Friday, May 28, 2010

Changing Blog Title


The title is just too confusing. Switching to just my name. Find all new posts at http://patrickcmiller.blogspot.com

The Cabin Door Is Closed, Please Power Down All Electronic Devices...


I fly a lot. More than many. Sometimes over 50% of the time. As such, I have some experience with the consumer side of the commercial aviation business. I am by no means an expert. Recently, I was asked to speak at an air traffic controllers' conference on the subject of cyber security in the Next-Generation Air Transportation System. I was there to provide a perspective from the outside, more of a security technology discussion of what works in the overall CI/KR (Critical Infrastructure/Key Resources) space. It was a panel, so the slide deck was short - which was good for me, because again, I'm not an expert in aviation. The panel had current and ex-FAA staffers, university professors, aviation consultants from the defense industry/sector and me. Do you remember the old Sesame Street song "One of These Things Is Not Like the Other"? Throughout the event, I was constantly reaching for my smartphone to Google the acronyms that I'd never heard.

I had a similar newbie feeling when I started working in the electric power sector. Before then, I was just a consumer. I flipped the switch and expected the lights to come on. When the power went out at my house, I was the first to call my local utility and give them a piece of my mind as a paying customer. After all, we geeks can't live without our tech toys for longer than a few seconds. So the first time I actually spent more than five minutes on the Control Center floor, I was.. well.. floored. Even mild spring days in the 'shoulder months' can seem like a delicate balance of order and chaos. The electric system is interconnected, just like the aviation system. What happens in one area will quickly and directly affect other areas, some quite distant. The real-time, seat-of-the-pants decisions by system operators are really what keep the system running - not the technology. Sure, the technology is there, but it is only a tool.

I see a situation, whether it is Smart Grid in the power biz or the Next-Gen Air Transportation System in the aviation sector, where we are inserting a much wider technological distance between the human and the physical/kinetic endpoint. System operators are using ever-increasing layers of technology. Until fairly recently, they looked at some sort of analog or electro-mechanical instrumentation for operational decisions and then they would physically (manually) activate something. Today, we have operators using tools which are, in turn, using other embedded tools, which may also be using further embedded tools - and so on. This can be a good thing for many reasons, but it can also be a bad thing. This trend, though perfectly natural - even expected - should be carefully monitored and carefully balanced. Especially when it involves critical infrastructure. We may even need to tip the scale toward sound security engineering instead of focusing solely on the profit drivers. At least for a while.

We've ignored our critical infrastructures for so long that we are in desperate need of an overhaul. Nearly every one of the sectors in the National Infrastructure Protection Plan (NIPP) could be called brittle. Some money is starting to flow to these areas for much needed upgrades but the legacy technology and the bleeding edge enhancements need to work together in the same interconnected system. This creates a 'base of sand' problem. Legacy devices are underpinning tomorrow's technology gizmos with incredible distance between the two ends of the spectrum. We need a security engineer to put their stamp on the blueprints BEFORE they get the permit to build. When adding to or modifying an existing structure, the structural engineers factor those old trusses, supports and cracks in the foundation into the new design. I don't want to discount the great work being done here, but I think few would disagree that we have a cart-before-the-horse situation.

The most common recommendations I heard at the recent aviation conference were:
- Test bed for qualifying systems (approaching Certification and Accreditation)
- Minimizing the potential for supply chain attacks
- Security Training for operators/controllers
- Situational Awareness (and integrity of decision support data)
- Information Sharing

Those of you following the power sector for the past few years should see some striking similarities. I'm willing to wager that nearly all CI/KR sectors are facing these same challenges. The only recommendation I didn't see was slowing down to get security issues addressed in the design phase. I've been a security professional long enough to expect that, but I can't seem to bring myself to accept it - hence this post/rant.

Like nearly all of my posts, I am writing this as I fly home on a commercial airline. Now if only I can think of a solution to being crammed into a space smaller than my anatomical dimensions. I'm not important or rich enough for First Class seats. But every time I think I've got it bad, I remember my co-worker CJ and his 6'5" span. He's taller than most clearances at drive-thrus and parking garages. Unfortunately TSA frowns on bringing a crowbar to extract him from the seat.

The photo is from CodeProject

Friday, May 21, 2010

Is Reliability In Your Future?


I'm hearing a new wave of disdain for the NERC Reliability Standards from the industry. This happens from time to time and it isn't just about the CIP Standards. The Order 693 stuff gets its fair share of noise too. The most common thread is how all of this effort doesn't really improve reliability of the power system. I hear it from plant and system operators. I hear it from comm-techs. I hear it from all ranks of management, from the front lines all the way to the executive level (though middle management seems to be the loudest). I even hear it from the IT staff but to a lesser extent.

