BreachExchange mailing list archives

The Next Hurricane Katrina: Energy Executives and Cyber Security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Oct 2013 00:30:23 -0600

http://sitrep.globalsecurity.org/articles/131016920-the-next-hurricane-katrina-ene.htm

At a time when electric companies are witnessing an unprecedented rise in
cyber-attacks against their industrial control systems (ICS) and
supervisory control and data acquisition (SCADA) systems that monitor and
regulate power grids, the response of industry executives has ranged from
paralysis to indifference. This stance is indefensible because it is not
attributable to ignorance: According to recent surveys, executives
understand that they face significant threats in cyberspace, but still
choose not to act to shore up their companies' vulnerabilities.


The 2010 discovery of Stuxnet malware, the 2012 Shamoon virus, and the
February 2013 unmasking of the Chinese military's Unit 61398 have all
highlighted the dangers facing energy providers in cyberspace. However, as
one board member of the U.S. National Cyber Council has observed, these
incidents represent only a few of the shots fired in a "cyber war [that]
has been under way in the private sector for the past year." Empirical
evidence bears out the extent of the threat: ICS-CERT, the Department of
Homeland Security's industrial control system cyber emergency response
team, responded to 198 cyber incidents across all critical infrastructure
sectors in 2012, of which 41% were in the energy sector. An NSS Labs report
paints an even more sobering picture: ICS/SCADA vulnerability disclosures
have increased more than 600% since 2010.


The highest-ranking executives and managers at the largest power companies
are well-aware of the persistence and magnitude of the threat they face. A
recent study prepared by the Center for Strategic and International Studies
(CSIS) and McAfee, which surveyed 200 industry executives from critical
electricity infrastructure enterprises in 14 countries, received alarming
responses: 80% of respondents claimed that they had faced a large-scale
denial-of-service attack, and 85% had experienced network infiltrations.
Two-thirds claimed that they had frequently found malware designed for
sabotage on their system. A sizeable number of attacks were cyber extortion
attempts, in which criminal enterprises threaten to shut off power unless a
ransom is paid. A plurality of utility executives (30%) also regard the
People's Republic of China as the most threatening state actor in cyberspace.


Given the growth of the cyber threats to utilities, and their awareness of
the threat, one might expect that executives are pulling out all the stops
to secure their ICS/SCADA systems. Unfortunately, the aforementioned
CSIS/McAfee study's disturbing conclusion was that the industry's
collective reaction is best characterized as paralysis: It recognizes the
threat, but it is not acting. While 40% of the study's respondents
acknowledged that their industry's vulnerabilities had grown over the last
year, between a fifth and a third said that their company was "not at all
prepared" or "poorly prepared" for cyber-attacks. All of these companies
cited compliance with mandatory North American Electric Reliability
Corporation (NERC) cyber security standards, but most also acknowledged
that they did not comply with NERC's voluntary measures. Many industry
executives are also failing to provide adequate cooperation to the federal
government, even though Presidential Policy Directive 21 (PPD-21) suggests
that it is the government's responsibility to both defend and respond to
critical infrastructure threats. More than a third of executives in the
CSIS/McAfee study said that they had no contact at all with the government
on cybersecurity, and most of the remainder said that they had "informal
exchanges" on the topic. The industry's reaction is most aptly illustrated
by its cavalier attitude towards smart grid adoption: Even though smart
grids will increase the number of "secondary access" points in SCADA
networks that can be exploited by hackers, the implementation of smart grid
technology remains the single largest priority for utilities, with global
spending set to exceed $45 billion by 2015.


The CSIS/McAfee survey is eye opening in terms of how it differs from most
companies' public statements about their SCADA vulnerabilities. The survey
raises the question: Why aren't utility companies doing more to protect
themselves? The most significant reason is that the market does not
adequately punish companies that cost their customers money and lives. The
2003 Northeast Blackout, for instance, which affected 55 million people in
the U.S. and Canada, began with a software bug in a SCADA system. FirstEnergy,
the company operating the system, saw its share price drop from $31 to $25
in the week after the blackout, but within two and a half weeks, share
prices had climbed back up to the pre-blackout price.


Former Secretary of Defense Leon Panetta once warned that inadequate
protection of cyber infrastructure risks the possibility of a "cyber Pearl
Harbor," but Hurricane Katrina might be the better analogy. The National
Science Foundation study that investigated the levee failures found that
the design flaws, poor maintenance standards, and inadequate government
supervision and regulation of maintenance led to the catastrophe that
befell New Orleans in 2005. The parallels between New Orleans's lack of
preparation for Katrina and the power industry's failure to improve its
cyber security posture are stark. Energy executives' lack of willingness to
respond to the threat of cyber-attacks on their SCADA infrastructure could
easily lead to an outcome far worse than what New Orleans faced as a result
of its leaders' lack of preparation for a known threat.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
