Father to young son, “If you eat any more ice cream, you are going to explode!”

Son to Father, “Pass the ice cream, and stand back!”

That is about what I feel like right now, although I am ingesting Information Security information rather than ice cream.  If I try to stuff one more arcane detail about encryption algorithms, security models  or communications protocols into my brain, I think it will explode.

So … pass the information and stand back!

It is was fitting today that as I studied the subject of encryption in preparation for my CISSP exam, I stumbled upon information about the newly-formed United States Cyber Command, a US armed forces sub-command subordinate to United States Strategic Command. The command was officially activated May 21, 2010 and is slated to reach fully operational readiness by October 2010.

The Cyber Command:

“ … plans, coordinates, integrates, synchronizes and conducts activities to direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries."

Defense Secretary Robert Gates, stated in the official June 23rd announcement:

“Cyberspace and its associated technologies offer unprecedented opportunities to the United States and are vital to our nation’s security and, by extension, to all aspects of military operations. Yet our increasing dependency on cyberspace, alongside a growing array of cyber threats and vulnerabilities, adds a new element of risk to our national security. To address this risk effectively and to secure freedom of action in cyberspace, the Department of Defense requires a command that possesses the required technical capability and remains focused on the integration of cyberspace operations.”

OK.  This sounds like a good thing to do.  But what was really intriguing and fitting for me today was to learn that the command’s handsome new emblem contains an encrypted message its inner gold ring: 9ec4c12949a4f31474f299058ce2b22a.

Can you figure out what it means?  The Wikipedia article for the command states:

“The text "9ec4c12949a4f31474f299058ce2b22a", which is located in the command’s emblem, is the MD5 hash of their mission statement.”

This is consistent with a statement from a command spokesman quoted in an article by John Cook of Yahoo! News.  However, something is not quite right.  John explained:

“We tried encrypting that entire statement using an MD5 hash generator, and we didn’t get a match to the logo code. So it looks like just a portion of the statement has been encoded.”

Wired Magazine has launched a contest to see who can crack to code.  Can you do it?  You can win a t-shirt from Wired or a ticket to the International Spy Museum.

Even better, rumor has it that the Cyber Command wants to hire 1,000 new cyber specialists over the next few years.  Maybe this game is part of the recruitment process.

Or … maybe this will remain another obscure mystery destined to someday being mentioned in a novel by Dan Brown.

I think that Kerberos (or Cerberus), the three-headed dog from Greek mythology that guards the gates of Hades, ought to be proclaimed the mascot of the CISSP exam.  I think studying for the exam (including Kerberos, the computer network authentication protocol) is going to eat me alive.

On June 25, 2010, the US Federal Government released a draft document entitled, “National Strategy for Trusted Identities in Cyberspace.” This document proposes a strategy that:

… defines and promotes an Identity Ecosystem that supports trusted online environments.  The Identity Ecosystem is an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their digital identities. 

The Identity Ecosystem enables: 

1. Security, by making it more difficult for adversaries to compromise online transactions;   
2. Efficiency based on convenience for individuals who may choose to manage fewer passwords or accounts than they do today, and for the private sector, which stands to benefit from a reduction in paper-based and account management processes; 
3. Ease-of-use by automating identity solutions whenever possible and basing them on technology that is easy to operate with minimal training;
4. Confidence that digital identities are adequately protected, thereby increasing the use of the Internet for various types of online transactions; 
5. Increased privacy for individuals, who rely on their data being handled responsibly and who are routinely informed about those who are collecting their data and the purposes for which it is being used;
6. Greater choice, as identity credentials and devices are offered by providers using interoperable platforms; and  Opportunities for innovation, as service providers develop or expand the services offered online, particularly those services that are inherently higher in risk;

The strategy proposes four primary goals and nine actions to implement and promote the Identity Ecosystem:

