Jun 14 2011

Hacker Groups Attacks US Senate WebSite

Category: cyber security,Security BreachDISC @ 11:04 pm
Seal of the United States Senate.

Image via Wikipedia

US Senate Hacked! “We Don’t Like The U.S. Government Very Much” LULZ Security

The video states some reasons in significant rise of hack attack by Lulz Security on US information assets including critical assets (US senate) which is a growing threat to national security.

Leon Penetta warned in last week hearing that next Pearl Harbor might very well be a cyber attack which may affect power grid, financial system or government system.

“The Computer systems of exective branch agencies and the congress were probed or attacked on an average of 1.8 billion times per month last year” Sen. Susan Collins (R-ME)

http://www.youtube.com/watch?v=aFD3W6LhO04

Cyber War: The Next Threat to National Security and What to Do About It

Tags: Bethesda Softworks, Federal government of the United States, National security, Pearl Harbor, Sony, Susan Collins, United States, United States Senate


Jun 08 2011

In cyberspy vs cyberspy, China has the edge

Category: cyber securityDISC @ 12:11 pm
USA-China

Image via Wikipedia

By Brian Grow and Mark Hosenb

WASHINGTON: As America and China grow more economically and financially intertwined, the two nations have also stepped up spying on each other. Today, most of that is done electronically, with computers rather than listening devices in chandeliers or human moles in tuxedos.And at the moment, many experts believe China may have gained the upper hand.

Though it is difficult to ascertain the true extent of America`s own capabilities and activities in this arena, a series of secret diplomatic cables as well as interviews with experts suggest that when it comes to cyber-espionage, China has leaped ahead of the United States.

According to US investigators, China has stolen terabytes of sensitive data — from usernames and passwords for State Department computers to designs for multi-billion dollar weapons systems. And Chinese hackers show no signs of letting up.

“The attacks coming out of China are not only continuing, they are accelerating,” says Alan Paller, director of research at information-security training group SANS Institute in Washington, DC.

Secret US State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches — colourfully code-named “Byzantine Hades” by US investigators — to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China`s People`s Liberation Army.

Privately, US officials have long suspected that the Chinese government and in particular the military was behind the cyber-attacks. What was never disclosed publicly, until now, was evidence.

US efforts to halt Byzantine Hades hacks are ongoing, according to four sources familiar with investigations. In the April 2009 cable, officials in the State Department`s Cyber Threat Analysis Division noted that several Chinese-registered websites were “involved in Byzantine Hades intrusion activity in 2006.”

The sites were registered in the city of Chengdu, the capital of Sichuan Province in central China, according to the cable. A person named Chen Xingpeng set up the sites using the “precise” postal code in Chengdu used by the People`s Liberation Army Chengdu Province First Technical Reconnaissance Bureau (TRB), an electronic espionage unit of the Chinese military. “Much of the intrusion activity traced to Chengdu is similar in tactics, techniques and procedures to (Byzantine Hades) activity attributed to other” electronic spying units of the People`s Liberation Army, the cable says.

Reconnaissance bureaus are part of the People`s Liberation Army`s Third Department, which oversees China`s electronic eavesdropping, according to an October 2009 report by the US-China Economic and Security Commission, a panel created by Congress to monitor potential national security issues related to US-China relations.

Staffed with linguists and technicians, the Third Department monitors communications systems in China and abroad. At least six Technical Reconnaissance Bureaus, including the Chengdu unit, “are likely focused on defence or exploitation of foreign networks,” the commission report states.—Reuters

Cyber War: The Next Threat to National Security and What to Do About It

Tags: Chengdu, china, People's Liberation Army, SANS Institute, Sichuan, Sino-American relations, United States, WikiLeaks


May 06 2011

NSA publish list of recommendations for Keeping Networks Secure

Category: cyber securityDISC @ 10:27 am
National Security Agency seal

Image via Wikipedia

‘Best Practices for Keeping Your Home Network Secure’ is a new guide published by the National Security Agency. This document provides home users directions for keeping their systems secure and protected.

Users are faceing lots of security issues now a days, and trying to apply all the required security measures is complicated due to the fast pace of changes in technology and new vulnerabilities that may leave them open to new attack. Thess controls are industry best practice and mitigate most risks to safeguard your information assets.

