As an analyst, and now as a consultant, I raise issues of digital
and physical security: let’s talk about them, in plain terms, and
collectively move to do something. As a member of the security
digerati, I think we should be helping people, and we have to either
step up with a better way forward, or get the hell out of the way.

When 60 Minutes ran its piece on Cyber terrorism on November 6, I was
among the people who were pleased that the network was revisiting
the subject. I thought producer Graham Messick and correspondent Steve
Kroft did an outstanding job of defining the problem and pointing to
specifics without diving too deeply into the Fear, Uncertainty and Doubt
column. They made their points, including the statement that
hackers had attacked and disabled the power grid in Brazil, in a
manner that allowed my mom — literally — to get it.

I was saddened to see immediate backlash from amongst the
security digerati against the report. “Not Hackers!” they
shouted. It was alleged that government stooges infiltrated the
report, pushing a government agenda. Here were people who break
things for a living – people paid to highlight deficiencies in
security by bypassing it and showing how it was done – arguing that
things hadn’t been broken, and that everything is fine.

I was talking this out with Josh Corman at The 451 Group, and he said, “Fellas, what doesn’t matter is whether the particular incident was caused by hackers. What matters is the impact of an outage, and whether the attack described is in the realm of the possible.” Amen, brother.

Rather than delve into a
point-by-point rebuttal, I proffer this: whether Brazil’s blackout
was caused by soot, hackers or a misplaced dolphin, the attack described
is very much in the realm of the possible. Last year, I suffered
through eight days of no power after an ice storm slammed the
Northeast; today my house has a 17 kW generator and three weeks’
backup of food, water, firewood, fuel and other emergency supplies.
We could not have dialed 911 even if we had wanted to, as the storm
took down phone lines as well. At that point, did we care if it was
hackers or Jack Frost? Nope. That doesn’t stop me from putting in
basic defenses against things which are possible. And it shouldn’t
stop utilities from patching trivially exploited holes in our
critical infrastructure defenses just ‘cuz nobody’s exploited them
yet. Personally I believe that these holes have been exploited, but
the argument holds either way.

No one in the business of
network or physical security can deny that the security of our
critical infrastructure needs improvement, nor can we deny that the
issues we deal in zoom right past a mainstream audience. The 60
Minutes report’s proposed solution did seem to point towards
increased regulation, but don’t we have to
admit that the private sector has dragged its feet in taking steps to
prevent some of the most widely understood and trivially exploitable
vulnerabilities? Government has lately been unusually helpful and
forthcoming in its efforts to educate, update and increase the
defense of critical infrastructure (notwithstanding, as my friend Will
Gragido at Cassandra Security points out, Los Alamos Laboratories, and
he’s right, too. I’m not saying this is a small problem, just that we
should be working and using our platforms as thought leaders to solve
it).

Our industry needs open, frank
and positively-motivated discussion about these issues. We security
professionals know the state of things, the level of difficulty in
attaining knowledge and resources to effectively mount the kind of
attack that 60 Minutes alleged took place. Could my mom have gained
better insights about the context behind the threat by reading the
Northrop Grumman report on the Capability of the People’s Republic of
China to Conduct Cyber Warfare and Computer Network Exploitation?
Absolutely. Would she ever? Of course not. She’d be lost at the very
first sentence, which reads,

This paper presents a
comprehensive open source assessment of China’s capability to conduct
computer network operations (CNO) both during peacetime and periods of
conflict.

Mom? Mom?

Rather than attacking Messick
and Kroft for a report that brought the issue to the comprehension of
millions, and set the stage for a more informed and reasoned debate, let’s raise the level of discourse and ask the tough
questions: How hard is it to exploit vulnerabilities in our system?
How can we make it harder? What help is there for private industry to
raise its bar?

I’ve railed against the Payment Card Industry Data Security
Standard as an example of a ruleset meant to set a floor that has
instead become the ceiling.
Critical infrastructure security is even more important – lives
literally hang in the balance of us getting this right. From chemical
and petro-chemical companies which depend on the grid for the
mission-critical safety processes that prevent a Bhopal on the Hudson
to the ability to care for our populace, this is important, and
important now.