Goals

1. Develop a comprehensive Identity Ecosystem Framework
2. Build and implement an interoperable identity infrastructure aligned with the Identity Ecosystem Framework
3. Enhance confidence and willingness to participate in the Identity Ecosystem
4. Ensure the long-term success of the Identity Ecosystem

Actions

1. Designate a Federal Agency to Lead the Public/Private Sector Efforts Associated
   with Achieving the Goals of the Strategy
2. Develop a Shared, Comprehensive Public/Private Sector Implementation Plan
3. Accelerate the Expansion of Federal Services, Pilots, and Policies that Align with
   the Identity Ecosystem
4. Work Among the Public/Private Sectors to Implement Enhanced Privacy
   Protections
5. Coordinate the Development and Refinement of Risk Models and Interoperability Standards
6. Address the Liability Concerns of Service Providers and Individuals
7. Perform Outreach and Awareness Across all Stakeholders 
8. Continue Collaborating in International Efforts 
9. Identify Other Means to Drive Adoption of the Identity Ecosystem across the
   Nation

The Strategy Document doesn’t discuss any specific technologies, but rather, addresses the needs and general concepts required for a national Identity Ecosystem.

If you would like to make public comments on the strategy, a good place to visit is this IdeaScale page hosted by the Department of Homeland Security. Reading comments from other parties on that page is quite interesting.

In other areas of Cyberspace, the reactions to this strategy are mixed.  For example, an active proponent is my friend Dazza Greenwood, who encourages everyone to become familiar with the strategy and actively give feedback:

At the other end of the spectrum is a blogger, Arnold Vintner, whom I do not know, who shares a much more pessimistic view. In his post, “Obama Administration Moves to Reduce Online Privacy,” Mr. Vintner opines:

The Obama administration is proposing a new identity management system for the Internet which is calls “Identity Ecosystem.” This new system will replace individually managed usernames and passwords with a taxpayer-funded federally-managed system.

The scheme is outlined in the National Strategy for Trusted Identities in Cyberspace. The planned system will tie together all of your accounts into one national online identity.  This will enable the federal government to easily track all online activity of every American.

The system will start with the federal government requiring the ID’s for use in accessing federal web sites — such as for filing your taxes online.  The federal government will then force businesses to adopt the system, starting with banks and credit card companies and slowly spreading to encompass the entire online environment. Once fully implemented, Internet users will no longer be able to comment anonymously on blogs or web forums, because all online identities will be verified with the U.S. government.

Where do you stand?  I personally like the idea of public dialog on this issue and the call for public and private entities to participate in a solution.  I look forward to giving feedback and tracking progress.

Thanks to my friends from the Arizona Telecommunications & Information Council (ATIC) for pointing out a valuable broadband performance testing service provided by the Federal Communications Commission.

A bit of introduction to the testing system:

“The purpose of the Consumer Broadband Test (Beta) is to give consumers additional information about the quality of their broadband connections and to create awareness about the importance of broadband quality in accessing content and services over the internet. Additionally, the FCC may use data collected from the Consumer Broadband Test (Beta), along with submitted street address, to analyze broadband quality and availability on a geographic basis across the United States.”

My Desktop results:

My iPhone results, using the FCC  Mobile Broadband Test iPhone application:

Further information about this service provided by the FCC:

The Consumer Broadband Test, currently in beta, is the FCC’s first attempt at providing consumers real-time information about the quality of their broadband connections. Because measuring broadband speeds with software tools is not an exact science, we are providing two popular consumer broadband testing tools in this Beta version: Ookla and M-Lab. Both will enable consumers to test the quality of their broadband connection by transferring a small temporary file back and forth and measuring the results. Users will be randomly assigned to one of the two chosen testing tools: Ookla or Network Diagnostic Tool (NDT) running on the Measurement Lab (M-Lab) platform, or they can choose their preferred tool by using links on this page. Each test is likely to provide a different result, and the differences may be significant in some cases. While the tests will give consumers some information on relative speeds, the FCC does not endorse either one as being a definitive testing method. In the future, the FCC anticipates making additional broadband testing applications available for consumer use. The FCC does not endorse any specific testing application.