The document is divided in 4 parts:
■ Host-Based Recommendations:
■ Network Recommendations:
■ Operational Security (OPSEC)/Internet Behavior Recommendations:
■ Enhanced Protection Recommendations:

To be safe on the internet, use these recommendaions as a best practice to reasonably safeguard your information assets. These best practice information controls may also help you to invest wisely and justify cost on security.


NSA titles for IAM and IEM implementation and certification

Tags: Best practice, Industry Standard Architecture, IPad, Microsoft, National Security Agency, Operating system, Security, United States


Apr 25 2011

Phishing emerges as major corporate security threat

Category: Email SecurityDISC @ 9:11 pm
A picture of the EVEREST visualization facilit...

Image via Wikipedia

Source: Computer World

The successful use of phishing emails to breach secure organizations like Oak Ridge National Laboratory and RSA are stark reminders of the serious threat posed by what some experts have dismissed as as a low-tech method of attack.

Oak Ridge, a U.S. Department of Energy-run research lab, this week disclosed it had shut down all Internet access and email services after discovering a sophisticated data stealing malware program on its networks.

According to the lab, the breach originated in a phishing email that was sent to about 570 employees. The emails were disguised to appear as notes about benefits changes written by the lab’s HR department. When a handful of employees clicked on the embedded link in the email, a malware program was downloaded onto their computers.

In terms of internal security, people are the weakest link – which makes phishing the emerging threat to any organization. Regular awareness training is one of the key control to countermeasure Phishing.

Latest titles on Phishing and countermeasures

Tags: Internet access, Malware, Oak Ridge National Laboratory, phishing, RSA, U.S. Department of Energy, United States, United States Department of Energy


Mar 24 2011

Federal Cyber Attacks Rose In 2010

Category: cyber securityDISC @ 9:16 pm
Injuries incurred by service members are cover...

Image via Wikipedia

Federal Cyber Attacks Rose 39% In 2010

Cyber attacks on the federal government increased in 2010 over the previous year, even though the total number of cybersecurity incidents was down overall, according to a new report from the Office of Management and Budget (OMB).

There were 41,776 reported cyber incidents of malicious intent in the federal network in 2010 out of a total 107,439 reported to the United States Computer Emergency Readiness Team (US-CERT), according to the OMB’s fiscal year 2010 report on federal implementation of the Federal Information Security Management Act (FISMA). The number represented a 39% increase over 2009, when 30,000 incidents were reported by the feds, of 108,710 attacks overall, according to the report.

To read more on Federal Cyber Attacks Rose 39% In 2010

Richard Clarke: U.S. Chamber committed felony in ChamberLeaks scandal


Tags: Computer security, Federal government of the United States, Flickr, Office of Management and Budget, United States, United States Computer Emergency Readiness Team, United States Department of Veterans Affairs, Veteran


Jan 06 2011

Security 2020: Reduce Security Risks This Decade

Category: Information SecurityDISC @ 10:59 am

 

Security 2020: Reduce Security Risks This Decade

Identify real security risks and skip the hype. After years of focusing on IT security, we find that hackers are as active and effective as ever. This book gives application developers, networking and security professionals, those that create standards, and CIOs a straightforward look at the reality of today’s IT security and a sobering forecast of what to expect in the next decade. It debunks the media hype and unnecessary concerns while focusing on the knowledge you need to combat and prioritize the actual risks of today and beyond.

IT security needs are constantly evolving; this guide examines what history has taught us and predicts future concerns
Points out the differences between artificial concerns and solutions and the very real threats to new technology, with startling real-world scenarios
Provides knowledge needed to cope with emerging dangers and offers opinions and input from more than 20 noteworthy CIOs and business executives
Gives you insight to not only what these industry experts believe, but also what over 20 of their peers believe and predict as well

With a foreword by security expert Bruce Schneier, Security 2020: Reduce Security Risks This Decade supplies a roadmap to real IT security for the coming decade and beyond.

Order this book for advice on how to reduce IT security risks on emerging threats to your business in coming years. Security 2020: Reduce Security Risks This Decade

From the Back Cover
Learn what’s real, what’s hype, and what you can do about it
For decades, security experts and their IT peers have battled the black hats. Yet the threats are as prolific as ever and more sophisticated. Compliance requirements are evolving rapidly and globalization is creating new technology pressures. Risk mitigation is paramount. What lies ahead?