Surely no one will argue that this is untrue. So let’s start talking
about it deliberately, raising awareness of the business, health,
public safety and societal impact of a trivially exploitable critical
infrastructure.

While private industry may ask itself about the
cost of sensible defenses,
I pose a different question: What is the cost of wrong?

Categories: Data Breaches, Government

Comments (22)

  1. Toney Jennings

    Great post Nick. I couldn’t agree more and said as much in a recent post along the same theme, “Don’t miss the point of 60 Minutes grid security story – Cyber threats are real”. You rightly point out that the actuality of whether hackers caused the Brazilian outage is moot; the fact is they could have.

    One additional thing to point out is whether cyber criminals, or warriors (sponsored by a foreign government) are motivated and skilled enough to carry out such an attack. Clearly they are. Online crime has never been more organized and sophisticated. Whether the Brazilian outage was caused by hackers or not, we can point to numerous incidents in the past year where criminals have specifically targeted organizations or governments for theft, disruption or extortion. 

    I felt that the 60 Min piece did a great job pointing out the need for attention to security across our critical infrastructure in a way all our moms can understand.

  2. Chris Noble

    It’s a compelling argument Nick, but I don’t like it, personally. You appear to be saying it doesn’t actually matter whether the reporters got their facts wrong because they brought an important issue regarding the potential for damage to public notice.

    Inaccuracy in a good cause is never good. Particularly when all it takes is a statement to the effect that “Whether hackers were responsible this time isn’t clear, the event illuminates a very real threat”. 

    Without the commitment to accuracy the public may be justified in thinking that it’s “just another example of someone crying hacker”, leading to the importance of the actual issue getting buried under the debate over the individual story’s veracity.

    That’s another risk we should be preventing. 

  3. Nick Selby

    Chris,

    Actually I was not saying that it doesn’t matter if the reporters were inaccurate – it absolutely does. However there are a few issues around that that interfere with the larger debate.

    The first issue is that the truth is not widely known. We can argue, and I have my own personal knowledge on the subject, but neither I nor anyone else can state definitively what we know publicly. I have also seen attacks on the methodology of the CBS team, which again, no one can discuss other than CBS.

    Rather than allowing the conversation to devolve into a “Did not…Did Too!” tantrum, I thought I would elevate the discussion beyond it. I stated in the piece above that I believe that there have been attacks of the kind described in the 60 Minutes report. I wasn’t just sitting in the bathtub when I said that, this is based on research.

    So the point of my post was to say, “If we remove the controversy about whether that specific incident was an attack or an accident, we can focus on the true meaning of the report: our critical infrastructure is vulnerable and we must fix it. We’re security professionals in public and private practice. Let’s be useful and help people by having a public debate where possible, and by using all our skills and efforts to advance the discussion in private where necessary.”

    My post is not a rant on journalistic ethics. I believe that Messick and Kroft applied the highest standards of journalism in the preparation of their report. If they got a detail wrong, it was not from laziness or naivety, nor from a lack of professionalism – it was a good faith piece that can serve as the platform for a wider and more important debate.

  4. Aj

    “Fellas, what doesn’t matter is whether the particular incident was caused by hackers. What matters is the impact of an outage, and whether the attack described is in the realm of the possible.”

    Going to have to disagree across the board here.

    Sure, realm of the possible… making theory into reality, blah blah blah.

    It *does* matter what caused it. At least, it does if you at all give a damn about accuracy in reporting, reporters firing off half-cocked with inaccurate and/or incomplete information.

    These things *do* matter. It’s what, in theory, divides journalists with integrity from bloggers who pass on rumours and whose “research” is done via wikipedia and other blogs.

    To say that accurately determining the cause *doesn’t* matter is so myopic as to be blind.

  5. Space Rogue

    Wow, so it is OK to lie to the American public as long as you have good intentions? Damn, where is Slick Willie when you need him.

    With the erosion of journalistic integrity giving way to entertainment we should really be holding these guys to a higher standard, not thanking them for spreading disinformation.

