Navigant Research Blog

NIST Inches Toward Cybersecurity Framework

— May 20, 2013

Executive Order 13636 requires, among other things, the National Institute of Standards and Technology (NIST) to develop a “Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.”  There is a lot of good detail as to what is expected to be in this framework, whose requirements run to a full page.  Recently, NIST hosted its first Cybersecurity Framework Workshop to address those necessities.  This particular workshop resulted from the following specific requirement: “In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process.”  The director of NIST must deliver a framework within 1 year of the publication of the Executive Order (EO); that is, no later than February 19, 2014.

I’m not sure what a framework workshop is, or how many times the word “work” must appear in a meeting title before people will believe that you plan to accomplish something.  At any rate, over 700 people attended the workshop – quite large to qualify as a workshop.  Living in the Dallas-Fort Worth area, I remember years when the Texas Rangers could barely get 700 people to attend their baseball games (unless Nolan Ryan was pitching).  Besides, here in Texas, anything with 700 members is usually called a herd.

Engaged, Considered

Whatever you call it, this event was important.  Strictly speaking, the 700 workshop attendees were allowed to comment, but the EO only requires the Secretary of Homeland Security to “engage and consider” their advice.  Based upon past experience, the likelihood of their input being ignored is very low.

I may be a bit skeptical here because I’ve watched the North American Electric Reliability Corp. (NERC) labor to adopt seemingly minor clarifications to the CIP Reliability Standards (which it then invalidates).  It has repeatedly been hamstrung by large attendee lists that include sometimes contradictory agendas.  Anyway, quoting the EO, 9 months from now we shall have:

  • A prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
  • Methodologies to identify and mitigate impacts of the Cybersecurity Framework … on business confidentiality, and to protect individual privacy and civil liberties

After that, quoting Section 8(a) of the EO, “The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.”

In other words, 1 year to develop a framework of non-binding recommendations for the protection of critical infrastructure.  Here in the smart grid world, we already have that.  It’s called the NISTIR 7628 series.  So maybe it’s a very good call to have NIST run this play.  But you’d have to accept that critical infrastructure owners will spend money on protection that they are not required to spend.  To date, that trend is not encouraging.

 

One Step Closer to Quantum Cryptography

— March 4, 2013

It sounds sci-fi but it really isn’t.  Los Alamos National Labs (LANL) announced that it has successfully demonstrated quantum cryptography, using a single photon to generate secure random numbers between devices.  LANL successfully tested this quantum crypto transmitter against an electric grid test bed.  (Perhaps the bigger surprise is that someone is actually developing a security solution not aimed at social networking.)

According to the press release, this marks “the first-ever demonstration of securing control data for electric grids using quantum cryptography.”  That gives me a mild case of heartburn:  cryptography is one method of protecting data, but to say that any cryptography on its own secures data is to overstate the accomplishment.  But this is genuine innovation – rare as hen’s teeth in grid cyber security – so let’s press on.

If this were just another way to encrypt data, I might say, “Neat!” and stop there.  But the most nearly intractable problem in securing smart grids is protecting legacy devices that sit side-by-side with modern IP- and Bluetooth-enabled devices.   The cryptographic transmitter, invented by LANL and called a QKarD, is tiny by comparison with other encryption devices and introduces line latency well within tolerances for a control network.  Testing was done on a 25-kilometer (15.5-mile) length of optical fiber.

New Intelligence Required

As Los Alamos points out, integrating renewable energy supplies into grids requires new techniques, and new telecommunications.  Most grids were built for the steady, predictable inputs from fossil-fired generation.  Adding variable rate inputs such as solar or wind requires new intelligence and new controls.  Those new controls assume that data received from the field is reliable and from a trusted source.

Cryptography can fulfill both of those functions.  While enterprise IT shops rely upon cryptography first and foremost for confidentiality, data integrity is more important for control networks.  Cryptography is not by itself a total security solution, but its role in preserving useful and accurate data is key.  LANL’s solution may move the industry one step closer to a painless way to protect all that data.

A recurring theme from my 3 years of research is that there is precious little innovation in cyber security.  Along with quantum cryptography, I have recently seen promising new approaches for network anomaly detection, network cleansing, and device ID protection, among other things.

Perhaps the tide is finally turning.

