NERC CSO Michael Assante Testifies Before Congress About Cyber Attacks

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog

This week Michael Assante, the Chief Security Officer (CSO) for the North American Electric Reliability Corporation (NERC), testified before Congress about the threats facing the modern electric grid. The focus of this testimony in particular was the readiness of the systems comprising the electric grid to defend themselves against cyber attacks. At the beginning of his testimony, Mr. Assante called out the unique aspect of the dangers posed by a cyber attack and why that was so concerning to him.

“Unlike other concerns, such as extreme weather, security-related threats can be driven by malicious actors who intentionally manipulate or disrupt normal operations as part of a premeditated design to cause damage. Cyber-related threats pose a special set of concerns in that they can arise virtually anytime, anywhere and change and emerge without warning.”

He continues:

“While the industry deals with some physical security events, like copper theft, on a regular basis, other technical threats or hazards, such as electromagnetic pulse and space weather, are a concern and will require careful consideration to develop appropriate and effective mitigations. Cyber threats to control systems are still evolving and are not yet fully understood. The potential for an intelligent attacker to exploit a common vulnerability that impacts many assets at once, and from a distance, is one of the most concerning aspects of this challenge.”

One of the reasons cyber attacks are so concerning to those responsible for our energy grid is that these attacks simply do not fall within the design for reliability and disaster recovery that the energy systems were built for. Reliability of our energy grid has been of paramount importance since its inception, and as such it was designed to respond to a system failure without interrupting power to the homes it serves. Unfortunately, this disaster preparedness focused on recovering from the failure of one system and using other systems to compensate during that time; this is often referred to as N-1 preparedness. In a cyber attack, there is the potential for widespread disruption of these same systems, creating an N-x problem where more than one system is down and the plan for compensation by other systems will potentially not be adequate.

Mr. Assante goes on to describe that one of his top priorities is preparing the operators of the energy grid against new and not fully understood cyber attacks. To address this to some extent, he has developed a notification process where operators of the grid can be immediately notified of a pending threat. He calls out their efforts around the Conficker worm:

“NERC’s recent work to alert the industry of the Conficker worm, including lessons learned on mitigation, involved the issuance of one recommendation, two advisories, and an awareness bulletin over the span of six months. These efforts significantly contributed to overall preparedness and awareness of the underlying vulnerability and cyber threat.”

Unfortunately, it has been proven time and again that a simple after-the-fact notification, while helpful, cannot defend in the long term against serious threats that can cause widespread disruption to critical systems. After-the-fact technology and processes simply don’t work.

More than ever it is time for protective systems that can prevent threats without ever having to know about them. This was the focus of a recent blog entry titled “Endpoint Protection – A Case For a Rational Transition to Whitelisting: Step 1 Protect.” Protecting critical endpoint systems against unknown threats is possible today with application whitelisting and should be a top priority.

It should be no surprise that adoption of application whitelisting is being led by the industries that have the most critical security needs. In the case of satisfying NERC CIP requirements, application whitelisting goes beyond meeting the letter of the regulations: it accomplishes the spirit of the regulations by dramatically enhancing the protection of those systems that are critical to the continued functioning of our energy grid.