    You, like numerous other security consultants, constantly talk about how fragile the global Infrastructure is and how vulnerable SCADA systems are and NO ONE can point to one single _verifiable_ incident where an external force has disabled critical infrastructure over the Internet. There is a LOT of anecdotal ‘evidence’, stories that security guys tell each other over drinks, but there are never specifics that can be checked up on.

    Stories like this one aired by 60 Minutes just perpetuate the myth, and it gets told over and over again until it becomes fact. When, in fact, no such threat actually exists.

    - Space Rogue


  6. Patrick H.

    Some good points raised. Obviously, critical infrastructure should be secured. However, given the gov’t track record of insecurity with its own sensitive IT systems, it would be naive to think that gov regulation is the way to go. That’s just plain logic.

  7. tan

    Chris is totally correct in that had this been presented as “Whether hackers were responsible this time isn’t clear, …”, then went on to highlight the dangers, this would not have turned into a fact-checking story about questionable sources and bad journalism.

    Consider if you will, the equally sensational approach of drawing us a “fictional story”, then revealing it was based off reality and that though it is “unclear if it was hackers this time”, the *fact* is that hackers and security experts alike claim there is no reason our story of fiction could not be true.

    As hackers, we’re not from a journalistic background but at least understand that facts count.  HackerNews debunked this story because that’s what HackerNews has always done – find mainstream media regarding security, that are inaccurate, then debunk them.

    I guess the lesson is that if you don’t want people to “get in the way”, you have to present fact as fact, theory as theory, and opinion as opinion.  Perhaps trying harder to resolve why the electric company and the intel community stories differ, would have revealed the facts that would be necessary to actually start dealing with this issue.  To me, the solution is to force the vendors to evolve SCADA into a new protocol that includes all the modern security mechanisms and to consider restrictions on top of that, as to how SCADA traffic is “transported”.  This way, vendors must evolve the tech. and utilities must adopt it.  I really didn’t see anything in the 60 minutes story that would tell some politician who was watching, exactly WHAT needs to be done.  It simply raises our “F”ear, “U”ncertainty, and given the questionable facts, “D”oubt.

  8. Nick Selby

    I’m glad to see all the interest, and especially glad that so many people care about journalistic integrity. I do, too, but I will say again that my post is not about the right-or-wrong of the 60 Minutes report because no one can publicly prove whether CBS was inaccurate (I will explain why below). I therefore limited my post to talking about security, not journalism.

    Here’s why:

    Those who claim to have debunked the report are guilty of doing what they say 60 Minutes did, basing their accusation on statements made by individuals and companies that are not objective. Without wading into each point, suffice it to say that aside from self-authenticating statements, there is no smoking gun, no proof either way as to whether the story is accurate. In its article that purports to “debunk” CBS, Wired refers to statements made by government regulators and spokespeople for the utility that there is no proof a hack happened – engaging in precisely what it accuses CBS of doing and conflating facts with statements:

    http://www.wired.com/threatlevel/2009/11/brazil_blackout/

    As reporting, Wired’s story is as valid as the CBS report. But it is decidedly not proof; those are statements made by people with skin in the game.

    Since neither side can prove its point, the claims that CBS was wrong are as valid as the claim (made by CBS’ airing and not to date retracting) that it is right.

    Once again, I propose transcending the argument of whether the story was right or wrong (I like Chris’ comment that all they had to do was say, ‘Whether this was a hack or an accident…’), and looking to an issue which is, to me, the greater concern: since attacks like the one described are absolutely possible, what can we as security professionals do about it?

    I’m positive that there have been editorial meetings at CBS to discuss the journalistic issues raised here, and honestly, if I were a journalist, I’d be very interested in that process as well as their outcome. Since I am in the security business, I am truly hopeful that we can advance the security conversation with at least as much vigor.

