Weakness in Systems used by Pentagon Power Grid

From http://www.csmonitor.com/USA/2012/0425/America-s-Stuxnet-Weakness-found-in-systems-used-by-Pentagon-power-grid:

America’s Stuxnet? Weakness found in systems used by Pentagon, power grid.

An amateur enthusiast has found evidence that hackers could exploit a security vulnerability in the systems of a company that serves power plants and military installations.

By Mark Clayton, Staff writer / April 25, 2012

An amateur cybersecurity researcher who bought industrial computer networking equipment on eBay for fun has discovered a critical weakness in equipment that helps run railroads, power grids, and even military installations nationwide.

[Photo: The American Electric Power corporate headquarters in Columbus, Ohio. AEP is a customer of RuggedCom. Paul Vernon/AP/File]

The vulnerability means that hackers or other nations could potentially take control of elements within crucial American infrastructure – from refineries to power plants to missile systems – sabotaging their ability to operate from within.

Analysts say the problem is likely fixable, but the enthusiast says he has gone public only because the company that manufactures the equipment, RuggedCom of Concord, Ontario, has declined to address the issue since he made it known to them a year ago.

“It’s clearly a huge risk,” says Dale Peterson, CEO of Digital Bond, a control systems security firm in Sunrise, Fla. “Anytime someone can take down your network infrastructure, essentially cause a loss of control of the process – or your ability to monitor it, very dangerous things can happen.”

The vulnerability has to do with what is known as a digital “back door.” The back door is a secret login that allows the manufacturer to get into the equipment’s control systems without anyone knowing about it – even the purchaser. In theory, manufacturers could use their back doors to send updates to the equipment, but since they are secret, their use is not well known.

The discovery of back doors built into digital industrial control systems is not unprecedented. In fact, RuggedCom was recently acquired by a subsidiary of Siemens AG, the giant German industrial engineering company that has been criticized for using hidden, yet vulnerable, back doors in its control systems.

What is unusual is that RuggedCom’s equipment is often used as a digital fortress, protecting from hackers far more vulnerable systems that throw mechanical switches or close and open valves. Also surprising, experts say, is that the password needed to enter through this back door appears to be relatively easy to hack.

If hackers can get through the back door of RuggedCom’s routers and digital switches, the entire system that they are a part of becomes vulnerable. For example, Stuxnet, the world’s first publicly identified cyber super weapon, in 2009 wreaked havoc on Iran’s nuclear centrifuge refining system by exploiting a password hidden inside a Siemens operating system.

“It is a very serious threat,” says Robert Radvanovsky, a cybersecurity researcher and cofounder of Infracritical, a think tank focused on shoring up cyber weaknesses in critical infrastructure. “The big concern is that these devices are what connect to the control systems that run the substations where power gets routed.”

RuggedCom sells “hardened” equipment designed to run around the clock in any temperature or weather condition. So it has a variety of clients seeking such robust machinery. Defense-industry customers mentioned on the RuggedCom website include big names like Boeing and Lockheed Martin, while power-industry customers include several of the nation’s largest utilities – American Electric Power, National Grid, Pepco, and others. The systems are also used by transportation authorities in the cities of Houston, Lakeland, Fla., and in Washington State and Wisconsin.

Pipelines, refineries, traffic lights, trains, military systems – all are at greater risk, especially to adept hackers belonging to nation-state intelligence agencies. The “good news,” Peterson says, is that even though the vulnerable systems are widespread, the problem is likely fixable, unless the RuggedCom operating system is too reliant on the back door login and its weak password-encryption system.

A RuggedCom spokesman, responding to an e-mail query, wrote that the company would be unable to respond Wednesday to Monitor queries about the vulnerability.

Feeling the company was dragging its heels and might never fix the problem was a key motivator for Justin W. Clarke, the San Francisco-based researcher who finally decided to reveal the threat a year after he first informed RuggedCom managers about it. RuggedCom said in mid-April that it would need three more weeks to notify customers but did not say whether it planned to fix the back door access with a firmware upgrade, Mr. Clarke says.