Try it out!  Does your broadband performance match what you think you should get?

Thanks to Malisa Vincenti, leader of the LinkedIn Group Security & Technology – Critical Infrastructure Network & Forum, for highlighting the CNN article entitled “Why face recognition isn’t scary – yet.”

Much of the article was dedicated to describing the benefits and deficiencies of facial recognition software used by online services like Facebook, Picasa and iPhoto to make it easier for users to keep track of photographs.  Speaking of such functionality,  Michael Sipe, vice president of product development at Pittsburgh Pattern Recognition, a Carnegie Mellon University split-off company that makes face-recognizing software said these types of photo programs are a response to the hassles of keeping track of growing digital photo collections.

"In general, there’s this tsunami of visual information — images and video — and the tools that people have to make sense of all that information haven’t kept pace with the growth of the production of that information," he said. "What we have is a tool to help extract meaning from that information by using the most important part of that media, which is people."

It is interesting that one of the most distinguishing attribute of a person’s identity – his or her face – is so difficult for computers to recognize.  We humans often say, “I can remember faces much better than names,” yet computers are just the opposite.  It turns out that a person’s smile, which may be one of the most easily-remembered feature of the human face (for us humans, at least), is the most difficult for computers to comprehend:

Anil Jain, a distinguished professor of computer science at Michigan State University, said it’s still not easy, however, for computers to identify faces from photos — mostly because the photos people post to the internet are so diverse.

Computers get confused when a photo is too dark, if it’s taken from a weird angle, if the person is wearing a scarf, beard or glasses or if the person in the photo has aged significantly, he said.

Smiling can even be a problem.

"The face is like a deformable surface," he said. "When you smile, different parts of the face get affected differently. It’s not just like moving some object from one position to another," which would be easier for a computer to read.

So … what will happen when this technology matures and makes the leap from family-friendly Facebook to applications in real live security or survellance applications?

Marc Rotenberg, executive director of the Electronic Privacy Information Center, said the motives behind the technology are what worry him.

Governments and corporations intend to use facial recognition software to track the public and to eliminate privacy, he said, noting that automatically identifying people in public in the U.S., when they are not suspected of a crime, could be a violation of constitutional rights.

When facial recognition comes to surveillance cameras, which are already in place, "you’re no longer racing through iPhoto to figure out how many pictures of Barbara you have," Rotenberg said. "You’re walking around in public and facing cameras that know who you are. And I think that’s a little creepy."

I suppose this is like many other technologies – there are an abundance of positive applications, and the potential for terribly nefarious uses.

For example, if facial recognition can be used to identify  terrorists so they could be detained prior to boarding airplanes, we would generally think that was a good application. 

Similarly, if I could be granted entrance to my corporate office building or be logged onto necessary computer systems just by smiling (or frowning) into a camera, the building and computer systems might be more secure and the present-day use of passwords or ID cards might go the way of the buggy whip.

However, if an abusive husband used facial recognition software to stalk his estranged wife, or if the government successfully tracked every movement its citizens made in the normal course of events, we would generally think of those applications as negative.

I have a crazy habit of smiling and waving at security cameras I see in airports or banks or convenience stores. Who knows what is happening on the other side?  At the present level of today’s technology, I’m probably being recorded and not much more.  In a few years, however, the sophisticated software behind the camera will probably recognize Mark Dixon and report my antics to the NSA.  That will surely make me frown, not smile, when I wave to the ubiquitous cameras.

I am pleased to announce the official public webcast introducing Oracle Identity Management 11g:

Date: Wednesday, July 21, 2010
Time: 10:00 a.m. PT / 1:00 p.m. ET

Amit Jasuja,  Oracle’s Vice President Identity Management and Security Products, will lead the discussion, as he and other Oracle executives:

“… introduce a new and revolutionary approach in application security – Oracle Identity Management 11g.