Granted. The Reliability Standards are a pain. Lots of work, lots of money and lots of time spent to reach the magical state of Compliance. It deserves some of the frustrated noise that it gets, but not all.

One benefit: Accountability.

I know I'll probably take some heat for saying it, but in my opinion, holding people accountable for their actions will improve reliability of the power system. Accountability is a powerful tool for maintaining integrity. Some of the most obvious examples of accountability in action are cameras. They are aimed at cash registers while capturing POS data, watching the watchers at daycare centers and schools and even publicly scrutinizing police officer actions via headcams. No, system and plant operators shouldn't be fitted with headcams, but they shouldn't fear accountability either. I can sense a strong authority vibe coming from them and it seems that they perceive these standards to be chipping away at their ability to freely make grid management decisions. The accountability elements built into the standards will only take away your ability to make decisions anonymously. Believe it or not, this could actually help you and your system.

The photo was taken by a friend of mine who says the graffiti isn't his - and I think I believe him. And to quote his response on the subject: "no, it isn't, but hopefully it is recoverable." Thanks SHP. Please, no bathroom humor.

Thursday, May 20, 2010

CSO706SDT FAIL


Dear friends in the electric power industry: this CIP-010 and CIP-011 draft baffles me. I had a heck of a time trying to audit the first one, and this new one leaves me deeply sympathetic for the poor auditors I left behind (sorry guys). You have no idea how challenging it is to call a ball or a strike with CIP-002 through CIP-009 as an auditor. Well, you might have an idea, because you had to implement it - or should have, anyway. With that, I hope you see my point that inserting additional flexibility and vagueness will only make your job of implementing these requirements even harder. It will also make your auditor's job more difficult. These two facts increase your risk.

So, what happens if you get this one wrong? What happens if FERC remands it? Will it cause a ripple effect that could possibly spell the end of the ERO's oversight of security for the industry? Will Congress decide that our industry can't self-regulate, and therefore they need to step in and "save" the grid from the cyber-boogeyman? Sure, these are extreme cases, but they are still in the realm of the possible. And if we have an incident, think ESA - an energy-sector version of the TSA. Remember what happened to the airline industry. You may not be able to enter a substation unless you've gone through a full body imaging scan and your liquids and gels are all less than 3.4 ounces in a one quart clear baggie.

CSO706SDT (the Cyber Security Order 706 Standard Drafting Team), especially after listening to the recent Version 4 Workshop, I implore you to listen to the auditors. They are not the enemy. A few points that bear repeating:
- Define stuff. If you haven't defined your terms, you haven't written a standard. "Annual" is only one of the many words you need to clarify.
- Attackers aren't constrained by budget and time. If we are, they have the advantage.
- Remember Moore's Law. Technology will transform significantly within ten years. Consider more realistic implementation deadlines. In fact, make it simple and give us a single [sane] date.
- Write the standards in such a manner as to eliminate the need for a Technical Feasibility Exception.
- Access points matter. Allowing anything is like saying a shoji screen is equivalent to a steel door.
- Go ahead and call it a firewall.
- Terms like boundary, border and perimeter are all acceptable. Most professionals know that this means "preventive control." Removing the ESP and PSP (Electronic Security Perimeter and Physical Security Perimeter) language may do more damage than good, despite the pre-existing confusion. Require a perimeter, with a DMZ.
- Low impact systems deserve protection. Packets don't care about arbitrary labels. The way it is currently designed, "stupid" would be a compliant password for low impact systems. Minimize the potential for gaming the system by labeling everything "low."
- Be thinking, with every requirement you construct, "how would someone evidence this?"

Electric sector, just go secure your systems. It will cost you money. It will take time and resources from other projects. Accept it. Embrace it. The sooner the better. If you start securing your stuff now, you will have less work to do when someone finally hands you a security standard. The situation won't get better in the future. There aren't enough security professionals who can spell R-T-U (remote terminal unit). The Feds aren't going to let sloppy or weak security standards prevail. The economy isn't going to turn around tomorrow with lavish profits to pay for it all. The time is now. Grab a spoon and start eating the elephant.

We owe it to ourselves to step this up. We owe it to ourselves to get it right. We are engineers, operators, security professionals and generally very smart people. We can do this. We've solved harder problems before. The reality, however, is that we will only solve problems we want to solve.

Oh, and Hello World. This is my first official blog post.