It has been a busy year in the U.S. for Cybersecurity. The latest development (as of August 6, 2013) is an announcement from the White House outlining incentives under consideration to encourage Critical Infrastructure companies to implement the Cybersecurity Framework under development by NIST: Continue reading
Tag Archives: US Congress
Mooselodgism: The Biggest Challenge to Organizations
Most associations and organizations are becoming or are going the way of moose lodges. This is the biggest challenge to all organizations over the next 20 years. So, what is mooselodgism?
Moose, Elks, Masons, Daughters of American Revolution (DAR) and other service organizations were prevalent for hundreds of years. They were staple and anchored the social service activities in many communities. But, they have largely disappeared. Why? They couldn’t adapt to technology and couldn’t change to meet new requirements.
We’re seeing this now in most organizations and assocations. Think of the organization or association you belong to? How many folks attend a meeting? What is the demographic of the folks who attend? How are decisions being made or not made? How diverse is the population who attends meetings? How does the organization use technology to manage itself?
Don’t think Mooselodgism applies to you or to the US? What’s the most prominent organization in the world? US Congress. They US has a $1000 billion deficit. Congress can’t make a decision and solve this problem that impacts all of us. Go figure if Mooselodgism is real or not?
IEEE ComputerWise- Two US Appeal Court Opinions Throw Software-related-theft Laws a Curve
From http://newsmanager.commpartners.com/ieeecw/issues/2012-05-02-email.html:
IEEE ComputerWise
Software, Systems and IT: News and Analysis May 2, 2012
Two US Appeal Court Opinions Throw Software-related-theft Laws a Curve
by Robert N. Charette
The U.S. Congress may have to revamp laws that ostensibly set the rules regarding what constitutes illegal activity when it comes to information technology. The U.S. Court of Appeals for the Ninth Circuit overturned the conviction of someone charged with stealing proprietary data from a former employer, reasoning that the wording of the law that prosecutors said he violated points specifically to hacking into computer systems and not the misappropriation of information residing there by an otherwise authorized user. A day later, a separate appeals court overturned the conviction of another defendant whose lawyers successfully appealed his conviction for violating that same law and two others—again arguing that the facts of the case didn’t fit the wording of the criminal statutes.
How US Utilities Passed Up Chance To Protect Their Networks
Cybersecurity: How US utilities passed up chance to protect their networks
Cybersecurity needs are not hypothetical, as the recent DHS warning of a cyberattack on the US natural gas industry shows. Why then was a post-9/11 initiative to secure US utilities dropped?
By Mark Clayton, Staff writer / May 17, 2012
A natural gas pipeline is seen under construction near East Smithfield in Bradford County, Pa., in this January 7 file photo.
Les Stone/Reuters/File
With America now trying to thwart a cyberattack on its natural gas industry, it is helpful to recall the hectic days after 9/11, when industry scientists raced to shield from potential terrorist cyberattacks hundreds of thousands of vulnerable devices that control vital valves and switches on America’s gas pipelines, water plants, and power grid.
It was a race that seemed winnable. After five years of intense effort, a 35-member team of industrial-control-system wizards from the gas, water, and electric utilities industries had created a powerful new encryption system to shield substations, pipeline compressors, and other key infrastructure from cyberattack.
But just weeks before it was to be finalized in 2006, the funding plug was pulled on the encryption system, called AGA-12, by the American Gas Association and its partners at the electric power and water utility industries, some who worked on the project recall.
To this day, the cancelation of the project has called into question whether US utilities will, on their own, invest in measures necessary to protect their networks.
Tested at a Los Angeles water treatment plant, a gas utility in Chicago, and other locations, AGA-12 worked well. National labs verified it. Experts said it was good to go. Yet with 9/11 receding in memory, utility industry executives had begun worrying anew about the cost of deploying the system, former project participants say.
Today, six years after AGA-12 was aborted and 11 years after the World Trade Center attacks, the US natural gas industry is trying to thwart a real cyberattack campaign, according to the US Department of Homeland Security (DHS). Congress, meanwhile, is still debating whether voluntary or mandatory security standards are the best way to secure America’s critical infrastructure.
All of which leaves researchers who helped develop AGA-12 frustrated and a little wistful about the digital shield that they say would have provided a badly needed layer of security – especially in light of a trend toward cyberattacks on critical infrastructure companies.
“Technically it was an excellent standard and we were almost done with it when the project was terminated,” says William Rush, a now-retired scientist formerly with the Gas Technology Institute, who chaired the effort to create the AGA-12 standard. “One of the things I wake up in the middle of night and worry about is what to do if we’ve just been attacked. That’s not the time to worry about it – now’s the time.”
