Security guru Richard Clarke, industry practitioners weigh in on cyber threat
Washington loves a good acronym, and when it comes to cyber security, Richard Clarke has a great one: CHEW
The renowned national security expert who served three presidents as senior White House advisor spoke last week at ABB’s Western Utility Executive Conference in Pebble Beach, CA, and outlined what he sees as the four main threats in cyber security. They are, in order: crime, hacktivism, espionage and war.
On this last element, Clarke made the point that cyber war was not merely scrambling databases in some faraway computer system, but using digital means to affect the same ends as conventional war, namely “blowing things up.”
That may have sounded a bit hyperbolic, but Clarke offered numerous examples not only of potential threats but of cyber attacks already carried out. So far, these have been limited to less explosive, but no less effective, results such as the presumably Russian effort to wall off Georgia’s access to the internet and disrupt its banking system during the 2008 South Ossetia war.
Indeed, Clarke noted, breaches are happening every day and he expressed particular concern over the power grid as “the first target everyone talks about because everything depends on electric power.”
He also spoke plainly about what he saw as a widely held impression in Washington that the power industry is “resistant” to dealing with the cyber security issue, seeing it as an invitation to burdensome regulation.
Clarke’s remarks were followed by a panel discussion led by Industrial Defender CEO Brian Ahern that included DTE Energy Division Information Officer Mike Carlen, Commonwealth Edison Vice President of Information Technology Mark Browning, and FirstEnergy Vice President of Distribution Support Steve Strah.
Ahern began by seemingly confirming the Washington consensus, at least in retrospect, by noting that the early days of his company were spent evangelizing the importance of cyber security to a power industry that at the time did not see it as something broken that needed to be fixed. That was then.
Stuxnet, in particular, served as a wake-up call and now Ahern finds a much more receptive audience in the utility C-suite. This was borne out by unanimity among the panelists in terms of a) recognizing the threat of cyber attack is real and b) making a financial and managerial commitment to addressing it.
“The cost of doing nothing is far too much,” said FirstEnergy’s Strah. “Presented with relevant facts regarding cyber security incidents, from a risk management standpoint, we have to take it seriously.”
To be fair, what resistance there is in the industry can be chalked up to the challenge of simply getting a large entity like a utility to embrace change. This is culture shift on a massive scale, and it will take time. However, regulators have a role to play, too.
NERC’s current cyber security regime, for example, requires some parts of a utility’s network to be secured but leaves others outside its scope. That could be problematic. Ahern said he expects NERC will soon extend its Critical Infrastructure Protection (CIP) requirements beyond the generation and energy management systems it covers today to include all aspects of utility operations. In the meantime, though, utilities will have to manage their compliance with an evolving standard.
Compliance and security are two different things, however, and as DTE’s Carlen stated, “Security trumps compliance.”
“We will be compliant,” he said “but being compliant does not guarantee you are secure.”
The three utilities represented on the panel are therefore moving forward aggressively to propagate a culture of security, not simply compliance, across their organizations.
Still, that won’t be enough, according to Clarke. Given how reliant all industries are now on third-party software, he encouraged the executives in attendance to look beyond their own companies and apply the same rigor to their supply chains as they do to their own operations. He described the need to build security into the development process from the very beginning, and cited the financial services industry as one sector that has done this with some success.
Clearly there is much to do on all sides, but government and industry would be well advised to adopt a cooperative approach when it comes to cyber security.
“Government should be rewarding the private sector for investments in cyber security,” said Ahern, and he pointed out the importance of safe harbor protections so companies can share information about attacks as well as best practices without fear of legal retribution.
Leveraging each other’s experiences, he explained, is the best roadmap to a more secure power grid.