<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/electric-grid/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Don&#8217;t miss the point of 60 Minutes grid security story &#8211; Cyber threats are real</title>
		<link>http://www.coretraceblogs.com/2009-11/dont-miss-the-point-of-60-minutes-grid-security-story-cyber-threats-are-real/</link>
		<comments>http://www.coretraceblogs.com/2009-11/dont-miss-the-point-of-60-minutes-grid-security-story-cyber-threats-are-real/#comments</comments>
		<pubDate>Mon, 16 Nov 2009 16:56:31 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[electric grid]]></category>
		<category><![CDATA[endpoint protection]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=852</guid>
		<description><![CDATA[In the wake of the 60 Minutes story there has been both a significant amount of attention given to the story online and the expected complaints that the story was overhyped. The specific complaint concerned the claim, attributed to &#8220;prominent intelligence sources&#8221;, that the Brazilian power outage was caused by cyber attacks. I even [...]]]></description>
			<content:encoded><![CDATA[<p>In the wake of the <a href="http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml?tag=currentVideoInfo;segmentUtilities" target="_blank">60 Minutes story</a> there has been both a significant amount of attention given to the story online and the expected complaints that the story was overhyped. The specific complaint concerned the claim, attributed to &#8220;prominent intelligence sources&#8221;, that the Brazilian power outage was caused by cyber attacks. I even received some tweets dinging me for propagating the hype from my <a href="http://www.coretraceblogs.com/2009-11/60-minutes-highlights-threats-to-our-power-grid/" target="_blank">last post on the original 60 Minutes story</a>.</p>
<p>The complaint is that 60 Minutes didn&#8217;t do their homework and that there is no proof that the actual outage was caused by hackers. I won&#8217;t get dragged into that dispute here, but I would like to address the conclusion that some have made that hacking in general is overstated.</p>
<p>To those who work in the security industry and say that the cyber threat to both Government and private systems is overhyped, my question is: have they even been paying attention? Both foreign governments and organized online crime have been carrying out purposeful attacks with increasing frequency, and the evidence is all around us.<span id="more-852"></span></p>
<p>Here are some examples:</p>
<ul>
<li class="margin_bottom_1em">
<p><strong>From 60 Min story – U.S. Government loses over a terabyte of sensitive information</strong>:</p>
<blockquote>
<p>&#8220;In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor,&#8221; Lewis said. &#8220;Some unknown foreign power, and honestly, we don&#8217;t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information.&#8221;</p>
</blockquote>
</li>
<li class="margin_bottom_1em">
<p><strong>Hackers steal over 130 million credit card numbers online</strong> – In August, Albert Gonzalez was indicted for stealing <a href="http://www.bloomberg.com/apps/news?pid=20601101&#038;sid=aMXMq__dm_Z8" target="_blank">over 130 million credit card numbers</a> from Heartland and other online businesses.</p>
</li>
<li class="margin_bottom_1em">
<p><strong>Clampi trojan steals bank login information</strong> – CNET posted a good article on the organized use of <a href="http://news.cnet.com/8301-27080_3-10298233-245.html" target="_blank">trojan horses to monitor our online activity and steal our credentials</a> when we visit one of over 4600 banking sites.</p>
</li>
<li class="margin_bottom_1em">
<p><strong>Bahama botnet used to drive online click fraud</strong> – From a recent <a href="http://securitywatch.eweek.com/click_fraud/botnet_clickfraud_problem_growing.html" target="_blank">eWeek article</a>:</p>
<blockquote>
<p>Click Forensics, which has been reporting on click fraud data and trends for over four years now, released its figures for Q3 2009 this week. According to the latest figures, botnet-driven traffic accounted for 42.6 percent of all the empty ad traffic between the beginning of July and the end of September 2009.</p>
<p>The results represent a significant increase in such activity, more than doubling botnet-driven click fraud compared to the same period in 2007 and gaining from the 27.5 percent reported for the same quarter in 2008.</p>
</blockquote>
</li>
</ul>
<p>These aren&#8217;t random infections from worms. This is organized hacking with a purpose. These are just a few real examples of our systems under attack, and simple searches will reveal far more. Our online systems are targets, plain and simple, and the security of our power grid is serious business.</p>
