Slashdot Mirror
Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools
coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."
easy - a pair of wire cutters and firing of those responsible for hooking up naively coded devices to untrusted networks.
"interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."
Choose two.
Software solutions are all well and fine, but I find it highly ironic that the menace comes from the internet, an offspring of a DARPA grant that had reliability and redundancy at its core. Granted, the possibility of somebody lobbing H bombs has receded since the cold war, but a little physical investment would do a power of good, especially since it would cost a fraction of the subsidies sunk each year in renewable energy.
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
Problem solved
-jX
Don't you just love politics? It's like a comedy of errors.
just dont attach it to the interwebs LOL
oh my what idiot designed it all should be shot
Wasn't the cyber threat to our critical infrastructure overblown by DHS and CyberCom just to get a bigger budget? Why is DOE so concerned that they're going to spend 20 million of their current budget?
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
The quantity drop down only goes to 30. We are going to need a few more if we are going to secure our infrastructure in a timely manner.
LOL! finally a true fix that gets to the root of the problem..
There isn't one word in the referenced article that is specific to energy delivery systems.
These guys are asking for the silver bullet to solve any cyber security problem in any system from any threat. The reward:, a measly 20 million.
Unplug it from the net!
Do I get my 20 million?
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
1) Interoperable
2) Scalable
2a) Cost-effective
2b) Advanced
2c) Does not impeded critical energy functions
2d) Innovative
2e) I.) Easily commercialized
2e) II.) Or, made available through open source
2d) No cost.
Per your request ID (#42865935), we have met your requirements and expect work to implement the product to commence immediately.
Cordially ruling in your best interest,
- The Government
(at least now we know what "step 2) ????" is)
PocketPermissions Android Permission Guide
As far as identifying and responding to intrusions, it seems everything is already there, just needs to be implemented with agents that can monitor controllers, which I'm sure has already been coded anyway. Mashups of current security tools like SecurityOnion http://securityonion.blogspot.com/ would be a good starting point methinks.
Namaste
Comments of the type "just don't connect to the Internet" are a little short-sighted. Much of the energy, water, wastewater, etc. etc. infrastructure is remote. Think substations, liftstations, pumpstations, smart switches, etc. etc. For some of these a dedicated network may make sense, but there's a huge cost saving in using the existing networking buildout, ie the Internet, to monitor and indeed control these types of facilities. Many of these are small, a controller, something that does something (pump, switch, whatever) and a small amount of monitoring.
Securing this IS a challenge, espeically since the vast majority of the equipment used in these facility was (and continues to be) designed with no inherent security, but having someone drive to a remote facility to check it, or install an end-to-end custom network is a much bigger project and is simply not possible - taxpayer would (rightly) object to the cost.
There are many other situation where there is a solid "business case" for having an asset connected to the Internet, remote maintenance, tracking, etc. Not necessarily as critical, but would still benefit from a secure solution.
TLDR of the whole topic: Can't prevent layer 8 malfunctions via any method at any lower level 1-7. There is NOTHING the techs can do if mgmt fails. No checkbox can save them, no silver bullet can save them...
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
That's 20 times as much as for Dorner. Where is the equality?
I work for an ISP. Dedicated solutions aren't all that hard or expensive. They're just usually slow. Most cash registers have less than a 56k connection, but they never touch the internet. The problem is the government loves to overspend, and overplan. So I'm sure their plan involves full HD realtime video of the facility or some other stupid shit they don't need on their secured network. Put command and control on your private network. Put your security cameras on... well anything else.
Even if you can't justify a full rocking-it-old-school-with-our-own-private-leased-lines-from-everywhere-to-everywhere, you'd still hope that(given the truly deplorable state of the various devices in important places), you could spring for a logically isolated network running on top of your cheap internet connection.
VPNs and such add additional complexity, and aren't invulnerable by any means; but there is a middle ground between 'physically private network' and 'on the internet', which at least allows you to reduce the number of externally visible devices(and make it so that the externally visible devices are dedicated network security gear, ideally built by people who know about network security, rather than dedicated industrial control devices built by people who know about industrial controls and...less... about security).
do not impede critical energy delivery functions
Sorry but security is all about impediment. I am going to get jumped all over for saying this but its true.
