<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ERE-Security Blog &#187; Security Risks</title>
	<atom:link href="http://ere-security.com/blog/tag/security-risks/feed" rel="self" type="application/rss+xml" />
	<link>http://ere-security.com/blog</link>
	<description>NERC CIP, NERC CIP compliance, SCADA, SOX, digital certificates, harmonized TRA, privacy compliance audit, CSOX compliance audit,  it security audit, information security auditors, IT security auditors, web security auditors, information security audit, information security auditor, security policy document</description>
	<lastBuildDate>Sat, 21 May 2011 00:10:47 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How about my idea for securing the nation’s electric grid?</title>
		<link>http://ere-security.com/blog/how-about-my-idea-for-securing-the-nation%e2%80%99s-electric-grid</link>
		<comments>http://ere-security.com/blog/how-about-my-idea-for-securing-the-nation%e2%80%99s-electric-grid#comments</comments>
		<pubDate>Wed, 09 Jun 2010 16:03:50 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Security Postings]]></category>
		<category><![CDATA[Energy Grid]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[Power Grid]]></category>
		<category><![CDATA[Security Risks]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=272</guid>
		<description><![CDATA[

NERC’s June 2, 2010 report identifies  potential paths to destruction of our North American Electrical Grid (www.ere-security.ca and    http://www.nerc.com/ ).  These paths include co-ordinated cyber / physical / blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.
In my opinion, while  NERC (North American Electric Reliability Corporation, www.nerc.org ) has managed to accurately identify real security [...]]]></description>
			<content:encoded><![CDATA[
<p>NERC’s June 2, 2010 report identifies  potential paths to destruction of our North American Electrical Grid (<a href="http://www.ere-security.ca/">www.ere-security.ca</a> and    <a href="http://www.nerc.com/">http://www.nerc.com/</a> ).  These paths include co-ordinated cyber / physical / blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.</p>
<p>In my opinion, while  NERC (North American Electric Reliability Corporation, <a href="http://www.nerc.org/">www.nerc.org</a> ) has managed to accurately identify real security risks it has missed the main point.</p>
<p>Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2005 ( <a href="http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003">http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003</a> ).   And yes, the NERC CIP 01 – 09 security standard (<a href="http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html">http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html</a> and <a href="http://www.nerc.com/page.php?cid=2%7C20">http://www.nerc.com/page.php?cid=2|20</a> ) for the real-time monitoring and management of electrical grids is an important and meaningful tool for making our grid more survivable, robust and secure.</p>
<p>However, the fundamental recommendation of the report calls for better co-ordination between US power-grid providers and the government.  To me, government co-ordination is an oxymoron.  We can all see how well government co-ordination is working on the Gulf Oil Spill.</p>
<p><strong>To rid the nation from electric grid gremlins, we don’t need cooperation, we need a bigger stick.</strong></p>
<p>I think the path to grid deliverance is for the government to substitute co-ordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.</p>
<p>Expensive penalties might get utility executives to take their security risks more seriously, and maybe start by addressing the “here and now” concerns expressed by their own SCADA IT security staff.  We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating these risks.</p>
<p>So perhaps the time is right to up the ante of the downside potential cost of a security event to include a serious financial penalty.  Then executives can re-evaluate their security ROI business cases to include the new downside penalty.</p>
<p>In our security auditing experience with electrical utilities, we have identified lots of security threats and vulnerabilities which could be escalated into disasters by very low-tech and unsophisticated means.  Terrorists, solar events, and pandemics are not even remotely required in order to exploit very commonly found weaknesses.  Somebody with a six-foot ladder and a laptop could potentially do just as much damage.</p>
<p>The solution to this problem is to sufficiently fund the security programs at the electrical utilities so their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP 005) and Sabotage Reporting (CIP 001).</p>
<p>While it’s very exciting and stimulating to think how our electrical grid can be brought down by behemoths of nature and by evil people with malicious intent, the reality is that our grid is susceptible to the most simple of gremlins.</p>
<p>Maybe it’s time to think again.</p>
<p>Have a secure week.</p>
<p>Ron Lepofsky,   CISSP,  B.A.SC. (mech eng)</p>
<p>President,</p>
<p>ERE Information Security and Privacy Auditors</p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/how-about-my-idea-for-securing-the-nation%e2%80%99s-electric-grid/feed</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Survey: Cloud Computing Risks Outweigh Reward</title>
		<link>http://ere-security.com/blog/survey-cloud-computing-risks-outweigh-reward</link>
		<comments>http://ere-security.com/blog/survey-cloud-computing-risks-outweigh-reward#comments</comments>
		<pubDate>Wed, 28 Apr 2010 17:35:59 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Risks]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=245</guid>
		<description><![CDATA[

You may have read this recent survey conducted by ISACA or the article about the survey posted on CNET April 7 or the more recent article about access and authentication headaches for cloud computing published by SC Magazine April 9.
