Hacking The Electric Grid Is Damned Hard

Hacking The Electric Grid Is Damned Hard:

Difficult isn’t the same as impossible, Suh-Lee told me. Depending on where an attack happened and how people responded, you could get the stuff of our nightmares. Lawrence repeatedly invoked the phrase “knock on wood” as he talked about the possibility of infiltrations of electric infrastructure turning into real-world blackouts. That’s why there’s a lot of effort going into research, monitoring and preparation for cyberattacks. Lawrence’s team, for instance, is gearing up for an event that’s held every other year and is sort of like war games for the electric grid. And the Department of Energy is planning a similar event, focused on figuring out what it takes to reboot after a hacker-caused blackout.

But that preparation doesn’t mean we’ll eventually solve this problem, either, Suh-Lee said. If the chances of a cinematic disaster are low, the chances of a theatrical hero on a white horse riding in to save the day are even lower. Making the grid stronger and more resilient also means making it more digital — the work that’s being done to improve the infrastructure has also created new opportunities for hackers to break in. And the risk of attack is here to stay. Security improvements are “never going to completely eliminate the risk,” she said. “The risk is out there and people will find a new way to attack.” We’ll be living with cyber threats to the grid for the rest of our lives.

(Via Features – FiveThirtyEight)

Press around the North American electrical grid and security is often hyperbolic. Maggie Koerth-Baker typically writes in a measured way so I appreciate this article adding a little bit of reason into the diaspora.


DHS vulnerability scanning program offline after Virginia office loses power

DHS vulnerability scanning program offline after Virginia office loses power:

Two cybersecurity programs the Department of Homeland Security offers both states and the private sector have been temporarily knocked offline due to a power outage, while other services have been shifted to backup locations, multiple sources tell CyberScoop.

The National Cybersecurity and Communications Integration Center (NCCIC), the 24/7 hub for monitoring cyberthreats across the government and critical infrastructure, has shifted operations to a backup location in Florida. The move was made after the Arlington, Virginia, building that houses NCCIC lost power last week due to heavy rains.

Additionally, two other programs under NCCIC’s National Cybersecurity Assessments and Technical Services (NCATS) — Cyber Hygiene vulnerability scans and Phishing Campaign Assessment — have been offline since July 26.

The Cyber Hygiene program remotely detects known vulnerabilities on internet-facing services. The Phishing Campaign Assessment program is part of a remote penetration testing service. Both programs are used by hundreds of customers across the country. Thirty-four states have received vulnerability scans through the Cyber Hygiene program, according to a DHS presentation given at the National Association of State Election Directors summer conference.

DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra told CyberScoop that the disruption to Cyber Hygiene is temporary, and that election systems will be the first to resume service once the program comes back online. Officials expect scans to resume Aug. 6.

The building housing NCCIC suffered heavy damage when portions of the façade ruptured due to the volume of rain that fell in the Washington, D.C., region. The roof of a restaurant on the building’s ground level failed during business hours on July 26.

… A number of DHS offices are in that building.

CyberScoop has learned that due to the water damage, the building completely lost power, which prevented server rooms used by DHS from staying cool. Once the room reached a certain temperature, a sprinkler system was activated. Those sprinklers damaged servers supporting the Cyber Hygiene and Phishing Campaign Assessment programs.

On Sunday, the NCATS office sent an email to its customers informing them that Cyber Hygiene and Phishing Campaign Assessment were offline and that contingency plans have been put in place.

“In order to minimize the operational impact, we immediately implemented our contingency plans and transferred functions to other sites, including NPPD’s facility in Pensacola, Fla.,” the email, obtained by CyberScoop, reads. “We are working to restore these services as quickly as possible. We will let you know when the service and reports will resume.”

NPPD is the National Protection and Programs Directorate, which oversees NCCIC.

The power outage has had a “minimal impact” on DHS’s cybersecurity operations, Krebs said. The incident has not, for example, affected the department’s ability to respond to cyber incidents or issue warnings to the private sector.

DHS has been at the center of the federal government’s efforts to fortify U.S. voting infrastructure following the 2016 presidential election, when Russian hackers probed systems in 21 states. Last week it was revealed that the same outfit of Russian hackers that meddled in the 2016 election appears to have targeted Sen. Claire McCaskill‘s office.

(Via Cyberscoop)

With the DHS looking to create a central Risk Management program, seeing stories like this does not instill confidence that the U.S. Government, and the DHS in particular, is up to the challenge.

