http://uaelp.pennnet.com/display_article/334315/22/ARTCL/none/none/1/NERC-CEO-announces-plan-to-improve-response-to-cyber-security-and-CIP/
Princeton, NJ, July 15, 2008 -- Rick Sergel, president and CEO of the North American Electric Reliability Corporation (NERC), recently announced the organization's plans to improve its response to cyber security and critical infrastructure protection (CIP) concerns for the bulk power system in North America. Revealed to NERC's board of trustees and stakeholders in a letter last week, the plan outlines six specific actions that will lay the foundation for improving grid reliability by enabling faster and more effective action to protect critical assets from cyber or physical threats.
The actions arise from NERC's recent interaction with various organizations, including the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology of the House Homeland Security Committee, whose efforts have been instrumental in emphasizing the urgency and priority of this critical issue.
"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," said Sergel. "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."
"As the Electric Reliability Organization in the U.S. and home to the Electric Sector Information Sharing and Analysis Center (ES-ISAC), we are seeking to enhance and focus our existing efforts by putting the organizational structure in place to better support a more comprehensive treatment of these critical issues," he continued. "One of our key initiatives in this area is the recent formation of the Electric Sector Steering Group (ESSG), comprised of five industry chief executives, a NERC board member, and of which I am the chairman. The group will be instrumental in guiding NERC as we execute the plans announced today."
Specific actions NERC will take include:
Increasing NERC expertise on CIP and cyber security -- NERC will formally establish the CIP program as one of NERC's program functions, alongside existing standards development, compliance and enforcement, and reliability assessment program areas. The establishment of the program will include the staffing of a chief security officer position, who will serve as the single point of contact for the industry, the ESSG, and government regulators and stakeholders seeking to communicate with NERC on cyber and infrastructure security matters.
Consider alternative standard setting process for cyber security standards -- NERC will establish a task force to review, and where appropriate recommend, a standard setting process for cyber security that will include an emergency/crisis standards setting process. The process must provide a level of due process and technical review, but also provide the speed necessary to establish standards quickly and respond seamlessly to government agencies in the U.S. and Canada.
Expedited review of existing cyber standards -- Working through the Standards Committee, NERC also seeks to accelerate the comprehensive review of its eight existing CIP standards to fully incorporate the directives from FERC, including the consideration of the extent to which elements of the National Institute of Standards and Technology (NIST) standards should be incorporated therein or within new standards.
Facilitate joint collaboration on cyber security -- NERC, working with FERC and relevant governmental authorities in Canada, will organize a briefing for the ESSG, the NERC CEO, and senior level utility executives across all stakeholder groups on cyber security threats.
Showing posts with label Energy. Show all posts
Wednesday, July 16, 2008
Tuesday, July 15, 2008
Energy "Cyber Security: Are We Doing Enough"
We can’t afford to live in a virtual world when it comes to cyber attacks on our electric grid—this pain would be real. A disruption of our critical infrastructure would be life threatening and could cripple our economy.
U.S. utilities know this and are working around the clock to ensure the safety of their networks and systems. Yes, the electric power system is vulnerable but with constant vigilance and sound cyber security policies we can protect the grid—we just have to be sure we are doing enough.
Last year, the number of cyber attacks on utilities per day almost doubled, according to SecureWorks, a managed security services provider to more than 1,800 clients, including 100 utilities. From January through April 2007, the company blocked an average of 49 attackers per utility client per day, while from May through September of that year, it saw an average of 93 unique hackers attempting attacks on each of its utility clients per day.
Labels:
DHS,
Energy,
NERC,
Power Grid,
Process Control Systems,
SCADA
Wednesday, June 18, 2008
UK CPNI: new SCADA guidelines available
SCADA: CPNI has recently updated their guidelines on SCADA protection. I find these are among the best guidelines I have ever read on the subject, as they mainly focus on the Strategy, Processes, Organization and People.