The message is clear: Remote users watch out for security and privacy threats!  Of course there [...]]]></description>
			<content:encoded><![CDATA[
<p>You may have read this recent survey conducted by ISACA or the article about the survey posted on CNET April 7 or the more recent article about access and authentication headaches for cloud computing published by SC Magazine April 9.</p>
<p>The message is clear: Remote users watch out for security and privacy threats!  Of course there is absolutely nothing new about this message.  But then again, there is very little that is new about cloud computing.  Only its name.</p>
<p>Forty years ago cloud computing had other names: service bureau computing, remote computing, mainframe service providers, to name a few.  Fast forward and we have similar shared services more widely accessible by orders of magnitude because of ubiquitous Internet availability and the flexibility of IP addressing.  So the concept of a remote service provider has changed not in the least; one person in their basement running a great application on an NT server with worldwide Internet access is an example of cloud computing.</p>
<p>The security and privacy vulnerabilities are commensurately more serious than legacy service bureau operations with remote access provided typically by dedicated lines. (Anybody know or remember what dedicated lines are?)</p>
<p>The ISACA survey does pose the financial rewards vs. the potential downside costs of risk, with a nifty Risk / Reward Barometer visual.  To read the article please see <a href="http://www.ere-security.ca/">www.ere-security.ca</a> RSS feed, April 7.  The idea of doing a risk analysis and BIA on any critical service is nothing new in the security business and, of course, these tools should be used when considering the use of cloud computing.</p>
<p>Further, in my opinion, using a cloud computing resource is much the same as outsourcing an IT service.  Any conscientious purchaser of outsourced services should consider, review, and have in writing as part of an SLA, many issues surrounding IT security compliance monitoring, enforcement, and a mechanism for recovering financial losses due to breach of the outsourcing agreement.</p>
<p>For more ideas about how to deal with an IT services outsourcer, please see:  <a href="http://www.ere-security.com/">www.ere-security.com</a> , IT Security White Papers, Risk Analysis, “IT Security Costs: Outsource vs. Self Deploy”</p>
<p>But I digress.</p>
<p>The fundamental business needs for enforcing access privileges and stringent authentication do not change whether the IT services in question are in-house or in a cloud, as pointed out in the SC Magazine article.  By the way, you can see the article at: <a href="http://www.ere-security.ca/">www.ere-security.ca</a> RSS, April 9.</p>
<p>The issue of who is doing the access and authentication processes is critical to its control.  I personally prefer the client retain control, and provide access to employees or users via a proxy service, again under the control of the client.  The authenticated users should then be provided VPN access to the cloud based service provider.</p>
<p>However, this is all for naught if the security framework of the cloud service provider is not up to snuff, since a weak provider essentially circumvents all the good work of access control and authentication done by the client.  Which brings us right back to the point about the degree of security agreed to and provided by the cloud service provider.</p>
<p>The bottom line here is: The catchphrase cloud computing is new but all its old security headaches aren’t!</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, CISSP</p>
<p>President,</p>
<p>ERE Information Security and Compliance Auditors</p>
<p><a href="http://www.ere-security.ca/">www.ere-security.ca</a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/survey-cloud-computing-risks-outweigh-reward/feed</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Calculating ROI as a % of Cost of Risk</title>
		<link>http://ere-security.com/blog/calculating-roi-as-a-of-cost-of-risk</link>
		<comments>http://ere-security.com/blog/calculating-roi-as-a-of-cost-of-risk#comments</comments>
		<pubDate>Mon, 09 Nov 2009 16:43:47 +0000</pubDate>
		<dc:creator>Ron Lepofsky</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Security Postings]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Return on Investment]]></category>
		<category><![CDATA[ROI]]></category>
		<category><![CDATA[Security Risks]]></category>

