Sunday, November 08, 2015

Having A Few Problems With This Forbes Article: The Biggest Cybersecurity Threat: The Energy Sector

I came across this article yesterday via my twitter feed.  I can't speak for anyone else, but man, I am having some serious issues with it.

First let's establish a couple of things:

1) I am not a cybersecurity expert.  My work touches on cybersecurity in some areas (i.e. vulnerability scans, hardening OSes for installation, monitoring trends, etc.)  I am not a researcher or a policy maker. I am just a grunt trying to make sure my network complies with applicable laws and regulations while preventing unauthorized access.

2) I am not an energy sector analyst or expert.  My current employer is in the energy sector and I work with guys who are involved in power distribution but my job is supporting them.  I am not directly involved.

3) My comments in no way reflect the opinions of any employer or agency.  They are mine alone.

4) I am a moron and I bring a moron's level of understanding to this article.  (Actually that may reflect the opinion of my employer and many federal agencies, but let's stick with number 3.)

Back to the article.  It starts accurately or inoffensively enough:
It’s cyber attacks on the energy space, not the consumer credit space, that could cripple the United States — or any country — as well as bring about a collapse of order and society that most of us associate with apocalyptical scenarios.
Actually, maybe not: we are only three sentences in and already we have a prediction of apocalypse. Continuing on, the author references Stuxnet and the movie Blackhat (which he says Wired called "the best hacker movie ever made". They did not; they asked if it was.)  The point in bringing these up is to show how easily energy infrastructure could be destroyed in the US, leading to widespread blackouts and economic disruptions:
But the threat currently facing the world isn’t one dreamed up by Hollywood; it’s real. A congressional commission estimated that a large-scale blackout, if prolonged, could lead to 90% of the United States’ population perishing from disease, lack of food and general societal breakdown.
90%?  Really?  That is approximately 297,000,000 people who will supposedly die if we are subjected to a cyberattack.  I was trying to find a polite way of saying this, but I can't:

Bullshit.

Pure utter bullshit.

First off, the attack referenced in the source of that statistic was an EMP attack in which the entire North American continent is affected simultaneously and power is down for more than 12 months. Not a cyberattack. Even then it's utter horseshit.  Jesus, when the Russians surrounded Stalingrad and the population was reduced to eating sawdust soup, boots, and bodies, 90% of the population didn't die off.

This is just the worst kind of hyperbole.

Let's assume a cyber attack does happen.  Generating or distribution stations in California get hit.  What happens?  Alarms sound and that section of the grid gets isolated, usually by automatic relays cutting power, but there are manual backups.  If necessary, the regional interties get cut.  Sometimes, like in 2003, that fails, but a lot of improvements have been put in place since then specifically because of that failure.

I don't mean to sound blasé here - there is still a possibility of a lot of damage from a cyberattack, but nowhere near the 90% mortality rate that the author is claiming.  I also don't mean to dismiss the idea of an EMP pulse as a potentially catastrophic event.  I firmly believe that we as a country should be making sure the grid is properly hardened.

So, given that the potential effects of a cyberattack are, at least in my opinion, much less than this article predicts, and that I now find it hard to take anything this guy says seriously, what's the purpose of the article?

CISA

It's a scare to try and get people to support CISA, which at this moment is very unpopular, and I think is headed for a defeat in congress.  This is made obvious in the deep-delving article that the author and his colleagues published in The Legal Intelligencer.
Others have criticized CISA for not going far enough. CISA only creates a framework for information-sharing intended to allow agencies to identify how best to protect against future cyberattacks. What some expect, or hope, to follow CISA is ultimately the enactment of minimum standards for corporate cybersecurity systems. A vote on the bill is expected soon.
It's also telling that one of the major recommendations of the Legal Intelligencer paper is to have a good law firm (the author is a partner in a law firm).  I guess even if 90% of the population dies the courts will still be functioning.