Michael D. Moberly March 5, 2014 ‘A blog where attention span really matters’.
According to Homeland Security News (March 4th), there is rising anxiety over the possibility of a cyber-attack on the U.S. power grid. In other words, both the private (industry) and government sectors remain insufficiently set up to effectively counter the risks – threats posed by the cyber arena.
The report was produced by a Washington nonprofit called the Bipartisan Policy Center, which admittedly did not produce much interest, primarily because there are literally hundreds of such entities ensconced throughout the ever-expanding Washington, D.C. circular interstate highway system, many, if not most, of which consistently seek notoriety and efficacy based on their presumed expertise and/or sought-after endorsements from publicly recognized experts or airplay on C-SPAN.
With respect to this particular report, what did strike me as giving it a higher level of credibility was that it was reportedly led by individuals whom most would agree possess unique insights into the subject matter, i.e., Michael V. Hayden, the former NSA and CIA director, and Curt Hébert Jr., a former chairman of the Federal Energy Regulatory Commission.
Readers are respectfully reminded that the U.S. is one of a very few countries in which much of its infrastructure, i.e., utilities, transportation, communication, healthcare, banking, water, etc., is under private sector ownership. So what turned out to be no particular surprise in the report, but still distressing, is that a percentage of these companies remain variously reluctant to share (cyber-security, cyber-attack) information with other companies, presumably inside or outside their infrastructure sector.
I understand the rationale behind most such reluctance, that is, to openly share experiential information, the basis for which has been loudly and repeatedly conveyed following the terrorist attacks of September 11, 2001, because it involves the potential for antitrust violations, or merely giving away very expensive and proprietary intellectual and structural capital that delivers competitive advantages, along with numerous other intangible assets.
That said, I am unaware of any disagreement among the more notable players and information sharing advocates (related to cyber-security and attacks) that ‘sharing’ is essential to reducing – mitigating vulnerability which can be accompanied by the wrath, scorn, and certainly reputation risk, all of which will surely materialize and be directed to companies accused of not sharing and/or being out of compliance with cyber-security ‘rules of the day’.
Equally troubling, the report cites, are federal rules intended to safeguard the electric/power utilities from cyber-attack, which, as one example, have a basic flaw: they do not give companies sufficient incentive to continually improve and adapt to ever-changing cyber risks and threats.
In my judgment, perhaps the most telling aspects of the report are…
- public utility commissions are generally well set up to address new problems, presumably risks and threats to their systems and grids, for which regulated utilities can add security costs to the expenses which they bill their customers, provided the regulators determine those expenditures to be prudent and warranted. The problem lies, the report says, in the reality that many regulators lack sufficient expertise to make – distinguish these types of judgments.
- the report also raised the issue that public utility commissioners, who decide which utility expenses are prudent and eligible to be passed on to customers, have trouble determining the value of such (security) investments.
- outside experts who were not involved with the report, nevertheless, endorsed some of its findings, e.g., Samuel P. Liles, of Purdue University’s Cyber Forensics Laboratory, rather pessimistically characterized risk – threat information sharing best practices as constituting “hit or a miss” propositions.
- Nadya Bartol, a cybersecurity expert with the Utilities Telecom Council, a trade association of electric and water utilities, said the report was correct in asserting that utilities might not always come forward with helpful information. The reason, she says, is that “if utilities say, ‘I have this vulnerability,’ they may be subject to fines if the cited vulnerability turns out to be a violation.” This circumstance, too, may prompt additional hesitation – reluctance to talk about cyber vulnerabilities because, “if a utility puts it out in the public space, it elevates the probability they may get hacked even more.”
As a side note to the general findings of this report, on the morning of September 11, 2001, within minutes of the terrorist attacks on the Pentagon, I received calls from former students who were employed in various agencies in the District of Columbia describing to me in detail their personal observations of what was occurring. Having military experience myself, and being an ardent researcher in information asset protection strategy, I rather instinctively called an acquaintance whose role was director of security for a super computing environment and asked her if she was observing any potential adverse activity on ‘the grid’.
My concern, and that of thousands of others, was that the attacks at the World Trade Center and Pentagon were possibly forerunners to larger secondary, but perhaps more expansive, ‘cyber attacks’ on the U.S. infrastructure.
Interestingly, the response I received from my super computer security expert was the following, ‘Mike, I don’t know if anything adverse is occurring on the grid, I’m watching CNN, I will get back to you’!