  9. Dennis Fisher

    Having been a journalist for 15 years now, I’ll just say this: Don’t bet on the 60 Minutes staff having any kind of post mortem meeting on this. In many, many cases, reporters and editors simply dismiss outside criticism of their reports as noise from people or groups that have an agenda or axe to grind. I can virtually guarantee you that the CBS staff looks at all of the reaction as a good thing. To them, it’s proof that their story “stirred the pot” or “got people thinking.” Of course, no reporter wants to be wrong, regardless of what the general public thinks. But, CBS is probably looking at all of this and thinking, Well, no one can *prove* that we’re wrong, so there’s nothing to correct. It’s sad, but true.

  10. Kevin Morgan, Arxan Technologies

    Some good questions Nick: “How hard is it to exploit vulnerabilities in our system?
    How can we make it harder? What help is there for private industry to
    raise its bar?”

    Seems to me there are a couple of fundamentals needed to move things forward:

      – an assessment (measurement?) criteria for “criticality” of infrastructure

      – a set of best security practices (at the least) for different levels of criticality

      – requirements and practices for assessing actual security strength

      – a means to motivate implementation

    I’m not a fan of “regulation” and it’s a challenge to have any formal specifications or requirements from any particular party track the leading edge of security technology.  You aren’t a fan of the PCI DSS, apparently because it promotes “minimal acceptable” practices (sorry if that’s not a proper characterization).  At the highest levels, what should be the means to accomplish these three elements, given the nature of “infrastructure” computing resources, their ownership and responsible parties, etc.?  And what elements are missing?


  11. Amrit

    Priorities and context are important. In theory a disgruntled employee, ex-lover, Berkeley crazy could easily post up with a sniper rifle in the parking garage across from my office and fire a single shot taking my life. This could be materially limited if we added bullet proof glass, stationed armed security guards, and added a series of additional controls into and around a 2 mile radius surrounding our office.

    Do we have evidence that a lone sniper might fire a shot – sure, lots of it, in fact the country was transfixed by the DC sniper, the Univ. of Texas tower sniper, 101 California, even locally we had a series of shootings on our freeways.

    I can even imagine a 60-minutes segment on the inherent dangers in working in an office with glass windows and the threat posed by lone snipers. I would imagine that would needlessly scare a lot of people.

    As you can guess we do not have any of these protections and I do not wear body armor nor do I exercise my “open carry” rights. Why? It is too expensive when looked at against all the other potential threats to my well-being. What does any of this have to do with the 60 minutes story or Nick’s post?

    There is almost no end to the development of common and exotic methods of failure, exploitation, misuse, and poor design of control systems, especially legacy equipment that is predominant in the energy industry, but there is definitely a limit on budget and resources. So where do we place our bets?

    Interestingly Nick mentioned that it really didn’t matter what caused the black-out if you were affected – true, so I would say that a good chunk of funds should be focused on limiting the impact of down-time regardless of the cause, as opposed to building out elaborate (seemingly so to the uninformed) processes and tools to deal with what is not occurring in any significant or wide-spread way. Here in California there is some suggestion that we have never experienced a single power failure due to a malicious attack on the computer control system, however our power goes out 4-5 times a year due to all the yahoos running their air conditioners at full blast. I would expect PG&E to focus on the latter problem before they dedicate time to the former.

    Should we continue to elevate the debate of protecting our nation’s critical infrastructure in a way that Nick’s mom can understand – maybe, I am not sure Nick’s mom can have much impact on the energy sector’s use of computer security technology and if she was in a position then it does us little good if that conversation happens in isolation of other threats and is not informed by facts.


  12. Will Gragido

    I believe Nick’s assessment of the issues was concise and cogent. His background and expertise, diverse as it is, lends itself well to the subject matter as he’s seen a great deal and experienced it not solely here in the States but abroad as well. I feel this is important to the conversation and will expand momentarily on this point. I also believe that Nick’s convictions and dedication can be seen in and through the passion he displays for this topic. He paraphrased something we said often in my old unit when working with other Marine units or branches: Lead, Follow or Get Out Of The Way. I also agree that we as the digerati have an obligation and responsibility set forth like a mantle of authority and duty (ha! that shouldn’t appeal to anyone on this list ;), to do more good than harm — professionally and personally. It’s a tall order but someone’s got to do it.