Doug Howard and Kevin Prince draw upon their vast experience of providing security services to many Fortune-ranked companies, as well as small and medium businesses. Along with their panel of security expert contributors, they offer real-world experience that provides a perspective on security past, present, and future. Some risk scenarios may surprise you. Some may embody fears you have already considered. But all will help you make tomorrow’s IT world a little more secure than today’s.

Over 50 industry experts weigh in with their thoughts

Review the history of security breaches

Explore likely future threats, including social networking concerns and doppelganger attacks

Understand the threat to Unified Communication and Collaboration (UCC) technologies

Consider the impact of an attack on the global financial system

Look at the expected evolution of intrusion detection systems, network access control, and related safeguards

Learn to combat the risks inherent in mobile devices and cloud computing

Study 11 chilling and highly possible scenarios that might happen in the future

Tags: Bruce Schneier, Computer security, Consultants, Doug Howard, Intrusion detection system, Kevin Prince, Security, United States


Nov 22 2010

Stuxnet virus could target many industries

Category: MalwareDISC @ 1:25 pm
I constructed this image using :image:Computer...
Image via Wikipedia

By LOLITA C. BALDOR, Associated Press

A malicious computer attack that appears to target Iran’s nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday.

They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer.

The complex code is not only able to infiltrate and take over systems that control manufacturing and other critical operations, but it has even more sophisticated abilities to silently steal sensitive intellectual property data, experts said.

Dean Turner, director of the Global Intelligence Network at Symantec Corp., told the Senate Homeland Security and Governmental Affairs Committee that the “real-world implications of Stuxnet are beyond any threat we have seen in the past.”

Analysts and government officials told the senators they remain unable to determine who launched the attack. But the design and performance of the code, and that the bulk of the attacks were in Iran, have fueled speculation that it targeted Iranian nuclear facilities.

Turner said there were 44,000 unique Stuxnet computer infections worldwide through last week, and 1,600 in the United States. Sixty percent of the infections were in Iran, including several employees’ laptops at the Bushehr nuclear plant.

Iran has said it believes Stuxnet is part of a Western plot to sabotage its nuclear program, but experts see few signs of major damage at Iranian facilities.

A senior government official warned Wednesday that attackers can use information made public about the Stuxnet worm to develop variations targeting other industries, affecting the production of everything from chemicals to baby formula.

“This code can automatically enter a system, steal the formula for the product you are manufacturing, alter the ingredients being mixed in your product and indicate to the operator and your antivirus software that everything is functioning as expected,” said Sean McGurk, acting director of Homeland Security’s national cybersecurity operations center.

Stuxnet specifically targets businesses that use Windows operating software and a control system designed by Siemens AG. That combination, said McGurk, is used in many critical sectors, from automobile assembly to mixing products such as chemicals.

Turner added that the code’s highly sophisticated structure and techniques also could mean that it is a one-in-a-decade occurrence. The virus is so complex and costly to develop “that a select few attackers would be capable of producing a similar threat,” he said.

Experts said governments and industries can do much more to protect critical systems.

Michael Assante, who heads the newly created, not-for-profit National Board of Information Security Examiners, told lawmakers that control systems need to be walled off from other networks to make it harder for hackers to access them. And he encouraged senators to beef up government authorities and consider placing performance requirements and other standards on the industry to curtail unsafe practices and make systems more secure.

“We can no longer ignore known system weaknesses and simply accept current system limitations,” he said. “We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address” cybersecurity challenges.

The panel chairman, Sen. Joe Lieberman, I-Conn., said legislation on the matter will be a top priority after lawmakers return in January.

Tags: anti virus, Associated Press, Dean Turner, Industrial control systems, Iran, Joe Lieberman, Siemens, United States


Oct 20 2010

Incidence Of Cybertheft Surpasses Incidence Of Physical Theft

Category: cyber securityDISC @ 1:17 pm
私は No Click!
Image by mie_journal via Flickr

Fraud-related losses rose 20 percent to $1.7 billion in the past year, Kroll study says

Incidence of theft of information and electronic data at global companies has overtaken physical theft for the first time, according to a study released yesterday.