<p>If there is one thing that I hope people get from the 60 Minutes story, it&#8217;s that we need to understand the threats that exist out there and take steps to mitigate that risk before a serious attack takes place. We have to remember that all significant threats can be considered FUD before they happen. When it comes to protecting our critical infrastructure, I hope we don&#8217;t stick our heads in the sand.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-11/dont-miss-the-point-of-60-minutes-grid-security-story-cyber-threats-are-real/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>60 Minutes highlights cyber threats to our power grid</title>
		<link>http://www.coretraceblogs.com/2009-11/60-minutes-highlights-threats-to-our-power-grid/</link>
		<comments>http://www.coretraceblogs.com/2009-11/60-minutes-highlights-threats-to-our-power-grid/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 16:15:28 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[electric grid]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[NERC]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=829</guid>
		<description><![CDATA[If you missed it this weekend, I am including a link to the 60 Minutes special on cyber security as well as embedding the video below. The episode is a sobering look at the threats not only to the systems that comprise our power grid, but it also sheds light on just [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_double">If you missed it this weekend, I am including a link to the <a href="http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml?tag=contentMain;contentBody" target="_blank">60 Minutes special on cyber security</a> as well as embedding the video below. The episode is a sobering look at the threats to the systems that comprise our power grid, and it also sheds light on just how vulnerable we are as a nation to an online attack.</p>
<p><embed src='http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf' FlashVars='linkUrl=http://www.cbsnews.com/video/watch/?id=5578986n&#038;releaseURL=http://cnettv.cnet.com/av/video/cbsnews/atlantis2/player-dest.swf&#038;videoId=50079282&#038;partner=news&#038;vert=News&#038;si=254&#038;autoPlayVid=false&#038;name=cbsPlayer&#038;allowScriptAccess=always&#038;wmode=transparent&#038;embedded=y&#038;scale=noscale&#038;rv=n&#038;salign=tl' allowFullScreen='true' width='425' height='324' type='application/x-shockwave-flash' pluginspage='http://www.macromedia.com/go/getflashplayer'></embed></p>
<p class="margin_bottom_double"><a href='http://www.cbsnews.com'>Watch CBS News Videos Online</a></p>
<p>The story begins with an interview of Admiral Mike McConnell, former chief of national intelligence, who has this to say:</p>
<blockquote>
<p>&#8220;If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker,&#8221; McConnell explained.</p>
<p>&#8220;Do you believe our adversaries have the capability of bringing down a power grid?&#8221; Kroft asked.</p>
<p>&#8220;I do,&#8221; McConnell replied.</p>
<p>Asked if the U.S. is prepared for such an attack, McConnell told Kroft, &#8220;No. The United States is not prepared for such an attack.&#8221;</p>
</blockquote>
<p>As someone who has worked in the computer industry for over 20 years, I know it is often easy to look at compliance requirements as a necessary evil that brings very little real value to business. In the case of regulations governing security on the Internet, like the North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) guidelines, their goal is nothing short of our national security.</p>
<p>In general, this was a very thorough piece that not only deals with grid security, but also highlights recent Internet-based attacks and provides details of how important it is to defend all of our critical systems. If you have some time today, this segment is certainly worth watching.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-11/60-minutes-highlights-threats-to-our-power-grid/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>NERC CSO Michael Assante Testifies Before Congress About Cyber Attacks</title>
		<link>http://www.coretraceblogs.com/2009-07/nerc-cso-michael-assante-testifies-before-congress-about-cyber-attack/</link>
		<comments>http://www.coretraceblogs.com/2009-07/nerc-cso-michael-assante-testifies-before-congress-about-cyber-attack/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 20:33:47 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[rational transition to whitelisting]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[electric grid]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[proactive]]></category>
		<category><![CDATA[rational transition]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=282</guid>