This slays me:

Chris Krebs, the undersecretary of NPPD, told CyberScoop that the department is “taking this opportunity to get some efficiencies into the system, but also to build resilience and redundancy.”

Those are the words uttered after every such event.

By the way, for those not in the know, there is a well-known process called Disaster Recovery and Business Continuity Planning (DR/BCP) that has been around for decades to plan for just this sort of event.


Maybe the National Risk Management Center Will Combat Critical Infrastructure Hacks

The National Risk Management Center Will Combat Critical Infrastructure Hacks:

At a cybersecurity summit Tuesday, Homeland Security secretary Kirstjen Nielsen announced the creation of the National Risk Management Center, which will focus on evaluating threats and defending US critical infrastructure against hacking. The center will focus on the energy, finance, and telecommunications sectors to start, and DHS will conduct a number of 90-day “sprints” throughout 2018 in an attempt to rapidly build out the center’s processes and capabilities.

“We are reorganizing ourselves for a new fight,” Nielsen said on Tuesday, who described the new center as a “focal point” for cybersecurity within the federal government. Nielsen also noted that DHS is working with members of Congress on organizational changes that can be mandated by law to improve DHS’s effectiveness and reach.

(Via Security Latest)

Based on the recent news from the Boston Globe about TSA wasting resources on zero value “security”, I am skeptical of how useful this will be in the U.S. Government’s security efforts. I seem to recall something similar was in the works over a decade ago.

However, Secretary Nielsen seems to have said the right things in her talk:

  • Risk-based approach
  • Threat evaluation versus threat chasing
  • Focused on specific critical industries
  • Taking an agile development approach to building out capabilities
  • Working with Congress
  • Being the focal point for government

There are unanswered questions. We will get more answers as the process moves along.

I sincerely hope this isn’t another Security Theater opportunity to waste time and taxpayer resources.


[Orin Kerr] How to Read a Legal Opinion

[Orin Kerr] How to Read a Legal Opinion:

A guide for new law students — and others.

With law schools set to open their doors in a few weeks to a new 1L class, it’s time for my annual posting of my 2007 essay, How to Read a Legal Opinion: A Guide for New Law Students. As the abstract explains:

This essay is designed to help new law students prepare for the first few weeks of class. It explains what judicial opinions are, how they are structured, and what law students should look for when reading them.

I’m told that some non-lawyers also have found the essay valuable as an introduction to reading cases.

(Via The Volokh Conspiracy)

This is a free to download PDF.

As more and more cybersecurity case law is established, and while more and more existing case law is pressed into cybersecurity service, being able to read and understand the basics of legal opinions isn’t just the realm of the compliance team anymore.


The Space Force Should Improve the Cybersecurity of Space Assets

The Space Force Should Improve the Cybersecurity of Space Assets:

President Trump offered his support last month for the creation of a Space Force within the U.S. military. In a paper released last week, my Harvard colleague Greg Falco argues that one of the first missions for this new force should be to improve the cybersecurity of space assets. This proposal is worthy of deep consideration as the cybersecurity of space assets remains a top, if underexamined, priority for national security, and the opportunity to shape the roles and missions of a new Space Force will soon pass.

Falco does not hype the threat, but his assessment of the risks is sobering: The consequences of disrupting or degrading connectivity are striking when one considers how much of U.S. critical infrastructure relies on connectivity in or through space. His recommendations take a similarly balanced approach and offer interested policymakers a few potential steps to get started, such as modifying pertinent sections of the Code of Federal Regulations.

One area that could benefit from future research is how to deconflict roles and missions between a Space Force (or the military in general), the Department of Homeland Security, NASA and other parts of the federal government. This specific issue is a bit beyond the scope of Falco’s paper, but it reflects a challenge that still seems to bedevil federal cybersecurity policy: Who exactly is in charge of what? Space assets and affiliated organizations span the military, civilian government and multiple private-sector spheres. Perhaps more than any other sector of the U.S. economy and society, improving the cybersecurity of space assets really will require a whole-of-nation approach.

(Via Lawfare – Hard National Security Choices)

It’s a stupid name. However, I generally agree that this should be job #1. The risks are simply too great to delay action in understanding, mitigating, and remediating (where possible).


A counterargument on a government-run cybersecurity “moonshot”

Evaluating a “Cybersecurity Moonshot”

For cybersecurity, however, the “moonshot” or the sometimes-interchangeable cyber “Manhattan Project” may not be the best models.