Here is the list of the 8 available guidelines (the Title is also the link to the Guideline):
Process control and SCADA security - General Guidance
An overarching summary to the following guidance documents
Process control and SCADA security guide 1 - Understand the Business Risk
The first step in improving the security of process control systems is to gain a thorough understanding of the business risk in the context of electronic security. Business risk is a function of threats, impacts and vulnerabilities. Only with a good knowledge of the business risk can an organisation make informed decisions on what should be the appropriate levels of security protection.
Process control and SCADA security guide 2 - Implement Secure Architecture
Designing a secure architecture for a control system can be a difficult exercise as there are so many different types of systems in existence and so many possible solutions, some of which might not be appropriate for the process control environment. Given limited resources it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure for its defence.
Firewall deployment for SCADA and process control networks
This guide, produced by the former NISCC, documents the pros and cons of architectures used to separate the SCADA and process control network from the Enterprise network. These range from hosts with dual network interface cards to multi-tiered combinations using firewalls, switches and routers.
Process control and SCADA security guide 3 - Establish Response Capabilities
The capability to respond to both alerts and incidents is an important part of a process control security framework. Obtaining management support, determining responsibilities, establishing communication channels, drafting policies, and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimise the business impacts and their cost, possibly avoiding such incidents taking place in the future.
Process control and SCADA security guide 4 - Improve Awareness and Skills
Raising awareness is potentially the single most valuable action in the ongoing task of process control security. Raising awareness endeavours to ensure all relevant personnel have sufficient knowledge of process control system security and the potential business impact of lapses in security. Personnel need to know what to do to prevent attacks and what to do in the event of an incident.
Process control and SCADA security guide 5 - Manage Third Party Risk
The security of an organisation's process control systems can be put at significant risk by third parties, e.g. vendors, support organisation and other links in the supply chain, and therefore warrants considerable attention. Technologies that allow greater interconnectivity, such as dial-up access or the internet, bring new threats from outside of the organisation. Third parties must therefore be engaged as part of the process control security programme and steps should be taken to reduce the associated risk.
Process control and SCADA security guide 6 - Engage Projects
Process control systems are usually installed with an expectation of a long service life and minimal changes to these systems during their lifetime. However saying this for all control systems in use is probably an over generalisation. In many organisations there are often a number of process control system related projects underway at any point in time, any of which could have security implications.
Process control and SCADA security guide 7 - Establish Ongoing Governance
Formal governance for the management of process control systems security will ensure that a consistent and appropriate approach is followed throughout the organisation. Without such governance the protection of process control systems can be ad-hoc or insufficient, and expose the organisation to additional risk.
Monday, June 16, 2008
US: Is our Energy Secure?
Harvard Political Review - Is Our Energy Secure?: "Is Our Energy Secure?
Hurricanes exposed America’s vulnerability
Hurricanes Katrina and Rita laid a one-two punch on America’s energy infrastructure. The first blow cut daily oil production by almost one million barrels, while the second halted oil production in the Gulf of Mexico, squelching a third of the nation’s oil supply. The federal government has since begun the process of securing the U.S. energy infrastructure against further natural disasters, but the effectiveness thereof remains to be tested." [...]
Saturday, June 14, 2008
Chinese hackers blamed for power cuts - The INQUIRER
Chinese hackers blamed for power cuts : "Chinese hackers blamed for power cuts"
From the Inquirer
CYBER WAR CLAIMS are now getting out of hand, with US government spinners being prepared to blame everything on the Chinese.
A report in the National Journal, claims that Chinese hackers were responsible for a recent power outage in Florida, and the widespread blackout which struck the northeastern US in 2003.
In a literal game of Chinese whispers, the story quotes insecurity experts, who in turn cite unnamed US military intelligence [surely a contradiction in terms. Ed]
The story is that the People's Liberation Army may have cracked the computers controlling the US power grid to trigger the cascading 2003 blackout that cut off electricity to 50 million people in eight states and a Canadian province.
Unfortunately it is not just a bit, but completely, untrue.
At the time investigators blamed 'overgrown trees' that came into contact with strained high-voltage lines near facilities in Ohio owned by FirstEnergy.
No one suggested the trees were a Chinese plant.
But according to Wired, the recent claim is all part of a cunning plan to convince the citizens of the US that they are at grave risk from cyber terrorists.
