Washington loves a good acronym, and when it comes to cyber
security, Richard Clarke has a great one: CHEW.
The renowned national security expert who served three presidents as
senior White House advisor spoke last week at ABB’s Western Utility Executive
Conference in Pebble Beach, CA, and outlined what he sees as the four main
threats in cyber security. They are, in
order: crime, “hacktivism, "espionage
and war.
On this last element, Clarke made the point that cyber war
was not merely scrambling databases in some faraway computer system, but using
digital means to affect the same ends as conventional war, namely “blowing
things up.”
That may have sounded a bit hyperbolic, but Clarke offered
numerous examples not only of potential threats but of cyber attacks already
carried out. So far, these have been
limited to less explosive, but no less effective, results such as the
presumably Russian effort to wall off Georgia’s access to the internet and
disrupt its banking system during the 2008 South Ossetia war.
Indeed, Clarke noted, breaches are happening every day and
he expressed particular concern over the power grid as “the first target
everyone talks about because everything depends on electric power.”
He also spoke plainly about what he saw as a widely held impression
in Washington that the power industry is “resistant” to dealing with the cyber
security issue, seeing it as an invitation to burdensome regulation.
Clarke’s remarks were followed by a panel discussion led by
Industrial Defender CEO Brian Ahern that included DTE Energy Division
Information Officer Mike Carlen, Commonwealth Edison Vice President of
Information Technology Mark Browning, and FirstEnergy Vice President of
Distribution Support Steve Strah.
Ahern began by seemingly confirming the Washington
consensus, at least in retrospect, by noting that the early days of his company
were spent evangelizing the importance of cyber security to a power industry
that at the time did not see it as something broken that needed to be
fixed. That was then.
Stuxnet, in particular, served as a wake-up call and now
Ahern finds a much more receptive audience in the utility C-suite. This was borne out by unanimity among the
panelists in terms of a) recognizing the threat of cyber attack is real and b)
making a financial and managerial commitment to addressing it.
“The cost of doing nothing is far too much,” said
FirstEnergy’s Strah. “Presented with
relevant facts regarding cyber security incidents, from a risk management
standpoint, we have to take it seriously.”
To be fair, what resistance there is in the industry can be
chalked up to the challenge of simply getting a large entity like a utility to
embrace change. This is culture shift on
a massive scale, and it will take time.
However, regulators have a role to play, too.
NERC’s current cyber security regime, for example, requires
some parts of the utility’s network to be secured while others are not. That could be problematic. Ahern said he expects NERC will soon extend
its Critical Infrastructure Protection (CIP) requirements beyond the generation
and energy management systems it covers today to include all aspects of utility
operations. In the meantime, though,
utilities will have to manage their compliance with an evolving standard.
Compliance and security are two different things, however,
and as DTE’s Carlen stated, “Security trumps compliance.”
“We will be compliant,” he said “but being compliant does
not guarantee you are secure.”
The three utilities represented on the panel are therefore
moving forward aggressively to propagate a culture of security, not simply
compliance, across their organizations.
Still, that won’t be enough, according to Clarke. Given how reliant all industries are now on
third party software, he encouraged the executives in attendance to look beyond
their own companies and apply the same rigor to their supply chains as they do
to their own operations. He described the need to build security into the
development process from the very beginning, and cited the financial services
industry as one sector that has done this with some success.
Clearly there is much to do on all sides, but government and
industry would be well advised to adopt a cooperative approach when it comes to
cyber security.
“Government should be rewarding the private sector for
investments in cyber security,” said Ahern, and he pointed out the importance
of safe harbor protections so companies can share information about attacks as
well as best practices without fear of legal retribution.
Leveraging each other’s experiences, he explained, is the best
roadmap to a more secure power grid.
Hi!
ReplyDeleteHow can I solid databased problem with my POS device? I got security problems with it
http://poswashington.com/
To Cole Ward
ReplyDeletePlease check this instruction:
http://pos-co.com/
It's gonna help you to tune database on my POS device! If you got any question please give me know!