First, both the moonshot and the Manhattan Project were relatively focused, short-term efforts aimed at a single and clearly defined objective—land on the moon, explode an atomic bomb. We do not have the same clarity and focus for cybersecurity. Project Apollo, delayed by a tragic fire, took seven years to put people on the moon while the Manhattan Project took three years to build the atomic bomb. Both were well-resourced. It may be possible to match these speeds if the technological objective of the cybersecurity moonshot was clearly defined and if the United States is willing to make the needed investments, but the construct we call cyberspace is the most complex creation ever built by humans. There are entrenched interests fearful of any change, and the politics of a cyber moonshot will be much more daunting.

A cyber moonshot could increase its chances of success if it could identify technologies that would provide wide-ranging improvements for cybersecurity.

(Via csis.org)

This article raises some excellent concerns. Indeed, in order for this kind of thing to be successful (or like the Solarium Project I wrote about the other day) we need to define clear goals and objectives.

And we need fresh thinking, something VCs, the cybersecurity industry, and the US government largely lack at the moment. Everyone seems to be iterating the same concepts.

What do you think? Is this a space where a government-run or sponsored project could, assuming the best conditions, make a noticeable impact?


A Glimpse into Private-Sector Cybersecurity in Japan

A Glimpse into Private-Sector Cybersecurity in Japan:

Many Japanese government agencies and corporate actors are discovering the importance of cybersecurity as a set of national policies (the selection of Tokyo for the 2020 Olympics has been an impetus). But Japan’s role in the global economy means that government, business, policy, and academic actors outside of Japan need to understand the current policy stances and policy processes for their own economy and cybersecurity. “Business Management and Cybersecurity” provides an excellent entry into Japan’s changing understandings and its roles in global cybersecurity.

… Another example of the value of the book’s comparative approach is its description of the different expectations of the chief information-security officer (CISO) role in corporations in Japan and overseas. Only 63 percent of Japanese companies assign a CISO, whereas the ratio is 95 and 85 percent in the U.S. and Europe respectively. While CISOs are “dual-hat” positions in 35 percent of Japanese companies, the ratio is only 17 percent in the U.S. and 18 percent in Europe. Since Japan does not have as many long-term cybersecurity professionals as the U.S., and since Japanese business culture does not usually recruit C-suite executives externally, “Business Management and Cybersecurity” expresses doubt that an American or European approach of hiring and assigning a CISO would work in Japan. Instead, the book suggests that cybersecurity team building would be more effective given Japanese business culture and patterns of Japanese corporate governance.

(Via Lawfare – Hard National Security Choices)

The review definitely echoes my observations working here for the past 30 months. Looks like I found my next book! I just hope there is an English edition that doesn’t lose too much in translation.


Summary: The Supreme Court Rules in Carpenter v. United States

Summary: The Supreme Court Rules in Carpenter v. United States:

On Friday, June 22, the Supreme Court issued its much-anticipated opinion in Carpenter v. United States, holding that a warrant is required for police to access cell site location information from a cell phone company—the detailed geolocation information generated by a cellphone’s communication with cell towers. As predicted, Chief Justice Roberts authored the majority opinion, reversing the Sixth Circuit’s decision. He was joined by Justices Ginsburg, Breyer, Sotomayor and Kagan. The remaining four justices, Justices Kennedy, Thomas, Alito, and Gorsuch each filed separate dissenting opinions.

(Via Lawfare – Hard National Security Choices)

There has been a ton of coverage about this in the US. As per usual, Lawfare does a great job of reviewing this without hyperbole. Give it a good read as it has far reaching potential implications.


Washington Needs a New Solarium Project To Counter Cyberthreats

Washington Needs a New Solarium Project To Counter Cyberthreats:

Sometimes the most significant legislative measures get the least attention at the time of passage. That may be the case with the Cyberspace Solarium Commission mentioned in the National Defense Authorization Act that was passed on June 18 by the U.S. Senate. Tucked into the bill crafted and sponsored by Sen. Ben Sasse (R-Neb.), the commission may not garner many headlines, but it could galvanize a strategic paradigm shift.

If the idea survives the House-Senate conference process and gets signed into law — and we very much hope it does — it could lead to the creation of the institutions, doctrines, resources, and strategy that the United States needs desperately in the realm of cybersecurity. As New York Times national security correspondent David Sanger argued in a recent essay, the United States is woefully unprepared for the age of cyberconflict.

