screaming

Step 1. Issue press release.
Step 2. Insert buzzwords liberally (e.g. China, Russia).
Step 3. Gauge public reaction. NB. Cracking open skulls and feasting on brains == Win!

From The Wall Street Journal:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

Run screaming.

The FUD approach is an unfortunate one. Let’s be honest and call this what it is: an attempt to raise support for Senate Bill S.773. The bill can be found by searching the THOMAS search engine from the Library of Congress. At this point the full text still has not been uploaded. Draft copies have been seen in the wild. I’m unclear as to the legality of posting the drafts, so you won’t find them here.

Here is the description from the THOMAS site:

A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.

So, a crew of contractors to build a DeathStar? Heh.

The best part is that amidst this cloud of FUD there is a breather. The CSO for NERC, Michael Assante, released a letter to NERC entities. The long and the short of it is that “come to $deity time” is upon them and they are gonna have to belly up to the bar with respect to their compliance reporting. The ones that stuck their heads in the sand will soon have a boot in their ass.

From Digital Bond:

NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)

And that’s the rub. Some entities will cook up some wild ass logic to avoid (in their minds) having to comply with NERC CIP.

They will fail.

Comments

  1. I am going to address this matter head on in a way that many in the security community can understand, with more buzzwords.

    We need to spearhead an operation to address the issues plaguing the Cyberfrontier. Insider threats, cyber espionage, stack overflow attacks, and murder are big deals. What every netizen needs to do is get a firewall to keep their computers safe from spyware, malware, ransomware, tupperware, and viruses.

  2. This is nothing new! At one point in my career, I sat point monitoring a security information management system and was a member of the incident response team for one of the three main electrical grids in the US. Adherence to CIP standards has always been an issue either due to complacency in self regulation or manipulation of data given to outside auditors. I would bet my lunch that the claims that Russia and China are hacking the grid come from IPS alerts and cite these countries as sources (obviously not reliable). If that’s the case, I can personally tell you that we need to add several more countries to the list. I have never heard of this bill until this posting, but it would not surprise me that this is a ploy to get funding. One thing you don’t hear is what systems were “attacked”. Were they email servers, customer portals, monitoring and control systems, or the actual SCADA nodes themselves? Were the systems found with “malware” critical systems designated under the CIP standards?
