Slashdot Mirror


Feds Offer $20M For Critical Open Source Energy Network Cybersecurity Tools

coondoggie writes "The US Department of Energy today said it would spend $20 million on the development of advanced cybersecurity tools to help protect the nation's vulnerable energy supply. The DOE technologies developed under this program should be interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

16 of 56 comments

  1. wire cutters by Anonymous Coward · · Score: 3, Insightful

    easy - a pair of wire cutters and firing of those responsible for hooking up naively coded devices to untrusted networks.

    1. Re:wire cutters by icebike · · Score: 2

      Given the amount of trouble I have convincing supposedly intelligent people NOT to hook things up to our control network willy-nilly, I certainly agree with this sentiment.

      While that might be part of the solution, remember that Stuxnet was delivered on a thumb drive.

      Also remember that you need some computer system for plant management in the modern world. If not for doing actual machine control, at least for doing monitoring and reporting. And therein lies the problem. Even if you air-gap your control network from your corporate net, you have to put stuff onto the control net and take stuff off. And you still end up hooking a lot of machine controllers to your control network.

      Other than physically locking the cable plant, removing USB ports, diskette drives, and wifi, you are always going to face the possibility of rogue software creeping onto your control net somehow.

      Maybe it would be easier to detect, profile, and filter machine control at the transmission layer than to rely solely on preventing any future camel from getting its nose under the tent.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:wire cutters by Type44Q · · Score: 2

      While that might be part of the solution, remember that Stuxnet was delivered on a thumb drive.

      That's why the other half of the solution is "don't run your centrifuges with the same damp, soggy operating system that you use to connect to the Internet"... :p

    3. Re:wire cutters by Shoten · · Score: 2

      Check out the latest edition of the ICS-CERT journal. Replacing Ethernet with USB drives or other media...and you cannot do offsite backups without them, mind you, nor can you offload data for analytics, reporting, or support any other way...is not really an air gap. All it does is remove some degree of vulnerability while greatly hindering your ability to do things like patch management, security monitoring (are you going to put a separate Nitro Security or ArcSight instance into every power plant, with its own dedicated staff? Good luck getting funding for that...), antivirus updates (hint: this was what went wrong in the incident described by ICS-CERT because of the airgap) and remote emergency management. Oh, and also say goodbye to grid balancing, AMI, energy trading, remote dispatching...what else am I forgetting, because there are a whole lot of different functions that are critical to the power grid that require data exchange.

      Even nuclear power plants aren't airgapped anymore. They use data diodes to help protect themselves...but unfortunately, that solution is beyond the budgets of what power companies have for each of their environments, and a lot of what they need to do requires two-way communications as well. It's very easy to say "oh, air gap it...if you don't, you're a moron." The reality, however, is that you can't actually do that in the power industry anymore, for the same kinds of reasons why financial institutions gave up on that long ago.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    4. Re:wire cutters by innerweb · · Score: 2

      I run my centrifuges on AmigaOS. No problems ever.

      --
      Freud might say that Intelligent Design is religion's ID.
  2. 20 million government project? by trdtaylor · · Score: 5, Funny

    "interoperable, scalable, cost-effective advanced tools that do not impede critical energy delivery functions, that are innovative and can easily be commercialized or made available through open source for no cost."

    Choose two.

  3. Hmm... I can do this for a fraction of the cost... by JimXugle · · Score: 2
    --
    -jX

    Don't you just love politics? It's like a comedy of errors.
  4. Re:Hmm... I can do this for a fraction of the cost by stewsters · · Score: 3, Funny

    The quantity drop down only goes to 30. We are going to need a few more if we are going to secure our infrastructure in a timely manner.

  5. Gov't Response by alostpacket · · Score: 4, Funny

    1) Interoperable
    2) Scalable
    2a) Cost-effective
    2b) Advanced
    2c) Does not impede critical energy functions
    2d) Innovative
    2e) I.) Easily commercialized
    2e) II.) Or, made available through open source
    2d) No cost.

    Per your request ID (#42865935), we have met your requirements and expect work to implement the product to commence immediately.

    Cordially ruling in your best interest,
    - The Government

    (at least now we know what "step 2) ????" is)

    --
    PocketPermissions Android Permission Guide
  6. Re:Hmm... I can do this for a fraction of the cost by Art+Challenor · · Score: 3, Insightful

    Comments of the type "just don't connect to the Internet" are a little short-sighted. Much of the energy, water, wastewater, etc. etc. infrastructure is remote. Think substations, liftstations, pumpstations, smart switches, etc. etc. For some of these a dedicated network may make sense, but there's a huge cost saving in using the existing networking buildout, i.e. the Internet, to monitor and indeed control these types of facilities. Many of these are small, a controller, something that does something (pump, switch, whatever) and a small amount of monitoring.

    Securing this IS a challenge, especially since the vast majority of the equipment used in these facilities was (and continues to be) designed with no inherent security, but having someone drive to a remote facility to check it, or install an end-to-end custom network is a much bigger project and is simply not possible - taxpayers would (rightly) object to the cost.