    I was torn when the piece came out, as Nick and I discussed, but at the same time happy that it was being discussed (finally), for several reasons, not the least of which was its cultural and literal relevance to each and every one of us. Unpleasant topics are typically not well received by large, uneducated mass audiences so I applaud CBS for doing what they did; however, as I have mentioned before, I feel that was not their best effort but I’ll save that for another time and another post (I’ve already addressed it a few times but it may come up again ;). I think it was terribly important and good that the concept was brought to the masses as again, it affects all of us. Without descending into the murky waters of whether or not they got all the facts straight or represented everything they could’ve, I think they accomplished the initial and perhaps most important aspect of the mission: they informed those who were otherwise uninformed and destined to remain so.

    Fear, Uncertainty and Doubt has its place and I am a firm believer that FUD coupled with Fact equals FUDF which is good :). My mom watched and she also got it, which was great by the way ;)! Was there backlash from the security digerati regarding the report? Yes, there was and I was one of those who felt torn about the piece. I felt (and applauded them for it publicly) that it was wonderful to get the message out to the public; bringing Adm. McConnell into the mix didn’t hurt either ;) However, I felt that they also squandered a phenomenal opportunity to engage publicly industry experts who have both theoretical and practical (not theoretical in the absence of practical) experience in securing critical infrastructures. That was my only real issue and one which I hope quite soon to remedy. I believe Nick’s assessment of the piece was sound as was his criticism of some of our peers with respect to the campaign of misinformation (nothing’s broken, everything’s fine) and curious dismissal of the realities we face given the historical evidence on the matter. I feel and believe, just as I did during the “Black Ice” and “Blue Cascade” exercises and others, that the issues were great and the remedies were slow in coming, if they were coming at all. I believe this is still the case and would support that position via fact without repentance.

    As Nick pointed out though, government has been unusually helpful and forthcoming of late in addressing their deficiencies and scrutinizing themselves.   Engaging in self-assessment is not an easy task especially when you’re the government and often the butt of jokes rooted in mediocrity (rightly or wrongly).  We, as Nick stated, need to have frank, open and positively-motivated conversations related to this and other equally important challenges we face within our industry. 


    I think that Nick posed a wonderful question at the end of his post: While private industry may ask itself about the cost of sensible defenses, I pose a different question: What is the cost of wrong?

  13. Brian M. Ahern

    One fact that failed to emerge in the 60 minutes broadcast is that 85 percent of our nation’s critical infrastructure systems are owned by the private sector. If the Obama administration wants to make real progress in the cybersecurity realm, it needs to encourage partnerships between the private and public sectors that will ultimately provide incentives (in addition to penalties) for these private stakeholders. That said, the government should strongly consider the concept of Safe Harbor Protection to encourage the sharing of cyber vulnerabilities and incidents with the appropriate authorities. Incorporating these proposals will allow for increased cybersecurity protection through real time situational awareness, allowing also for the support of future needs, including the roll out of a national Smart Grid.

  14. Nick Selby

    This is great. Thanks to those who have
    replied here, and those who’ve replied privately. To reply to some of
    the recent comments and hopefully further the conversation:

    Brian, absolutely positively where I
    was going with this, and thanks for your point. I mentioned that the
    private sector was dragging its feet but you’ve filled in what I
    didn’t – that it’s almost ALL about the private sector. And the safe
    harbor protection? Right on. That is a highly useful point and one
    that I hope is echoed by more than just me.

    Kevin, one clarification, it’s not that
    I am against minimal acceptable practices per se, but I am against
    them when the effort to get to an arbitrary standard said by an industry group to be
    “minimum” requires intensive activity that exhausts budgets
    sufficiently to make it a de facto maximum standard. That’s what I feel PCI
    does. I love some of your suggestions including the establishment of
    requirements and practices for assessing actual security strength,
    though, and would love to hear (probably privately) from some serious
    pen-testers and security researchers who have some ideas about this.