AGA-12, he says, was designed to secure older industrial control system devices out in the field, many of which still today communicate by modem and phone line, radio, or even wireless signal, but were never designed with cybersecurity in mind and remain highly vulnerable today.
It’s not clear that AGA-12 could have stopped the “spear-phishing” type of cyberattack now under way against the natural gas industry, experts say. But it could stop at least one kind: attacks directly on systems in the field of the kind DHS has highlighted in numerous studies and reports.
Installed in front of each vulnerable device would have been an AGA-12 gatekeeper, a sealed black box with a processor and cryptographic software inside, he explains. That “bump in the wire” would sift and decipher commands coming in from legitimate operators, but shield the vulnerable industrial control systems behind them from any false signals that might allow a hacker to take over.
“It was never intended to be a silver bullet,” Dr. Rush says. “But it would definitely have provided quite a lot more protection for critical infrastructure like gas pipelines and the power grid than we have right now.”
-
How much do you know about cybersecurity? Take our quiz.
- Exclusive: Cyberattacks on US natural-gas pipeline companies, evidence points to China
- China blamed for multi-continent cyberspying caper in 2011
- How one man may have foiled a devastating cyberattack against America
- Cybersecurity bill (CISPA): After House passage, what will Senate do?
The reality of the cyberthreat was driven home in late March, when DHS issued the first of four confidential “alerts” warning of a cyberattack campaign against US natural gas pipeline companies’ computer networks. Some researchers have linked the attack to a 2011 attack for which US officials blame China.
Those recent attacks follow a trend in which corporate and industrial networks belonging to critical infrastructure companies are seen to be a growing target. In April, the cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS), a Washington think tank, found that 40 percent of electric utility company officials in 14 countries said their networks were under attack and more vulnerable than ever.
Meanwhile, in an election year, Congress and the Obama administration are wrangling over new cybersecurity standards for critical infrastructure companies – primarily whether they should be based on a voluntary or mandatory approach.
“The issue isn’t a lack of standards,” says James Lewis, director of the Technology and Public Policy Program at CSIS. “It’s the lack of a business case for individual companies to spend for public safety. This [AGA-12 case] just confirms it. They know what to do to make things secure and have chosen not to do it for sound business reasons. A voluntary approach doesn’t work.”
At least six energy industry organizations that have developed voluntary cybersecurity standards for their industrial control systems would disagree. They include the North American Electric Reliability Corporation (NERC), International Electrotechnical Commission, American Petroleum Institute, and the AGA. But because the standards are voluntary or are “guidelines,” it’s unclear how widely they have been acted upon.
Asked if field devices have received added protections that supplanted the need for AGA-12, Jake Rubin, an AGA spokesman, says the AGA, federal government, and industry groups “have put cybersecurity guidelines in place that independent operators are using currently in the field.” However, he adds, “The ‘bump in the wire’ concept cannot be applied to all existing systems.”
“AGA members are committed to the safe and reliable delivery of clean natural gas to their customers at affordable and stable prices,” says Mr. Rubin, an AGA spokesman in an e-mail response. “They must make decisions that balance these factors, with safety always being the top priority for America’s natural gas utilities.”
But other observers say that while some newer equipment with better security has been adopted in recent years, many of the same vulnerabilities remain because long-lived industrial control systems are rarely replaced if still functioning. Without a mandate, few companies will incur the cost to deploy enhanced security systems, they say.
“We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” Stewart Baker, a former DHS official who led the CSIS and McAfee study, said in a statement in April.
IEEE ComputerWise- Two US Appeal Court Opinions Throw Software-related-theft Laws a Curve
From http://newsmanager.commpartners.com/ieeecw/issues/2012-05-02-email.html:
IEEE ComputerWise
Software, Systems and IT: News and Analysis May 2, 2012
Two US Appeal Court Opinions Throw Software-related-theft Laws a Curve
by Robert N. Charette
The U.S. Congress may have to revamp laws that ostensibly set the rules regarding what constitutes illegal activity when it comes to information technology. The U.S. Court of Appeals for the Ninth Circuit overturned the conviction of someone charged with stealing proprietary data from a former employer, reasoning that the wording of the law that prosecutors said he violated points specifically to hacking into computer systems and not the misappropriation of information residing there by an otherwise authorized user. A day later, a separate appeals court overturned the conviction of another defendant whose lawyers successfully appealed his conviction for violating that same law and two others—again arguing that the facts of the case didn’t fit the wording of the criminal statutes.