It all started when intelligence boss Michael McConnell decided that cyber terrorism would be a wizard way of getting warrantless NSA surveillance. He claimed cyber terrorists were costing the US $100 billion a year.
But this is the first time that the yarn has been linked to one of the most thoroughly-investigated power incidents in US history.
Next it will be found that Chinese hackers were responsible for the housing credit crunch, Miley Cyrus, television reality talent shows and other atrocities.
Labels:
China,
Cyberterrorism,
Cyberwar,
Energy,
Information Warfare,
Power Grid,
Process Control Systems,
US
Tuesday, June 10, 2008
ISN Publishing House: Energy Security of the European Union
ISN Publishing House: Energy Security of the European Union: "Energy Security of the European Union
This paper, published by the Centre for Strategic Studies (CSS) at ETH Zurich, describes how energy security has become an important policy area for the EU. However, forging and implementing a common energy policy has proven to be difficult. The author states that because the national energy mix and energy policies vary widely, the EU member-states have struggled to agree on common priorities and specific measures. The paper explains that while some progress has been made in the field of sustainability, the realization of a common energy market and of a common external energy policy to secure supplies remains particularly challenging.
Thursday, June 5, 2008
Utility Automation & Engineering T&D - NERC statement on cyber security hearing
Utility Automation & Engineering T&D - NERC statement on cyber security hearing: "NERC statement on cyber security hearing
Princeton, NJ, June 3, 2008 -- Rick Sergel, president & CEO of the North American Electric Reliability Corporation (NERC), made a statement in reference to the hearing of the House Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.
'At NERC, our mission is to ensure the reliability of the bulk power system in North America. We fully recognize and appreciate the importance of the reliability and security of our continent's bulk power infrastructure to public safety, economic health, and the lifestyle we enjoy. We share the subcommittee's commitment to ensuring that consumers can continue to rely on electric infrastructure as being safe, secure, and reliable.'"
Labels:
Energy,
NERC,
Power Grid,
Process Control Systems,
US
Wednesday, June 4, 2008
Did Hackers Cause the 2003 Northeast Blackout? Umm, No - from Wired.com
Did Hackers Cause the 2003 Northeast Blackout? Umm, No Threat Level from Wired.com: "Did Hackers Cause the 2003 Northeast Blackout? Umm, No"
I found this article, which appeared on the Wired.com blog, quite interesting, and I decided to post it after I reported on an article about the suspicion that the Chinese People's Liberation Army could be behind some of the most important US blackouts. It provides a very different perspective on the discussion.
Labels:
Cyberterrorism,
Cyberwar,
Energy,
NERC,
Power Grid,
Process Control Systems,
US
Tuesday, June 3, 2008
China Cybarmageddon
The notion that Chinese hackers are noodling around blacking-out American cities at will is a truly extraordinary assertion. Makes the wildest fantasies of 1950s McCarthyism look quite tame.
"A big week for cyber security news stories. Newsbites editor Ed Skoudis put it in perspective, "Consider this NewsBites in its totality (nation state espionage, power grid vulnerabilities, nuclear facilities, radiation dispersal rumors, congressman discussing threats, and more), and you can see we're in the midst of a sea change in the willingness to discuss the threats we now face. It's not just petty cyber crime any more. Increasingly, there are national security implications and massive safety issues associated with information security vulnerabilities in our critical infrastructure. Lives are at stake."
http://blog.wired.com/sterling/2008/06/china-cybarmage.html
Friday, May 30, 2008
China’s Cyber-Militia
Chinese hackers pose a clear and present danger to U.S. government and private-sector computer networks and may be responsible for two major U.S. power blackouts.
Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.
One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages.
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php
Wednesday, May 21, 2008
TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds - washingtonpost.com
TVA Power Plants Vulnerable to Cyber Attacks, GAO Finds - washingtonpost.com:
"The Tennessee Valley Authority (TVA), the nation's largest public power company, is vulnerable to cyber attacks that could sabotage critical systems that provide electricity to more than 8.7 million people, according to a Government Accountability Office report to be released today."