Slashdot Mirror


Department of Energy Invests $50 Million To Improve Critical Energy Infrastructure Security (helpnetsecurity.com)

Orome1 shares a report from Help Net Security: Today, the Department of Energy (DOE) is announcing awards of up to $50 million to DOE's National Laboratories to support early stage research and development of next-generation tools and technologies to further improve the resilience of the Nation's critical energy infrastructure, including the electric grid and oil and natural gas infrastructure. The electricity system must continue to evolve to address a variety of challenges and opportunities such as severe weather and the cyber threat, a changing mix of types of electric generation, the ability for consumers to participate in electricity markets, the growth of the Internet of Things, and the aging of the electricity infrastructure. The seven Resilient Distribution Systems projects awarded through DOE's Grid Modernization Laboratory Consortium (GMLC) will develop and validate innovative approaches to enhance the resilience of distribution systems -- including microgrids -- with high penetration of clean distributed energy resources (DER) and emerging grid technologies at regional scale. The project results are expected to deliver credible information on technical and economic viability of the solutions. The projects will also demonstrate viability to key stakeholders who are ultimately responsible for approving and investing in grid modernization activities. In addition, the Department of Energy "is also announcing 20 cybersecurity projects that will enhance the reliability and resilience of the Nation's electric grid and oil and natural gas infrastructure through innovative, scalable, and cost-effective research and development of cybersecurity solutions."

2 of 51 comments

  1. Re:$50 million = half an F-35 Fighter Jet by pntkl · Score: 1, Interesting

    Of course, energy security isn't nearly as important to Americans as.......

    Energy security should be among the top items of the list of critical needs. We could certainly afford to invest heavily. A great crux of the problem is that it requires adapting to its realities, after we hit key milestones/plateaus. With optimal handling of energy markets, we could likely diminish corruption and more importantly diminish difficult to measure discrepancies in reporting, without providing a broken vacuum that requires immediate fulfillment. It could even provide an outlet for abandoning fiat currencies and fractional reserve banking. However, such changes would likely require drastic changes for much of the status quo. People would have to put aside many ideas they've hurt one another over, time and time again.

    Hard to believe our leaders collectively plan for our survival beyond a few fleeting moments with such abysmal investment in things like energy security--it seems largely left to the fortunes or misfortunes of the market. Natural monopolies that last longer than the limitations of technology dictate them being natural end up asking us to call their great depletion a favorable gain (bah). And apparently, we are still collectively okay with our state of being. We all seem to quickly forget what we see each time we walk away from a mirror.

  2. Well by buss_error · Score: 4, Interesting

    I'm all for that. But how expensive is it to block port 23 and change the BIOS of SCADA systems so that the first thing to be configured is a password?

    I have seen power, water, sewer, and traffic systems put into production with an internet gateway that had telnet open, with default admin credentials that are well known.

    I have a few "go to" things for the rare occasions I'll take a consulting gig on.

    1. nmap the device. Secure the open ports.
    2. No default passwords, and it's best if you can change the admin account name to something non-standard.
    3. patch patch patch
    4. Secure SSH so that only ssh key access is allowed. No username/password.
    5. Create a key for each device. Best if you create the key with a password - I usually use the serial number of the device obfuscated. So if the serial number is 123, then the password for that key would be zyx or some simple transposition. I usually use a 10 letter word whose letters don't repeat. INTRODUCES, BLOCKHEADS, CORNFLAKES - and I usually say order them so it doesn't spell a word. EG: BLOCKHEADS to ABCDEHKLOS. And change the key based on the third or second to last number.
    6. firewalls, firewalls, firewalls. Limit port access to only those IPs you know and control.
    7. Trust nothing completely. Defense in depth.
    8. Construct "alarm" data and configure deep packet inspection to look for those alarm data and trigger an alert.
    9. Ensure you have a panic button to shut down the network.

    There are other things, a bit more subtle to go into.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
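
An added example, not part of the original comment or of any tool it mentions: a small audit for items 1 and 4 of the checklist above, flagging open ports outside an allowlist in `nmap -oG` output and checking that an `sshd_config` really enforces key-only login. The sample scan, the sample config, the allowlist and the function names are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```python
# Added example; every sample value below is constructed.
NMAP_GREPABLE = (  # shape of `nmap -oG -` output; 192.0.2.10 is a documentation address
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/closed/tcp//http///, 502/open/tcp//mbap///\n"
)
SSHD_CONFIG = """\
# constructed sshd_config: the later 'no' does not override the earlier 'yes'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""
ALLOWED_PORTS = {22}  # assumption: SSH is the only service meant to be reachable

# Upstream OpenSSH defaults, applied when a keyword is absent (distributions may differ).
SSHD_DEFAULTS = {"passwordauthentication": "yes",
                 "kbdinteractiveauthentication": "yes",
                 "pubkeyauthentication": "yes"}
KEY_ONLY = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}

def unexpected_open_ports(grepable, allowed=ALLOWED_PORTS):
    """Return (host, port, service) for every open port outside the allowlist."""
    findings = []
    for line in grepable.splitlines():
        fields = line.split("\t")
        if not fields[0].startswith("Host: "):
            continue
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(","):
                p = entry.strip().split("/")  # port/state/proto/owner/service/...
                if len(p) >= 5 and p[1] == "open" and int(p[0]) not in allowed:
                    findings.append((host, int(p[0]), p[4]))
    return findings

def sshd_key_only_findings(config):
    """Return keywords whose effective global value breaks key-only login."""
    effective, seen = dict(SSHD_DEFAULTS), set()
    for raw in config.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":  # only global settings are audited here
            break
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        if key in effective and key not in seen and len(parts) > 1:
            effective[key] = parts[1].lower()
            seen.add(key)  # sshd keeps the first value it obtains for a keyword
    return sorted(k for k, want in KEY_ONLY.items() if effective[k] != want)
```

On the constructed input the port check reports telnet (23) and port 502, and the SSH check reports both `passwordauthentication` and `kbdinteractiveauthentication`, the first because sshd honours the earlier `yes` line and the second because it is never set.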