Navigant Research Blog

Cloud Security Reaches New Heights

— June 12, 2014

I have consistently taken the contrarian position that cloud computing is more secure than in-house deployments.  That’s only contrarian in terms of public opinion – to me it makes perfect sense that a cloud service provider will be more attentive to cyber security than a utility.  For a cloud provider, cyber security is a core competency.  For a utility, it is not.

This week I stumbled upon what I hope will be compelling evidence that cloud computing is secure enough for utilities.  Namely: a complete do-it-yourself cybercrime service, which even includes 1 year’s hosting.  That means: the criminal activities run in a cloud.  And don’t worry, clicking on that link will only take you to a story about the DIY service, not the service itself – so you won’t end up on an FBI watchlist.

Cybercrime marketplaces have been around for years.  What strikes me about the current DIY offering is that it includes cloud-based hosting.  Now, utilities may have worries about the security of cloud computing, but criminals have much bigger worries.  While I would never say that utility control systems are completely defended, there is an awful lot of resiliency built into transmission and distribution networks.  Those networks can withstand powerful attacks, as we all learned with the Metcalf Substation Attack in 2013.  On the other hand, criminals have to worry about being caught.  Not only by law enforcement agencies, but also by other criminals, who typically have a different set of operating principles than law enforcement agencies.  So when a cloud is offered as bulletproof to this audience, we may assume that it really is strongly protected.

Good Enough for Crooks

And that’s the crux of the issue: if cloud computing can be made secure enough that criminals will use it, then it can be made strong enough for private industry – which at least has the law on its side.  Meanwhile, some of the more recent developments in smart grids, especially data analytics, almost require cloud computing to work.  In-house deployments of petabyte- and exabyte-sized databases are impractical, even before wondering where a utility would find qualified staff to maintain those databases.

So could we finally answer the question: Is cloud computing secure enough?  If it’s secure enough for criminals to risk their lives and their families’ lives with it, then maybe it will work for utilities too.  Just maybe.

I should point out that a number of the links in this blog are the work of Dancho Danchev, one of the most respected security researchers in the industry.  He will go where angels (and the rest of us) fear to tread.


Data Analytics Bring Integrity Challenges

— June 6, 2014

The only thing worse than making no decision is making the wrong decision.  As utilities embark on analytics-driven decisions, they must keep this in mind.  When the analytics are down and there is no data at all, utilities can go into human intervention mode, which they did for the first 100 years of their existence.  But when the data is available but wrong, that’s when havoc may be wreaked.  The increase of automation enables fast and fine-grained control that utilities have never before enjoyed.  Yet, that automation assumes accurate data.  Inaccurate data leads to inaccurate decisions.

In other words, data, like people, needs integrity.

Integrity simply means that the data has not been modified without detection.  Less frequently discussed than confidentiality and availability, data integrity suffers from a sort of middle-child syndrome.  Whether we talk about enterprise IT security or control system security, integrity sits sandwiched between confidentiality and availability.  Yet, integrity is nearly as critical as availability.

Available and Integral

To their credit, the data analytics experts that I speak with often mention security.  It’s usually the last topic they cover, but they do cover it.  That’s okay.  We security practitioners are always last on the agenda and we expect to be last on the agenda.  Unless there are auditors in the room – then they go last.

The most important security aspect of data analytics for utilities is availability.  If your data is not available when you need it, then it is useless.  Timing is critical.  Grid reliability may need to act on data generated within, oh say, the last 4 milliseconds.  On the other hand, time-of-use rate design has less stringent requirements.  No matter what, the right data must be available when it’s needed.  Nearly everybody gets that.

But data integrity is nearly as important as availability.  One key to ensuring data integrity is data encryption.  Often associated with confidentiality, encryption also ensures data integrity via the use of message digests, calculations that indicate whether or not a data record has been modified.  Modern grid sensors usually have built-in encryption capability, using standards-based approaches.  However, many legacy devices (read: old) do not have the computing power to implement encryption.  Some have essentially no computing power at all.

The Devil in Legacy Devices

Yet, legacy devices remain critical to the stable operation of distribution networks.  There is no absolute protection for these devices yet.  Control system vendors sell bump-in-the-wire devices – which can be placed right next to a legacy device to encrypt its data.  But the device itself is still unprotected.  National labs and commercial vendors have launched ambitious research programs to identify new ways to ensure data integrity from legacy devices.

And therein lies the problem: data from legacy devices is every bit as important as data from modern devices.  Under the norms of cyber security paranoia, we must assume that legacy device data is compromised.  Until – if ever – we can rest assured that legacy devices are adequately protected (or replaced en masse), we need something to ensure that legacy sensor data is reasonable and unmodified.  Massive volumes of data suggest that only automated inspection can accomplish this – human intervention need not apply.

All of which means: do not overlook the data integrity solution when you assess the data analytics solution!
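As an added illustration (not code from the original post), here are the two halves of the problem above side by side: a keyed message digest that lets a head-end detect a modified record from a modern sensor, and an automated plausibility check for a legacy device that cannot compute a digest at all. Note that an unkeyed digest is not enough on its own, since whoever alters the record can recompute it; the key is what makes modification detectable. The key, device name, readings and thresholds are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed placeholder key shared by a modern sensor and the head-end; not a real key.
DEVICE_KEY = b"example-shared-key-do-not-use"

def encode_record(device, value, ts):
    """Canonical JSON bytes for one reading, so sender and verifier hash identical input."""
    return json.dumps({"device": device, "value": value, "ts": ts}, sort_keys=True).encode()

def tag_record(record, key=DEVICE_KEY):
    """Keyed digest (HMAC-SHA256). An unkeyed digest could simply be recomputed by
    whoever alters the record, so the key is what makes modification detectable."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def verify_record(record, tag, key=DEVICE_KEY):
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(tag_record(record, key), tag)

def plausible(readings, low, high, max_step):
    """Automated inspection for legacy devices that cannot compute a tag: each
    reading must sit inside the physical range and must not jump by more than
    max_step between consecutive samples. Thresholds are constructed, not real."""
    prev = None
    for v in readings:
        if not low <= v <= high or (prev is not None and abs(v - prev) > max_step):
            return False
        prev = v
    return True

def demo():
    """Constructed sample: one modern reading that is altered in transit while its
    original tag is reused, and one legacy feed containing a single implausible spike."""
    record = encode_record("xfmr-12", 13.8, 1401200000)
    tag = tag_record(record)
    tampered = encode_record("xfmr-12", 138.0, 1401200000)  # value altered, tag reused
    legacy_good = [13.8, 13.9, 13.8, 13.7]
    legacy_bad = [13.8, 13.9, 0.0, 13.7]  # out-of-range spike the sanity check rejects
    return {
        "authentic": verify_record(record, tag),
        "tampered": verify_record(tampered, tag),
        "legacy_good": plausible(legacy_good, 11.0, 16.0, 1.0),
        "legacy_bad": plausible(legacy_bad, 11.0, 16.0, 1.0),
    }

if __name__ == "__main__":
    print(demo())
```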


Honeypots Teach Us About Attackers

— April 11, 2014

Security researchers will try almost anything to find out who is attacking their clients and how.  One of their best-loved and most effective techniques is a honeypot.  First developed about a decade ago, a honeypot is a decoy system or network – a tempting target for attackers that is not really a target at all, but a trap.  The objective is to lure attackers into the honeypot and then watch how they work.  Attackers’ methods are almost like fingerprints; researchers who are familiar with a number of attackers can often identify the attackers simply by watching their step-by-step process of discovery through the honeypot.  Researchers do have other methods as well, such as tracing IP addresses or even fingerprinting the attackers’ browser – adding source code to the attackers’ browser that reveals more about their identity.

Attackers are, of course, aware that honeypots exist, so preparation of an effective honeypot must be extremely detailed.  To set up a honeypot requires a fair bit of planning to make the target look as realistic as possible.  Eventually, the attackers will realize that they’ve been had, so the objective is to keep them in the honeypot as long as possible to gather as much information as possible about their methods and their identity.

One security researcher described one of his honeypots in a talk at the SANS 9th Annual ICS Security Summit.  Kyle Wilhoit of Trend Micro described a scenario in which he set up juicy but fake targets on five continents and then watched them be attacked.  Each was a model of a control system for a small municipal water pump.  Connected directly to the Internet and with insufficient protection, this water pump looked like easy pickings, and it was attacked nearly 100 times.  Again, the attackers were not attacking an actual water pump but were instead sending commands to a simulation of a water pump – the honeypot.

Disturbing Motives

Perhaps most disturbing to me is that most of the attacks that Wilhoit reported were attempted sabotage, not data exfiltration.  Nearly all of my recent research indicates that large-scale persistent attacks against control networks have been data exfiltration for competitive advantage.  In this case, however, data exfiltration attempts were a minority of all attacks.  Even some well-known attack teams supported by hostile nation-states attempted to disable the water pump, not simply exfiltrate its data.  For me, this requires a rethink:  Is all that data exfiltration really just for competitive advantage or are attack plans being prepared?  As ever, only the attackers know, but this one project suggests that there may be more attack planning than has been assumed.

You might think that attackers seeing a control device connected directly to the Internet would say, “Nah, this is too good to be true.”  And then seeing a control device directly connected to the Internet with little or no security – “It just has to be fake, right?”  Sadly, no.  Attackers are accustomed to discovering real systems like this all day long – directly connected to the world and with no protection.

My conclusion is mixed.  Honeypots are an effective tool for learning about our adversaries.  Yet, honeypots work because the unprotected systems that they mimic are commonplace in our industry.
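To make the sabotage-versus-exfiltration distinction above concrete, here is an added example (not from the original post or from Trend Micro's work) that triages a decoy's command log: read requests are counted as data collection, write requests as attempts to change the pump's state, and the order in which each source first used each function code is kept as a crude fingerprint of its discovery process. It assumes the decoy logs Modbus/TCP function codes in the constructed line format shown; the log lines and addresses are constructed (documentation IP ranges), not a real capture.

```python
import re
from collections import defaultdict

# Assumption: the decoy records Modbus/TCP function codes. Read codes indicate data
# collection; write codes indicate an attempt to change the simulated pump's state.
READ_CODES = {1, 2, 3, 4, 43}   # read coils/inputs/registers, device identification
WRITE_CODES = {5, 6, 15, 16}    # write single/multiple coils and registers

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) fc=(?P<fc>\d+)")

def parse(lines):
    """Yield (timestamp, source, function code); malformed lines are skipped so a
    bad line cannot stall the collector."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], int(m["fc"])

def classify(fc):
    if fc in WRITE_CODES:
        return "write"
    if fc in READ_CODES:
        return "read"
    return "other"

def summarize(lines):
    """Per source: read/write/other counts plus the ordered list of distinct function
    codes, which serves as a simple fingerprint of how the source explored the decoy."""
    summary = defaultdict(lambda: {"read": 0, "write": 0, "other": 0, "sequence": []})
    for _ts, src, fc in parse(lines):
        entry = summary[src]
        entry[classify(fc)] += 1
        if fc not in entry["sequence"]:
            entry["sequence"].append(fc)
    return dict(summary)

def sabotage_sources(summary):
    """Sources that went beyond reading and tried to change state."""
    return sorted(src for src, e in summary.items() if e["write"] > 0)

# Constructed sample capture (documentation IP ranges, not real attackers).
SAMPLE = [
    "2014-03-01T10:00:01Z src=203.0.113.7 fc=43 unit=1",
    "2014-03-01T10:00:02Z src=203.0.113.7 fc=3 addr=0 count=10",
    "2014-03-01T10:00:09Z src=203.0.113.7 fc=6 addr=4 value=0",
    "2014-03-01T11:12:40Z src=198.51.100.20 fc=3 addr=0 count=125",
    "2014-03-01T11:12:41Z src=198.51.100.20 fc=4 addr=0 count=125",
    "garbage line that the parser must tolerate",
]

if __name__ == "__main__":
    for src, e in summarize(SAMPLE).items():
        print(src, e)
    print("write attempts from:", sabotage_sources(summarize(SAMPLE)))
```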


Cyber Security Community Finally Faces Reality

— April 8, 2014

It’s springtime, so the Navigant Research team is on the road again, speaking at conferences.  This spring’s cyber security conferences have confirmed what I’ve said in this blog for some time now:  the hype is over; the hard work is here to stay.

At SMi’s European Smart Grid Cyber and SCADA Security conference in London, traditionally a showplace for vendors to hawk their wares, there was a decidedly more technical focus this year.  Enel of Italy gave a detailed description of the various projects running in its lab in Pisa, describing how cyber security is integral to each.  It was inspiring to see cyber security integrated at the outset of a project, rather than after a bad audit.  Equally instructive was the description of Enel’s experimental area in Livorno, where many of the company’s new technologies first see public adoption.  Other speakers at this conference continued the technical thread, with topics such as descriptions of self-learning network anomaly detection, and traditional devices such as firewalls and intrusion detection that have been specifically reengineered for control networks.  The unmistakable message that I brought back from London: cyber security vendors have finally accepted that the utility industry is like no other.

Future at Risk

The SANS ICS Cyber Security Summit in Orlando, Florida offered similar but more technical fare.  Adam Crain and Chris Sistrunk described their eponymous vulnerabilities.  They have demonstrated how to disable a utility substation or control console via the serial protocol DNP3.  This is critical because DNP3, which is non-routable, had been previously considered immune to attack.  Another safe assumption bites the dust.  Eric Byres of Tofino Security gave a surprisingly accessible description of deep packet inspection in control networks – a topic normally best saved for researchers and PhDs.  There was also a fascinating Trend Micro report on a control network honeypot deployment, which will be the subject of my next blog.

The unifying theme at both conferences was that protecting control networks is hard work that is never really finished.  Our reports, including Industrial Control Systems Security, have been saying this for 4 years now.  Utility cyber security vendors are finally getting the message.  And to be fair, a few vendors have always understood.

Nonplussed

But challenges remain.  At both conferences, my remarks described the existential threat facing many utilities.  One U.S. utility CEO declares that the grid’s days are numbered; The Economist reports that European utilities have lost half a trillion euros of market cap since 2008.  Reactions to that news were often blank stares or utter confusion – as if the financial health of utilities has nothing to do with their deployment of cyber security.

This too must change.  Security vendors are not competing with each other, so much as they are wrestling with the future of the industry.  Just as understanding settles upon the community, the odds become daunting.

