© Critical Informatics Inc., All Right Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
Small Companies, Russia and Energy
12/16/2014
By Michael Hamilton, CISSP, CEO

I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.

The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers -- using the power of the purse in the preceding example -- is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).

If you follow the Daily News Blast (sign up on the right side of this page), it's become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets. Click here for a good summary of the issue.

Think about the energy grid. There are small suppliers of energy ("generation," in the parlance of the sector) all over the place. We have dams. In Weatherford, Okla., wind turbines stand as far as you can see. Each of these contributes a tiny fraction of energy to the grid, but they do supply the grid. Again, small suppliers are a big target for disruption. NERC and DHS are working with these organizations, but there's another exposure that's under the federal regulatory radar that, for now, can only be addressed through that market force.

There are small businesses that frack, drill, fabricate, weld, and perform a host of other services for the companies that extract, transport and refine a lot of the raw fossil fuels used for generation and export. This Bloomberg article talks about a cyber-attack against an oil pipeline in 2008 that resulted in an explosion, which preceded Russia's action in the country of Georgia.

So it seems to me that with oil below $60/barrel and continuing to fall, and with Russia hurting from sanctions over Ukraine, and now its only real export being devalued, there is a strategic reason for Putin to consider an action that spikes energy prices. What's the soft target -- the one most likely to facilitate an action that doesn't leave fingerprints? It's a driller, welder, or fabrication service with access to those pipelines. They don't invest in logical controls, and they certainly don't log the events that would facilitate forensic recovery of the root cause. It will look like incompetence by a small company, but energy prices will still head north with alacrity.

So until big companies start requiring small company suppliers to meet cybersecurity standards, and while geopolitics are so tied to fossil fuels, some real volatility is to be expected as we march into the new world of bytes as a weapon.