 

In Cyber Security, It’s the Whole Picture That Matters

— January 29, 2013

The story goes that a group of business people were stranded on a desert island with a bountiful supply of canned and therefore imperishable food, but no way to open the cans.  As the group struggled to find a solution, the lone economist in the group piped up, “Assume a can opener…”

Sometimes it seems that’s how we approach industrial control systems (ICS) security.   “Assume a secure perimeter…”  It’s not fair to expect any single product or any single vendor to provide complete security for ICS networks, and yet we seem stuck in a world of point-solution purchases and security without any overriding architecture.   It’s as if we’re saying, “If I can just get me some [insert technology of the week], then I’ll be secure.”

Barely 3 weeks into the new year, I have already had wonderful briefings from companies whose products lock down privileged IDs, ensure clean networks by detecting attacks at network chokepoints, heuristically identify attacks through behavior analysis rather than signatures, protect control networks from the lawless jungle that is enterprise IT, and so on.

All of these approaches are good, and all of them are necessary.   But in isolation, none protects an ICS network.   Cyber security still begins with risk assessment, not product purchase.  Every utility is a business, and every business is unique.   So before you go ask for this year’s cyber security budget, do a little planning.   Skip the shortcuts.

Call for Help

To the utilities that have a shopping list of security products but no overarching plan for how to use them: You might be amazed how much you can save in deployment and ongoing maintenance with just a little thought.   Over the years I’ve seen countless companies purchase a less expensive product without planning how it would be supported.   A bargain is no bargain when it requires an excess staff of 10 full-time employees for 10 years to support it.

To vendors happy to show up at a utility and sell only their product: think about your customer as a business, not an account.   If you don’t see enterprise security planning going in, bring in some help.  Maybe that help is a systems integrator, maybe it’s just a single security assessor.  Maybe it’s collaboration with other cyber security vendors or even – gasp! – a competitor.  No matter what, understand the whole problem, not just the problem that your product will fix.

There is some cause for encouragement.   Compared to 2 years ago, vendors are much more likely now to tell me that they are part of a full cyber security solution.  Utilities have become much more methodical in their approach to cyber security – especially as OT teams have become savvy and made their reliability requirements part of cyber security projects.

 

NSA, Raytheon Hack U.S. Power Grid

— January 17, 2013

If you’re a Robert Redford fan, you probably remember 1992’s crime drama, Sneakers.  The opening scene of the movie depicts a ragtag team of security experts expertly hacking and breaking into a bank, nabbing $100,000 in cash.  The group, consisting of Dan Aykroyd, River Phoenix, and Sidney Poitier, are actually good guys who make a living by being hired by banks to test the vulnerabilities of their security systems.

It turns out that today’s U.S. government has enlisted services similar to those of Redford’s band to test for vulnerabilities on the U.S. electricity grid.  A newly released, highly redacted report shows that the National Security Agency (NSA), along with defense contractor Raytheon, has assembled a team of 28 engineers tasked with hacking into the U.S.’s electricity grid.  And, much like Robert Redford’s team in Sneakers, Raytheon has been successful in gaining access to secure systems and infrastructure throughout the nation’s electric grid.

One would hope that the team of NSA and Raytheon “penetration testers” represents the very best hackers in the world and that unwanted attacks on the electric grid are highly unlikely.  Unfortunately, countries like Iran and China, along with groups like Anonymous, have shown an increasing willingness and capacity to hack into both private and public websites and networks.  Countries and groups like these have found cyber-espionage a relatively easy and cost-effective way to inflict physical and financial damage on the United States.  In fact, the Department of Homeland Security said it responded to 95 attacks against energy utilities’ systems in fiscal year 2012.

What are Utilities Doing?

Pike Research’s Bob Lockhart has evaluated how utilities are protecting against cyber-attacks on their industrial control systems.  Control systems, which are the backbone of distribution and substation automation systems, are increasingly reliant on IT-enabled devices.  Unfortunately, Pike Research has shown that these embedded IT systems’ “threats and vulnerabilities are many and well known.”  Despite yearly revenue of $369 million for 2012, Pike Research’s Industrial Control Systems Security report adds that “technology innovation for the smart grid ICS security is stagnant.”  Clearly, a well-functioning electricity grid is a vital part of the U.S. economy, security, and livelihood.  While the report mentions that utilities are becoming more proactive in protecting their infrastructure and assets, in the meantime, it doesn’t hurt to have the NSA using a variety of innovative tactics to keep the grid secure.  The Sundance Kid probably wouldn’t hurt either.

 
