Our recent article on MidAmerican Energy Company's push for better code security brought home the dangers energy companies face in the digital age. Another recent article on the damage bad guys can do with embedded systems illustrated the same dangers on a broader scale.
A wiki called SecurityFAIL.com was recently set up to document the problem. There is also an organization called EnergySec, a membership group of utility security professionals, that aims to build a robust defense against whatever may come.
In the following Q&A, EnergySec directors Seth Bromberger and Steven Parker describe how the organization formed, who is part of it and what kinds of best practices they've developed to keep our power flowing.
Describe the origins of the organization, the number of members, what kinds of activities involvement encompasses, and so on.
Bromberger: EnergySec evolved as a not-for-profit corporation in small steps and through grassroots efforts. Its predecessor organization, E-SEC NW, was an informal group of security professionals who worked for electric utilities in the Pacific Northwest. This group met occasionally for lunch to discuss security issues relevant to their work. Over time, word spread and membership increased to the point where it was no longer a regional organization. When the group received the SANS National Cyber Security Leadership award in 2007, it was clear that our industry craved a national group to exchange security information.
Today, EnergySec has over 300 members representing almost 100 energy companies, government agencies, academic institutions, and national laboratories. The membership represents over 46 percent of the electric generation capacity in the US, and just under 60 percent of the electric distribution.
EnergySec's primary goal is to provide its members with access to timely, actionable information in an open, trusting forum. All our members are fully vetted and we have strict membership criteria. On a daily basis, the members discuss all aspects of security in the electric and energy sectors - from best practices, to real-time situational awareness, to pending legislation. For the past five years, we have held an annual conference where we can all meet face-to-face to discuss specific topics in more detail.
Are physical threats to energy infrastructure the highest priority, or is your mission specifically focused on the cyber danger?
Bromberger: Our members come primarily from the cyber security and risk areas within their organizations, but we do discuss physical threats, especially in the context of blended cyber/kinetic attacks.
What are some common security best practices that have been developed through everyone's collaboration in the organization?
Bromberger: Three recent examples should serve to highlight the benefits of exchanging information within our organization. The Industrial Control Systems Joint Working Group (ICSJWG) is a public/private consortium of security professionals from several sectors - manufacturing, IT, chemical, energy, and electricity among others - who are trying to determine the best way to secure current and next-generation control systems for these sectors. The private part of the ICSJWG is being managed by the North American Electric Reliability Corporation (NERC). Our secure information sharing portal is being used by the ICSJWG to coordinate and exchange information within and among the several subgroups. Since several EnergySec members are also volunteering on ICSJWG subgroups, it's a very good partnership opportunity.
Second, a couple of years ago NERC decided that it would be a great idea to leverage industry expertise when evaluating new threat and vulnerability alerts prior to formal dissemination to their constituents. Their Hydra program is designed to muster technical expertise on a moment's notice to provide rapid technical evaluation of these new threats and vulnerabilities. EnergySec saw an opportunity to help, and now hosts an information sharing portal for Hydra and provides over 115 volunteers to the effort.
Finally, one of our members recently developed a framework for information security within the utility sector that represents a best-in-class approach to defining and organizing the capabilities necessary to provide infosec services in critical infrastructure. Rather than keeping this knowledge to himself, he decided to share it with his colleagues on the EnergySec portal. The resulting feedback and interaction have provided benefits to everyone involved. This is the essence of what we're trying to accomplish.
What are some of the misconceptions about threats and defenses concerning the energy sector?
Parker: There is a tendency in the media to portray threats against the bulk electric system as being imminent. Although an attack could be attempted at any time, the concern is really in the long term rather than the immediate future. Current computer crime is almost exclusively financially motivated. Attacks against the electric sector will not be so motivated, since there is no easy path to monetization, and an attack against critical energy infrastructure would likely be met with an extremely aggressive government response. Security in this sector is critical over the long term to protect against possible terrorist or state-sponsored attacks, not petty crimes.
On the defense side, the actual vulnerability of the bulk electric system is often mischaracterized. It is not true that most control systems are connected to the Internet. It is now standard practice for control centers to reside on protected networks within a larger internal corporate network. This places the most critical systems behind two distinct perimeters. This is not to say that such systems are impenetrable, or that there are no electric sector cyber systems with exposure to the Internet or unsecured modems, but the situation is not as dire as sometimes portrayed.
What are some of the more overlooked aspects?
Parker: The insider threat is underappreciated. The electric industry, as a cooperative endeavor, necessarily relies on mutual trust. This creates a culture where the possibility of malfeasance by insiders is discounted.
The potential threats are underestimated. Because cyber crime garners so much media attention, many people simply gauge electric sector security against commonly reported attack scenarios. The reality is that any eventual attack against the electric infrastructure is likely to be much more sophisticated than what is commonly seen. Protections need to be designed with this in mind. For example, it is likely that private communication infrastructure (sub IP-level, non-Internet) would be a target. Blended attacks, part cyber, part physical, are also quite possible. Security protections need to consider the sophistication, motivation, and resources of potential attackers.
Confidentiality isn't much of an issue in the electric sector. Whereas current financial crimes all revolve around the acquisition and misuse of confidential information, most attack scenarios in the electric sector revolve around loss of control or loss of data integrity. Although there are legal and economic drivers for the confidentiality of some information, primarily market related, the actual operation of the bulk electric system depends on the integrity of the control systems used to operate it, and the data used in decision making processes.