Andy has a couple of blog entries at the Smart Grid Security Blog on the need for security metrics related to smart grid, but you could easily extend this to ICS. There actually has been work done on this in S4 papers, at INL, and by Ross Anderson and his students at Cambridge. There is also a great conference on the economics of information security, WEIS – unrelated to Joe. Security metrics are a work in progress, but they exist, especially for the broader IT space. The bigger issue is that few seem to want to use them.

FERC gave the demand response and time-of-day pricing smart grid proponents a boost with the “market-based demand response compensation rule“; read the FERC press release here. Chairman Wellinghoff wrote, “we decided that the RTO/ISO should be able to accept the voluntary offer of a customer to reduce his/her demand in order to balance supply and demand on the system … it makes sense that the cost-effective demand response resource should receive the LMP, as do the other resources dispatched for that hour.”

FERC also said the term “bulk electric system” needs to be redefined, and their definition is to “establish a bright-line threshold that includes all facilities operated at or above 100 kilovolts except defined radial lines, and adopt a process to exclude facilities not necessary for operating the interconnected grid.” The same announcement gives the NERC board the ability to file a draft CIP standard if the electric utilities fail to approve a standard that meets FERC’s directives.

Two new ICS security vulnerability bulletins were released this week by ICS-CERT. The Progea Movicon HMI has a data leak and DoS vulnerability, and the drip, drip, drip of WellinTech vuln info continues, this time with more information on a stack overflow in WellinTech KingView V6.53.

Not specifically related to ICS, but security vendor RSA announced to their stockholders that they had been subject to an attack by an Advanced Persistent Threat (APT) actor. The attacker was at least partially going after information on the widely used SecurID tokens. This is not a small issue, because EMC, the parent company, must have felt they were compelled to make this public by SEC rules.
Weekly Updates From Critical Intelligence
Worth Reading Articles
- FARS News Agency: Senior Iranian Commander Underscores Vulnerability of US Infrastructures
- Smart Grid Security Blog: Smart Grid Security East and the Software Security Panel
- SCADASEC Thread: What If al-Qaeda Got Stuxnet? Five entries out of a very long thread got flagged as “Worth Reading”: Entry 1 with links to NIC firmware reverse engineering, modification and rootkits, Entry 2 on implementing whitelisting, Entry 3 on small company software quality, Entry 4 on the lack of a security incentive, and Entry 5 on various topics. DP Note: Typical SCADASEC list content, where there is a gem or five in a long thread. Nice to have Critical Intelligence read it all rather than me.
New ICS Security Events on the Calendar
- Dept of Energy Information Management Conference Cyber Security Track, March 21-25 in Las Vegas
- Richard Clarke on his Book Cyber War moderated by Ralph Langner, March 28 in Hamburg, Germany
- Cyber Security for Energy Delivery, Sept 27-28 in San Jose, CA
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by TooFarNorth