“Modern enterprise architectures are evolving rapidly, yet many security solutions in use today represent decade old technology. Businesses must adapt swiftly to stay competitive, yet bolted-on security controls impede IT agility. Compliance mandates continue to grow in number, while organizations continue to struggle with their staggering costs and complexity.

“Oracle Identity Management 11g redefines the architectures that secure the modern enterprise, ushering in a new era of agile security, rapid ROI, and sustainable compliance. Join us to learn more about the exciting new developments.”

I’m looking forward to this event.  We hope you can join us, too.

You can register by clicking here.

In a recent post, I highlighted a new Oracle white paper entitled, “Protecting the Electric Grid in a Dangerous World,” which describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards.

An Oracle colleague asked appropriately, What about the oil and gas industry?  Isn’t this part of the energy industry also considered part of the critical infrastructure in the United States?  Isn’t the oil and gas industry vulnerable to cyber attack? Aren’t methods for protecting information assets in the oil and gas industry similar to those in the electrical distribution industry? 

The answer to each question is a resounding “Yes,” but with some differences. Let’s explore a bit of history and discuss the focus of Information Security in the Oil and Gas Critical Infrastructure. This post is longer than most of my blog posts, but I felt the length was justified to give a good overview of the topic.

Historical Perspective

The Federal Government official recognition of the vulnerability of critical infrastructure in the US began with the Presidential Decision Directive NSC-63 on Critical Infrastructure Protection, signed by Bill Clinton on May 22, 1988.  The executive summary of that directive reads in part:

The United States possesses both the world’s strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

The Homeland Security Presidential Directive – HSPD-7 – entitled “Critical Infrastructure Identification, Prioritization, and Protection", signed by President George W. Bush, on December 17, 2003, served to amplify the focus and attention on Critical Infrastructure Protection.

Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

In response to this directive, seventeen CIP sectors of national importance were specified:

1. Information technology
2. Telecommunications
3. Chemicals
4. Transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems
5. Emergency services
6. Postal and shipping services
7. Agriculture, food (meat, poultry, egg products)
8. Public health, health care, and food (other than meat, poultry, egg products)
9. Drinking water and waste water treatment systems
10. Energy, including the production refining, storage, and distribution of oil and gas, and electric power
11. Banking and finance
12. National monuments and icons
13. Defense industrial base

The US Department of Energy (DOE) bears responsibility for leadership of the Energy sector, encompassing  the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities.  DOE responsibilities in this sector include:

• collaboration with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
• conducting or facilitating vulnerability assessments of the sector; and
• encouraging risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

In June 2006, the U.S. Department of Homeland Security (DHS) announced completion of the National Infrastructure Protection Plan (NIPP) Base Plan, including a sector-specific plan for the Energy Sector.  The Vision statement for the energy sector stated:

The Energy Sector envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government.

Relevant Systems

The following diagrams included in the Energy Sector plan highlight the components in the relevant systems addressed by this sector.  Each of these sectors is highly dependent of information systems to administer and control complex, interconnected systems.

The descriptions accompanying each diagram came from the National Infrastructure Protection Plan (Energy Sector).

The electrical distribution grid

The U.S. electricity segment contains more than 5,300 power plants with approximately 1,075 gigawatts of installed generating capacity. Approximately 49 percent of electricity is produced by combusting coal (primarily transported by rail), 19 percent in nuclear power plants, and 20 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (7 percent), oil (2 percent), and by renewable (solar, wind, and geothermal) and other sources (3 percent). Electricity generated at power plants is transmitted over 211,000 miles of high-voltage transmission lines. Voltage is stepped down at substations before being distributed to 140 million customers over millions of miles of lower voltage distribution lines. The electricity infrastructure is highly automated and controlled by utilities and regional grid operators using sophisticated energy management systems that are supplied by supervisory control and data acquisition (SCADA) systems to keep the system in balance.

