US One Step Closer To Electric Grid Cyberguards 74
coondoggie writes "The US Department of Energy this week officially opened up the bidding for a National Electric Sector Cyber Security Organization that would protect the nation's electrical grid from cyber attacks. According to the DOE, the agency has set an aggressive goal to meet the nation's need for a reliable, efficient, and resilient electric power grid, as well as improved accessibility to a variety of energy sources for generation. In order to achieve this, an independent organization is needed (PDF) to provide executive leadership to facilitate research, development, and deployment priorities; identify and disseminate best cybersecurity practices; organize the collection, analysis, monitoring, and dissemination of infrastructure vulnerabilities and threats; and enhance cybersecurity of the electric grid, including control and IT systems."
InfraGard (Score:5, Interesting)
Dont we need a grid worth defending first? (Score:3, Interesting)
All I want to know is... (Score:3, Interesting)
... who will monitor the cyberguards?
Re:I have a great way to protect against cyber-att (Score:4, Interesting)
No, we should have both a secure infrastructure and an infrastructure that benefits from connecting to the public Internet. And a public Internet that benefits from connecting to the secure infrastructure.
What you're saying is like saying we shouldn't run railroads across the Wild West because it's Wild. We needed both complete railroad networks, and a governable West. And we got both. And then we got everything else that could follow on a governable, railroad accessible West.
The American Way is to do some things because not because they're easy, but because they're hard. Because those hard things yield the greatest rewards. Including proving we can do anything worthwhile we want, even when the easy cop out beckons.
Re:3 step plan (Score:1, Interesting)
The issue here is cyber-security. How else would the government cause outages to blame on pedophiles^W terrorists^W China? How else would they be able to cut the power to Michigan and Montana when the popular revolts begin?
Are you suggesting that the government should send teams to every substation to flick the switches? What is this, the dark ages?
-- Ethanol-fueled
Outsourced Government Security Monopoly? (Score:4, Interesting)
Some systems are properly a monopoly. The nation shouldn't have two Army services. In general security for a given political area, like nationwide, statewide or countywide are best (or perhaps just least badly) run by a monopoly governed by officials elected by the people. Certainly at the national level that is the case.
Outsourcing that job to a private corporation to hold the national monopoly is asking for trouble. There will be no pool of private competitors competing for that contract, because the national market supports only one vendor: the one who wins that contract. That circular setup means the benefits of competition to produce the best candidate will not.
There is plenty of room for outsourcing regional security work to vendors actually competing at that scale, if indeed there are multiple vendors of security to large power grids. Let the regional front line vendors compete to keep their contracts. But the monopoly at the top that actually manages those regions into a comprehensive, integrated national infrastructure defense should be within the government. Which is the only monopoly that has a chance to behave properly.
Re:I have a great way to protect against cyber-att (Score:3, Interesting)
Don't connect it to the internet!
"and it also doesn't mean that they can't have a private TCP/IP network that for sharing information among their various systems"
:
Knowing that boundary is becoming increasingly difficult with our interconnected society. Not to mention, things like social engineering, rogue media (flash-drives etc...) are increasingly hard to regulate internally. A lot of these security issues also stem off an even more pivotal attack vector, the human element.
The engineers, programmers, and designers may be well aware of security practices and threats, but a blue-collar operator may not be as well versed in these areas. This leads to a crossroads: Do we focus on more 'intelligent systems' that are infallible (as much as they can be, and more than they are now), with the ability to be more secure, regardless of operator skill level? Or the alternative, entailing increased operator training?
Well planned systems are always fallible in the hands of the untrained, so I imagine the best scenario falls somewhere in between, but leaning towards the automated side, for systems are easier and cheaper to maintain in the long run if they are designed solid from the onset.
Which leads to a paradox. Contract bidding usually goes the cheapest route, which is almost always not the highest of quality. With these contractors spitting out unrefined systems at minimal-effort-maximal-profit mentality, we will always be behind the power curve (so to speak).
In the end, if and when an infrastructure attack does hit us hard, I imagine there will be less regret of preventative measures, and more blame flaming, for that is what we do as a country, isn't it?
Re:Easy (Score:3, Interesting)
And then someone splices onto an ethernet connection of the trusted network and brings the whole thing down. Which is easy, since that network is all over the place.
An air-gap solution is one quick and simple line of defense, sure. But I'd rather have real cryptographically-secure authentication on all the relevant systems than an air-gap defense.
Re:3 step plan (Score:3, Interesting)
Re:I have a great way to protect against cyber-att (Score:3, Interesting)
I thought Texas was just a honeypot for Teabaggers.
Re:Easy (Score:1, Interesting)
Sigh. You just don't understand. You're right, but you don't get it. SCADA systems are STUPID. Really stupid. Most of the people that work with them, being programmers are also stupid.
Let's start with monitoring. Most of the hardware that does control has only a single port. The really expensive pieces may have a few. They communicate over a proprietary protocol that I guarantee you there is almost no standard for. Various standards *may* exist by industry, but almost nobody implements it correctly. In my particular industry, people can't agree whether to index at 0 or 1 in the documentation--it's a constant source of confusion.
Now--that one port exists for both command, reporting and control. Hooking up *one* device to it works. If you want to have one device to read, and another to control, you need an expensive wire level switch that can handle RS232/485 switching. And of course, that has to be on a control system...
The real problem is--people don't want to think or understand what they're doing. From the moment we hook up a monitoring device, most customers realize within days that we should have the capability to do control. Of course, the reporting is unsecured--primarily at the user's own request.
When they decide they want to issue remote control, they *want* to do it through the readings interface, so they can see the changes side-by-side in realtime. They want to do it in IE5 or IE6 (we support 7 and 8 these days). They want to use their username or company name as the password. I've had people complain to the CEO because we have a 'password policy' on the website now. "Come on man, we're not the CIA"--they're right--it's not the CIA--it's just the remote controls to $100,000 of compressor station available via XML interface over the internet...
You can say industry's the problem--I'm knowingly writing insecure software. But the real problem is the people buying it--don't request it, don't demand it--and won't pay even a cent extra for it. In fact, some of them won't buy secure software because it's inconvenient. My inability to immediately provide remote-control access to a type of refinery...to the telnet client on somebody's blackberry is believed to have been a major contributing factor to a lost bid.
This shit is already out there. It's not regulated, and the market won't handle it. I'm capable of writing the software, but to be honest--the clients deserve the problems they have coming. I know it's not PC to say that--but it's the truth. They've failed to contain risk at every step, cut every corner possible, gone for the lowest bid at EVERY step regardless of the loss of features.
But you should see a CEO's or the sales dudes face light up like a kid at Christmas when you show him the ability to shut off a remote site by pushing three buttons on his IPhone...
Re:3 step plan (Score:3, Interesting)