“I didn’t do this for money – I didn’t get paid for this,” he says. “I just wanted the problem fixed and nothing I heard from the company ever indicated that would happen.”

Everywhere he went during his day, he says, he saw the systems he knew how to hack sitting there vulnerable – from traffic light control boxes to power substations.

He learned about the vulnerabilities after buying the company’s devices off eBay “when they showed up cheap,” says Clarke in an interview. “This is something I do in my spare time with my own money. I’m just this guy on the street who knows how to do very bad things to important equipment, and I couldn’t stand that feeling so many systems – even in our military – were so vulnerable.”

He hopes a fix will come out now that the US Computer Emergency Readiness Team, a federal cyberwatchdog, issued a vulnerability warning Tuesday, and its sister agency focused on industrial computerized control systems put out its own warning Wednesday.

Testimonials on the RuggedCom website show how deeply embedded its equipment is inside some of the most important US systems. Located at the end of Alaska’s Aleutian island chain, about 300 miles from the coast of Siberia, the Shemya Island power plant provides power to National Missile Defense Authority facilities on the island.

“Ruggedcom switches were selected for use in the US Air Force Shemya Power Plant,” wrote Ted Creedon, chief engineer for Creedon Engineering, in one testimonial for the company. “All electronics provided to the USAF were disassembled, quality inspected and burned in at the Chief Engineer’s office in Anchorage. Reliability was not an option.”

CERM Bootcamp Lessons Learned

We just ended our first Certified Enterprise Risk Manager® Bootcamp in Seattle. Five days of risk bonding, sharing of risk information, and risk learnings. It was a great success.

We had a number of lessons learned:

Enterprise Risk Management (ERM) is reshaping many industries, including pharma, electric power, water, and food. These industries are developing ERM standards. The challenge is that many of these standards have not yet been deployed or adopted.

Adoption of ERM is still early in most companies. Publicly held companies often have mature ERM as part of their internal control over financial reporting programs to comply with Sarbanes-Oxley and other regulations. The operational ERM programs are still in their infancy.

Material risks are more often found in operations, technology, and IT. Engineering, IT, quality, supply management, and other operational professionals need to learn and implement risk management in their areas.

Tell us your ERM experiences. Are they the same as our lessons learned?

Critical Questions Answered by CERM® – Electric Reliability™

What does the NERC Reliability Assurance Initiative (RAI), proposed CMEP changes, Actively Monitored List (AML) and the tiered approach to auditing mean to registered entities?

What are the major differences between the current ‘zero defect’ and NERC’s proposed Reliability Assurance Initiative (RAI)?

How will regional entities (best guess) conduct risk-based assessment and compliance monitoring using GAGAS (Yellow Book)?

What are Yellow Book and Red Book Auditing and how will performance and effectiveness audits impact registered entities?

What do fundamental concepts and terms such as RAI, risk-based decision making, risk assurance, inherent risk, residual risk, risk frameworks, CIP GAGAS, etc., mean?

How does the registered entity design, develop, deploy, and assure an adequate control framework and risk-mitigating controls?

What should registered entities do NOW to prepare for RAI and what would an action plan for the next six months and year look like?

Certified Enterprise Risk Manager – Electric Reliability Learning Objectives and Outline

Length – Three Days
CERM – ER Learning Objectives

This course will enable attendees to understand:

  • Common risk concepts and develop an ERM vocabulary
  • How to assess risks
  • How organizations determine risk appetite
  • How to prioritize and prepare risk response (treatment) strategies to mitigate and manage organizational or business unit risk
  • How to design, monitor, evaluate, and test the effectiveness of a system of internal controls
  • Determining audit scope and documenting the elements of findings using principles of ERM
  • Determining risk in audits

CERM – ER Course Modules

  1. Context (Risk)
  2. Internal Environment
  3. Objective Setting
  4. Risk/Event Identification
  5. Risk Assessment
  6. Risk Response
  7. Control Activities
  8. Information & Communication
  9. Monitoring
  10. Value Added Auditing™ (GAGAS) Sections
    Planning
    Fieldwork
    Reporting
  11. CERM Exam