2010 Blasts in with Regulatory Cybersecurity Bar Raising- NERC CIP-002-4 (Project 706 Ph II) and NRC RG 5.71- both with NIST Enhancements

Last updated 1/24/2010
As 2010 opens, beefed up regulatory scope and rigor around cybersecurity on both the Bulk Electric System (BES) and commercial Nuclear Power Plant (NPP) fronts are forming up- even as expanding regulatory scrutiny has been focusing on assessing the status of current requirements and programs.

Draft NERC CIP-002-4 Released. Now in Phase II, NERC Project 706 (to address FERC Order 706-A), released draft standard CIP-002-4, Cyber Security - BES Cyber System Categorization (16 pages, w/VSLs) in December for an informal comment period through February 12th. This version calls for significantly more extensive risk assessment process:

• Substantially addresses concerns raised in Assante’s April 2009 letter – see Assante Throws Down the Gauntlet on CIP-002 - DigitalBond.com.
• Rather just focusing what to include, requires a complete inventory list of BES Cybersecurity systems for determinations to be made.
• Getting NISTy (more) with graded BES impact assessment and commensurate controls- high, medium, low (catch all) impact ranking
• Emphasizes functional assurance, not just security around functions.
• Specific Violation Severity Levels (VSLs) penalties called for if mis-categorization is determined to have taken place.
• NPP applicability- structures, components, equipment and systems of facilities within a nuclear generation plant not regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety.
• More- effective date is two years after approval (“eighth calendar quarter”), bottom up conservative approach with granular assessment/engineering evaluation expectations, various impact categorizations for assessment addressing inadvertent/adverse changes, example fishbone diagramming dependencies- see Draft Guidance Document (10 pages)
  
  Updated 1/24/2010
• On Feb 3rd, 2010 at 1pm EST, NERC is scheduled to host a webinar "Proposed Revisions to CIP-002-4" (register)

NRC RG 5.71 Released. Following the November 23, 2009 deadline for NPPs to file required Cyber Security Plans for review and approval (per NRC Reg 10 CFR 73.54), the NRC released regulatory guide RG 5.71, Cyber Security Programs for Nuclear Facilities (copy, 100+ pages, including template/appendixes) earlier this month, source: NRC Regulatory Guides - Materials and Plant Protection (Division 5). This now public regulatory guide formally expands and supersedes prior NRC endorsed NEI 04-04 developed by the industry. Some argue it’s like going back to a blank piece of paper to stand up a new program – not entirely true but still very dense as regulatory guides go, and also getting more NIST aligned (more). Commercial nuclear has gone through a number of development steps over the last decade, see NEI Power Plant Security- Cybersecurity.

More perspective around RG 5.71 can be gained from reviewing NRC's Advisory Committee on Reactor Safeguards (ACRS) 567th Meeting- Nov2009 - Official Transcript (copy, - 330 pages, good place to start is page 98 for "cybersecurity", jump to page 275 for more specific RG 5.71 coverage). This guide is writen for the cybersecurity professional and covers aspects that others may miss when reading through it.


FERC Order 706-B - NRC/NERC MOU Released. FERC recognized a regulatory gap with Order 706B; the NRC, primarily focused on public safety and nuclear significant aspects of NPPs, does not have regulatory scope addressing continuity of power. FERC Order 706-B states that balance of plant systems at NPPs not regulated by the NRC must comply with NERC CIP Standards and requires NRC to make a compliance filing outlining implementation schedule. A NRC/NERC MOU released last week, establishes a working agreement consistent with FERC Order 706-B recommendations. FERC's Dec 17th filing expects additional compliance filing from NERC to more clearly address (i) how determinations of systems will be made that that fall under either program (NRC Cyber or NERC CIP), and (ii) establishing an exception process for exempting systems that fall under NRC Cyber from CIP compliance.

More:

1. Informal Comment Form: Project 2008-06 Cyber Security Order 706 CIP-002-4 (due 2/12/2010)
2. NRC and NERC Execute Memorandum of Understanding Regarding Enforcement of Cyber Security Requirements- Morgan Lewis Energy Lawflash, January 12, 2010
3. NRC Reg (10 CFR 73.54) Protection of digital computer and communication systems and networks.
4. NIST on a roll with "Historic" Security Controls Guidance (SP 800-53 Rev 3)
   
   
   

Security Challenges Into the Next Decade and Beyond- A Leap Into the Future with Kurzweil, Suarez & Joy

Over the New Year's Holiday, I dusted off and finished pressing my way through a stunning, expansive view into the not so distant future with Ray Kurzweil’s tome The Singularity Is Near: When Humans Transcend Biology. In his richly cited work, huge advancements in renewable energy and storage efficiency, with microscopic fuel cells and other technologies, will capture abundant energy available for the taking in a distributed manner- intrinsically reducing unique security risks associated with centralized power stations.

Looking at accelerating trends continuing with information technology, Kurzweil argues that The Law of Accelerating Returns applies to many problems once sufficiently addressed with information technology based approaches. For example, rather than traditional experimental trial by error, exponentially improving computing environments are increasingly being used to effectively model and test medical treatments virtually. Expect significant life extension and expansion improvements over the next 20 years, as well as rapidly emerging non-biological intelligence fundamentally going beyond various narrow artificial intelligence applications widely used today. Related nanotechnology will drive expanding human intelligence and also result in new existential threats as we eventually transcend our biology- some heady prognostications.