    There are many other situations where there is a solid "business case" for having an asset connected to the Internet, remote maintenance, tracking, etc. Not necessarily as critical, but would still benefit from a secure solution.

  7. TLDR by vlm · · Score: 2

    TLDR of the whole topic: Can't prevent layer 8 malfunctions via any method at any lower level 1-7. There is NOTHING the techs can do if mgmt fails. No checkbox can save them, no silver bullet can save them...

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  8. Hmm the part that bothers me is by DarkOx · · Score: 2

    do not impede critical energy delivery functions

    Sorry but security is all about impediment. I am going to get jumped all over for saying this but it's true.

    People attempt to do bad things when three forces meet: opportunity, pressure, and rationalization; whether that last one is because "Dear Leader told me to" or "I deserve it" is immaterial.

    There is nothing you can do in software about the last two. So that leaves opportunity as the only high ground on which to mount a defense. Guess what that means impediment is just about your only tool. Good luck upgrading all those ancient controllers to use solid authentication, and integrity protocols. Good luck tasking the folks who have been ignoring these problems for the past 20 years (best case), or doing it wrong getting lucky and thinking themselves clever (more likely). Expired certificates etc if they are actually checked will be an impediment. Offline those old EDI systems while everyone figures out how to do sftp will be a problem when nobody knows how to keep control of their known host keys; and those are just some of the easy ones.

    The Feds need to pull their heads out of their ass and realize security is about doing the right thing everywhere all the time. Process Process Process. All the technology in the world won't help you unless people do the right thing. The Superbowl gate crashes should have taught them that. Computer security is no different. Sure technology can help. It's wonderful today that we have the scalability to do inline IPSing and a firewall can stop things like SQL Slammer (when signatures exist). Won't do a lick of good if some admin decides to turn it off to troubleshoot and then goes "welp everything's working and I feel like heading home now so, f**k it deal with tomorrow".

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  9. Re:Silver Bullet Bargain by bill_mcgonigle · · Score: 3, Informative

    These guys are asking for the silver bullet to solve any cyber security problem in any system from any threat. The reward: a measly 20 million.

    It's a government contract - you don't actually have to deliver. /snark

    But, yeah, for $20M my company could coordinate one hell of an automated crypto system (hardware & software) to layer on top of SCADA gear that would protect it from unauthorized use and of course it would be open source. I can think of a dozen grants that need to happen immediately on various open source networking and crypto software packages to make them better suited for the task. It would not be perfect (it cannot be) but it would be tremendously better than the status quo and it would all be free for deployment on commodity hardware or from an ecosystem of willing cooperators.

    The trouble is, the requirements for government contracting self-select for companies that can't even do the paperwork for less than $20M.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. Re:Hmm... I can do this for a fraction of the cost by penix1 · · Score: 2

    To add insult to injury, the power companies in my state are 100% private companies. So here we go bailing out private companies using taxpayer money to fix a problem caused by their shortsightedness. This again is a failure of capitalism or should I say another success of private industry externalizing the risk and privatizing the profits. I say fuck 'em. Let them use their profits to fix this problem they created.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  11. Allow me by lightknight · · Score: 2

    Here's a solution -> hire a bunch of BOFHs to do your security for you. True, you have to keep them happy, but the upside is that security could never be tighter / more fatal for anyone trying to crack your network.

    In other words, go find some out of work network admins, the older the better, and employ them in this capacity. They know how to make things pretty air-tight (usually), but are rarely directed to do so (because people HATE it when security is ramped up to Defcon 0; it makes getting work done somewhat difficult, but in theory, very secure). They will, in theory, employ several different strategies to secure their networks, to the insane point of watching the bits crawl across the wire with human eyes to detect patterns that shouldn't be there. There is no magic wand for network security -> if you want to keep humans (and AIs) out, you need to employ comparable assets.

    --
    I am John Hurt.
  12. Two Words: Air Gap by rsagris · · Score: 3, Insightful

    Seriously: water, power, and other critical utility infrastructure providers are not a low density/low volume market. There are large enough economies of scale such that there should really be no discussion here. There should be a separate physical network for these industries.

    Air gap the network, heck, develop and mandate totally new hardware interconnects to ensure some moronic PHM or more likely brain dead network admin isn't physically capable of connecting COTS hardware to SCADA hardware.

    There is absolutely no reason for any of this stuff to be directly accessible to the public internet; the utility provider can very well have some data diode http://en.wikipedia.org/wiki/Unidirectional_network/ to provide metering information on the public internet side, but there absolutely should be no bidirectional links between the command and control network and the public internet.

    There would be no astronomically expensive software validation necessary if these industries were mandated to require Hardware level compartmentalization, which funnily enough a custom hardware solution would be orders of magnitude cheaper and deployable now rather than some pie in the sky (never going to happen) software based solution that the "Tube" worshiping Luddites in Washington think can actually be created.

    -RS