Monday, 19 September 2011

Security Lessons Learned From Californian Power Outage

By Professor John Walker FBCS CITP CISM CRISC ITPC

That's Technology received the following letter from Professor Walker and decided to reproduce it in its entirety as matter of public concer:-

The 9th of September 2011 saw a power outage in the US affecting 5 million people in the area of Southern California - the root cause analysis of which is said to have been one single employee switching out a piece of problematic equipment. The upshot of this single act is nevertheless extremely worrying, as it manifested in traffic chaos, cancellation of flights, the shutting down of two nuclear reactors, a widespread impact on business, and on residents.

This event does, however, raise a number of questions and points back to the long debate about the security of Supervisory Control and Data Acquisition (SCADA) systems, which are considered, in some cases, to host a soft underbelly for Cyber Attack. There is also the question of timing - whilst I do understand the public notice, let us be honest here - if this were anything other than a mistake by an employee, would the public really expect to be told?

Additionally, if a single employee's mistake, with just one piece equipment can have such a devastating consequence on what is National Critical Infrastructure, then what does this tell us about Security, Change Management, and of course, Business Continuity?

The timing of this event may not, in my opinion, be a complete coincidence, coinciding as it did with the 9/11 memorial - an event which cost the lives of many innocent, ordinary people - and an event which changed the world for ever. While it is not being suggested for one moment that this is the consequence of a cyber attack, in my mind the jury is still out and it is a concern I am not able to satisfactorily resolve. It may also be worth noting that in the UK, the time/date format is 9/9/11.

I believe this event again places focus in the frailties of an infrastructure which is subject to targeting by extremists who are seeking to cause disruption, to create chaos, and to possibly follow through with loss of life. It must also be accepted that to place a cyber warfare attack capability alongside a conventional theatre of war would seem to make a great deal of battle field sense - causing wide spread disruption, outage of power, followed by what I would expect to be opportunist public disorder.

One last point of interest here is, only last week I was sent an image by one of my many distant contacts - and as I recall the message said, "You may find this interesting" - it was a picture of New York in a blackout condition.

To conclude: no matter mistake or cyber attack, the time has arrived to reassess just what security is surrounding the various Critical National Infrastructures (CNI) around the world, and to place them, where possible, in an enhanced profile of security hardening. It may also be beneficial to revisit the standard operational practices around such areas as change management, and of course business continuity.

Last but not least, I am sure this has been considered, but if Al Qaeda can get one of their radicalised operatives into a prime position of flying an aircraft, gaining employment with a power company in some capacity should prove to be a much less onerous objective. As I have said before in many articles, it is time for the security professionals to take a more proactive stance and look at what needs to be done.

The first task must be to get serious about the landscape of security which surrounds these systems which we rely on to service the CNI. And here I don't just mean applying a few policies, and then following them with the religious contempt that we so very often see practiced in some sectors of IT Governance, in the form of tick box security and lip serviced compliance. I am talking about serious programmes that are commensurate to the potential risk and impact posed against, and by these Key Point Infrastructures and Assets.

I am asserting that the induction processes for selecting employees into these Key Point areas are both robust, and consistent throughout all organisations who supply such critical services. If not, then now would be a good time to rethink the recruitment processes.

In closing, I see a need for more Security Professionals with a willingness to go to the next level and embrace this specialist area of SCADA Systems, Applications, and Infrastructures Security. And more importantly, for these professionals to immerse themselves in learning, and specialising in these environments, in particular, relative to their foibles and challenges.  Possibly here, there may even be a future for focused Training Certification to be created specific to SCADA environments.

One thing is for sure, these systems, applications, and infrastructures are not just run of the mill. They are the very lifeblood of the global economy, business, and our communities, and they demand special treatment to secure, and govern their profiles. Nothing less will suffice.

Professor John Walker, CISM, CRISC, FBCS, CITP, ITPC
CTO of Secure-Bastion www.secure-bastion.co.uk

No comments:

Post a Comment