The Black Book of Identity Access Mgmt


    Sunday, Oct 10, 2010

    You can't spell "grid" without "id"

    Even countries that get along with Iran aren't happy about that country getting nukes. Well, maybe North Korea, since maybe they're getting tired of always being the worst trouble-maker on the block. Anyway, there are a lot of suspects in the recent Stuxnet worm, which seems to pop up in the systems of a lot of organizations, especially power companies, but seems to be primarily targeting Iranian facilities. The speculation is that it was spawned by some party who's unhappy with the prospect of the Iranians converting spent fuel into weapons-grade uranium.

    There have been all sorts of hacking attempts targeting US facilities. Many of them appear to have originated in China, which is known to recruit, train, and support professional hackers. Luckily, the same set of security standards that are meant to help protect the grid from malfeasance, stupidity, and domestic hackers also serve as tripwires against foreign threats. These standards, of course, are incorporated into NERC CIP. The first part of that is the North American Reliability Council. The second part is the brilliant stuff they cooked up to secure the electrical grid. But everybody just refers to it as NERC.

    I cover NERC CIP in detail in my book, so I won't go into that here. But in a nutshell, it requires that an electric provider create an inventory of their assets, both physical and virtual, then build a perimeter around them. The perimeter includes all manner of security protocols.

    In the past year I dealt with one provider that says NERC is the concern for the plants themselves, and not the main holding company, because in theory NERC only covers actual electricity generating parties. But this is incredibly short-sighted, since the main honchos will be on the hook in the event of a disaster.

    My two biggest engagements in the past year were with utilities, and that's for a very good reason.

    NERC penalties are butt-ugly, worse even than financial boo-boos, such as violations of FACTA. Why? Because if somebody steals a bunch of credit card numbers, you don't find out unless you're one of the victims, or it gets on the news. But if the power goes out, EVERYBODY knows.

    Here's another grid acronym: SCADA. It's essentially the interface for managing the components of the grid. According to NERC, it's one of those things that shouldn't be web-enabled. But everybody does that very thing, because everybody is web-enabling EVERYTHING. I'm in charge of the plant, so I wanna be able to check on things from home on a Sunday night. Therefore, if you're going to publish it, for all practical purposes, then you darn well better secure it.

    Identity management doesn't cover all aspects of NERC, but it covers an awful lot of it. Of course, IdM encapsulates a lot of different kinds of security, not just logins and passwords. Authentication, authorization, behavioral analysis, and so on are all in the mix. You shouldn't be able to access or modify any security assets if your IP address isn't within an acceptable geographic range.
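    To make the "inventory, then perimeter" idea and the source-address rule above concrete, here is an added example (not from the post or from any NERC document) of a single access decision for an inventoried asset: the request is denied unless the asset is in the inventory, the user holds a role permitted for that asset, and the source address falls inside an approved network, with every decision written to an audit record. Asset names, roles and network ranges are constructed values.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed asset inventory: each in-scope asset and the roles allowed to touch it.
ASSETS = {
    "plant-hmi-01": {"type": "SCADA HMI", "roles": {"plant-operator", "plant-admin"}},
    "rtu-feeder-07": {"type": "RTU", "roles": {"plant-admin"}},
}

# Constructed perimeter: only these source networks may reach inventoried assets.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Audit trail of every decision, allowed or denied (an auditor will ask for this).
AUDIT_LOG = []


def inside_perimeter(src_ip):
    """True if the source address lies within an approved network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def authorize(user, user_roles, src_ip, asset, action):
    """Deny-by-default check for one request; returns (allowed, reason)."""
    entry = ASSETS.get(asset)
    if entry is None:
        decision = (False, "asset not in inventory")
    elif not inside_perimeter(src_ip):
        decision = (False, "source outside perimeter")
    elif not (set(user_roles) & entry["roles"]):
        decision = (False, "role not permitted for asset")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "src_ip": src_ip, "asset": asset,
        "action": action, "allowed": decision[0], "reason": decision[1],
    })
    return decision


if __name__ == "__main__":
    print(authorize("alice", {"plant-operator"}, "10.20.4.7", "plant-hmi-01", "read"))
    print(authorize("alice", {"plant-operator"}, "203.0.113.5", "plant-hmi-01", "read"))
```

    The order of checks matters for what the audit record reveals: an unknown asset or an out-of-perimeter source is rejected before any role evaluation, so a request from outside the perimeter never learns which roles an asset accepts.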

    Think about it. Screwing with the financial grid can really louse up how things work. But screwing with the power grid can do the same thing, on top of causing civil unrest. Blackouts can shut down markets, retail, healthcare facilities, travel, and can even cause morons to loot and pillage, as we've seen several times.

    It's being repeated all the time: the new frontier in war is in cyber-space. A lack of power tells the general public that the guys in charge aren't necessarily going to keep them safe. A solid IdM strategy is a good place to start.

    A great way to worm your way into a NERC engagement? Ask them how their last audit went. Even the successful ones really, really suck.