Saturday, March 21, 2009

Assante Pressing NERC Cyber Security Program Forward
-Tim Roxey appointment and NERC Alerts changes

Updated 3/29/2009
Michael Assante continues to make program progress at NERC since his appointment in August 2008 to the newly formed Chief Security Officer (CSO) position. His focus is establishing Critical Infrastructure Protection (CIP) as a mainstream NERC function alongside the continuing standards development, compliance and enforcement, and reliability assessment programs. Some notable developments:
  • The recent appointment of Tim Roxey at NERC as Manager of Critical Infrastructure Protection.
    - Mr. Roxey has extensive commercial nuclear power physical and cyber security program experience.
    - He was instrumental in promoting and supporting the commercial nuclear power industry's cyber security initiative, NEI 04-04 Cyber Security Program for Power Reactors, as an NRC-endorsed "acceptable method", well ahead of the related regulatory framework and guidance now firming up. I had an excellent learning opportunity working with Tim Roxey and his team as an active Computer Security Standing Committee member back in 2006. The focus then was getting NEI 04-04 packaged into a templated presentation form for rollout at the fall 2006 NITSL workshop.
    - He was heavily involved in assessing and addressing Aurora vulnerability mitigations, working with NEI to help ensure commercial nuclear generation stepped up and robustly addressed the issue. Tim Roxey also effectively provided congressional testimony on actions taken and completion status, a stark contrast to the FERC and NERC testimony.
    - Bottom Line: Tim Roxey's solid industry experience, connections, dedication and savvy add up to a very good move for NERC.

  • A new NERC CIP Alert Communication Process.
    - Communications will use specific email subject line prefixes that indicate the alert level:
    _ ADVISORY: (Title) - No Response Required
    _ RECOMMENDATION: (Title) - Response Required
    _ ESSENTIAL ACTION: (Title) - Response Required
    - Entity acknowledgement is required within 24 hours for any issue rated higher than Advisory. A grace period on this requirement extends to March 31, 2009, after which responses received outside the 24-hour acknowledgement window will be noted as late or non-responsive. Additionally, more sensitive acknowledgement response information may need to be sent on paper until more secure electronic communication facilities are established.
    - New alert handling signifiers will further clarify distribution restrictions:
    _ PUBLIC (Green): No Restrictions. Will be posted to NERC’s website alert page.
    _ PRIVATE (Yellow): Restrict to Internal Use and Necessary Consultants / Third-Party Providers
    _ SENSITIVE (Red): Internal Use Only (Do Not Distribute Outside Your Company)
    _ CONFIDENTIAL (Black): Limited Internal Distribution Decided Upon by an Officer of the Company
    - An "alerts manual" will be developed and released by March 31, 2009 to help entities understand the alerts process, organize for it, and train staff to support it.
    - More background: Alerts Distribution, Reporting & FAQ - Michael Assante & Doug Newbauer Jan 22, 2009

    - Update 3/28: On March 24, Doug Newbauer, Manager of NERC Alerts, indicated that the deadline for the mandatory 24-hour response on alerts will be extended: "In response to feedback from registered entities and because NERC is replacing the current Alerts application, NERC is delaying the 24 hour response requirement scheduled to begin April 1, 2009, until the new application is on line and operational."
    The application is expected to be prepared and released 3Q2009.

Sunday, March 1, 2009

Significant, targeted attacks even against ISPs?
-Absolutely! (just ask Time Warner)

One might think that larger financial institutions and other entities holding directly exploitable financial or personal information remain the main nexus of criminal cyber problems. However, even consumer-grade ISPs are increasingly facing challenges. Time Warner's drawn-out efforts, now in the limelight, are just the latest example of an organization scrambling to address the service and reputation impacts of a disruptive cyber security attack.

  • February 28, 2009

    During the past week, hackers have launched a series of attacks on Time Warner Cable's servers. Time Warner Cable is working with law enforcement agencies to resolve these crimes.

    As a result of these attacks, you may have experienced a temporary "outage" when attempting to surf the Web, including an intermittent "page cannot be displayed" error message. The outages did not result in services being 100% unavailable, and were limited to sporadic timeouts which appeared to be random events. Some users may have experienced a total disconnect, however. These types of attacks are not uncommon, especially for a network as large as ours. We suspect that the attackers are using "zombie computers," or hijacking unsuspecting subscribers' machines to perpetrate the attack without their owners' knowledge.

    All of us at TWC take these attacks extremely seriously. As previously mentioned, we are working with the appropriate law enforcement agencies that specialize in investigating these types of crimes. We will pursue prosecution of all perpetrators to the fullest extent of the law. We apologize for the inconvenience that these attacks may have caused and encourage you to report any suspicious activity. Instructions for reporting security abuse are located at

    Time Warner Cable

    More: Google News Search: Time Warner Attack

The persistent assault centers on disrupting Time Warner's Domain Name System (DNS) service. Since DNS resolves domain names to Internet addresses for every site a user visits, an easy mitigation for customers is to configure an alternative resolver, such as OpenDNS, instead of the ISP-assigned one. The caveat is that this only helps when the ISP's resolvers, rather than its access or transit links, are what the attack is degrading; users who saw a total disconnect rather than DNS timeouts would not have been helped. I've been using both Time Warner and OpenDNS in my home networking environment for years with great results. OpenDNS also helps protect users from visiting known harmful and other inappropriate Internet sites.
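To make the mitigation concrete, the following is an added example (not code from Time Warner, OpenDNS, or the original post) of what "use an alternative resolver when the ISP's times out" looks like at the protocol level: it builds an RFC 1035 A-record query, parses the answer, and walks a resolver list, moving on when one does not reply. The ISP resolver address 198.51.100.1 is a placeholder from the documentation range; 208.67.222.222 is OpenDNS's published address; `simulated_exchange` and `fake_answer` are constructed test doubles so the script runs offline.

```python
"""Minimal DNS A-record lookup with resolver failover (added example)."""
import random
import socket
import struct

ISP_RESOLVER = "198.51.100.1"        # placeholder (documentation range), assumed
OPENDNS_RESOLVER = "208.67.222.222"  # OpenDNS published resolver address


def build_query(name: str, qid: int) -> bytes:
    """RFC 1035 query: header (RD=1, one question) + QNAME + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg: bytes, expected_id: int) -> list:
    """Return the IPv4 addresses in the answer section; reject bad ID or RCODE."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")        # stale or spoofed reply
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                   # skip question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def _udp_exchange(server: str, packet: bytes, timeout: float) -> bytes:
    """Real UDP/53 exchange; raises socket.timeout when the resolver is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(512)
    return data


def resolve_with_failover(name, resolvers, timeout=2.0, send_fn=_udp_exchange):
    """Query each resolver in order; on timeout/error move to the next one."""
    errors = {}
    for server in resolvers:
        qid = random.randint(0, 0xFFFF)
        try:
            return server, parse_a_records(send_fn(server, build_query(name, qid), timeout), qid)
        except (OSError, ValueError) as exc:            # socket.timeout is an OSError
            errors[server] = repr(exc)
    raise RuntimeError("all resolvers failed: %r" % errors)


def fake_answer(query: bytes, ip: str) -> bytes:
    """Constructed test double: response echoing the query ID and question with one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def simulated_exchange(server, packet, timeout):
    """Constructed behaviour: the ISP resolver never answers, the alternative does."""
    if server == ISP_RESOLVER:
        raise socket.timeout("no reply from %s within %ss" % (server, timeout))
    return fake_answer(packet, "192.0.2.10")


if __name__ == "__main__":
    used, addrs = resolve_with_failover("example.com", [ISP_RESOLVER, OPENDNS_RESOLVER],
                                        send_fn=simulated_exchange)
    print("answered by %s: %s" % (used, addrs))
```

Two details matter for a home user configuring this by hand as well: the client should check the transaction ID (and, in practice, also the source port) of each reply, since a silent resolver is an invitation for spoofed answers, and the alternative resolver belongs second in the list only if you still want the ISP's resolver used when it is healthy.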

Much attention is put on specific, in-scope compliance issues within critical infrastructure organizations. The twist is that even basic, persistent attacks are increasingly a factor in assessing overall business risk to service and reputation. Additionally, cyber security problems on non-operational business networks also raise the risk of "pivot attacks", in which a compromised business system becomes the foothold for reaching operational systems, creating the more serious operational issues that regulators and senior management are acutely concerned with.

From a broader perspective, this issue saliently shows how even narrow, basic attacks can impact an organization and its customers. Critical infrastructure organizations risk even larger potential impacts stemming from such issues, driving the need for ongoing cyber security improvements.