		<description><![CDATA[This week Michael Assante, the Chief Security Officer (CSO) for the North American Electric Reliability Corporation (NERC), testified before Congress about the threats facing the modern electric grid. The focus of this testimony in particular was the readiness of the systems comprising the electric grid to defend themselves against cyber attacks. At the beginning of [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.coretraceblogs.com/wp-content/uploads/2009/07/iStock_powergrid-303x201.jpg" alt="NERC CSO Assante Speaks Before Congress about Defending Energy Grid" title="NERC CSO Assante Speaks Before Congress about Defending Energy Grid" width="303" height="201" class="alignright size-medium wp-image-287" />This week Michael Assante, the Chief Security Officer (CSO) for the North American Electric Reliability Corporation (NERC), <a href="http://www.nerc.com/news_pr.php?npr=359" target="_blank">testified before Congress about the threats facing the modern electric grid</a>. The focus of this testimony in particular was the readiness of the systems comprising the electric grid to defend themselves against cyber attacks. At the beginning of his testimony, Mr. Assante called out the unique aspect of the dangers posed by a cyber attack and why that was so concerning to him.</p>
<blockquote>
<p>&#8220;Unlike other concerns, such as extreme weather, security-related threats can be driven by malicious actors who intentionally manipulate or disrupt normal operations as part of a premeditated design to cause damage. Cyber-related threats pose a special set of concerns in that they can arise virtually anytime, anywhere and change and emerge without warning.&#8221;<span id="more-282"></span></p>
</blockquote>
<p>He continues:</p>
<blockquote>
<p>&#8220;While the industry deals with some physical security events, like copper theft, on a regular basis, other technical threats or hazards, such as electromagnetic pulse and space weather, are a concern and will require careful consideration to develop appropriate and effective mitigations. Cyber threats to control systems are still evolving and are not yet fully understood. The potential for an intelligent attacker to exploit a common vulnerability that impacts many assets at once, and from a distance, is one of the most concerning aspects of this challenge.&#8221;</p>
</blockquote>
<p>One of the reasons why cyber attacks are so concerning to those who are responsible for our energy grid is that these types of attacks simply do not fall within the design for reliability and disaster recovery that the energy systems were built for. Reliability of our energy grid has been of paramount importance since its inception, and as such it was designed to be able to respond to a system failure without interruption of power to the homes it served. Unfortunately, this disaster preparedness focused on recovering from the failure of one system and using other systems to compensate during that time; this is often referred to as N-1 preparedness. In a cyber attack, there is the potential for widespread disruption of these same systems, creating an N-x problem where more than one system is down and the plan for compensation by other systems will potentially not be adequate.</p>
<p>Mr. Assante goes on to describe that one of his top priorities is preparing the operators of the energy grid against new and not fully understood cyber attacks. To address this to some extent, he has developed a notification process where operators of the grid can be immediately notified of a pending threat. He calls out their efforts around the Conficker worm:</p>
<blockquote>
<p>&#8220;NERC&#8217;s recent work to alert the industry of the Conficker worm, including lessons learned on mitigation, involved the issuance of one recommendation, two advisories, and an awareness bulletin over the span of six months. These efforts significantly contributed to overall preparedness and awareness of the underlying vulnerability and cyber threat.&#8221;</p>
</blockquote>
<p>Unfortunately, it has been proven time and again that a simple after-the-fact notification, while helpful, cannot defend in the long term against serious threats that can cause widespread disruption to critical systems. After-the-fact technology and processes simply don&#8217;t work.</p>
<p>More than ever, it is time for protective systems that can prevent threats without ever having to know about them. This was the focus of a recent blog entry titled &#8220;<a href="http://www.coretraceblogs.com/2009-07/endpoint-protection-a-case-for-a-rational-transition-to-whitelisting-step-1-protect/" target="_blank">Endpoint Protection – A Case For a Rational Transition to Whitelisting: Step 1 Protect.</a>&#8221; Protecting critical endpoint systems against unknown threats is possible today with application whitelisting and should be a top priority.</p>
<p>It should be no surprise that adoption of application whitelisting is being led by industries that have the most critical security needs. In the case of satisfying NERC CIP requirements, application whitelisting goes beyond meeting the letter of the regulations; it accomplishes the spirit of the regulations by dramatically enhancing the protection of those systems that are critical to the continued functioning of our energy grid.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2009-07/nerc-cso-michael-assante-testifies-before-congress-about-cyber-attack/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

