Rumors that the Internet would crash on Monday brought the continuing issue of infrastructure security back into the spotlight.
As it turns out, fears that malware called DNSChanger, discovered in 2007, would cause widespread Internet outages on July 9 were largely the result of some facts muddled by misunderstanding and stirred by speculation, an FBI spokesperson told TransmissionHub on July 9. “If there have been issues, they have not risen to [the Bureau’s] level,” the spokesperson said.
Regardless, legitimate threats remain and cybersecurity experts continue their ongoing efforts to stay one step ahead of the “black hats,” as computer criminals are known.
To that end, more security professionals are focusing on the nuts and bolts of what works when it comes to keeping black hats at bay, according to several experts.
Cybersecurity expert Joe Weiss, the author of the book “Protecting Industrial Control Systems from Electronic Threats,” is among them. Weiss has worked in the industry for 35 years, including more than 14 years at the Electric Power Research Institute (EPRI), where he led a variety of programs, including cybersecurity for digital control systems.
He will hold his 12th annual security conference, which will focus on results, in October in Norfolk, Va., he told TransmissionHub.
Sharing of the nuts and bolts of cybersecurity among industry professionals is vital, Weiss said, because even without nefarious intent, the industry has become so reliant on cyber technology that outages are bound to happen.
“We’ve already had three major cyber-related outages, none of which the NERC [critical infrastructure protection] standards could have prevented,” he said, pointing to the northeast blackout of 2003, the Salt River Project outage of 2007, and the Florida blackout of 2008.
“Every one of those was a control system cyber incident, and every one of those could have been done maliciously,” Weiss said. “That’s the only difference: malicious or unintentional – because it was absolutely control system cyber. Period.”
While an implicit objective of the conference is to foster improvements in critical infrastructure security, Weiss said, “The conference is about what works, not about compliance.”
He noted that the focus of most cybersecurity conferences is compliance with rules or standards.
That is just a small part of the overall picture, according to one chief security officer who spoke to TransmissionHub on background. “Compliancy is only about ensuring you have effective general computing controls in place to protect data,” the security officer said. “It’s a baseline only.”
Weiss said his conference will bring together the key people in control systems cybersecurity for candid discussions of current relevant industrial control systems (ICS) cybersecurity issues.
At the conference, Weiss plans open sharing among facility operators, IT professionals, government representatives and academics of what has happened in terms of cyber-attacks against control systems, what has worked and what has not.
Unlike many conferences that deal with security issues in the abstract, Weiss said his conference will focus on sharing lessons learned from the most recent incidents, including open information-sharing within what Weiss calls “a trusted community” of ICS users, vendors and system security vendors.
“That type of honest discussion is something that’s seldom, if ever, done,” Weiss said.
“His premise is a good one,” Jim Schinski, chief information officer for PPL (NYSE:PPL), told TransmissionHub. “Most cyber experts advance their skills through a combination of experience, experimentation, tight-knit networks of trusted peers and exposure to vendors and government [experts].”
At the conference, experts will discuss the work done for a domestic utility that uses control system components from a variety of suppliers. In that case study, the utility and participating ICS suppliers will share lessons learned during their project to secure legacy ICSs for reliability.
Other discussions will focus on myths and lessons learned from implementing hardware solutions for the Aurora vulnerability that, according to Weiss, affects almost every substation. Representatives from a utility that has instituted a fix against the vulnerability will candidly discuss their experience, both with the vulnerability and with the measures to protect against it.
Participants will also discuss the details of a project to secure a nuclear plant overseas in a more comprehensive manner than has been done at any nuclear plant in the United States, Weiss said.
To keep the information out of the hands of computer criminals, the conference is a closed-door affair, conducted with an uncharacteristically low-tech approach.
“No presentations will be posted online, nothing will be put out that can be shared too easily,” Weiss said.
In addition, potential conference registrants will be vetted before they’re allowed to register. “We look at who it is and ask if it makes sense,” he said.
Nor are conference sessions open to the news media.
The goal of the conference, Weiss said, is to get control system experts from different industries together to discuss the hands-on work needed to secure control systems and networks so they continue to work safely and reliably.