to real world questions on power grid security, I turned to a friend and colleague, Seth Bromberger. He has been involved in security for more than sixteen years, and in cyber security for a major utility for five years. He is also on the Board of Directors of EnergySec, “a private forum of information security, physical security, audit, disaster recovery and business continuity professionals from energy industry asset owners.”

In response to some probing questions, Bromberger and EnergySec director Steve Parker shared their vital perspectives with me.

You can find the full text of the interview in my latest CSO Magazine piece, What if the smart grid has stupid security?

But for CyBlog readers, here is a bonus question and answer that don't appear in the CSO piece:

Q: A lot of consultants, technology vendors, officials and researchers are scrambling to address issues in the energy sector cybersecurity -- what do you think is the biggest misconception?

Seth Bromberger: The biggest misconception results from some of these groups you mention coming in with the mistaken assumption that the folks who are already here don't understand security. They therefore tend to underestimate both the scope of the challenge and the real talent working on solving real-world problems. Nobody's going to be a white knight coming in to save the day - if it were that easy, we'd have solved all the security problems by now.
In my experience, the successful players are the ones who come in with specific expertise designed to solve a particular problem that the utilities are facing. They are working not to get rich quickly or make a name for themselves, but to improve the security posture of the owners and operators of our critical infrastructure by sharing their knowledge in partnership with those responsible for securing that infrastructure.

Again, for the full text of the interview, see my latest piece in CSO Magazine.