 The Petroleum System

The petroleum segment entails the exploration, production, storage, transport, and refinement of crude oil. The crude oil is refined into petroleum products that are then stored and distributed to key economic sectors throughout the United States. Key petroleum products include motor gasoline, jet fuel, distillate fuel oil, residual fuel oil, and liquefied petroleum gases. Both crude oil and petroleum products are imported, primarily by ship, as well as produced domestically. Currently, 66 percent of the crude oil required to fuel the U.S. economy is imported. In the United States, there are more than 500,000 crude oil-producing wells, 30,000 miles of gathering pipeline, and 51,000 miles of crude oil pipeline. There are 133 operable petroleum refineries, 116,000 miles of product pipeline, and 1,400 petroleum terminals. Petroleum also relies on sophisticated SCADA and other systems to control production and distribution; however, crude oil and petroleum products are stored in tank farms and other facilities.

The Flow of Natural Gas

Natural gas is also produced, piped, stored, and distributed in the United States. Imports of liquefied natural gas (LNG) are increasing to meet growing demand. There are more than 448,000 gas production and condensate wells and 20,000 miles of gathering pipeline in the country. Gas is processed (impurities removed) at over 550 operable gas processing plants and there are almost 302,000 miles of interstate and intrastate pipeline for the transmission of natural gas. Gas is stored at 399 underground storage fields and 103 LNG peaking facilities. Finally, natural gas is distributed to homes and businesses over 1,175,000 miles of distribution pipelines. The heavy reliance on pipelines highlights the interdependency with the Transportation Sector and the reliance on the Energy Sector for power means that virtually all sectors have dependencies with the Energy Sector.

Interdependencies across the economy

Although the electricity, oil and gas sub-sectors are complex in and of themselves, we must also recognize that these systems interact with other key CIP sectors.  The networked connectivity among these sectors amplifies increases the probability of an attack in one sector to directly affect multiple other sectors.

It is interesting to note that even small and medium size U.S. companies included in this interconnected network:

…  are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies — and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.… (source: Homeland Security Newswire: “Cyber threats now targeting traditional companies”)

In recognition of the importance of addressing information security issues, the Energy sector plan states:

Today’s developing “information age” technology has intensified the importance of CIP, in which cyber security has become as critical as physical security to protecting energy CI/KR. The Energy Sector has rapidly responded to the increasing need for enterprise-level physical and cyber security efforts and business continuity plans. Voluntarily conducted vulnerability assessments have not only improved sector security but have also demonstrated industry commitment to a secure and resilient Energy Sector. Many asset owners and operators conduct self-assessments or contract with third parties to perform energy vulnerability assessments and implement protective programs at their facilities.

Specific efforts to address information security in the Electricity subsector include:

NERC has developed Cyber Security Standards CIP-002 through 009,37 which have been filed with FERC for approval and address the following requirements:

• Data and information classification according to confidentiality
• Identification and protection of cyber assets related to reliable operation of the bulk electric systems
• Process control, SCADA, and incident reporting

NERC’s CIPC has issued a summary of several electric power vulnerability assessment methodologies, including a variation of DOE’s Vulnerability and Risk Analysis Program methodology, in a suite of potential vulnerability assessment tools that electric power companies should consider using.

Specific work to address information security in the Oil and Natural Gas subsectors include:

Establishing goals for vulnerability identification, detection and response:

• Assess  security vulnerabilities at single-point assets such as refineries, storage terminals, and other buildings, as well as networked features such as pipelines and cyber systems and
• Work toward resilient and secure cyber networks and SCADA systems to detect and respond to cyber attacks.

The AGA, the Interstate Natural Gas Association of America (INGAA), and APGA worked together to develop and release Security Guidelines: Natural Gas Industry, Transmission and Distribution. These guidelines provide an approach for vulnerability assessment, a critical facility definition, detection/deterrent methods, response and recovery guidance, cyber security information, and relevant operational standards. The industry security guidelines incorporate a risk-based approach for natural gas companies to consider when identifying critical facilities and determining appropriate actions, and are based on the DHS Homeland Security Advisory System (HSAS). The TSA, along with the PHMSA, is currently conducting onsite reviews based on these guidelines.