According to the latest edition of the Kroll Annual Global Fraud Report, the amount lost by businesses to fraud rose from $1.4 million to $1.7 million per $1 billion of sales in the past 12 months — an increase of more than 20 percent.

The findings are the result of a study commissioned by Kroll and conducted by the Economist Intelligence Unit, which surveyed more than 800 senior executives worldwide.

To read more: Incidence Of Cybertheft Surpasses Incidence Of Physical Theft

Tags: Computer crime, crime, Economist Intelligence Unit, fraud, Identity Theft, Security, Theft, United States


Sep 09 2010

DHS Cyber security Watchdogs Miss Hundreds of Vulnerabilities on Their Own Network

Category: cyber securityDISC @ 8:36 am
Seal of the United States Department of Homela...
Image via Wikipedia

By Kevin Poulsen @wired.com

The federal agency in charge of protecting other agencies from computer intruders was found riddled with hundreds of high-risk security holes on its own systems, according to the results of an audit released Wednesday.

The United States Computer Emergency Readiness Team, or US-CERT, monitors the Einstein intrusion-detection sensors on nonmilitary government networks, and helps other civil agencies respond to hack attacks. It also issues alerts on the latest software security holes, so that everyone from the White House to the FAA can react quickly to install workarounds and patches.

But in a case of “physician, heal thyself,” the agency — which forms the operational arm of DHS’s National Cyber Security Division, or NCSD — failed to keep its own systems up to date with the latest software patches. Auditors working for the DHS inspector general ran a sweep of US-CERT using the vulnerability scanner Nessus and turned up 1,085 instances of 202 high-risk security holes (.pdf).

“The majority of the high-risk vulnerabilities involved application and operating system and security software patches that had not been deployed on … computer systems located in Virginia,” reads the report from assistant inspector general Frank Deffer.

Einstein, the government’s intrusion-detection system, passed the security scan with flying colors, as did US-CERT’s private portal and public website. But the systems on which US-CERT analysts send e-mail and access data collected from Einstein were filled with the kinds of holes one might find in a large corporate network: unpatched installs of Adobe Acrobat, Sun’s Java and some Microsoft applications.

In addition to the 202 high-risk holes, another 106 medium- and 363 low-risk vulnerabilities were found at US-CERT.

“To ensure the confidentiality, integrity, and availability of its cybersecurity information, NCSD needs to focus on deploying timely system-security patches to mitigate risks to its cybersecurity program systems, finalizing system security documentation, and ensuring adherence to departmental security policies and procedures,” the report concludes.

In an appendix to the report, which is dated Aug. 18, the division wrote that it has patched its systems since the audit was conducted.

DHS spokeswoman Amy Kudwa said in a statement Wednesday that DHS has implemented “a software management tool that will automatically deploy operating-system and application-security patches and updates to mitigate current and future vulnerabilities.”

Tags: Adobe Acrobat, Computer security, Intrusion detection system, Microsoft, National Cyber Security Division, Security, United States, United States Computer Emergency Readiness Team


Jul 10 2010

FTC Says Scammers Stole Millions, Using Virtual Companies

Category: CybercrimeDISC @ 11:23 pm
Seal of the United States Federal Trade Commis...
Image via Wikipedia

100% Internet Credit Card Fraud Protected

by Robert McMillan
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminal buy and sell stolen information.

Small Thefts Overlooked

The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.

Similar Cases Show Trend

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

Aided by ‘Mules’

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people from ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this serously disrupts them.”.

Tags: American Express, Business, Credit card, Federal Trade Commission, First Data, fraud, FTC, United States


Jun 08 2010

U.S cybersecurity policies update

Category: Information Warfare,Security Risk AssessmentDISC @ 12:47 am

Breakdown of political party representation in...
Image via Wikipedia

By Greg Masters

The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.

The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.

The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.

“The passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,” Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. “These provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.”

The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.

The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.

A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.

Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.

Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.

The amendment also calls for developing policies to be used in the purchasing of technology products and services.

A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee

The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.

