Identity and Access Management Framework Book

I’ve written plenty on NERC-CIP compliance, that is to say, the regulatory requirements for North American power companies. CIP doesn’t care about your financial data. It cares about operational data, and access to the systems that governs the reliability of the grid. Our communications, our commerce, health systems, EVERYTHING, all of it depends on the grid. We always say, it can’t happen here, meaning the USA, but don’t bet on it. A particular water treatment plant in the Midwest is a regular target of hackers and many municipal grids have been touched. The numbers in general are still in the low three figures, but that’s likely to rise.

Recently, Israel’s power utilities were seriously hacked. In 2015, the Ukraine’s grid was also attacked. You can only guess the source of that one. Even the screens of the admins trying to fix the situation were hacked, and their communications were taken down.

CIP specifically warns against web-enabling the SCADA systems that are used for gathering and disbursing operational data. But that one’s been roundly ignored from the beginning.

I wrote a while back about an insidious, clever, and horrifying attack against manufactures in the Midwest that relied heavily on mapping out the org charts, then spear phishing critical individuals. It wasn’t always even a matter of implanting malware, but rather using a brilliant sort of social engineering, convincing people that a malicious email was actually a friendly request for a money wire or other delivery. Although be assured, malware delivery is still a problem.

When the DoJ got his, when the Ukrainians got hit, those were the result of spearing.

In the last few months, I’ve gotten funky-looking emails from familiar people, with the usual, “You’ve gotta see this!” as the subject or body. And no other detail. And I know better than to click on those. All you have to do is hover over  those to see where those links will take you. I have often done a reply-all on those, warning everybody on the thread to steer clear.

It never fails to astound me how STUPID folks can be in clicking on these. And in a corporate environment, these can be unbelievably damaging. Spear phishing helped bring down a Canadian firm, eventually hurting their acquisition price. Spearing has a very high success rate, and sorry to say, that’s all based on sheer stupidity.

The grid is far too critical to fall prey to such weak thinking. If you’re in IT, if you’re in a critical organization, you have to be SMARTER. We already sweat EMP attacks from the sky. We don’t need the gopher attacks from the ground.