Yesterday Mandiant, a security consultancy, published the report “APT1: Exposing One of China’s Espionage Units.” The report details the extent of the intrusions and the exploits observed by Mandiant from a single entity – Chinese People’s Army Unit 61398. Mandiant analyzed the group’s intrusions against over 150 victims over 7 years, resulting in terabytes of data stolen from numerous US organizations. According to National Public Radio (NPR), the Chinese government denies any involvement. Mandiant CEO Kevin Mandia testified last week during the House Intelligence Committee hearing on the cybersecurity bill.
SANS held its eighth annual North American Industrial Control System (ICS) & SCADA Security Summit at the Disney Resort in Orlando, FL this week, a venue that uses thousands of control systems every day to ensure the fun and safety of visiting families. The event was chaired by Michael Assante, formerly with the North American Electric Reliability Corporation, Idaho National Lab, and American Electric Power. The two-day event featured presentations and panel discussions on a variety of ICS and SCADA security issues. The audience heard from government, academia, utilities, global companies, product suppliers, and security consultants. The picture that emerged is encouraging and complex at the same time. Today, ICS and SCADA are connected to the Internet, through corporate networks or through remote vendor connections. There may be legitimate business needs for these connections: to provide critical control systems data to the business, or to allow global companies to conduct exploration activities in remote parts of the world without a significant personnel commitment. These connections may also be in place, without any legitimate business reason, because of a lack of awareness of their security implications. Sometimes these connections are secured and sometimes they are not. ICS and SCADA systems suffer from the phenomenon known as the hard shell outside and the soft gooey inside – while the perimeter protection may be strong, once attackers are inside the perimeter they can pretty much have whatever they want. Some vendors are doing great things, using secure coding practices and a secure development lifecycle and genuinely improving the security state of their products; some are not.
Workforce is a serious issue, in terms of expanding the very small number of dedicated SCADA cybersecurity practitioners, providing general user awareness for those who touch SCADA systems, and increasing the knowledge of technology practitioners who deal with technology that touches or is connected to SCADA but who are not SCADA engineers.
Ultimately, it is about people and process! Technology is a distant third. If your people don’t know how to tell a phishing exploit from a legitimate email, you are in trouble. Resources need to be invested in educating people and in creating resilient, agile processes for detection, recovery, and reconstitution, because you will be hacked!
The Summit agenda is available at https://www.sans.org/event-downloads/28439/agenda.pdf. The ninth annual event will be held in Florida March 12-20, 2014, including education sessions before the summit. Any questions about this year’s summit should be directed to Klaus Bender at Klaus.bender@utc.org and Nadya Bartol at Nadya.bartol@utc.org.
The elected board of UTC’s Smart Networks Council (SNC) met this week in Reno, NV. The SNC was formed to bring the resources and knowledge of member utilities and the vendor community together to address technical issues critical to achieving reliable delivery of our critical resources. Membership and participation in SNC activities are open to all Core and Associate Members of UTC.
In rapid succession, the New York Times, The Wall Street Journal and the Washington Post revealed that they were the victims of cyber attacks that originated in China. In the case of the New York Times, the attacks began in late October, when the paper started reporting about the multi-billion dollar fortune accumulated by the family of the Chinese prime minister, Wen Jiabao. Working with security experts, the Times discovered evidence that Chinese hackers were responsible and that they were using methods associated with the Chinese military. The hackers reportedly stole the corporate passwords of every Times employee and used them to gain access to the personal computers of employees. Among the targets were the paper’s Shanghai bureau chief and the former Beijing bureau chief, but there was no evidence that sensitive email files were affected.
APCO held its Emerging Technology Forum this week in Anaheim. The first day of the conference focused on next generation 9-1-1 and cybersecurity, and the second day was spent discussing public safety broadband. Two members of FirstNet, the body responsible for building the public safety broadband network, provided insight into the progress of the effort to date. The speakers were Kevin McGinnis and Craig Farrill, the acting general manager of FirstNet.
Mr. McGinnis detailed some of the applications in emergency medical services that would be enabled by FirstNet. Mr. Farrill told the audience that the commercial services members of the FirstNet board seek to build the network as soon as possible. He stressed that FirstNet is intended to serve public safety and is not a commercial effort. He said that the network has the potential to be the fourth or fifth largest wireless network in the country. The group has collected over 1300 requirements for the network, developed by public safety, DHS and NTIA. The architecture for the network, at a high level, will assume that FirstNet will be the primary broadband network, with as many as five wireless carriers providing backup, followed finally by satellite services to "serve every square meter of the country."