Importance of Energy Sector

So, just how important is the Energy Sector as a Critical Infrastructure? Though somewhat outdated, the 2006 DCSINT Handbook No. 1.02,  Threats and Terrorism states:

Energy is the infrastructure that supplies the driving force in most of American life today. Energy of some kind heats our homes, moves us for one point to another and drives our businesses and industry. The energy sector is critical to the well being of our economy, national defense and quality of life. The sector is divided into to areas, electricity and oil/natural gas. Electricity is required to operate and maintain homes, hospitals, schools, businesses and industrial plants; it is also necessary to refine oil. Disruption of electrical flow or a power grid would impact the economy and defense as well as response and recovery. Natural Gas consists of three major components: exploration and production, transmission, and distribution, with the U.S. producing 20% of the world’s natural gas supply. Oil’s infrastructure consists of five components: production, crude oil transport, refining, product transport and distribution, and control and other external support systems. The thousands of miles of pipelines offer an endless list of targets for terrorist attacks, and during transport there are opportunities for impacting more than one critical infrastructure. Over 43% of the total U.S. oil refining capacity is clustered along the Texas and Louisiana coasts. This area is subject to natural attacks as well as those of terrorists.

…

Recently the oil industry occupied the headlines, and the criticality of this infrastructure is not lost on terrorists. In mid-December 2004, Arab television aired an alleged audiotape message by Usama bin Laden in which he called upon his followers to wreak havoc on the U.S. and world economy by disrupting oil supplies from the Persian Gulf to the United States. The U.S. uses over 20.7 million barrels a day of crude oil and products and imports 58.4% of that requirement. On 19 January 2006 al-Qaeda leader Osama bin Laden announced in a video release that, “The war against America and its allies will not be confined to Iraq…..”, and since June of 2003 there have been 298 recorded attacks against Iraqi oil facilities. Terrorists conduct research as to the easiest point to damage the flow of oil or to the point where the most damage can be done.

Scenarios involving the oil fields themselves, a jetliner crashing into the Ras Tanura
facility in Saudi Arabia could remove 10 percent of the world’s energy imports in one
act. Maritime attacks are also option for terrorists; on October 6, 2002 a French tanker carrying 397,000 barrels of crude oil from Iran to Malaysia was rammed by an explosive laden boat off of the port of Ash Shihr, 353 miles east of Aden. The double-hulled tanker was breached, and maritime insurers tripled the rates. Energy most travel often long distances from the site where it is obtained to the point where it is converted into energy for use, a catastrophic event at any of the sites or along its route can adversely impact the energy infrastructure and cause ripples in other infrastructures. The security of the pipeline in Alaska increases in importance as efforts are made to make America more independent on energy use.

Securing Information and Control Systems

Of course, the business of oil and gas production and distribution relies heavily on security information management systems, the systems which control energy production and distribution represent widely points of access for potential cyber attacks.

In a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

In addition, the National Strategy to Secure Cyberspace states that "securing DCS/SCADA is a national priority".

Athough the NERC CIP standards apply specifically to electricity generation and distribution, the major categories could just as well apply to the Petroleum and Natural Gas subsectors:

1. Identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the [oil or gas distribution system].
2. Minimum security management controls in place to protect critical cyber assets.
3. An appropriate level of personnel risk assessment, training, and security awareness for personnel having authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors.
4. Identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
5. Implementation of a physical security program for the protection of critical cyber assets.
6. Defined methods, processes, and procedures for securing those systems determined to be critical cyber Assets, as well as the non-critical cyber assets within the electronic security perimeters.
7. Identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
8. Recovery plans for critical cyber assets that follow established business continuity and disaster recovery techniques and practices.