Tags: Diane Watson, Federal government of the United States, Federal Information Security Management Act of 2002, FISMA, Information Security, Security, Senate, United States


Jun 01 2010

The Smart Grid needs to get smart about security

Category: Information Security,Information WarfareDISC @ 6:17 pm

A terminus of the Nelson River HVDC system, no...
Image via Wikipedia

by Larry Karisny
While following the Connectivity Show in Santa Clara California, I thought I should follow-up on the at Greentech Media’s annual Smart Grid conference in Palm Springs last week. I wanted to focus this article on Smart Grid security so I thought I should find some clear explanation of where we are now and then add my thoughts on where we need to be in smart grid security. To get an indication of where we are I couldn’t pass up this simultaneously humorous and cautionary anecdote opening panel discussion from Smart Grid security guru, Massoud Amin of University of Minnesota, drawn from his most recent whitepaper:

Now with all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand alone power facilities and substations connected with point to point microwave communication links (many times upgraded to their own dark fiber point to points). With this kind of money and private network capabilities, why would you ever worry about security? You lived on your own island with your own power and communications grid and every thing was just fine. Then came the smart grid. By definition, the smart grid requires a two-way digital technology to control appliances at consumers’ homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies and admittedly a whole new learning curve with many power companies like PG&E setting up their own test labs begin learning this who knew an complex smart grid system (See: Inside PGE’s Smart Grid Lab Chris Knudsen, director of the technology innovation center at PG&E, shows us what they’re tinkering with).

It didn’t take long for problem to occur. Again, you need to understand that even smart meters were just dusted off 20 year old designs that were lying around waiting for someone to push the power companies into the 21 century. These designs were never meant to securely send a store data real time. It wasn’t long before serious security issues were found and were reported by respected security form like InGuardian and IOactive. And we are not talking about someone hacking you PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco . So now with little knowledge of the Internet and security the power companies have billions of dollars of grant in hand with one big problem. The grants mandate an iron clad security platform.

To add to the smart grid security problems some people think the power grid is the main target in the new battle in cyber wars.

Richard Clarke, the former anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack of the power grid on the front lines. In a recent NewsWeek article Clarke was quoted as saying, “I think the average American would understand it if they suddenly had no electricity.

The U.S. government, [National Security Administration], and military have tried to access the power grid’s control systems from the public Internet. They’ve been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That’s the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures.”

So what can we do to secure the grid now while upgrading it to smart grid capabilities?

Ed Smith, CEO of WirelessWall has one word, “Attack.” Having a military background he understands that you begin an attack by crippling an enemy’s communication and critical infrastructure. His civilian background has a long history of Situational Crisis Management, using Rapid Response Teams to facilitate the successful conclusion to crisis situations. Armed with security that exceeds the DoD 8100.2 (DoD Directive on wireless security) and FIPS 140-2 End-to-End Security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.

“People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons. That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives.”

“We can’t afford not to put good enough security in our power grids. My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the Smart Power Grid protection has to be implemented now.”

“If you are a Smart Grid Integrator offering a solution, someone that has been breached, or better yet, don’t want to be breached, you have to be proactive. Where are the power companies? What are they waiting for? PG&E, Duke Power, Florida Power and Light, Progress Energy, Sacramento Municipal Utility District (SMUD), we are right here in Silicon Valley California, WirelessWall can even be installed remotely and proven in a matter of hours so there is really no excuse for not putting this in their labs and testing it. After about 10 years of real-life military testing and the only wireless protection allowed by the DoE to secure nuclear sensors for the last 6 years, there is not a lab test that can come close to disputing the protection capabilities of WirelessWall. It is a time and situation proven solution and our Rapid Response Team approach is designed to install protection immediately”.

Like the old David and Goliath story, the power companies need to start embracing smaller company expertise and leverage their learning curve. Like the security story of WirelessWall, the expertise of how to build these wireless network platforms resides in the companies that have had their products tested in real world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name of few, they were the trail blazers that learned along the way and can now bringing tested wireless network expertise to the smart grid. With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that and are ready to support a secure a wireless smart grid network with their tested solutions.

SP AusNet selects GE for world’s first 4G communications smart grid solution, delivering revolutionary security and reliability benefits.(CONTRACTS): An article from: Home Networks

Tags: Business, Electrical grid, Federal government of the United States, Sacramento Municipal Utility District, San Francisco, Security, Smart Grid, United States