If you haven’t read about or heard Ray Kurzweil in depth before, here’s an informative Dec 2008 Ray Kurzweil presentation from the 26th Army Science Conference The Impact of Accelerating IT on War and Peace - Dec 2008, video 54m) This talk was broader than the title implies, providing his updated views and supporting presentations slides (142 w/pdf, pptx formats) regarding IT driven advancements and unfolding implications.

Focusing on cyber security, non-biological computer infections or actions taken by malicious actors will increasingly be less just about compromising computers and more about harming the physical environment including humanity - who wants to let their bio or nano augmented substrate be chewed up and spit out as grey goo by rapidly replicating nano-nasties or otherwise adversely repurposed? So much promise and notable perils which many baby boomers may be able to witness if they stick around long enough. Kurzweil, turning 62 in Feb, is taking several hundred supplements daily and adhering to a strictly formulated diet- striving to bridge into his predicted, further life extended future bridges with continuing advancements in GNR (genetics, nanotechnology, and robotics).

From a more current perspective, the emerging best-seller “fiction” hit in 2009 Daemonby Daniel Suarez (audio clips at audible.com) provides a present day look into what could go wrong with runaway non-biological intelligence. His first book, and just released sequel Freedom (TM) provides subtle and ruthless ways civilization could be systemically torn down by a cleverly designed artificial entity savvy in human behavior, reaching out from cyber space via online gaming and other methods, recruiting and exploiting human agents, etc. While entertaining and recommended reading, his informative, non-fiction presentation Daemon: Bot-Mediated Reality- The Long Now Foundation (video 1:20) emphasizes underlying themes with concerns about how humanity is increasingly facing the prospects of a Darwinian struggle with non-biological intelligence. He emphasizes key strategies and controls needed now to address the growing risk.

For more on concerns about the perils – here’s a provocatively titled article “Why the future doesn't need us.”- Bill Joy, Wired, April 2000 “Our most powerful 21st-century technologies — robotics, genetic engineering, and nanotech — are threatening to make humans an endangered species."

More:

• Top futurist, Ray Kurzweil, predicts how technology will change humanity by 2020 and
  Ray Kurzweil's Crystal Ball - New York Daily News, Dec 2009
• China blames online games for drugs, murder, teen pregnancy - bitbucket.kylewelsh.com, Dec 2009
• Ray Kurzweil Explains the Coming Singularity (video, 7m) - bigthink.com, Apr 2009

Cyber Security Happy New Year 2010 - Perspective and Predictions

First Cut 1/2/2009 

2009 Perspective - hot stories and list of lists.

• U.S. seeks 'top guns' for cybersecurity - ComputerWorld, Jul 27, 2009
• Rogue Antivirus Operations Thrive in 2009 -eWeek, Dec 22, 2009
• Obama names a cyber security chief  - Boston Globe, Dec 22, 2009
  
• Verizon Business Issues 2009 Data Breach Supplimental Report Profiling 15 Most Common Attacks (32p) Anatomy of a Data Breach' Sheds New Light on How and Why Attacks Occur 
  - Results from 600 incidents over five years make a strong case against the long-abiding and deeply held belief that insiders are behind most breaches.
  
  -  Top 15 threat action types  (flckr link) from 2009 DBIR (page 6 of 32):
  - Where should mitigation efforts be focused?
        a. Ensure essential controls are met.
        b. Find, track, and assess data.
        c. Collect and monitor event logs.
        d. Audit user accounts and credentials.
        e. Test and review web applications.
  
  
  

• Top Security Stories of 2009 - eWeek, Dec 28, 2009
  1. Conficker Countdown, see "The Internet is Infected" - 60 Minutes - April 2009
  2. Cyber Security Coordinator (Czar)
  3. Gonzalez and His Gang Taken Down (huge takedown!)
  4. Social Networking and You (organizations, regulators wressle with privacy, security issues)
  5. Apple iPhone Security Woes (Dutch teanager discovery leads to worm attacking jailbroken phones)
  6. Hacktivists Stay Busy (twitter redirection to Iranina cyber army, DDos attacks, etc)
  7. Electric Grid Lights Out (hacker spies causing power outages, infiltrating national defenses) see "Sabotaging The System" - 60 Minutes - Nov 2009
  8. F-35 Fighter Plans Hijacked by Hackers
  
• The Future of Threats and Threat Technologies: How the Landscape is Changing (24 p) TrendMicro, Dec 2009-  Several threat area predictions that that came true in 2009:
  - Social networking sites will grow as targets;
  - Social engineering will become increasingly prevalent and clever - Unlike the global economy, the underground economy will continue to flourish.
  
  More:  Perspective One Year Ago
  
  

2010 and Beyond Predictions - more hot stories and list of lists. 

• The Future of Threats and Threat Technologies: How the Landscape is Changing (24 p) TrendMicro, Dec 2009
  - No global outbreaks, but localized and targeted attacks.
  - It’s all about money, so cybercrime will not go away.
  - Windows 7 will have an impact since it is less secure than Vista in the default configuration.
  - Risk mitigation is not as viable an option anymore—even with alternative browsers/OSs
  - Malware is changing its shape—every few hours.
  - Drive-by infections are the norm—one Web visit is enoughto get infected.
  - New attack vectors will arise for virtualized/cloud environments.
  - Bots cannot be stopped anymore, and will be around forever.
  - Company/Social networks will continue to be shaken by data breaches.

• Risky Business #137 -- Year in review special!   - Patrick Gray, Dec 2009  (news and opinion)
  
  
  More: Predictions One Year Ago