When asked what role utilities will have in the network, Mr. Farrill acknowledged that a utility representative is on the board and that the board understands the resources utilities can provide to FirstNet, especially in rural areas. But Mr. Farrill stated that the board is looking to balance speed to market with adding partners to the network, and he said the board anticipates that utilities will be an important part of the network, primarily in rural areas.
The FirstNet board is conducting state consultations that will gather each state's expectations for the network, add them to the requirements, and then go back to the states for confirmation. Mr. Farrill said each state will have a network operating center (NOC), with the potential for regional NOCs for emergencies like the recent Hurricane Sandy disaster.
In a speech at the Woodrow Wilson International Center for Scholars, United States Secretary of Homeland Security Janet Napolitano likened the potential consequences of the current threat scenario for the critical infrastructure industry to the attacks on September 11, 2011: A "cyber 9/11" could happen "imminently," and critical infrastructure, including water, electricity and gas, was very vulnerable to such a strike, she said. The Secretary equated the effects of such a strike to the widespread power outages in the wake of last year’s Superstorm Sandy. "There are things we can and should be doing right now that, if not prevented, would mitigate the extent of damage," Napolitano said, referring to the crippling effects on the U.S. of taking down the power grid, water infrastructure, transportation networks, and financial networks. Her remarks resemble United States Secretary of Defense Leon Panetta’s warnings of a “Cyber Pearl Harbor” during his first major cybersecurity speech last October.
This week, the land mobile frequency coordinators met with the FCC to discuss how to handle licenses for systems in the VHF and UHF bands that did not comply with the January 1, 2013 narrowband deadline. In late 2012, the land mobile frequency coordinators recommended ignoring these systems when coordinating new systems after February 1, 2013.
At the meeting this week, the FCC said most licenses are now narrowband compliant and that the FCC is still receiving waiver requests for the narrowband deadline. The Commission staff urged licensees that may have narrowbanded but did not file an application to file it now. The staff said that the Gettysburg licensing facility has a large backlog of applications related to the deadline. The FCC will likely take until the end of the first quarter to clear some of these applications. At that time, they will consider an audit of non-compliant systems, giving those licensees one last chance to comply or cancel their licenses. The FCC would also like to establish a single point of contact at its Enforcement Bureau for narrowband compliance issues, but has yet to do so.
In the meantime, per FCC attorneys, the coordinators cannot simply ignore those licenses. Until further notice, these non-compliant wideband systems will be treated as analog-compliant narrowband systems with an emission designator similar to 11K2F3E. Another FCC public notice will be released as soon as possible detailing FCC plans.
While the Smart Grid Interoperability Panel (SGIP) transitions from NIST funding to a non-profit, privately funded status in 2013, the organization continues to add board-approved standards to the Catalog of Standards (CoS). This week the SGIP board called for votes to add thirteen new standards to those already approved. Included among the group are NAESB 21 and 22, dealing with the NAESB Energy Usage Information (EUI) Model and voluntary Model Business Practices for Third Party access to Smart Meter-based information. These standards are integral to the deployment of the Green Button, which allows consumers to download energy information in standardized formats. Also included is the IEC 62351 series for information security for power system control operations.
Four standards are proposed related to power line carrier (PLC) technology for home area networking and other applications. ITU-T G.9960 specifies the system architecture and physical (PHY) layer for wireline-based home networking transceivers capable of operating over premises wiring, including inside telephone wiring, coaxial cable, and power-line wiring. ITU-T G.9972 specifies a coexistence mechanism for networking transceivers capable of operating over electrical power lines. IEEE 1901-2010 defines a standard for high-speed communication devices via electric power lines, so-called broadband over power line (BPL) devices; this standard focuses on the balanced and efficient use of the power line communications channel by all classes of BPL devices. NISTIR 7862 addresses Power Line Communication (PLC) systems, which provide a bi-directional communication platform capable of delivering data for a variety of Smart Grid applications such as home energy management and intelligent meter reading and control.
Finally, NIST proposes adding the AEIC Guidelines - SmartGrid/AEIC AMI Interoperability Standard Guidelines for ANSI C12.19 / IEEE 1377 / MC12.19 End Device Communications and Supporting Enterprise Devices, Networks and Related Accessories. The objective was to develop a smaller set of data tables that meet the needs of most utilities and simplify the meter procurement process.
The SGIP Governing Board is recommending a NO vote on the AEIC Guidelines, but recommending the others be added to the Catalog of Standards. We urge all SGIP members in good standing to review and cast their votes. Questions should be directed to UTC’s engineering and regulatory staff.
Source: SGIP Email, January 7, 2013