People attempt to do bad things when three forces meet: opportunity, pressure, and rationalization whether that last one is because "Dear Leader told me too" or "I deserve it" is immaterial.
There is nothing you can do in software about the last two. So that leaves opportunity as the only high ground on which to mount a defense. Guess what that means impediment is just about your only tool. Good luck upgrading all those ancient controllers to use solid authentication, and integrity protocols. Good luck tasking the folks who have been ignoring these problems for the past 20 years (best case), or doing it wrong getting lucking and thinking themselves clever (more likely). Expired certificates etc if they are actually checked will be an impediment. Offline those old EDI systems while everyone figures out how to do sftp will be a problem when nobody knows how to keep control of their know host keys; and those are just some of the easy ones.
The Feds need to pull their heads out of there ass and realize security is about doing the right thing everywhere all the time. Process Process Process. All the technology in world won't help you unless people do the right thing. The Superbowl gate crashes should have tough them that. Computer security is no different. Sure technology can help. Its wonderful today that we have the scalability to do inline IPSing and a firewall can stop things like SQL Slammer (when signatures exist). Won't do a lick of good if some admin decides to turn it off to trouble shoot and than goes "welp everythings working and i feel like headed hope now so, f**k it deal with tomorrow".
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
To add insult to injury, the power companies in my state are 100% private companies. So here we go bailing out private companies using tax payer money to fix a problem cause by their short sightedness. This again is a failure of capitalism or should I say another success of private industry externalizing the risk and privatizing the profits. I say fuck 'em. Let them use their profits to fix this problem they created.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
Warning: may have backdoors planted by People's Liberation Army.
Questions raise, answers kill. Raise questions to stay alive.
Dried dung! It's scalable and very easy to distribute. Just wash your hands after collecting it!!! Try to plug your thumb drive into that assholes!!!!
My karma is bad. Don't get too close!!!
Here's a solution -> hire a bunch of BOFHs to do your security for you. True, you have to keep them happy, but the upside is that security could never be tighter / more fatal for anyone trying to crack your network.
In other words, go find some out of work network admins, the older the better, and employ them in this capacity. They know how to make things pretty air-tight (usually), but are rarely directed to do so (because people HATE it when security is ramped up to Defcon 0; it makes getting work done somewhat difficult, but in theory, very secure). They will, in theory, employ several different strategies to secure their networks, to the insane point of watching the bits crawl across the wire with human eyes to detect patterns that shouldn't be there. There is no magic wand for network security -> if you want to keep humans (and AIs) out, you need to employ comparable assets.
I am John Hurt.
1) SCADA networks don't get to company Intranets or the Internet.
2) Disable any portable access devices, from USB ports (thumb drives etc.) to CD/DVD optical drives.
3) All software is clean room tested and deployed by technicians. Only authorized Technicians are allowed to install or change any software configuration on the system.
4) Vulnerability Testing is done in an isolated lab environment to weed out any potential problems with the system.
5) When in doubt, repeat starting at step #1
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Seriously: water, power, and other critical utility infrastructure providers are not a low density/low volume market. There are large enough economies of scale such that there should really be no discussion here. There should be a separate physical network for these industries.
Air gap the network, heck, develop and mandate totally new hardware interconnects to ensure some moronic PHM or more likely brain dead network admin isn't physically capable of connecting COTS hardware to SCADA hardware.
There is absolutely no reason for any of this stuff to be directly accessible to the public internet, the utility provider can very well have some data diode http://en.wikipedia.org/wiki/Unidirectional_network/ to provide metering information on the public internet side, but there absolutely should be no bidirectional links between the command and control network and the public internet
There would be no astronomically expensive software validation necessary if these industries were mandated to require Hardware level compartmentalization, which funnily enough a custom hardware solution would be orders of magnitude cheaper and deployable now rather than some pie in the sky (never going to happen) software based solution that the "Tube" worshiping ludites in Washington think can actually be created
-RS
How about 20 billion? They sure as shit dont mind spending that on guns. Tech can do MUCH more damage.
made available through open source for no cost."
"The US Department of Energy today said it would spend $20 million
So $20 million is free to them?
That explains a lot...