Recognized best practices for data security that are aligned with and answer the demands of these requirements include:

1. Critical asset identification and documentation.
2. Data classification.
3. Encryption of data at rest and in transit.
4. Data masking to hide information, for example, in test and development environments.
5. Access control to assure robust identification, authentication and authorization of system users.
6. Separation of duties to define administrative roles according to need.
7. Privileged user access control, closely tied to separation of duties, allows administrators only that access required to perform their jobs.
8. Database access monitoring, alerting and reporting.
9. Change control and configuration management.
10. Audit controls for all security processes.

Oracle Data Security Solutions

Oracle provides a wide range of information security products to meet the needs of industry requirements and information security best practices, including:

1. Encryption (for data at rest and in transit)
2. Data Masking
3. Privileged Database User Access Control
4. Identity and Role Administration
5. Access Control
6. Audit and Compliance Management
7. Label Security
8. Information Rights Management

In addition, complementary products from other vendors can be combined with the Oracle suite of products to implement a Defense-in-Depth Critical Infrastructure Protection security strategy strategy for the oil and gas industries.

Phew!  That’s a lot of information from many sources.  I hope you find this helpful.

A partial list of sources I used:

1. Oracle White Paper: Protecting the Electric Grid in a Dangerous World
2. Energy: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan (Redacted)
3. North American Energy Reliability Corporation (NERC)
4. NERC Critical Infrastructure Protection (CIP) cyber security standards
5. Presidential Decision Directive NSC-63 on Critical Infrastructure Protection
6. Homeland Security Presidential Directive – HSPD-7
7. DHS Sector-specific plan for the Energy Sector
8. National Infrastructure Protection Plan (Energy Sector)
9. DCSINT Handbook No. 1.02,  Threats and Terrorism
10. 21 Steps to Improve Cyber Security of SCADA Networks
11. National Strategy to Secure Cyberspace (February 2003)

Thanks for getting this far!  If you have any input or suggestions, please submit a comment or drop me an email.

The Wall Street Journal published an excellent article today entitled, “U.S. Program to Detect Cyber Attacks on Infrastructure” (subscription required),  reviewing a large U.S. government program, named “Perfect Citizen,” with the stated objective to:

“… detect cyber assaults on private U.S. companies and government agencies running critical infrastructure such as the electricity grid and nuclear power plants, according to people familiar with the program.”

We all know that the national infrastructure is vulnerable, as I mentioned recently in my blog about NERC Critical Infrastructure Protection (CIP) Cyber Security Standards. The object of this program appears to be an attempt to discover security holes that may not be CIP compliant, and detect patterns of attack before harm can be done.

U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.

How do you tackle this challenge?  Just monitor the network and find “unusual activity” that may suggest a pending cyber attack.

The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.

This accumulation and analysis of vast amounts of data from numerous sensors is a fascinating topic.  Last September, I blogged about work led by Jeff Jonas to analyze large data sets to detect the types of anomalies the NSA are seeking – all to catch threats to the Las Vegas gaming industry.  It would be interesting to know if the NSA is building upon his work to find terrorists before they strike.

Of course, any surveillance program led by the NSA is bound to be controversial, and this is no exception:

Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide.

Who knows … perhaps some day the NSA wizards might think my blogging efforts are a threat to national security and plant sensors to detect my email, blogging and social networking communications activity to see if something fishy is going on.   After all, I am not a “Perfect Citizen,” whatever that means.  No one is.

"The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," said one internal Raytheon email, the text of which was seen by The Wall Street Journal. "Perfect Citizen is Big Brother."

It will be fascinating, in an apprehensive way, to see how this all comes together:

Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected. NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems, they said.

I doubt that covert surveillance of US citizens is the initial intent of this program, but unintended consequences are what trouble me.  For some diabolical reason, increasing the amount of power vested in any one person or group of people tends to lead to oppression of others.  And it sounds like this program will put vast informational power in the hands of a few.