    Amrit, I agree that risk-benefits
    analysis must be conducted to determine just where to place our bets
    - prevention or backup-recovery measures to speed the time to
    restoration. Either one would be more than we currently see, and
    either would serve as a great starting point for a serious
    discussion. The point about framing the debate – at least in the
    mainstream media – in terms my mom understands is that my mom votes
    and pays taxes and deserves to have at least a high level
    understanding of the general issues. After all, her money is going to
    be used by the people she elects to fix or clean up after these
    problems occur. I’m not saying that the entire debate should be
    framed for her understanding, but if she gets enough of an idea as to
    what is going on, she can ask her representative for more
    information. That in turn requires the representative to get smarter
    on the issue, and take a position – all this furthers the
    conversation.

    Will, thanks very much for your
    comments, which I appreciated, and I like that the “What is the
    cost of wrong?”
    question resonated with you.

    Who can take this to the next step?
    We’re doing a lot of talking about electricity grids here and leaving
    out other networks – transportation (including, appropriately for
    today, air traffic control systems), cellular telephony, water. Safe
    harbor for Cyber Whistle-Blowers; determining the criticality of
    critical infrastructure; framing the debate for purse-string holders
    and policymakers, utilities/operators and the general public? How do
    we balance the fact that our government can regulate but the private
    operators ultimately can drag their feet in addressing even
    inexpensive-to-mitigate risks, under the banner of, ‘It hasn’t
    happened yet so why should we fix it?’

    I look forward to more!

  15. Bob Radvanovsky

    I like the myth that – because security folks can’t comprehend something, or can’t explain what happened from an ‘event’ – they decide to blame it either on ‘terrorists’ and/or ‘computer hackers’.  This mindset continues to plague the various security industries (read up on a term called “force protection doctrine”), and has now bled over to the critical infrastructure protection (CIP) community, as I am an active CIP researcher with this community, and have noticed this trend since 9/11.

    As the owner and operator of the SCADASEC mailing list (http://scadasec.infracritical.com), the issue has been discussed quite heavily with no evidential conclusion that it was an intentional cyber-related attack. Until there is sufficient evidence to state to the contrary that it was an intentional cyber-related attack, the blackout/power outage in Brazil will remain a mystery. Other groups or organizations, who have access to classified data, *may* have information that may indicate that it was an intentional cyber-related attack; however, using OSINT thus far has indicated nothing (as of November 20th).

    Additionally, it should also be noted that ’60 Minutes’ did NOT present current efforts underway to ensure that our critical infrastructures (in this case, the North American power grid) are safe and secure. One such group, the Energy Sector Security Consortium, representing the power generation and transmission industries, is implementing strategic initiatives to protect the power grid. Another group, the Industrial Control Systems Joint Working Group (ICSJWG), represents the technological effort and implementation of protecting the power grid; this group works with private sector organizations, DHS, DOE, and INL, to provide technical solutions.

    Until someone can provide substantiated proof (audit, network or server logs that are attestable) that the ‘event’ occurred, then we have no way of determining of whether or not the accusations are accurate…or not.

    -rad

  16. Bob Radvanovsky

    One more thing that should be pointed out is that – presently – there are NO methods of accurately determining if an ‘event’ were to occur through standard cyberforensic methodologies for SCADA/control systems. However, I and several others from the SCADA/control systems community are attempting to initiate an initiative that will ensure that – in the future – we can determine (at least) the *last* person to “close the barn door”.

    -rad

  17. Neil Roiter

    I have to take issue, Nick. This is the worst kind of tabloid journalism: claiming as fact that the outages were caused by hackers when there is no evidence either way. Was 60 Minutes willing to do anything for “a better story”? They get one shot to shine some light and they go for “the sky is falling” instead of, “looks like the roof needs fixing.” It brings public attention to a real cause for concern, but not in a constructive way.

    One has to ask:

    If there were attacks, why did no one claim credit? Even if they were purely malicious, there would have been some chatter on the net, and terrorists certainly would want their role known.

    Cyber criminals are profit driven: they have other things to do.

    Government-sponsored attacks risk reprisal, and if it’s a true cyber Pearl Harbor against critical infrastructure, a shooting war.

  18. LonerVamp

    Disclaimer: I side with anyone who points at the glaring holes in our business, organizations, and critical infrastructure. There *are* big problems! With that out of the way….