No, the obverse is true.
Connecting these gadgets to the internet is the short sighted "solution", which has caused more problems than it solved.
When building infrastructure, isn't it more intelligent to build the INFRASTRUCTURE? Run a wire out to the gadget, directly from the control station!! Not wireless, but a wire!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
(Posting anonymously for reasons that will become apparent.)
So they want to spend $20M for technology that's going to improve security? Well, here's an idea: hire more people at these critical energy companies. I work for one, and let me tell you, we're already passing up technology we could be using because none of us have the fricken time to learn it, propose a baseline configuration and integrate it into our existing processes.
I could go on, but it burns me that we're obviously short on manpower. We're not being trained in or using the technology we have to secure our systems but they'll spend money on new shiny stuff.
just make sure it is not connected to the internet and wireless and that there are no devices connected to the network with internet and I think you own 90% of the battle. the other 10% is users.... sadly!
Yea... few things wrong with this.
1) Managers will want to see the data produced from a SCADA system. From the intranet. From home. From anywhere. Small utilities don't have 24/7 control centres, so they will have people operating the system from their homes after hours. You need to get real here. You will connect it to the internet, using secure methods. SCADA networks aren't often air gapped except for the radio links.
3) Yep, usually, but sometimes see 4)
4) You have to be a pretty decent sized organisation or a wealthy one to do this. Small utilities aint got time for that.
In the real world sometimes you have to make compromises on functionality, security, effort and cost. Sometimes a risk of less security is justified. Just make sure you know what to do when shit happens.
And that's why there are exposures to hacks and other vulnerabilities. There are ways of providing data without compromising the integrity of the network and while I agree that small players may have more economic challenges in securing their infrastructure they have to have a minimum level of competency to guarantee that some damn worm, malware or an inadvertent "aw shit" from a technician doesn't take them out of operation or do permanent damage. Yes, I agree with you that management personnel are the weakest link here and while a technician may push back, if the boss says "do it" you either comply or find another job. That's precisely the reason why the problem isn't necessarily a technical one, but also one of awareness and training.
How about a piece of financial malware hitting a SCADA network because of the very convenience you mention? It's already happened.
http://www.automationworld.com/power-plant-line-three-weeks-due-malware . In this case, it was a mistake, an over zealous IT department policy and the ubiquitous USB thumb drive of death but like Chernobyl, you take one of these things out of the equation and the plant wouldn't have been offline. Also, if I were on the Board of Directors overseeing this company that owned the plant, I'd ask WTF does an IT department have domain over the SCADA system that runs the plant in the first place?
What's also coming to light is that many of the system integrators and providers of SCADA network enabled hardware build these things in closed networks and have no concept or concern for integration issues or vulnerabilities with IP based Intranets or Internets and mixed traffic scenarios. That alone means that SCADA networks must be isolated, locked in cages if necessary to prevent inadvertent tapping or cross switching between it and the company office LAN. One thing that always bothers me is that there's companies with SCADA systems deployed on common company infrastructure and the technicians who installed it believe that since it's on a seperate VLAN it's "Secure." That is until somebody crosses one of the VLANs up or they get affected by a cross VLAN problem such as an inadvertent cross VLAN route, or a network attack where the switch infrastructure is compromised and now the SCADA VLANs are susceptible.
It also doesn't have to be power plants. I've seen passenger locomotives disabled when innocuous data collection systems were introduced into a well engineered SCADA OEM system completely disabling functionality and stranding passengers. Poor design was at fault as well as poor reverse engineering and full understanding of the problem space but it happens all the time when a vendor is trying to deliver under a contract.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
[unplugs Ethernet cables]
'That will be $20 million, please.'
I agree with most of what you are saying, but I still don't see a need to completely isolate (physically) SCADA from other networks - it can be done in a pretty secure manner. For an example, in my country the National Grid System Operator provides access to its SCADA Network to distributors essentially by a giant VPN. If we didn't have this access we would be back to the days of ringing up the System Operator to do network switching by telephone.
The problem of IT running SCADA systems is a big one, I think that a lack of people skilled in all parts of a SCADA system (radio, electrical engineering, IT, networking etc) is part of the issue , which can create an opportunity for IT to take over.