Showing posts with label Smart Grid.

Monday, July 22, 2013

Cyber Protection of Critical Infrastructure is becoming "Imperative"

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013

The digitisation of critical infrastructures has provided substantial benefits in terms of socio-economic developments – improved productivity, better connectivity, greater efficiencies. Yet some of these attributes also carry significant risks. Always-on Internet connectivity has ushered in a new cyber-age where the stakes are higher.

Disruption and destruction through malicious online activities are the new reality: cyber-espionage, cyber-crime, and cyber-terrorism. Despite the seemingly virtual nature of these threats, the physical consequences can be quite tangible.

The cyber protection of critical infrastructure has become the most immediate concern for nation states. The public revelation of widespread state-sponsored cyber-espionage presages an era of information and cyber warfare on a global scale between countries, political groups, hacktivists, organised crime syndicates, and civilian society – in short, anyone with access to an Internet-connected device. The focus on cyber security is becoming imperative.

While some industries have had highly advanced cyber-defense and security mechanisms in place for some time (e.g. the financial sector), others are severely lacking and only just starting to implement measures (e.g. energy, healthcare). The drivers for the market in related products and services are numerous, but in large part many will be propelled by national cyber security strategies and policies.

ABI Research estimates that cyber security spending for critical infrastructure will hit $46 billion globally by the end of 2013. Increased spending over the next five years will be driven by a growing number of policies and procedures in education, training, research and development, awareness programs, standardisation work, and cooperative frameworks among other projects.

This Market Data on “Critical Infrastructure Security” breaks down spending for eight verticals: Defense, Energy, Financial, Healthcare, ICT, Public Security, Transport, and Water and Waste Management. The data is split by region (North America, Europe, Asia-Pacific, Latin America, the Middle East & Africa), by sector (private/public) and by type (product/service).

These findings are part of ABI Research’s Cyber Security Research Service.

Monday, June 10, 2013

Securing The Smart Grid

With reports of regular cyber attacks targeting the US smart grid, should UK energy and utilities rethink their approach to security?

"With greater connectivity comes the even bigger need for better energy efficiency, from which the concept of the smart grid was born. The idea of the smart grid is to use IT to gather and act on behavioural information from both consumers and suppliers in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. However, along with higher energy consumption, greater connectivity also entices a far greater number of security risks."

Continue reading on the Guardian Media Network.

Wednesday, October 10, 2012

China Gets Serious about Grid Security

China announced its plans for a massive increase in smart grid security spending in an effort to contain risks that may arise from its aggressive smart grid expansion

What happened

Fears that its rapidly expanding electricity infrastructure may be vulnerable to security and cyber attacks prompted China to announce plans for a staggering increase in smart grid security spending. Representing a compound annual growth rate (CAGR) of almost 45%, grid defense spend will grow from US$1.8b in 2011 to US$50b by 2020.

Background

A new report by the business analysts at GlobalData described China’s smart grid security situation as an anomaly due to the scale of expenditure when compared with that of other regions. For example, Europe and North America combined are predicted to spend a comparatively modest US$16b on cyber security during the same forecast period.

But to put things in perspective, the GlobalData research also offers these insightful observations on China’s grid security policy:
  • China has a strained relationship with a number of nations in relation to cyber security.
  • The United States, in particular, has on several occasions accused Chinese hackers of attempting to breach their power systems.
  • China fears that these accusations may have fostered an environment of mistrust which may lead to retaliatory cyber-attacks on their own power infrastructure.
  • China continues to experience rapid urbanization and to expand its smart grid, which directly results in increased exposure to cyber attacks.

And let us not forget the Stuxnet computer worm discovered in 2010. The Stuxnet example is arguably the most dramatic demonstration of the vulnerability of modern power grids to malicious cyber-attack.

According to GlobalData, “the worm focused on 5 Iran-based organizations and was believed by many to be a deliberate attempt to disrupt the Iranian nuclear power program.”

Serious threats to securing the grid

A Pike Research 4Q 2011 report, entitled Utility Cyber Security: Trends to watch in 2012 and Beyond, identified the following threats to power grids everywhere:  
  • One size doesn’t fit all: cyber security investments will be shaped by regional deployments. As an example, consider smart meter saturation in the US versus EV adoption rates in the Middle East.
  • Industrial control systems, not smart meters, will be the primary cyber security focus. Here, they refer to control systems such as transmission upgrades, substation automation, and distribution automation.
  • Assume nothing: “security by obscurity” will no longer be acceptable. Using the example of the Stuxnet worm, assume attacks are a probability and not merely a possibility.
  • Chaos ahead?: The lack of security standards will hinder action. No industry standards exist.
  • Aging infrastructure: older devices will continue to pose challenges. While modern advanced metering infrastructure (AMI) devices have built-in cyber security, some supervisory control and data acquisition (SCADA) systems are older and have no built-in security features.
  • System implementation will be more important than component security. Cyber security works to protect a whole entity and attackers look for holes.

Wednesday, August 22, 2012

Download: Qualification Requirements for Smart Grid Roles

Exact requirements for those interested in pursuing Smart Grid roles

Smart Grid Careers recently conducted research in conjunction with Zpryme's Smart Grid Insights, and a secondary report was released today outlining the experience, skills and academic requirements for candidates seeking to secure a position in the coveted Smart Grid industry.

Based on feedback from 184 executives responsible for recruiting candidates to fill Smart Grid roles, this new report features the following key data points for both new and experienced job seekers:

  • Required and preferred degrees and certifications
  • Needed skill sets
  • Length and type of work experience required

Access the detailed findings of this new release by downloading a FREE copy of the detailed report here (registration may be required).

This research underscores the exacting requirements for those interested in pursuing Smart Grid roles. Potential candidates can leverage this data to guide their academic and initial career choices to ensure they lead to a path in the Smart Grid.

Sunday, July 22, 2012

ENISA Report: Ten Smart Grid Security Recommendations

Smart Grids need protection from cyber attacks


The EU Agency ENISA has launched a new report on how to make smart grids and their roll out a success, in particular by making sure that IT security aspects are properly taken into account from the beginning.


A smart grid is an upgraded electricity network with two-way digital communication between supplier and consumer. The adoption of smart grids will dramatically change the distribution and control of energy for solar panels, small wind turbines, electric vehicles, etc.


By making energy distribution more efficient, smart grids give clear benefits to users, electricity suppliers, grid operators, and society as a whole. At the same time, their dependency on computer networks and the Internet makes our society more vulnerable to cyber-attacks, with potentially devastating results.


Therefore, to prepare for a successful roll-out of smart grids, this study proposes 10 security recommendations for the public and private sector out of almost 100 findings.


Some key report recommendations include:


  • The European Commission (EC) and the competent authorities of the Member States (MS) need to provide a clear regulatory and policy framework on smart grid cyber security at the national and EU level, as this presently is missing.
  • The EC, in collaboration with ENISA, the MS, and the private sector, should develop a minimum set of security measures based on existing standards and guidelines.
  • Both the EC and the MS authorities should promote security certification schemes for the entire value chain of smart grids components, including organisational security.
  • The MS authorities should involve Computer Emergency Response Teams to play an advisory role in power grids’ cyber security.


Cyber security aspects of smart grids

Smart grids give rise to new information security challenges for electricity networks. Information systems’ vulnerabilities may be exploited for financial or political motivation in cyber-attacks to shut off power plants.


This study makes 10 recommendations to the public and private sector involved in the definition and implementation of smart grids. These recommendations intend to provide useful and practical advice aimed at improving current initiatives, enhancing co-operation, raising awareness, developing new measures and good practices, and reducing barriers to information sharing.


The top 10 recommendations, aimed at various European Union and member-state organizations, are: 

  1. Improve the regulatory and policy framework on smart-grid cybersecurity at both the national and EU level.
  2. Create a public-private partnership to coordinate cybersecurity initiatives. 
  3. Promote initiatives to raise awareness of cybersecurity threats and conduct training.
  4. Foster knowledge-sharing initiatives.
  5. Develop minimum security measures based on existing standards and guidelines.
  6. Develop security certifications for components, products and organizational security.
  7. Create test beds and security assessments.
  8. Develop and refine joint strategies to counter large-scale cyberattacks on power grids.
  9. Involve computer security incident response teams in an advisory role.
  10. Promote academic and R&D research into smart-grid cybersecurity, including through existing research programs.

The full ENISA smart grid report can be downloaded here.

Monday, June 18, 2012

Saturday, May 26, 2012

Utilities Sector Have The Poorest Governance Practices

Corporate Boards Still In the Dark About Cybersecurity


As the U.S. natural gas pipeline sector and the Department of Homeland Security square off against malicious cyber intrusions aimed at companies, along comes yet another study that highlights serious governance shortcomings of critical infrastructure companies when it comes to cybersecurity.


“The Governance of Enterprise Security: CyLab 2012 Report” [PDF], released last week by Carnegie Mellon University, offers the first side-by-side comparison of industries on governance practices and cybersecurity oversight.


Compared against the financial, IT/telecom, and industrials sectors, energy/utilities companies fared the worst. “Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices,” writes study author Jody Westby in Forbes (a co-sponsor of the survey, along with RSA).


“When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two.” The energy/utilities sector responses, as reported by Forbes, broke down as follows:

  • 71 percent of their boards rarely or never review privacy and security budgets.
  • 79 percent of their boards rarely or never review roles and responsibilities.
  • 64 percent of their boards rarely or never review top-level policies.
  • 57 percent of their boards rarely or never review security program assessments.

The energy/utilities respondents also “placed the least value on IT experience when recruiting board members,” writes Westby, the CEO of the consultancy Global Cyber Risk. Westby finds the energy/utilities results particularly troubling: “What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity,” she says.


The sector is also heavily dependent on industrial control systems (known by the acronym SCADA), “most of which were not designed for security and have no logging functions to enable forensic investigations of attacks,” she adds. The survey noted that overall, “the financial sector has better privacy and security practices than other industry sectors.”


The financial sector got the highest marks on undertaking best practices, and respondents from those companies also indicated “they are much farther ahead in establishing risk committees” on the board:


78 percent said they had a risk committee separate from the audit committee, compared to 44 percent among industrials, 35 percent among energy/utilities, and 31 percent among IT/telecom. The energy/utilities and the IT/telecom sectors were the least likely to review cyber insurance coverage—79 percent and 77 percent, respectively, said they did not do so. Meanwhile, 52 percent of financial sector boards and 44 percent of industrial sector boards said they didn’t perform a review.


But as the first round of CyLab survey findings published earlier this year revealed, governance around cyber risk is generally lacking. Despite holding extensive troves of digital assets—and bearing an explicit fiduciary duty to protect those assets—boards and senior management “are not exercising appropriate governance over the privacy and security of their digital assets,” according to the results.


These findings on board oversight dovetail with those of a 2011 study by the Center for Strategic and International Studies and McAfee, focused on power, oil, gas, and water companies around the world. That report, too, uncovered a similar dearth of preparedness.


“What we found is that they are not ready,” wrote the authors of last year’s “In the Dark: Crucial Industries Confront Cyberattacks” [PDF]. “The professionals charged with protecting these systems report that the threat has accelerated—but the response has not.” 


 Those threats, as reported by company executives, increased substantially from the previous year. In the 2010 survey, “nearly half of the respondents said that they had never faced large-scale denial of service attacks or network infiltrations,” according to the authors.


By 2011:

  • 80 percent of respondents said they had faced a large-scale denial of service attack.
  • 85 percent said they had experienced network infiltrations.
  • A quarter of respondents reported daily or weekly denial-of-service attacks on a large scale.
  • Nearly two-thirds said that, on at least a monthly basis, they found malware designed for sabotage on their system.

Yet the bottom line for corporate cybersecurity was still disappointing: “Most companies failed to adopt many of the available security measures. This means that, for many, security remained rudimentary.”


Refer here to read more details.

Friday, May 11, 2012

Whitepaper: HMI/SCADA System Security Gaps

Understanding and Minimizing Your HMI/SCADA System Security Gaps


Being at the heart of an operation’s data visualization, control and reporting for operational improvements, HMI/SCADA systems have received a great deal of attention, especially due to various cyber threats and other media-fueled vulnerabilities.


The focus on HMI/SCADA security has grown exponentially in the last decade, and as a result, users of HMI/SCADA systems across the globe are increasingly taking steps to protect this key element of their operations. The HMI/SCADA market has been evolving over the last 20 years with functionality, scalability and interoperability at the forefront.


For example, HMI/SCADA software has evolved from being a programming package that enables quick development of an application to visualize data within a programmable logic controller (PLC) to being a development suite of products that delivers powerful 3-D visualizations, intelligent control capabilities, data recording functions, and networkability. With HMI/SCADA systems advancing technologically and implementations becoming increasingly complex, some industry standards have emerged with the goal of improving security. However, part of the challenge is knowing where to start in securing the entire system.


The purpose of this paper is to explain where vulnerabilities within an HMI/SCADA system may lie, describe how the inherent security of system designs minimizes some risks, outline some proactive steps businesses can take, and highlight several software capabilities that companies can leverage to further enhance their security.


Refer here to download the whitepaper. (Registration Required)

Thursday, April 19, 2012

Why Cyber Security is Critical for Smart Grid?

Critical Issues for the security requirements of Smart Grid!


Power system operations pose many security challenges that are different from most other industries. For instance, most security measures were developed to counter hackers on the Internet.


The Internet environment is vastly different from the power system operations environment. Therefore, in the security industry there is typically a lack of understanding of the security requirements and the potential impact of security measures on the communication requirements of power system operations. 


In particular, the security services and technologies have been developed primarily for industries that do not have many of the strict performance and reliability requirements that are needed by power system operations. 


For instance:
  • Operation of the power system must continue 24×7 with high availability (e.g. 99.99% for SCADA and higher for protective relaying) regardless of any compromise in security or the implementation of security measures which hinder normal or emergency power system operations
  • Power system operations must be able to continue during any security attack or compromise (as much as possible). Power system operations must recover quickly after a security attack or compromised information system
  • The complex and many-fold interfaces and interactions across this largest machine of the world – the power system – make security particularly difficult since it is not easy to separate the automation and control systems into distinct “security domains”. And yet end-to-end security is critical
  • There is not a one-size-fits-all set of security practices for any particular system or for any particular power system environment
  • Testing of security measures cannot be allowed to impact power system operations
  • Balance is needed between security measures and power system operational requirements. Absolute security may be achievable, but is undesirable because of the loss of functionality that would be necessary to achieve this near perfect state
  • Balance is also needed between risk and the cost of implementing the security measures.

In the Smart Grid, there are two key purposes for cyber security:


Power system reliability


Keep electricity flowing to customers, businesses, and industry. For decades, the power system industry has been developing extensive and sophisticated systems and equipment to avoid or shorten power system outages. In fact, power system operations have been termed the largest and most complex machine in the world.


Although there are definitely new areas of cyber security concerns for power system reliability as technology opens new opportunities and challenges, nonetheless, the existing energy management systems and equipment, possibly enhanced and expanded, should remain as key cyber security solutions. 


Confidentiality and privacy of customers


As the Smart Grid reaches into homes and businesses, and as customers increasingly participate in managing their energy, confidentiality and privacy of their information has increasingly become a concern. 


How can security requirements for smart grid interfaces be determined?


There is no single set of cyber security requirements and solutions that fits each of the Smart Grid interfaces. Cyber security solutions must ultimately be implementation-specific, driven by the configurations, the actual applications, and the varying requirements for security of all of the functions in the system.


That said, “typical” security requirements can be developed for different types of interfaces which can then be used as checklists or guidelines for actual implementations. Typically, security requirements address the integrity, confidentiality, and availability of data.


However, in the Smart Grid, the complexity of stakeholders, systems, devices, networks, and environments precludes simple or one-size-fits-all security solutions. Therefore, additional criteria must be used in determining the cyber security requirements before selecting the cyber security measures.


These additional criteria must take into account the characteristics of the interface, including the constraints and issues posed by device and network technologies, the existence of legacy systems, varying organizational structures, regulatory and legal policies, and cost criteria.


Once these interface characteristics are applied, then cyber security requirements can be applied that are both specific enough to be applicable to the interfaces, while general enough to permit the implementation of different cyber security solutions that meet the cyber security requirements or embrace new security technologies as they are developed.


This cyber security information can then be used in subsequent steps to select cyber security controls for the Smart Grid.

Tuesday, April 17, 2012

Ernst & Young: Attacking the smart grid

Penetration testing techniques for industrial control systems and advanced metering infrastructure


The industrial control systems that provide automation for critical infrastructure have recently come under increased scrutiny, and the need to protect current infrastructure as well as integrate security into new system design is now a top priority. Penetration testing has become the latest trend in the ICS space; however, the cultural and technological differences between control systems and traditional IT systems have caused confusion around how to perform a penetration test safely and effectively. 


In this briefing, we will discuss the changing landscape in control system architecture, with special attention paid to smart grid infrastructure, and highlight the implications for security. A description of the lifecycle of a penetration test is followed by a breakdown of a typical ICS infrastructure. Specific penetration testing activities are explained for each component to provide insight for control system engineers and management into how penetration testing can benefit their organization.


Refer here to download the whitepaper.

Sunday, April 15, 2012

Insufficient security controls for smart meters

Smart meters are not secure enough against false data injection attacks


False data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection; experts say the current generation of smart meters is not secure enough against false data injection attacks.

nCircle the other day announced the results of a survey of 104 energy security professionals.


The survey was sponsored by nCircle and EnergySec, a DOE-funded public-private partnership that works to enhance the cyber security of the electric infrastructure. The online survey was conducted between 12 March and 31 March 2012. 


When asked, “Do smart meter installations have sufficient security controls to protect against false data injection?” 61 percent said “no.” Power grids connect electricity producers to consumers through interconnected transmission and distribution networks. In these networks, system monitoring is necessary to ensure reliable power grid operation. 


The analysis of smart meter measurements and power system models that estimate the state of the power grid are a routine part of system monitoring. An nCircle release notes that false data injection attacks exploit the configuration of power grids by introducing arbitrary errors into state variables while bypassing existing techniques for bad measurement detection. Smart meters vary widely in capability and many older meters were not designed to adequately protect against false data injection. It doesn’t help that some communication protocols used by the smart meter infrastructure don’t offer much protection against false data injection either. 


Together, these facts highlight a much larger potential problem with data integrity across the smart grid infrastructure. Because our nation relies on the smart grid to deliver robust and reliable power, we need to make sure that all systems that process usage data, especially those that make autonomous, self-correcting, self-healing decisions, assure data integrity.


Elizabeth Ireland, vice president of marketing for nCircle, noted, “A false data injection attack is an example of technology advancing faster than security controls.”


This is a problem that has been endemic in the evolution of security and it’s a key reason for the significant cyber security risks we face across many facets of critical infrastructure. Installing technology without sufficient security controls presents serious risks to our power infrastructure and to every power user.

Thursday, April 12, 2012

Smart meter hacks likely to spread

Miscreants are reprogramming meters to report less power usage, for a fee


A series of hacks perpetrated against so-called "smart meter" installations over the past several years may have cost a single electric company hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. 


The US law enforcement agency said this was the first known report of criminals compromising the hi-tech meters, and that it expected this type of fraud to spread across the country as more utilities deploy smart grid technology. Smart meters are intended to improve efficiency, reliability, and allow the electric utility to charge different rates for electricity at different times of day. 


Smart grid technology also holds the promise of improving a utility's ability to remotely read meters to determine electric usage. But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorised modifications.


The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the internet. Citing confidential sources, the FBI said it believed former employees of the meter manufacturer and employees of the utility were altering the meters in exchange for cash and training others to do so. "These individuals are charging $300 to $1000 to reprogram residential meters, and about $3000 to reprogram commercial meters," the alert states. 


The FBI believes that miscreants hacked into the smart meters using an optical converter device - such as an infrared light - connected to a laptop that allows the smart meter to communicate with the computer. After making that connection, the thieves changed the settings for recording power consumption using software that can be downloaded from the internet. 
"The optical converter used in this scheme can be obtained on the internet for about $400," the alert reads. "The optical port on each meter is intended to allow technicians to diagnose problems in the field. This method does not require removal, alteration, or disassembly of the meter, and leaves the meter physically intact." 
The bureau also said another method of attacking the meters involved placing a strong magnet on the devices, which caused it to stop measuring usage, while still providing electricity to the customer. 
"This method is being used by some customers to disable the meter at night when air-conditioning units are operational. The magnets are removed during working hours when the customer is not home, and the meter might be inspected by a technician from the power company." 
"Each method causes the smart meter to report less than the actual amount of electricity used. The altered meter typically reduces a customer's bill by 50 per cent to 75 per cent. Because the meter continues to report electricity usage, it appears to be operating normally. Since the meter is read remotely, detection of the fraud is very difficult. A spot check of meters conducted by the utility found that approximately 10 per cent of meters had been altered." 
"The FBI assesses with medium confidence that as Smart Grid use continues to spread throughout the country, this type of fraud will also spread because of the ease of intrusion and the economic benefit to both the hacker and the electric customer," the agency said in its bulletin.
The hacks described by the FBI do not work remotely, and require miscreants to have physical access to the devices. They succeed because many smart meter devices deployed today do little to obfuscate the credentials needed to change their settings, according to Tom Liston and Don Weber, analysts with InGuardians, a security consultancy based in Washington, DC. 


Liston and Weber have developed a prototype of a tool and software program that lets anyone access the memory of a vulnerable smart meter device and intercept the credentials used to administer it. Weber said the toolkit relied in part on a device called an optical probe, which can be made for about $US150 in parts, or purchased off the internet for roughly $US300. 
"This is a well-known and common issue, one that we've been warning people about for three years now, where some of these smart meter devices implement unencrypted memory," Weber said. 
"If you know where and how to look for it, you can gather the security code from the device, because it passes them unencrypted from one component of the device to another."
The two researchers were slated to demo their smart meter hacking tools at the Shmoocon security conference. Utilities have to be more enterprise security-aware. With these incidents at organisations of any size or age, the first reaction is to cover it up. The thinking is if we keep this kind of thing secret, nobody will find it or exploit it. But for those of us who are inside the industry, and have been at this long enough, the only way we're going to fix a security problem is to expose it.


Australia has approximately 1.5 million smart meters installed, according to telecommunications analyst Paul Budde, founder of Smart Grid Australia, an industry alliance working on Australia's Smart Grid-Smart City electricity network upgrade project. Approximately 1 million are deployed in Victoria, the state chosen as the test site for the country, he said. 


Budde said the hacking of smart meters was among the issues electricity companies would work to prevent. 
"Obviously as soon as you start adding communications to the [electricity] network there are possibilities of others getting access to it as well. It applies to everything that has to do with communications. Smart grids and smart meters are also affected by that."
"But [the risk] is very well understood now; companies involved are making sure there's security in place to make it less [likely] to happen." Budde said the US was one of the first countries to roll out smart meters and learnings from the North American experience were shared among all countries working on smart grids. "Other electricity companies can learn from that," Budde said.


Refer here to read further details.
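The FBI bulletin quoted in the post above says altered meters cut reported usage by 50 to 75 per cent while still appearing normal to remote reads. As an added example (not from the article, the FBI, or any utility's tooling), one way a utility could prioritise physical spot checks is to flag meters whose readings show a sustained step drop of that size against their own baseline; the thresholds, window lengths and sample data are assumptions constructed for illustration.

```python
from statistics import median

# A 50-75% bill reduction means readings settle at 25-50% of prior usage.
TAMPER_BAND = (0.25, 0.50)

def flag_step_drop(daily_kwh, baseline_days=28, recent_days=14, tolerance=0.10):
    """Return (ratio, flagged) for one meter's daily kWh series, oldest first.

    ratio = median of the last `recent_days` / median of the preceding
    `baseline_days`. Flag when the ratio falls in the tamper band (widened
    by `tolerance`) and every recent day is below the baseline median, i.e.
    the drop is sustained rather than a few low days.
    """
    if len(daily_kwh) < baseline_days + recent_days:
        return None, False          # not enough history to judge
    recent = daily_kwh[-recent_days:]
    baseline = daily_kwh[-(baseline_days + recent_days):-recent_days]
    base_med = median(baseline)
    if base_med <= 0:
        return None, False          # vacant premises or dead meter: separate check
    ratio = median(recent) / base_med
    lo, hi = TAMPER_BAND[0] - tolerance, TAMPER_BAND[1] + tolerance
    sustained = all(day < base_med for day in recent)
    return round(ratio, 2), (lo <= ratio <= hi and sustained)

def rank_for_spot_check(meters):
    """meters: {meter_id: [daily kWh]} -> flagged ids, largest drop first."""
    hits = []
    for meter_id, series in meters.items():
        ratio, flagged = flag_step_drop(series)
        if flagged:
            hits.append((ratio, meter_id))
    return [meter_id for ratio, meter_id in sorted(hits)]

# Constructed sample data (hypothetical meter ids, not from any real utility).
SAMPLE = {
    "M-001": [30.0] * 28 + [29.0, 31.0] * 7,          # steady usage
    "M-002": [30.0] * 28 + [10.0, 11.0] * 7,          # ~65% sustained drop
    "M-003": [30.0] * 28 + [30.0] * 10 + [2.0] * 4,   # short holiday dip
    "M-004": [40.0] * 28 + [18.0] * 14,               # 55% sustained drop
    "M-005": [30.0] * 5,                              # too little history
}

if __name__ == "__main__":
    print(rank_for_spot_check(SAMPLE))
```

A flag here is only a reason to inspect the meter: a change of occupancy or a new solar installation produces the same pattern.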

Friday, March 9, 2012

NIST Releases Final Smart Grid 'Framework 2.0' Document

Framework will provide an expanded view of the architecture of the Smart Grid

An updated roadmap for the Smart Grid is now available from the National Institute of Standards and Technology (NIST), which recently finished reviewing and incorporating public comments into the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 2.0.

The 2.0 Framework lays out a plan for transforming the nation's aging electric power system into an interoperable Smart Grid—a network that will integrate information and communication technologies with the power-delivery infrastructure, enabling two-way flows of energy and communications.

The final version reflects input from a wide range of stakeholder groups, including representatives from trade associations, standards organizations, utilities and industries associated with the power grid.

Refer here to read further details or here to download the document.

Thursday, October 20, 2011

US-CERT - Control Systems Security Program

Cyber Security Evaluation Tool

Overview

Critical infrastructures are dependent on information technology systems and computer networks for essential operations. Particular emphasis is placed on the reliability and resiliency of the systems that comprise and interconnect these infrastructures. NCSD collaborates with partners from across public, private, and international communities to advance this goal by developing and implementing coordinated security measures to protect against cyber threats.

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS National Cyber Security Division (NCSD) by cybersecurity experts and with assistance from the National Institute of Standards and Technology.

This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

Download CSET Assessment Fact Sheet

Purpose

CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls.

CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as National Institute of Standards and Technology (NIST), North American Electric Reliability Corporation (NERC), International Organization for Standardization (ISO), U.S. Department of Defense (DoD), and others.

When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment.

Key Benefits
  • CSET contributes to an organization's risk management and decision-making process
  • Raises awareness and facilitates discussion on cybersecurity within the organization
  • Highlights vulnerabilities in the organization's systems and provides recommendations on ways to address the vulnerability
  • Identifies areas of strength and best practices being followed in the organization
  • Provides a method to systematically compare and monitor improvement in the cyber systems
  • Provides a common industry-wide tool for assessing cyber systems

How to Obtain it

CSET is available for download at the following link: Download CSET here

Alternatively, the Control Systems Security Program also offers onsite training and guidance to asset owners in using CSET during onsite assessments. These assessments are conducted at no cost to the asset owners. To assist an organization in planning and organizing for an assessment using the CSET, the following actions and items are recommended:
  • Identify the assessment team members and schedule a date.
  • Become familiar with information about the organization’s system and network by reviewing policies and procedures, network topology diagrams, inventory lists of critical assets and components, risk assessments, IT and ICS network policies/practices, and organizational roles and responsibilities.
  • Select a meeting location to accommodate the assessment team during the question and answer portion of the assessment.
  • Work with CSSP for onsite or subject matter support.
To request onsite assistance, please send mail to cset@dhs.gov.

Sunday, September 11, 2011

ZigBee Architecture Basics

Zigbee Networking Architecture

This training video is intended to explain the ZigBee mesh networking architecture at a high level. It discusses basic topics such as:

What is mesh networking?


Saturday, September 10, 2011

Overview of ZigBee Home Automation and Smart Energy Profiles

Security is a key concern for Zigbee

Ember training curriculum video about Home Automation (HA) and Smart Energy (SE) application profiles.

Explains the basic intentions of these profiles and covers (for each profile):


Tuesday, August 23, 2011

Smart grid cybersecurity strategy – industry proposals

Smart grid security challenge highlighted in report

Government plans to create a smart grid for energy networks will require a coordinated focus on cybersecurity as communication networks play a key role, according to a report from The Energy Networks Association (ENA).

The ENA published the report for the Department of Energy and Climate Change (DECC), which is responsible for the energy smart grid. The findings of the research, which was carried out by consultancy KEMA, revealed that the government and network providers need a more "coherent and joined-up approach" to secure the smart grid.

Security a top priority in smart grid development

The report outlines how the smart grid will affect networks and describes how cybersecurity should be an important consideration when developing the smart grid's architecture, technology and management systems.

For example, the report says: "ICT security, along with computing system reliability, safety and maintainability, are critical attributes for smart grid implementation and operation, and need to be considered as part of overall risk management for this critical national infrastructure."

Coordinating the smart grid project

Last week, the IT sector, under the wing of Intellect, got involved in the smart grid debate with the launch of cross-industry organisation SmartGrid GB. This group brings together IT companies, environmental organisations, government, regulators and consumer groups. It will coordinate the multiple stakeholders and advise the government.

Robert McNamara, energy and environment programme manager at Intellect, is SmartGrid GB's manager. He welcomed the report: "A lot of data will be transported on the smart grid and through smart metering. It is absolutely imperative that security is the number one priority."

IT suppliers invited to bid for smart grid contracts

The DECC has already put a notice out to IT suppliers informing them to be ready to bid for work. A new company will be set up to manage the data that smart meters send and receive. The central data and communications company (DCC), as it is known, will require services from IT and communication service providers.

The smart grid project involves using smart meters in the home to help consumers control their energy usage. But a survey, which was commissioned by smart meter technology provider T-Systems and carried out by the Economist Intelligence Unit, revealed antipathy towards the government's plans to roll out smart meters to 30 million homes by 2020. Consumers are more concerned about the financial costs of using smart meters than the environmental costs of inefficient energy use.

Thursday, July 21, 2011

Security analysis of Dutch smart metering systems

Smart metering must offer a security level as high as for money transfers - Dutch minister of Economic Affairs

Smart meters enable utility companies to automatically read out metering data and to give consumers insight into their energy usage, which should lead to a reduction of energy usage. To regulate smart meter functionality, the Dutch government commissioned the NEN to create a Dutch standard for smart meters, which resulted in the NTA-8130 specification.

Currently the Dutch grid operators are experimenting with smart meters in various pilot projects. In this project we have analyzed the current smart meter implementations and the NTA using an abstract model based on the CIA triad (Confidentiality, Integrity and Availability). It is important that no information can be attained by unauthorized parties, that smart meters cannot be tampered with and that suppliers get correct metering data.

It was concluded that the NTA is not specific enough about the security requirements of smart meters, which leaves this open for interpretation by manufacturers and grid operators. Suppliers do not take the privacy aspect of the consumer data seriously. Customers can only get their usage information through poorly secured websites. The communication channel for local meter configuration is not secured sufficiently: consumers might even be able to reconfigure their own meters.

Also, the communication channels that are used between the smart meter and gas or water meter are often not sufficiently protected against data manipulation. It is important that communication at all stages, starting from the configuration of the meter to the back-end systems and websites, is encrypted using proven technologies and protected by proper authentication mechanisms.

Refer here to download the full report.

Sunday, July 17, 2011

Videos to Understand NERC CIP Requirements for Smart Grid Security

Smart Grid Security East 2011 NERC CIP compliance pre-conference workshop

The North American Electric Reliability Corporation (NERC) enforces electric reliability standards under the authority of the Federal Energy Regulatory Commission (FERC). A large part of these enforcement efforts is Critical Infrastructure Protection (CIP), which is currently a key area of cyber security enforcement for NERC, and the set of guidelines is referred to as the NERC CIP guidelines. Organizations that are subject to enforcement under NERC CIP face fines of up to 1 million dollars per day for failing to comply with set requirements. This workshop will focus on the following:
  • Understanding NERC CIP Requirements
  • How to prepare for a NERC CIP Audit
  • Tips and Findings from organizations that have experienced a NERC CIP Audit
  • Overview of the direction NERC CIP is heading

Sunday, April 24, 2011

Cyber Threats To Critical Infrastructure Spike

80% Critical Infrastructure companies faced large-scale DOS attacks

As cyber threats and vulnerabilities for critical infrastructure continue to rise, more than 40% of U.S.-based critical infrastructure companies still have no interaction with the federal government on cyber-defense matters, according to a survey of more than 200 critical infrastructure executives.
In 2010, according to the report, which was conducted on behalf of McAfee and the Center for Strategic and International Studies, 80% of critical infrastructure companies faced a large-scale denial of service attack, and almost 40% of respondents saw them monthly.
However, the global survey found that, even as these attacks rise worldwide, the U.S. government lags significantly in working closely with industry on cybersecurity issues as compared to some other countries. As compared to 40% in the United States, only about 5% of Chinese executives, for example, said that they had not worked with their government on network security.
The deficits extend from the frequency of contact to the depth of that contact, as well. In Japan, every company surveyed had been subject to a government audit of their security, whereas the number of companies in the United States subject to government audits hovered at close to 15%.