    It actually makes a big difference whether an attack is theoretical or whether it has already been perpetrated before. Business security deals with this constantly. Are you able to convince stakeholders to spend money defending against a theoretical attack? Are you able to convince them when the attack has just occurred? What if the attack is highly difficult and technical and creates major work? What if it is trivial and gaining bad press?

    In the case of our power grids, it is simply convenient that it is relatively easy for attackers to get into systems and plow through gaping holes once they look in the correct spot. It is convenient that there are low, low standards in place and things have been built before security was even considered. But what if this had been a more esoteric topic? Theory vs reality makes a big difference.

    If someone in security goes to their CEO and talks up an attack and uses examples in the news, only to find out those examples were not as true as perhaps thought, the CEO is going to end up having to weigh rumors vs economics (or good stewardship). Too often, the security geek gets told to stop spreading FUD and accept the risk.

    In a way, if someone told 60 Minutes to stop spreading FUD, in the context of their story, they’d have a valid point.

    Likewise, security will never be done or perfect or fixed. So…you have to draw a line somewhere that ends up sounding like, “This is good enough.” You have to be able to base that on something. Whether hackers took down a grid or not is a valid point on that metric scale.


    @Brian: Unless you spend money to achieve as close to 100% covered risk as you can, then you *have* to look at probability. Things like security and safety are really never that black and white. Even with something like defense efforts for Hurricane Katrina, at what point can you sit back and say we’ve spent enough? And would that prevent you from crying foul when an incident tops your defense by a hair? There’s no win there, ever. I’d probably feel OK challenging anyone to point out a security or safety purchase or decision that *wasn’t* based on some probability.

    Reactionary vs proactive is also a root problem. But that’s not new and has been the case for centuries in security. And I don’t think it will ever be possible to fix that, by nature of what security is in relation to insecurity.

  19. Anonymous

    Sir, the only thing that would solve your problem would be to outlaw computers. There is no way to completely secure a computer, and there is always an unknown, and I repeat UNKNOWN, hole. We cannot fix what we do not know about, and security people make a great effort to fix any holes that arise.

  20. Anonymous

    I’m no security expert, just a nervous victim. However, it seems to me that most attacks could be avoided by simply shutting down Microsoft systems from ANY access to any “Notified” Server and using some NSA funds to pay people to switch to Linux.

    A friendly hacker demonstrated to me how easy it is to walk in to ANY IIS Server and how easy it is to recruit zombies providing they are using Microsoft products.

    It was very impressive.

    Is this the real “Elephant” that nobody wants to talk about?


  21. Brian M. Ahern

    Applying the laws of probability to purchasing decisions will some day come back to haunt the nation. Having just returned from another week on the Hill, I’m encouraged by the increased sense of urgency in both the House and Senate with regard to critical infrastructure security. Much of the hold-up in DC is jurisdictional. Consensus exists for the need for additional policy, and, unlike many other issues in Washington, this is not a bi-partisan issue. The concern I have with the current draft legislation is that it is very “reactionary” in nature vs. “proactive” in nature. The bills speak to granting emergency authorities to address “known threats” as well as actual incidents; however, they fall short on driving proactive initiatives to address the existing vulnerabilities and threats. Probability + Reactive = Highly Vulnerable. Public Sector/Private Sector collaboration, both in terms of financial incentives and bi-directional information sharing, must be achieved if we are going to significantly reduce the risks to this nation’s critical infrastructure. The government has just released nearly $4B in Smart Grid Stimulus, which I believe is representative of the beginning of public/private collaboration; however, at the end of the day, the potential threat to the Electric Grid moves from foreign nation state threats to include domestic threats. The good news is the Smart Grid will be more secure out of the box than the current Bulk Power System; however, what good is fully automated, secure “distribution and consumption” infrastructure with insecure “supply and transmission” infrastructure? If Washington is so concerned about the vulnerability of the bulk power system, why wasn’t some of that stimulus appropriated to offset the private sector costs of securing the bulk power system? This would have been a positive step in the direction of public/private sector collaboration.

Comments are closed.