<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AssurX Blog &#187; Security</title>
	<atom:link href="http://blog.assurx.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.assurx.com</link>
	<description>Compliance, quality and risk: Straight talk for regulated industries</description>
	<lastBuildDate>Wed, 01 Feb 2012 15:52:07 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Do You Know About Heavyweight NERC CIP 011-1?</title>
		<link>http://blog.assurx.com/2011/07/26/do-you-know-about-heavyweight-nerc-cip-011-1/</link>
		<comments>http://blog.assurx.com/2011/07/26/do-you-know-about-heavyweight-nerc-cip-011-1/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 13:44:26 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[Utilities]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=3278</guid>
		<description><![CDATA[Electrical utilities are already challenged with the process of becoming certified for compliance with the NERC CIP standard for IT security. The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous sounding proposed new standard now in the creation process. To me it looks like the heavyweight in the list of otherwise fairly [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_3284" class="wp-caption alignleft" style="width: 160px"><a href="http://www.ere-security.com"><img class="size-full wp-image-3284 " title="RonL" src="http://blog.assurx.com/wp-content/uploads/2011/07/RonL.png" alt="Ron Lepofsky" width="150" height="150" /></a><p class="wp-caption-text">Ron Lepofsky, President, ERE Information Security Auditors</p></div>
<p>Electrical utilities are already challenged with the process of becoming certified for compliance with the <a href="http://www.nerc.com/">NERC CIP standard</a> for IT security.</p>
<p>The NERC CIP standard is evolving, thank goodness. Perhaps you haven’t noticed the innocuous-sounding proposed standard now being drafted. To me it looks like the heavyweight in a list of otherwise fairly general standards.</p>
<p>It’s called <a href="http://www.nerc.com/filez/standards/Project_2008-06_Cyber_Security_PhaseII_Standards.html">CIP 011-1 BES Cyber System Protection (in draft)</a> and can be found at the end of the NERC CIP list of standards.</p>
<p>In order to understand this new standard in context, it is useful to look at the <a href="http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html">other existing standards</a> which are as follows:</p>
<p style="padding-left: 30px;">CIP 001-1 Sabotage Reporting<br />
CIP 002-1 Critical Cyber Asset Identification<br />
CIP 003-1 Security Management Controls<br />
CIP 004-1 Personnel and Training<br />
CIP 005-1 Electronic Security Perimeter(s)<br />
CIP 006-1 Physical Security of Critical Cyber Assets<br />
CIP 007-1 Systems Security Management<br />
CIP 008-1 Incident Reporting and Response Planning<br />
CIP 009-1 Recovery Plans for Critical Cyber Assets<br />
CIP 010-1 BES Cyber System Categorization ( in draft)<br />
CIP 011-1 BES Cyber System Protection (in draft)</p>
<p><strong>What’s Different about CIP 011-1</strong></p>
<p><a href="http://www.nerc.com/docs/standards/sar/CIP-011-1_2010May3.pdf">NERC CIP 011-1</a> puts a knockout punch into NERC CIP by defining very specific control points. These control points do not contradict the other CIP standards; they drill down into them and complement them.</p>
<p>In my opinion the 011-1 control points resemble the NIST security controls defined in SP 800-53 Rev. 3, <a href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf">Recommended Security Controls for Federal Information Systems and Organizations</a>. The 011-1 control points, which I have listed below for clarity, will be costly to implement and to audit, but I think they specify critical requirements for hardening our electrical grid. Because the standard is still in draft, the requirement numbering below may change before it is approved.</p>
<p style="padding-left: 30px;">CIP-011-1 Table R3 – Cyber Security Training<br />
CIP-011-1 Table R5 – Physical Security for BES Cyber Systems<br />
CIP-011-1 Table R6 – Physical Access Control Systems<br />
CIP-011-1 Table R7 – Account Management Specifications<br />
CIP-011-1 Table R8 – Account Management Implementation<br />
CIP-011-1 Table R9 – Access Revocation<br />
CIP-011-1 Table R10 – Account Access Control Specifications<br />
CIP-011-1 Table R11 – Wireless and Remote Electronic Access Documentation<br />
CIP-011-1 Table R12 – Wireless and Remote Electronic Access Management<br />
CIP-011-1 Table R13 – Remote Access Revocation<br />
CIP-011-1 Table R14 – Wireless and Remote Electronic Access Controls<br />
CIP-011-1 Table R15 – Malicious Code<br />
CIP-011-1 Table R16 – Security Patch Management<br />
CIP-011-1 Table R17 – System Hardening<br />
CIP-011-1 Table R18 – Security Event Monitoring<br />
CIP-011-1 Table R19 – Communications and Data Integrity<br />
CIP-011-1 Table R20 – Electronic Boundary Protection<br />
CIP-011-1 Table R21 – System Boundary Protection<br />
CIP-011-1 Table R22 – Protective Cyber Systems<br />
CIP-011-1 Table R23 – Configuration Change Management<br />
CIP-011-1 Table R24 – Information Protection<br />
CIP-011-1 Table R25 – Media Sanitization<br />
CIP-011-1 Table R26 – Maintenance<br />
CIP-011-1 Table R27 – Cyber Security Incident Response Plan Specifications<br />
CIP-011-1 Table R28 – Cyber Security Incident Response Plan Testing Specifications<br />
CIP-011-1 Table R29 – Cyber Security Incident Response Plan Review, Update, and Communication Specifications<br />
CIP-011-1 Table R30 – Recovery Plan Specifications<br />
CIP-011-1 Table R31 – Recovery Plan Testing Specifications<br />
CIP-011-1 Table R32 – Recovery Plan Review, Update, and Communication Specifications</p>
<p>Wouldn’t it knock us all out if we found out that critically important NIST controls were finally being implemented by the custodians of our electrical grid?</p>
<p>Have a secure week. Ron Lepofsky CISSP, CISM, BA. SC. (mechanical) <a href="http://www.ere-security.ca/">www.ere-security.ca</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2011/07/26/do-you-know-about-heavyweight-nerc-cip-011-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Weighing Pros and Cons of Energy Storage Technologies</title>
		<link>http://blog.assurx.com/2011/02/24/weighing-pros-and-cons-of-energy-storage-technologies/</link>
		<comments>http://blog.assurx.com/2011/02/24/weighing-pros-and-cons-of-energy-storage-technologies/#comments</comments>
		<pubDate>Thu, 24 Feb 2011 18:49:41 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Energy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2862</guid>
		<description><![CDATA[Last time we made the argument that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace: Dynamic Power Resources (DPR) Ramp Rate Control: DPRs monitor output from a renewable generation source on a microsecond basis and [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2318" class="wp-caption alignright" style="width: 160px"><a href="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg"><img class="size-full wp-image-2318 " title="JamesHoller2" src="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p><a href="http://blog.assurx.com/2011/02/22/energy-storage-delivers-financial-environmental-benefits-for-power-entities/" target="_self">Last time we made the argument</a> that advanced energy storage has a demonstrable track record of positive environmental and economic benefits. Now let’s look at some of the energy storage technologies available in today’s marketplace:</p>
<p>Dynamic Power Resources (DPR)</p>
<ul>
<li><strong><span style="text-decoration: underline;">Ramp Rate Control</span></strong>: DPRs monitor output from a renewable generation source on a microsecond basis and automatically respond by either absorbing renewable output or supplying additional power, so that the grid receives smooth, clean power at the desired MW/minute ramp rate.</li>
<li><strong><span style="text-decoration: underline;">Firming/Shaping</span></strong>: Coupling a DPR with a renewable generation forecast allows the utility to schedule its other generation resources against guaranteed day-ahead renewable output, and to reshape output so that power is delivered during peak demand whether or not the renewable asset is generating at that moment. If a forecast is inaccurate, the DPR automatically supplies or absorbs power on a microsecond basis to ensure the day-ahead output schedule is met.</li>
<li><strong><span style="text-decoration: underline;">Curtailment Mitigation</span></strong>: When the utility needs to curtail renewable output, the DPR makes use of all of the as-available fuel by storing the curtailed power and redistributing it later in the day, whenever the grid needs additional energy.</li>
<li><strong><span style="text-decoration: underline;">Ancillary Services</span></strong>: The speed and accuracy of a full four-quadrant DPR are unmatched by typical generation resources.
<ul>
<li>Voltage Support: the DPR can supply and absorb reactive power (VARs) while simultaneously supplying real power (watts). This lets the system hold a target power factor while continuing to provide the other real-power services described in this section.</li>
<li>Frequency Regulation: the DPR responds to AGC signals and/or frequency deviations with control algorithms that help maintain nominal grid frequency. It can provide frequency support during loss of generation or a system disturbance, and it can also correct the smaller deviations that arise from normal grid operation throughout the day.</li>
<li>Spinning Reserve: the DPR’s modular sizing lets the customer add energy storage (MWh) so that it acts as a back-up power reserve for generation trip scenarios, supplying power while offline generation units ramp up to replace the lost generation.</li>
</ul>
</li>
<li><strong><span style="text-decoration: underline;">Transmission and Distribution Upgrade Deferral</span></strong>: Instead of undertaking costly T&amp;D upgrades, use DPRs to supply power for incremental load growth and to improve reliability on weak or congested T&amp;D lines.</li>
<li><strong><span style="text-decoration: underline;">Peak-Shaving/Load-Leveling</span></strong>: Similar to ramp rate control but over longer periods, a DPR charges during off-peak hours and discharges during on-peak hours. Peak loads are reduced, which lets traditional generation run more efficiently.</li>
</ul>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2011/02/24/weighing-pros-and-cons-of-energy-storage-technologies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Energy Storage Delivers Financial, Environmental Benefits for Power Entities</title>
		<link>http://blog.assurx.com/2011/02/22/energy-storage-delivers-financial-environmental-benefits-for-power-entities/</link>
		<comments>http://blog.assurx.com/2011/02/22/energy-storage-delivers-financial-environmental-benefits-for-power-entities/#comments</comments>
		<pubDate>Tue, 22 Feb 2011 20:24:25 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[Energy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2849</guid>
		<description><![CDATA[Advanced energy storage has proven that it delivers significant environmental and economic benefits as well as superior Bulk Electric System (BES) reliability. Let’s look at some of its key benefits: Reduces the Need for Reserve Power Plants: Electricity storage technologies provide effective methods of responding to daily fluctuations in demand. Electricity produced at off-peak hours [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2318" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg"><img class="size-full wp-image-2318" title="JamesHoller2" src="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>Advanced energy storage has proven that it delivers significant environmental and economic benefits as well as superior Bulk Electric System (BES) reliability. Let’s look at some of its key benefits:</p>
<p><strong><em>Reduces the Need for Reserve Power Plants:</em></strong> Electricity storage technologies provide an effective way to respond to daily fluctuations in demand. Electricity produced at off-peak hours can now be stored and used later to meet demand spikes, reducing the need for expensive, aging, carbon-emitting fossil-fired reserve generation plants.</p>
<p><strong><em>Cuts the Cost of Power Failures:</em></strong> Because of the aging U.S. electricity grid, the DOE estimates that <a href="http://www.cnn.com/2010/TECH/innovation/08/09/smart.grid/index.html" target="_blank">electricity outages and interruptions cost the U.S. approximately $150 billion</a> annually. Electricity storage technologies can supply power to the grid to “bridge” gaps and smooth out short-term fluctuations until backup generation sources can be brought online.</p>
<p><strong><em>Boosts Renewable Energy Integration:</em></strong> Wind and solar are the two largest carbon-free renewable energy sources, but both are intermittent: their output varies widely through the day with changing wind patterns and passing cloud cover over solar panels. Power storage technologies can smooth this variability and hold unused electricity for dispatch later, when it is needed at peak times. Paired with renewables, energy storage can also provide regulation services such as ramp rate control, curtailment mitigation, firming/shaping of power and other grid reliability services.</p>
<p>Six energy storage technologies are available in the market today: pumped hydropower, batteries, compressed air energy storage, flywheels, superconducting magnetic energy storage, and electrochemical capacitors. Solid-state battery technologies are suited to quick, modular, scalable deployments with few environmental risks. We’ll survey each in our next blog tomorrow.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2011/02/22/energy-storage-delivers-financial-environmental-benefits-for-power-entities/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Skilled Social Engineers Threaten Your Proprietary Data</title>
		<link>http://blog.assurx.com/2011/01/17/skilled-social-engineers-threaten-your-proprietary-data/</link>
		<comments>http://blog.assurx.com/2011/01/17/skilled-social-engineers-threaten-your-proprietary-data/#comments</comments>
		<pubDate>Mon, 17 Jan 2011 17:20:45 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2740</guid>
		<description><![CDATA[I have used social engineering (SE) to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2318" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg"><img class="size-full wp-image-2318" title="JamesHoller2" src="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>I have used <a title="Social Engineering (SE)" href="http://en.wikipedia.org/wiki/Social_engineering_(security)" target="_blank">social engineering (SE)</a> to gain physical access to several large facilities and then to get key passwords and login information from people. I have posed as technicians and other officials in order to gain the proprietary information I wanted. Luckily, I’m a good guy who did this at the request of clients to test their own defenses.</p>
<p>Unfortunately, there are a lot of bad guys out there who do this, too.</p>
<p>The bag of tricks that Social Engineers use allows them to lie, cheat and steal their way past your organization&#8217;s security controls. The ultimate goal, in most instances, is theft, fraud and/or espionage.</p>
<p>Your best line of defense: Training your people.</p>
<p>Fraud incidents are on the rise and many of these crimes result from social engineers pulling off their costly deceptions in person, via the telephone and through popular social networking sites.</p>
<p>Despite <a title="Stuxnet" href="http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" target="_blank">all the media hype about hackers and viruses</a>, the greatest threats to an organization&#8217;s information security are actually the employees of the company. They&#8217;re the ones who too often, too easily, fall victim to Social Engineering ploys and open the doors wide to anyone who appears to be and act “normal”.</p>
<p>Bank robbers case the joint. So do Social Engineers.</p>
<p>When an intruder targets an organization for attack, be it for theft, fraud, economic espionage, or any other reason, the first step is reconnaissance. They need to know their target. The easiest way to conduct this task is by gaining information from those that know the company best. Their information gathering can range from simple phone calls to dumpster diving.</p>
<p>Being aware of these attacks, educating your employees about the attackers’ methods, and having a plan in place to mitigate them are essential to blocking these manipulations. Regular testing to confirm that your training is actually working is a must. Your training must give staff an understanding of social engineering methods, why it is the most effective tool for attacking a company, and why so many people fall victim. Staff also need to learn how effective corporate communication and incident response planning can prevent attacks from occurring in the first place.</p>
<p>Once you discover the best ways to test the effectiveness of your awareness efforts, you will then be able to learn what to do after the attack has occurred. Can you put the genie back in the bottle? Yes, if you know where the genie is likely to go next. Remember, everyone is susceptible to this kind of theft. The key is to know how to spot it so you can stop it.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2011/01/17/skilled-social-engineers-threaten-your-proprietary-data/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are The NERC Requirements Strong Enough To Protect The Power Grid?</title>
		<link>http://blog.assurx.com/2010/10/27/are-the-nerc-requirements-strong-enough-to-protect-the-power-grid/</link>
		<comments>http://blog.assurx.com/2010/10/27/are-the-nerc-requirements-strong-enough-to-protect-the-power-grid/#comments</comments>
		<pubDate>Wed, 27 Oct 2010 14:33:11 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2448</guid>
		<description><![CDATA[The NERC requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all. With so much at stake, NERC is faced with a daunting challenge of locking down [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2318" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg"><img class="size-full wp-image-2318" title="JamesHoller2" src="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>The <a title="NERC" href="http://www.nerc.com" target="_blank">NERC</a> requirements might help the people at NERC and the regions get a better night’s sleep, but a sound action plan, including situational awareness, is the only true way to get there — and ensure greater cybersecurity for all.</p>
<p>With so much at stake, NERC is faced with the daunting challenge of locking down the nation’s cyber infrastructure as it pertains to the power grid. NERC has forced registered entities to establish programs for securing their Critical Assets and Critical Cyber Assets that include dedicated management, oversight, accountability of corporate officers, processes for securing IT systems, and mechanisms for measuring progress.</p>
<p>Of course, just meeting NERC requirements doesn’t mean a registered entity is secure. NERC should recognize its shortcomings and pass a measure that will, among other things, strengthen the role of an industry recognized leader like the <a title="NIST" href="http://www.nist.gov" target="_blank">National Institute of Standards and Technology</a> in shaping cybersecurity requirements.</p>
<p>So, why is cybersecurity such a challenge? That’s a loaded question because today’s information infrastructure is a quandary. Some of the issues are:</p>
<p><strong>Advanced Persistent Threat</strong></p>
<p>Cyber criminals have become more sophisticated, outpacing defensive measures. Hackers constantly exploit weaknesses in popular products and create new techniques using viruses, rogue antivirus software, keystroke loggers, botnets, and other tools, for immediate targets or time-triggered actions.</p>
<p><strong>New Dynamics</strong></p>
<p>Registered entities have completely changed the way they communicate, interact and accomplish their missions. They’re sharing information in new, amazing and sometimes scary ways—from portals (regional scale for the most part) to social networking websites like <a title="LinkedIn" href="http://www.linkedin.com" target="_blank">LinkedIn</a>. They’re even bringing trusted third parties into the fold. And their flexible IT model is establishing technology options that could present more risks, such as mobility and cloud computing.</p>
<p><strong>Shared Risk</strong></p>
<p>All of this is extending NERC’s reach into the critical infrastructure. Yet, 95% of that infrastructure is in the hands of the private sector. Risk to that infrastructure, information assets and private data is rampant, with potentially deep and catastrophic consequences. The fact is, registered entities are giving more and more access to data and applications, a practice that runs counter to most security thinking. Traditional network security that relies on reactive measures simply isn’t enough.</p>
<p><strong>Pay Closer Attention To Applications</strong></p>
<p>Whether off-the-shelf or home-grown, most applications are not engineered with security in mind, so you need trusted development processes to maintain their integrity. For registered entities today, that means adhering to the NERC requirements. Trusted delivery is also critical, especially with innovations like cloud computing. Protecting the perimeter around applications is not a sufficient defense; you must extend security to the application layer. In every case, you need to be able to measure an application’s ability to process and handle sensitive information throughout its deployment lifecycle.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/10/27/are-the-nerc-requirements-strong-enough-to-protect-the-power-grid/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Access Card Readers are Becoming an “Achilles Heel” for NERC CIP-005 / CIP-006</title>
		<link>http://blog.assurx.com/2010/09/30/how-access-card-readers-are-becoming-an-%e2%80%9cachilles-heel%e2%80%9d-for-nerc-cip-005-cip-006/</link>
		<comments>http://blog.assurx.com/2010/09/30/how-access-card-readers-are-becoming-an-%e2%80%9cachilles-heel%e2%80%9d-for-nerc-cip-005-cip-006/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 14:45:56 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[FERC]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2309</guid>
		<description><![CDATA[Having conducted numerous Mock Audits and Gap Analyses for our clients, I am beginning to see a troubling pattern. A majority of the registered entities we have visited have failed to properly include the access card reader(s) on their Critical Cyber Asset list. This post will spell out in detail what NERC and FERC expect [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_2318" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg"><img class="size-full wp-image-2318" title="JamesHoller2" src="http://blog.assurx.com/wp-content/uploads/2010/09/JamesHoller21.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>Having conducted numerous Mock Audits and Gap Analyses for our clients, I am beginning to see a troubling pattern. A majority of the registered entities we have visited have failed to properly include the access card reader(s) on their Critical Cyber Asset list. This post will spell out in detail what <a href="http://www.nerc.com" target="_blank">NERC</a> and <a href="http://www.ferc.gov" target="_blank">FERC </a>expect from a registered entity and most importantly, why.</p>
<p>As many of you know, access cards and access card readers are one of the main devices used to protect your Critical Assets and Critical Cyber Assets from the “bad guys”. While many registered entities employ this technology, most do not properly protect the one device that shields their assets from being tampered with. We are going to look at how the IP addresses assigned to your access card readers are not being protected and what can happen as a consequence.</p>
<p>If the card reader system for your Physical Security Perimeter (PSP) has an IP address associated with it, you must include it in your Critical Cyber Asset list. Because the devices are IP networked, controlled, monitored and administered, they need to be included as per CIP-002 R3.1 whenever that PSP protects access to a control center, Critical Assets or Critical Cyber Assets. Leaving these devices off the list is an audit finding that <strong><em>WILL</em></strong> lead to a FERC investigation, you can bet on that. If the card readers are not protecting any of the areas mentioned, then why label them as part of the PSP at all? The purpose of a PSP is to protect and monitor physical access to critical assets in much the same way the Electronic Security Perimeter (ESP) protects and monitors electronic access to critical cyber assets. This is why the language in CIP-005 and CIP-006 is so similar. Better to err on the side of caution in case the auditor is particularly astute about what FERC considers “compliant”.</p>
<p>Examples of what can happen if you fail to properly protect the access card readers are:</p>
<ul>
<li>An attacker who can reach the reader’s IP address can fail the door or doors “open”, effectively turning off the access card reader</li>
<li>The same access can turn off the alarm portion of the card reader, making it easy to enter the CCA area without being detected for an undetermined amount of time</li>
<li>The reader can then be used as a foothold to back-track into the corporate network and do much more harm than just disabling an access card reader</li>
</ul>
<p>You will definitely suffer a severe financial loss from the fine that will be issued when an auditor discovers this oversight.</p>
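<p>As an added example (not part of the original post and not Abidance Consulting&#8217;s own tooling), here is a small Python reconciliation that applies the rule above: any IP-networked device that authorizes or logs access to a PSP guarding a control center, Critical Asset or Critical Cyber Asset must appear on the CCA list, and any such device whose interface sits outside an ESP is a pivot point into the rest of the network. The inventory fields, device names and addresses are assumptions made for the example, not a NERC or vendor schema, and the dial-up rule is an addition the post itself does not state.</p>

```python
"""Reconcile a cyber-asset inventory against the Critical Cyber Asset (CCA)
list and flag IP-networked physical access control devices (card readers and
the controllers behind them) that guard a PSP but were left off the list.
Inventory fields, device names and addresses are assumptions made for this
example, not a NERC or vendor schema."""

from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CyberAsset:
    name: str
    ip: str | None                # None when the device has no network interface
    protects_psp: bool            # device authorizes or logs access to a PSP
    psp_guards: set[str] = field(default_factory=set)  # what sits inside that PSP
    routable: bool = False        # speaks IP, as opposed to serial/Wiegand only
    inside_esp: bool = False      # its interface is within an Electronic Security Perimeter
    dial_up: bool = False


# PSP contents that make the devices guarding it candidates for the CCA list.
PROTECTED_KINDS = {"control_center", "critical_asset", "critical_cyber_asset"}


def cca_reasons(asset: CyberAsset) -> list[str]:
    """Why this asset belongs on the CCA list; empty list if it does not.

    The IP-networked rule is the post's own point (CIP-002 R3.1). The dial-up
    rule is added here as a second remote-access path and is the editor's
    assumption, not something the post states."""
    if not (asset.protects_psp and asset.psp_guards & PROTECTED_KINDS):
        return []
    reasons = []
    if asset.routable and asset.ip:
        reasons.append("IP-networked device guarding a PSP (CIP-002 R3.1)")
    if asset.dial_up:
        reasons.append("dial-up accessible device guarding a PSP")
    return reasons


def audit(inventory: list[CyberAsset], cca_list: list[str]) -> list[tuple[str, str]]:
    """Return (asset name, finding) pairs an auditor would raise."""
    listed = set(cca_list)
    findings = []
    for asset in inventory:
        reasons = cca_reasons(asset)
        if reasons and asset.name not in listed:
            findings.append((asset.name, "missing from CCA list: " + "; ".join(reasons)))
        # Third consequence in the post: a reader reachable from the corporate
        # network is a pivot point whether or not it is on the list.
        if asset.routable and asset.ip and asset.protects_psp and not asset.inside_esp:
            findings.append((asset.name,
                             f"{asset.ip} sits outside any ESP and is reachable from the corporate network"))
    return findings


# Constructed sample inventory: two networked readers, one serial lobby reader,
# the access-control server and an RTU that is already listed correctly.
SAMPLE_INVENTORY = [
    CyberAsset("RDR-CC-01", "10.20.5.11", True, {"control_center"}, routable=True, inside_esp=True),
    CyberAsset("RDR-SUB-07", "10.20.9.44", True, {"critical_asset"}, routable=True, inside_esp=False),
    CyberAsset("RDR-LOBBY", None, True, {"office"}, routable=False),
    CyberAsset("PACS-SRV-1", "10.20.5.10", True, {"control_center", "critical_cyber_asset"},
               routable=True, inside_esp=True),
    CyberAsset("EMS-RTU-3", "10.20.5.30", False, set(), routable=True, inside_esp=True),
]
SAMPLE_CCA_LIST = ["PACS-SRV-1", "EMS-RTU-3"]


def run_sample() -> list[tuple[str, str]]:
    return audit(SAMPLE_INVENTORY, SAMPLE_CCA_LIST)


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

<p>Feed it your real asset inventory and CCA list (most entities keep both as spreadsheets) and anything it reports is a finding you would rather discover before the auditor does.</p>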
<p><em>This month we thought we would try something new. We are going to hold a conference call on October 1st at 2:30pm CST with our latest staff member, Randal Blanchette, the former lead CIP and ICP enforcer at <a href="http://www.ferc.gov" target="_blank">FERC</a>. For those who want to participate on this call and ask Randal questions related to this and other CIP related subjects, please email us at <a href="mailto:james.holler@abidanceconsulting.com">james.holler@abidanceconsulting.com</a> and put CIP Conference Call in the subject line.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/09/30/how-access-card-readers-are-becoming-an-%e2%80%9cachilles-heel%e2%80%9d-for-nerc-cip-005-cip-006/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Part II: Protect Your Data and Your Company From an Internal or External “Hack-Attack”</title>
		<link>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/</link>
		<comments>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/#comments</comments>
		<pubDate>Thu, 12 Aug 2010 15:07:11 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2074</guid>
		<description><![CDATA[In Part 1 of this series, we touched on some ways to make it so difficult to pull off a hack-attack, that the perpetrator will most likely want to go somewhere else and try their attack. In this section, we’re going to address testing, maintaining and other important items that deserve your attention. Testing Once [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p><a href="http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%E2%80%9Chack-attack%E2%80%9D/" target="_self">In Part 1 of this series,</a> we touched on some ways to make a hack-attack so difficult to pull off that the perpetrator will most likely give up and try somewhere else.</p>
<p>In this section, we’re going to address testing, maintaining and other important items that deserve your attention.</p>
<p><strong>Testing</strong></p>
<p>Once you have fixed all of the issues, you need to test everything to make sure it works the way it is supposed to. First create the benchmarks you will test against; running a test for the sake of running a test is futile. Once the benchmark(s) have been set, you are ready to test that:</p>
<ul>
<li>Port scans show only the required ports and services open and running</li>
<li>Firewalls detect and log intrusion attempts</li>
<li>Switches and routers carry only active, authorized administrator accounts (no dormant or shared ones)</li>
<li>Passwords adhere to your compliance requirements, etc.</li>
</ul>
<p>Be sure to document your test procedure(s) step-by-step as well as the test results. Note if the outcome of the test was expected or not. If there is anything that fails during your testing, you need to fix those issues and retest. Don’t skimp on testing…hackers are not forgiving and just like in dodge ball, there are no “do-overs”.</p>
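<p>The port-scan test is the one most often done by eye. As an added example (not code from the original post), the Python below turns it into a repeatable check: it parses nmap&#8217;s grepable output (the -oG format) and reports every open port that the per-host benchmark does not allow, which is the test-against-a-benchmark discipline the text calls for. The benchmark layout, the hosts and the scan lines are constructed for the example.</p>

```python
"""Check a port scan against the benchmark for each host and report every
open port the benchmark does not allow. Input is nmap's grepable output
(-oG), which writes one "Host: ... Ports: ..." line per scanned host. The
benchmark layout, the hosts and the scan lines below are constructed for
this example."""

from __future__ import annotations

import re

# Benchmark: per host, the (protocol, port) pairs that are supposed to be open.
# A host absent from the benchmark is allowed nothing.
BENCHMARK = {
    "10.0.0.5": {("tcp", 22), ("tcp", 443)},
    "10.0.0.6": {("tcp", 22)},
}

# Constructed nmap -oG output for the two hosts above. Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ and entries are comma separated.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -p- -oG scan.gnmap 10.0.0.5-6
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 111/filtered/tcp//rpcbind///\tIgnored State: closed (65531)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (65533)
# Nmap done
"""

# port / state / protocol / owner / service  (owner is usually empty)
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text: str) -> dict[str, set[tuple[str, int, str]]]:
    """Return {host: {(protocol, port, service), ...}} for ports in state 'open'.
    Filtered and closed ports are dropped: they are not exposures."""
    open_ports: dict[str, set[tuple[str, int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            if state == "open":
                open_ports.setdefault(host, set()).add((proto, int(port), service))
    return open_ports


def unexpected_open_ports(scan, benchmark):
    """Open ports that the host's benchmark does not allow, as
    (host, protocol, port, service) tuples in a stable order for reporting."""
    findings = []
    for host in sorted(scan):
        allowed = benchmark.get(host, set())
        for proto, port, service in sorted(scan[host]):
            if (proto, port) not in allowed:
                findings.append((host, proto, port, service))
    return findings


def run_sample():
    return unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BENCHMARK)


if __name__ == "__main__":
    for host, proto, port, service in run_sample():
        print(f"{host}: {port}/{proto} ({service or 'unknown'}) open but not in benchmark")
```

<p>Run nmap with -oG against your own hosts, keep the benchmark under change control, and re-run the comparison after every maintenance window: a port that shows up in the diff is either an undocumented change or something you did not put there.</p>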
<p><strong>Maintaining</strong></p>
<p>Once you have tested everything and are assured that your organization is where it needs to be, you need to create and maintain a maintenance program. Don’t try creating one before everything has been tested; you will surely end up changing it, which makes your previous effort null. Your maintenance program needs firm dates and times for scheduled maintenance. You need multiple maintenance programs, such as:</p>
<ul>
<li>Patch management</li>
<li>Password management</li>
<li>Network account management</li>
<li>System management</li>
<li>Applications management</li>
<li>Operating system management</li>
<li>Security administration etc</li>
</ul>
<p>By setting up multiple maintenance programs you create “silos” for each area and can assign personnel responsible for each one. This gives a better view should there be a failure in any of these areas, making it easier to see where the failure occurred and to fix it faster.</p>
<p><strong>Worth Considering</strong></p>
<p>There are a few tricks that you can implement on your network that will make a hacker think twice about trying anything. The more difficult you make it for the hacker to attack, the more likely it is that they will go somewhere else to attack. As someone who has spent the better part of the past quarter of a century protecting companies against attackers, I have listed a few neat tricks you can implement:</p>
<p><strong>Honey Pots</strong></p>
<p>A honey pot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers. These honey pots can be used to track and in some cases trap and report a hacker.</p>
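<p>As an added illustration (not the author&#8217;s code), here is a minimal low-interaction honey pot in Python: it listens on a port nothing legitimate should ever touch, presents a plausible service banner, records who connected and what they sent first, and drops the connection. The banner text and the client used to poke it are assumptions made for the example.</p>

```python
"""Minimal low-interaction TCP honey pot: listen on a port no legitimate
system should use, present a plausible banner, record whoever connects and
what they send first, then close. The banner text is an assumption for this
example; the point is that any connection at all is an alert."""

from __future__ import annotations

import socket
import threading
import time


class Honeypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 banner: bytes = b"220 files.corp.example FTP server ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))       # port 0 lets the OS pick one (handy for tests)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.banner = banner
        self.events: list[dict] = []      # one record per connection: the alert feed

    def serve_once(self, timeout: float = 5.0) -> None:
        """Accept a single connection, capture its first payload, record it."""
        self.sock.settimeout(timeout)
        try:
            conn, (src_ip, src_port) = self.sock.accept()
        except socket.timeout:
            return
        with conn:
            conn.settimeout(2.0)
            conn.sendall(self.banner)      # look like a real service so the attacker talks
            try:
                payload = conn.recv(1024)  # first thing they send: usually a login attempt
            except socket.timeout:
                payload = b""
        self.events.append({"time": time.time(), "src_ip": src_ip,
                            "src_port": src_port, "payload": payload})

    def close(self) -> None:
        self.sock.close()


def demo() -> dict:
    """Run the honey pot in a thread and poke it with a client that behaves
    like an attacker trying a default login. Returns the recorded event."""
    hp = Honeypot()
    worker = threading.Thread(target=hp.serve_once, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2.0) as client:
        banner = client.recv(1024)
        client.sendall(b"USER admin\r\n")
    worker.join(5.0)
    hp.close()
    event = hp.events[0]
    event["banner_seen"] = banner
    return event


if __name__ == "__main__":
    ev = demo()
    print(f"ALERT honey pot touched from {ev['src_ip']}:{ev['src_port']}, sent {ev['payload']!r}")
```

<p>Because no legitimate system has a reason to connect, every event it records deserves an alert; forward them to whatever you use for alarms, and keep the honey pot on its own isolated segment so that breaking into the pot itself gains the attacker nothing.</p>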
<p><strong>Trace Routing</strong></p>
<p>Having the attacker&#8217;s IP address is all well and good, but what can you do with it? Quite a lot. The address alone is not enough; you also need to know where the attacker&#8217;s connections are coming from. You may have used automated trace routing tools before, but do you know how they work?</p>
<p>Open a command prompt and run tracert followed by the IP address or hostname.</p>
<p>The trace route lists every router between you and the target machine, including hops that do not answer (shown as timeouts, usually a firewall or filtering device). More often than not, the hostname listed just before the final one belongs to the attacker&#8217;s ISP. Either the ISP&#8217;s name is visible in that hostname, or you run a second trace (or a whois lookup) on that hop&#8217;s address to identify the ISP. Bear in mind that the address you are tracing is frequently a proxy or a compromised machine rather than the attacker&#8217;s own; the trace tells you who is responsible for that last hop, which is where an abuse report goes.</p>
<p><strong>Reverse DNS Query</strong></p>
<p>This is probably the most effective way of running a trace on somebody. If ever you&#8217;re in a chat room and you see someone saying that they&#8217;ve &#8220;hacked into a satellite orbiting the Earth, and are taking pictures of your house right now&#8221;, ignore them, because that&#8217;s just bad movie nonsense. THIS method is the way to go for finding out what country (maybe even what state or city) someone is in, although it&#8217;s almost impossible to pin down an EXACT geographical location without actually breaking into the ISP&#8217;s head office and running off with the safe.</p>
<p>To see reverse DNS at work, open a command prompt and run netstat without the -n switch: it performs a reverse lookup on every active connection and shows the foreign address as a hostname rather than in numeric form (netstat -an shows the raw addresses, which is the form to keep for your records).</p>
<p>DNS stands for Domain Name System. Its servers are machines connected to the Internet whose job is to keep track of the IP addresses and domain names of other machines. When called upon, they take the domain name and convert it to the relevant numeric IP address. A forward DNS lookup translates a hostname into an IP address, which is why we can enter &#8220;www.hotmail.com&#8221; and get the website to come up instead of having to remember Hotmail&#8217;s IP address.</p>
<p>Reverse DNS does the opposite: it translates an IP address into a hostname, using the PTR record for that address. The catch is that the PTR record is set by whoever controls the address block, not by you, so it can be missing, stale or deliberately misleading; that is one of the methods a hacker can use to stop netstat from showing a meaningful hostname. Treat a reverse-DNS name as a hint, and confirm it by resolving that name forward and checking that it points back to the same IP address.</p>
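<p>As an added example (not from the original post), the Python below does the netstat-plus-reverse-DNS routine above, together with the confirmation step: it extracts the foreign addresses from netstat output, looks up the PTR name for each, then resolves that name forward and only trusts it if it points back to the same address (forward-confirmed reverse DNS). The netstat lines, the stub resolver and the names it returns are constructed for the example so it runs offline; the system_reverse and system_forward functions use the real resolver when you point it at your own machine.</p>

```python
"""Pull the foreign addresses out of netstat output and run a
forward-confirmed reverse DNS (FCrDNS) check on each: look up the PTR name
for the address, resolve that name forward, and require the original
address to be among the answers. The netstat lines, the stub resolver and
the names it returns are constructed for this example; the system_* functions
use the real resolver when you run it against your own netstat output."""

from __future__ import annotations

import socket
from typing import Callable, Optional

# Constructed Windows-style `netstat -an` output. Linux `netstat -ant` lays the
# columns out differently but the address fields split the same way.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          203.0.113.7:51234      ESTABLISHED
  TCP    10.0.0.5:445           198.51.100.23:4021     ESTABLISHED
  TCP    10.0.0.5:49701         10.0.0.9:445           ESTABLISHED
"""

# Address prefixes that are our own network; peers there are not "foreign"
# in the sense that matters here. Assumption made for the example.
INTERNAL_PREFIXES = ("10.", "127.", "0.0.0.0")


def foreign_peers(netstat_text: str) -> list[tuple[str, int]]:
    """(ip, port) of every ESTABLISHED connection whose peer is outside our network."""
    peers = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        foreign, state = parts[2], parts[3]
        ip, _, port = foreign.rpartition(":")
        if state == "ESTABLISHED" and not ip.startswith(INTERNAL_PREFIXES):
            peers.append((ip, int(port)))
    return peers


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> list[str]:
    """A-record lookup through the OS resolver; empty list when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def forward_confirmed(ip: str,
                      reverse: Callable[[str], Optional[str]] = system_reverse,
                      forward: Callable[[str], list[str]] = system_forward) -> dict:
    """FCrDNS verdict for one address. 'confirmed' is True only when the PTR
    name resolves forward to the same address; anything else is an unverified claim."""
    name = reverse(ip)
    confirmed = name is not None and ip in forward(name)
    return {"ip": ip, "ptr": name, "confirmed": confirmed}


# Stub resolver standing in for DNS so the example runs offline (constructed data).
# 198.51.100.23 carries a PTR claiming to be a bank's mail server, but that name
# resolves to a different address: the classic spoofed PTR.
STUB_PTR = {"203.0.113.7": "dsl-7.isp.example.net", "198.51.100.23": "mail.bank.example"}
STUB_A = {"dsl-7.isp.example.net": ["203.0.113.7"], "mail.bank.example": ["192.0.2.10"]}


def run_sample() -> list[dict]:
    results = []
    for ip, port in foreign_peers(SAMPLE_NETSTAT):
        verdict = forward_confirmed(ip, reverse=STUB_PTR.get, forward=lambda n: STUB_A.get(n, []))
        verdict["port"] = port
        results.append(verdict)
    return results


if __name__ == "__main__":
    for v in run_sample():
        flag = "ok" if v["confirmed"] else "UNCONFIRMED, do not trust the name"
        print(f"{v['ip']}:{v['port']} -> {v['ptr']} [{flag}]")
```

<p>To run it for real, replace SAMPLE_NETSTAT with the output of netstat -an and call forward_confirmed with its default resolvers; a name that fails confirmation tells you nothing about who the peer is, and a confirmed name still only identifies the network operator, which is who you contact.</p>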
<p>While we’ve given you a very high level look at what needs to be done to better protect yourself from a hack attack, we believe it represents the best place to start in understanding what you need to do.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/12/part-ii-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Part I: Protect Your Data and Your Company From an Internal or External “Hack-Attack”</title>
		<link>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/</link>
		<comments>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 15:51:16 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=2066</guid>
		<description><![CDATA[Part 1 of a 2-part series First, let me start with the bad news: There is no absolute way to prevent an internal or external hack-attack. With that said, there are some things that you can do that will make it so difficult to pull off a hack-attack, that the perpetrator will most likely want [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p><em>Part 1 of a 2-part series</em></p>
<p>First, let me start with the bad news: there is no absolute way to prevent an internal or external hack-attack. With that said, there are some things you can do that will make a hack-attack so difficult to pull off that the perpetrator will most likely go somewhere else and try the attack there.</p>
<p>Now, there is an old saying, “cleanliness is next to Godliness.” I am sure you have all heard that line at some time in your life. This saying holds true in the security world. If your network is in total shambles (antivirus DAT files not updated, Service Packs so far behind that you need an abacus to determine how many versions behind you are, etc.) and your Intrusion Detection System (IDS) is monitored by humans only during business hours, then you have a “dirty” network that needs to either be cleaned or, as my mom used to tell me, “let’s just burn your room and start over; it will be easier that way.” If your network/server room looks as if a spaghetti factory has blown up, get it cleaned up by rewiring it, with a tag on each line so you know where every cable is assigned.</p>
<p>The first thing you need to understand in preparing to get your network in top form is that you must not only determine what is wrong with it, but also be open to criticism from experts. Put away the ego (one of the top reasons why networks are in shambles to begin with) so that you can listen and learn from your internal experts or external consultants – you hired them, now listen to them.</p>
<p>In Part 1, we’ll look at network discovery issues, vulnerability assessments, and discuss ways to fix some of these challenges.</p>
<p><strong>Network Discovery</strong></p>
<p>Before you can determine what’s wrong with your network, you must first know what your network looks like. You will want to conduct a thorough network discovery since you are going to need to know not only what devices are on your network, but also where they are. Please don’t think that you are going to run a piece of software that will show you everything. If you have a wireless or dial-up modem hanging off of your network and the power button is off, you may never discover it. You may need to do a physical inspection of your entire facility…look up in the ceiling…those pesky tiles can support the weight of a modem and even an old sandwich from 4 years ago. I personally use an iPaq handheld device that is capable of “sniffing” out these modems, even when they are turned off. Now that you have a true and correct picture of your network, you will need to conduct a vulnerability assessment to determine what areas are weak and are in need of attention.</p>
<p><strong>Vulnerability Assessment</strong></p>
<p>To ensure that there are no “cover-ups” by your staff, it is recommended that you have an outside consulting firm come in and conduct the assessment for you. Depending on the size of your organization, the fees for this could be $15k to $30k or more. The final report delivered should be comprehensive in nature. Be sure to ask for sample reports prior to awarding a contract or project to anyone. There are areas that must be looked at closely, so make sure whoever you assign the project to gives you a list of the services (scans and tests) they are going to run. My only word of caution here is that you <em>do not allow a penetration attack to be made against your Primary Domain Controller (PDC)</em>. Once the assessment is completed, make sure that you not only address the issues, but actually fix them.</p>
<p><strong>Fixing The Issues</strong></p>
<p>When you do get the final report, there are going to be a lot of findings that need to be fixed. Don’t worry; the “bark” of the report is much worse than the “bite”. Depending on how bad your network was when the assessment was conducted, you may have anywhere from a few pages of issues to as much as a thousand pages of issues – one assessment we did a few years back yielded almost 7,000 pages (a government agency…need I say more). When you are reading your final report, one of the first questions you need to ask yourself is, “Where do I begin?” Not to worry: your security staff/consultants should prioritize what needs to be done and at what point in the project it needs to be done. The point at which a certain task is completed is very important, since everything has a logical order to it…you wouldn’t put the seats in a car before you laid down the carpet. Your staff and/or consultants should know this and be able to build out a project plan with a scope of work, keeping you (the stakeholder) in the loop at all times. Never be afraid to ask questions or challenge something if you feel it isn’t the right thing to do or you don’t understand why something is or isn’t being done.</p>
<p>To save time and money, you have to look at all of the different compliance regimes you have to deal with (NERC, EPA, OSHA, etc.) and cross-walk your remediation efforts to all of these compliance requirements. Doing this will ultimately save you time and money by avoiding duplicated effort.</p>
<p>Next time, we’ll look at testing, maintaining, and some other important issues that merit your attention.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/08/10/part-i-protect-your-data-and-your-company-from-an-internal-or-external-%e2%80%9chack-attack%e2%80%9d/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Hackers Up the Ante in Attack on Electronic Data in Power Plants and Other Facilities</title>
		<link>http://blog.assurx.com/2010/07/27/hackers-up-the-ante-in-attack-on-electronic-data-in-power-plants-and-other-facilities/</link>
		<comments>http://blog.assurx.com/2010/07/27/hackers-up-the-ante-in-attack-on-electronic-data-in-power-plants-and-other-facilities/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 14:59:40 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=1995</guid>
		<description><![CDATA[According to the Wall Street Journal (WSJ), computer hackers have designed a virus that targets the industrial control systems, to include power plants, built by German engineering giant Siemens AG. The virus apparently activates a kind of malicious software that analysts say represents a growing corporate-espionage threat. This type of threat has been talked about [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><a href="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg"><img class="size-full wp-image-1691" src="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>According to the <a title="Virus Attacks Siemens Plant-Control Systems " href="http://online.wsj.com/article/SB10001424052748703954804575381372165249074.html?mod=crnews" target="_blank">Wall Street Journal (<em>WSJ</em>)</a>, computer hackers have designed a virus that targets industrial control systems, including those in power plants, built by German engineering giant <a title="Siemens" href="http://www.siemens.com" target="_blank">Siemens AG</a>. The virus apparently activates a kind of malicious software that analysts say represents a growing corporate-espionage threat. This type of threat has been talked about for years &#8212; and it is now a reality.</p>
<p>The virus, Stuxnet, is spread by USB devices plugged into the physically unsecured USB ports on the machine(s) hosting the SCADA systems used by power plants and other types of facilities. The virus is programmed to steal data from the computer systems used to monitor plants built for anything from manufacturing to power generation to water treatment.</p>
<p>Researchers analyzing the virus say that they are now seeing several thousand infection attempts daily, though the virus is only activated if it lands on a computer running the Siemens systems software. Analysts warn that the attack on the Siemens systems marks an escalation in hackers&#8217; efforts to use viruses for industrial espionage or sabotage purposes. This attack will surely cause the <a title="NERC" href="http://www.nerc.com" target="_blank">NERC</a> CIP regulations to be tightened even more quickly than before this story broke.</p>
<p>Smaller, more isolated virus attacks have been attempted before on SCADA systems, but this is the first such infection where a virus is searching specifically for SCADA systems to attack on such a large-scale basis. The worry among security analysts should be that such viruses will, at some point, be used by criminal organizations or even terror groups to sabotage power plants.</p>
<p>The Stuxnet virus specifically exploits an unpatched vulnerability in the Microsoft Windows operating system, allowing it to spread through USB devices. Once the virus has infected the Siemens system, it uses default passwords that are hard-coded into the Siemens software to upload false control-system data to a remote server. In an advisory that Siemens posted on its website, the company said Microsoft was working on a patch to fix the vulnerability at the USB interface. In its own website advisory, Microsoft has provided a workaround to offer some additional protection until a patch, or update, is ready.</p>
<p>Siemens said it expects to approve the updated virus scanners this week and also plans to <a href="http://www.buildingtechnologies.siemens.com/bt/us/News__and__Events/News/Pages/WinCCSecurity.aspx" target="_blank">provide customers with a diagnostic tool to check if their systems have been infected</a>. In the meantime, the company&#8217;s website advisory urges customers not to use any USB storage sticks.</p>
<p>Siemens, Microsoft and other security analysts haven&#8217;t determined where the virus originated. Many of the infection attempts have originated from India, Indonesia and Iran. The virus likely was created in Asia, given the pattern of attacks and technology used.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/07/27/hackers-up-the-ante-in-attack-on-electronic-data-in-power-plants-and-other-facilities/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Telling the Whole Story About US Cyber Attack Program</title>
		<link>http://blog.assurx.com/2010/07/12/telling-the-whole-story-about-us-cyber-attack-program/</link>
		<comments>http://blog.assurx.com/2010/07/12/telling-the-whole-story-about-us-cyber-attack-program/#comments</comments>
		<pubDate>Mon, 12 Jul 2010 13:53:53 +0000</pubDate>
		<dc:creator>James Holler</dc:creator>
				<category><![CDATA[Electric Reliability]]></category>
		<category><![CDATA[James Holler]]></category>
		<category><![CDATA[Regulatory]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.assurx.com/?p=1871</guid>
		<description><![CDATA[A recent Wall Street Journal article (July 7, 2010, “U.S. Plans Cyber Shield for Utilities, Companies”) did a good job telling some of the story about this important, and potentially chilling, American initiative. However, I feel the journalist could have, and should have, gone farther with the article. This blog will deconstruct the article and [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1691" class="wp-caption alignleft" style="width: 160px"><img class="size-full wp-image-1691" src="http://blog.assurx.com.php5-15.dfw1-1.websitetestlink.com/wp-content/uploads/2010/05/JHoller.jpg" alt="James Holler, Founder, Abidance Consulting" width="150" height="150" /><p class="wp-caption-text">James Holler, Founder, Abidance Consulting</p></div>
<p>A recent Wall Street Journal article (July 7, 2010, “<a title="U.S. Plans Cyber Shield for Utilities, Companies " href="http://online.wsj.com/article/SB10001424052748704545004575352983850463108.html?mod=WSJ_hpp_MIDDLETopStories" target="_blank">U.S. Plans Cyber Shield for Utilities, Companies</a>”) did a good job telling some of the story about this important, and potentially chilling, American initiative. However, I feel the journalist could have, and should have, gone farther with the article. This blog will deconstruct the article and add some important perspective.</p>
<p>First off, I want readers of this blog to understand that I have worked for many government agencies in and around cyber security and was one of the many team members that helped to create the <a title="FBI's Carnivore" href="http://www.linuxsecurity.com/content/view/108035/169/" target="_blank">FBI’s cyber snooping system called Carnivore</a>.</p>
<p>Let’s look at some key sections of the article, followed by my thoughts and comments:</p>
<ul>
<li>2nd paragraph – “The surveillance by the National Security Agency, the government&#8217;s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn&#8217;t persistently monitor the whole system, these people said.” The vast majority of networks in this country already have monitoring systems implemented that watch for unusual activity. Compliance requirements such as <a title="FERC 706" href="http://www.ercot.com/mktrules/compliance/tre/atre/pres/Cyber_Standards_Final_Rule_-_FERC_Order_706.pdf" target="_blank">FERC 706</a>, PCI, CFATS, HIPAA and many others require these monitoring devices. Devices such as Host-Based Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS) are on most, if not all, networks in this country, so there is no need for the NSA to implement these items.</li>
<li>6th paragraph – “The overall purpose of the [program] is our Government&#8230;feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security.” Raytheon secured an initial $100 million contract for this project but never stated that it was a good idea…only that the Government wants to ensure that the critical infrastructure is protected…but I suggest an audit would do this. Maybe that’s why <a title="FERC" href="http://www.ferc.gov" target="_blank">FERC</a> and <a href="http://www.nerc.com">NERC</a> are requiring audits to make sure registered entities are securing their networks and critical assets.</li>
<li>8th paragraph – “A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It&#8217;s a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.” The fact that the military compares snooping on a company’s network (which would give them access to payroll, financial and other sensitive information that could be used against the company for the benefit of a politically motivated attack) to a traffic camera is just plain silly. The military also says it is pertinent to preventing physical attacks on critical infrastructure…I fail to see how snooping on a corporate network has anything to do with protecting against a physical attack.</li>
<li>9th paragraph – “U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.” The statement that U.S. intelligence officials can’t describe the problem because they have had limited abilities is exactly right. However, the way this paragraph is worded would make it seem that the limited abilities are because companies are not cooperating. The truth is that there are too many opinions on how this should be done…including from those who have no idea of what they are doing or saying (politicians). The Government needs to hire a group of hackers like the Chaos Computer Club, Brazil Boys or Masters of Deception to come in and solve these problems. What? You have never heard of these guys? There’s a reason for that. The best guys/gals are never caught; therefore, they are not widely known. Companies like McAfee and Symantec keep dozens of hackers on staff to fight against viruses.</li>
<li>13th paragraph – “With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.” Are you kidding me? The NSA and many other agencies, including the CIA, FBI, NASA and most other government agencies, have been successfully hacked so many times that this argument has more holes in it than a slice of Swiss cheese. These people can’t stop “60 Minutes” reporters from obtaining sensitive information; how in the world can they protect against a cyber terrorist?</li>
<li>The article states in the 2nd to last paragraph – “While the government can&#8217;t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.” Personally, I always get a little nervous when a regulatory body talks about incentives. That is Government speak for “Do what we say or the President will invoke an emergency on your facility under the GRID Act and take your facility from you.”</li>
</ul>
<p>The “Perfect Citizen” project is, in my opinion, just one more way the politicians will attempt to grab control of a private company, all in the name of national security. There are only two groups who will benefit from this – Government agencies and consulting firms like <a title="Abidance Consulting" href="http://www.abidanceconsulting.com" target="_blank">Abidance Consulting</a>. The Government needs to take a few steps back and reassess its position. A good recommendation would be to complete audits on all critical infrastructure facilities and determine their state of readiness for a cyber attack based on best practices such as NIST 800-53 or ISO 17799. After the audits have been conducted, the Government should issue “warning citations” stating, in detail, what that facility’s shortcomings are, and give it an opportunity to make amends. If it fails to comply, then implement stronger measures against it.</p>
<p>By doing this, the Government will make friends, keep friends and will ensure that companies will do what they need to do for fear that they could lose everything. If you just come right out and force this on a company, there is no incentive on their part to cooperate.</p>
<p>James Holler is founder of <a title="Abidance Consulting" href="http://www.abidanceconsulting.com/" target="_blank">Abidance Consulting</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.assurx.com/2010/07/12/telling-the-whole-story-about-us-cyber-attack-program/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

