Thursday, March 21, 2013

Getting serious on cybersecurity

There's no shortage of cyber-attack stories in the news, but as you read them you tend to wonder how serious the problem really is. Maybe this is because no group of hackers has been able to do something big and dramatic, like say triggering a cascading power outage that knocked San Francisco off the power grid for a full day.

But just because it hasn't happened yet is no guarantee that it can't or won't happen. I spoke with Marty Meyer, president and CEO of Corero Network Security, who said utilities, if anything, are more vulnerable than entities that have already been attacked.

"We're on the first step of a twelve-step program to admitting we have a potential problem with cybersecurity," Meyer said.

Cyber-attacks on utilities are up 52 percent, according to the Department of Homeland Security's cybersecurity protection arm.

An attack like a distributed denial of service attack (or DDOS attack) can flood a computer network with a large, sudden volume of attack traffic until it is overwhelmed and shuts down, he said. The systems that support power grids weren't designed to handle this level of attack traffic, and a DDOS attack is relatively unsophisticated — easily within the capability of a small group of hackers, such as Anonymous.

"There was an attack reported on an unnamed U.S. utility, and it was one of these DDOS attacks. The impact was that people could not pay their bills online. It wasn't people losing their electricity and freezing in their homes, but it was still a successful attack that denied service to people," he said.

Cyber-attacks can range in severity from "this is annoying" to something more malicious, he said. Furthermore, a relatively simple DDOS attack could be used as a diversionary tactic to distract from a more sophisticated network intrusion.

"So while I would say there's been no advertized take-down of a major utility where people lost actual services, but there certainly could be concerned from the utilities to protect themselves now instead of waiting around," he said.

Simple firewalls by themselves are not a prudent strategy to prevent malicious attacks, he said. Geoblocking (also known as geofiltering) is an extra layer of protection that works by cutting off network access to computers from IP addresses that are affiliated with a geographic area or country that you don't want to allow access to.

Another way of launching a malicious attack is to "spoof" an IP address, which lets a malicious computer disguise itself as coming from a trusted address. Utilities can upgrade their systems to unmask such attacks, he said.

"There are technologies that can make sure that addresses are trusted," he said. "Utilities need to specifically look at technologies that restrict access in terms of geography or known problem locations to ensure that the network connection that's coming in is a real connection and not a spoofed connection."

My thanks to Marty Meyer for his help in putting this post together. His company, Corero Network Security, is based in Hudson, Massachusetts.


Tuesday, March 5, 2013

10 facts about Obama's new head of the DOE

After a lot of speculation, the official announcement has been made. Ernest Moniz will be President Barack Obama's main man at the Department of Energy pending approval by the Senate. Here are 10 things worth knowing about Moniz, who will run the DOE during Obama's second term.

1. Moniz is a nuclear physicist by training, and an advocate for the safe use of nuclear power as an energy source. In the aftermath of the Fukushima nuclear disaster, Moniz said it would be a mistake not to pursue a nuclear friendly energy policy in the U.S.

2. Obama is the second president Moniz has worked for. Moniz was President Bill Clinton's undersecretary of the DOE from 1997 to 2001. He also served as an associate director for science in Clinton's Office of Science and Technology Policy.

3. Moniz has a "wait and see" approach to new techniques in natural gas extraction, like "frakking." He says the risks of such techniques are challenging, but manageable. He has also referred to natural gas as a "bridge" fuel that can take the country to a future low-carbon energy portfolio (i.e. Away from coal).

4. Among the issues Moniz has handled at the DOE are: Oversight of science and energy policy, nuclear weapons proliferation and stockpile stewardship, nuclear fuel cycles (including waste disposal) and solar energy in a low-carbon world.

5. In a Washington Post story about carbon capture and storage, Moniz was quoted as saying in 2009 that there is no credible pathway to meeting greenhouse gas reduction targets without cutting carbon dioxide from existing coal-fired power plants.

6. As director of MIT's Energy Initiative, Moniz has some financial ties to the energy industry via the research group's $125 million in donations from the oil and gas industry since 2006, according to reports. Founding members of the organization include BP, Saudi Aramco and Shell.

7. Unlike his predecessor Steven Chu, Moniz will probably have less funding to work with. Chu's tenure at the DOE was marked by the early passage of the American Recovery and Reinvestment Act of 2009, which significantly expanded the department's operating budget.

8. Moniz's grandparents were immigrants to the U.S. who came from the Azores, an archipelago that is an autonomous region of Portugal. He grew up speaking some Portuguese.

9. Moniz serves in Chu's Blue Ribbon Commission on nuclear energy's future, which was tasked with finding new solutions for storing and disposing of nuclear waste. Moniz advocated transferring spent nuclear fuel from pools to dry casks.

10. On solar power, Moniz said he is "bullish," adding, "It just has so many features, including the fact that even though it's intermittent, at least it tends to be on when you want it." He adds, however, that fossil fuels like oil and gas will remain at the forefront of the world's energy picture for the foreseeable future.