… If properly led and implemented, the Sasse proposal for a Cybersecurity Solarium Commission could make a similarly timely and consequential contribution to national security. The NDAA provision self-consciously draws inspiration from President Dwight D. Eisenhower’s iconic Project Solarium exercise in 1953.

… Today, it seems like everyone is using cyberweapons, but not enough policymakers are thinking about them.

To be sure, there is a fair degree of strategic analysis and thinking in academia, in think tanks, and in the relevant Cabinet departments and agencies. But this thinking has not accumulated into definable strategies that have buy-in from the White House or that have aligned roles and responsibilities across department and agency lines.

… Neither the Obama nor the Trump administration has gone so far down the decision path, and so this commission may prove to be an enabling and action-forcing exercise, as Congress reasserts its Article 1 constitutional responsibility to “provide for the common defense.”

The United States cannot afford to wait. It is already clear that U.S. adversaries are willing to stage attacks in the cyber domain and believe they can do so with impunity: Witness Russia’s successful deterrence of the Obama administration from retaliating in 2016.

Advanced cyber capabilities and a willingness to run risks to use them are the common features of every major national security challenge facing the United States today, whether it is Iran, North Korea, Russia, or China. As a result, cyberthreats cast a long shadow over the full range of national security and foreign-policy issues, including trade, regional conflict, terrorism, and new great power rivalries.

Americans struggled to understand the nuclear threat from the Soviet Union. In an effort to overcome bureaucratic stovepipes and to catalyze fresh thinking, Eisenhower convened the Solarium exercise to help him assess and respond to an unprecedented national security challenge. With this new provision in the Senate version of the fiscal 2019 NDAA, Sasse has given the U.S. government the opportunity to make a similar landmark assessment and response.

(Via Foreign Policy)

Peter Feaver’s and Will Inboden’s article is an eye opener for me. I totally missed this somehow when I was learning about the NDAA. Based on recent actions in the Executive Branch of the US government, this looks like reasonable and better-late-than-never action by the Legislature. That is assuming it makes it into the final NDAA language, of course.

Read the whole article for the historical parallels and context.

What do you think?


Holes punched in hull of maritime security

Crappy IoT on the high seas: Holes punched in hull of maritime security:

Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking and worse.

A demo at the Infosecurity Europe conference in London by Ken Munro and Iian Lewis of Pen Test Partners (PTP) demonstrated multiple methods to interrupt the shipping industry. Weak default passwords, failure to apply software updates and a lack of encryption enable a variety of attacks.

(Via The Register – Security)

Vulnerable ship systems: Many left exposed to hacking:


“Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems,” Pen Test Partners’ Ken Munro says, and points out that the advent of always-on satellite connections has exposed shipping to hacking attacks.


(Via Help Net Security)

Maritime navigation hack has potential to wreak havoc in English Channel:


As reported by the BBC, security researcher Ken Munro from Pen Test Partners has discovered that a ship navigation system called the Electronic Chart Display (Ecdis) can be compromised, potentially to disastrous effect.


Ecdis is a system commonly used in the shipping industry by crews to pinpoint their locations through GPS, to set directions, and as a replacement to pen-and-paper charts.


The system is also touted as a means to reduce the workload on navigators by automatically dealing with route planning, monitoring, and location updates.


However, Munro suggests that a vulnerability in the Ecdis navigation system could cause utter chaos in the English Channel should threat actors choose to exploit it.

The vulnerability, when exploited, allows attackers to reconfigure the software to shift the recorded location of a ship’s GPS receiver by up to 300 meters.


(Via Latest Topic for ZDNet in security)

I’ve been talking with companies in this space about these types of issues. While Munro’s research is telling, this is not shocking.

It does very nicely illustrate the real values in good penetration testing: challenging assumptions, taking nothing for granted, and divorcing motive from threat.

For example, the 300 meter location discrepancy could have nothing to do with the shipping company or the ship itself. It could be used by a crypto mining concern looking to delay the arrival of new GPUs for a rival firm. This type of attack could be part of a larger series of attacks, subtle enough that further investigation would be unlikely (as opposed to the English Channel scenario in the ZDNet article), and could reap substantial benefits for the crypto mining concern.

I believe it to be a war of pretexts, a war in which the true motive is not distinctly avowed, but in which pretenses, after-thoughts, evasions and other methods are employed to put a case before the community which is not the true case.

DANIEL WEBSTER: Speech in Springfield, Mass., Sept. 29, 1847