		<guid isPermaLink="false">http://ere-security.com/blog/?p=111</guid>
		<description><![CDATA[ 
This is the third article in this series on the Methodology of Calculating ROI for IT security
There are three components to the ROI calculation:
1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the per cent [...]]]></description>
			<content:encoded><![CDATA[<p>This is the third article in this series on the Methodology of Calculating ROI for IT security.</p>
<h3><strong>There are three components to the ROI calculation:</strong></h3>
<p>1. Identifying actual security risks and translating them into quantifiable business risks.<br />
2. Identifying how to mitigate the security risks, and determining the associated cost.<br />
3. Calculating the ROI as the per cent of cost of mitigation divided by the cost of the risk.  This segment describes how to calculate ROI as the per cent of cost of mitigation divided by the cost of risk.</p>
<h3><strong>Calculating the ROI</strong></h3>
<p>The totals of the cost of risk and the mitigation costs are used in the following formula:<br />
ROI = mitigation costs divided by the cost of potential risk divided by 100</p>
<p>Or</p>
<p>ROI = % (mitigation costs) / (the cost of potential risk)</p>
<h3><strong>Sample ROI business case</strong></h3>
<p>A company is implementing a new web based transaction system for their clients to place orders and to enquire about their account balance.  The incremental projected profit from the web site is estimated at $5,000 per day.</p>
<p>To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network.  However, the database server will reside on the corporate network.</p>
<p>The CISO wants to understand the total business impact of a security breach on the new web site actually translating into a security event.  She requests that the governance committee identify what potential costs would arise per occurrence of such an event, relating to four (4) specific subjects:</p>
<ol>
<li>Lost profit.</li>
<li>Inability of other servers on the corporate network to continue operations.</li>
<li>Damage to corporate and brand reputation.</li>
<li>Legal consequences.</li>
</ol>
<p>The governance committee provides the following averaged costs per occurrence of a security event, assuming a two day outage, for the four subjects:</p>
<ol>
<li>Lost profit:     <strong>$10,000</strong></li>
<li>Inability of other servers on the corporate network to continue operations:     <strong>$100,000</strong></li>
<li>Damage to corporate and brand reputation:     <strong>$800,000</strong></li>
<li>Legal consequences:    <strong> $200,000</strong></li>
<li><strong>Total potential costs:</strong>     <strong>$1,110,000</strong></li>
</ol>
<p>The CISO then determines that the cost to protect the increase in scope and risk of the infrastructure, over a three-year period, is <strong>$50,000 per year</strong>.</p>
<p>The CISO then calculates, per occurrence:</p>
<p>ROI = $50,000 / ($1,110,000 x 100%)</p>
<p>=  5%</p>
<h3><strong>Creating an Ongoing ROI Cost Justification Process</strong></h3>
<p>Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, and not a one-time event.</p>
<p>As such, as the CISO successfully implements security infrastructure, it is critical that they report on the results in terms of the initial business case used to cost-justify the process. This can be successfully accomplished by proving with a business case that the investment in security had the planned payback.</p>
<p>An evidentiary approach to providing factual proof to the governance committee is to accumulate statistical proof of potential breaches that were avoided.  These statistics should be collected from the logs of the security technology, which identify risks that were caught, vulnerabilities that were mitigated, and potential security events that were therefore avoided.</p>
<p>It is recommended to communicate this material in simple graph format, showing:</p>
<ol>
<li>The number of incidents ranked by severity plotted against a timeline.</li>
<li>The resulting potential losses associated with possible incidents, plotted against time.</li>
</ol>
<p>My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.</p>
<p>Have a secure week.</p>
<p>Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP</p>
<p>ERE Information Security Auditor</p>
<p><a href="http://www.ere-security.ca/"><strong>www.ere-security.ca</strong></a></p>
]]></content:encoded>
			<wfw:commentRss>http://ere-security.com/blog/calculating-roi-as-a-of-cost-of-risk/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>