The buck stops where?


Co-ops take responsibility for cybersecurity

Ten years ago in the United States, hackers armed only with a keyboard and mouse destroyed a diesel-electric generator, demonstrating a dangerous vulnerability of the electric grid. Fortunately, these “hackers” were researchers at the Idaho National Laboratory experimenting with cybersecurity and they devised a defense against the specific attack they’d carried out.

But after an additional decade’s worth of increasing sophistication, real hackers with hostile intent might attempt a wider attack seeking spectacular consequences.

This spring, the Center for International Studies at the Massachusetts Institute of Technology (MIT) published “Keeping America Safe: Toward More Secure Networks for Critical Sectors.” Broadly critical of cyber defense efforts, the paper declares that the federal government has failed, through several presidential administrations, to coordinate leadership in defending “the infrastructure on which virtually all economic and social activit[ies]depend.”

Fact-Finding or Fault-Finding? 

The paper comprises a report on MIT workshops with government, academic, and private-sector participants in four critical sectors: electricity, finance, communications, and the oil and natural gas industry. It makes recommendations for the Trump administration to focus on what’s clearly portrayed as a haphazard approach to cybersecurity.

In an executive summary titled “A History of Hesitancy,” the paper states that “The nation can no longer afford a pattern of uncoordinated executive action and scattershot research.” Reaching back to 1990, it quotes Presidents George H. W. Bush, Bill Clinton, George W. Bush, and Barack Obama, each calling for vigilance in reducing vulnerability to cyberattack, and concludes that the goal hasn’t been met.

Workshop participants asserted that “materially improved” security will require “more energetic and coordinated steps from the president than any of his predecessors has been willing to take.”

A Front-Line Perspective 

Not everyone shares MIT’s view that effective cybersecurity demands hands-on attention from the nation’s chief executive. Barry Lawson of the National Rural Electric Cooperative Association (NRECA) told Wisconsin Energy Cooperative News, “That’s not where the focus is. The focus primarily is with the owner or operator of the infrastructure.”

The MIT report, he said, “is a little heavy-handed in potentially seeking new regulation and in some cases legislation, and in most cases that’s not where we want to go. It’s an informative paper but cybersecurity problems are not going to all be solved by the president or the agency secretaries.”

Lawson, NRECA’s senior director for regulatory affairs, pointed out that “We already have mandatory and enforceable standards” that generation and transmission cooperatives and several dozen distribution cooperatives must meet along with other utilities, that the standards are set by the nonprofit North American Electric Reliability Corporation (NERC), and that they “have to be complied with and that includes cybersecurity.”

NERC standards, once voluntary, acquired serious teeth by an act of Congress following the August 2003 multi-state blackout attributed to deficient vegetation management practices.

For local electric distribution cooperatives, a cyber attack is unlikely to travel upstream and cripple the transmission grid as a result of something the co-op does or doesn’t do, Lawson says. He sees data theft and the implanting of ransomware as a far greater threat at the distribution co-op level and urges adoption, at minimum, of three key defenses.

These include strong passwords, revised periodically; prohibiting use of thumb drives and other portable memory transfer devices; and educating employees and directors to not open attached files or web links in an email unless the recipient is certain of the sender’s identity.

“If co-ops work hard in those areas it goes a long way to guard against data breaches and ransomware. It also works for each person at home,” Lawson says.

Alison Kennedy, NRECA’s communications manager for business & technologies strategies, notes the organization is developing educational resources for small to medium-sized cooperatives to assist them in self-assessment of potential risks, through the Rural Cooperative Cybersecurity Capabilities (RC3) program. RC3 was devised with financial support from the Department of Energy, and funding of $2.5 million has been appropriated for the first year of what’s hoped to be a three-year program.

Uneven Performance 

Amid listing many technological needs, the MIT report makes a point reflecting Barry Lawson’s remarks about cybersecurity’s essential focus on the humans who operate the infrastructure.

“It is a serious error,” the report says, “to assume that cybersecurity is entirely a matter of technical specifications and system design. Poor business management, lack of clear responsibility within organizations, and bad user behavior would continue to create significant vulnerabilities even if the technical issues could suddenly be fixed.”

The paper faults “many [unnamed]firms” that “fail to take basic security precautions” in the fundamentally unsecure world of the internet, noting that most intrusions are “discovered by law enforcement and other third parties and not by the enterprise that owns the network.”

And if plugging in the right software is insufficient without broad acceptance of personal and corporate responsibility, the same reasoning says overreliance on federal leadership is the wrong solution. Ellen Nowak, chairperson of Wisconsin’s Public Service Commission, told Wisconsin Energy Cooperative News there are “many actors, on the local, state, and federal levels, and in both the private and public sectors, working to improve infrastructure security.”

“I think leadership is going to come from all levels of government and industry,” Nowak said.

She noted that the commission “meets regularly with Wisconsin’s investor-owned utilities, monitoring their work in safekeeping their facilities and data, and we participate in the Wisconsin Homeland Security Council in order to coordinate with other stakeholders to prepare for possible events or developments that might be aimed at affecting or compromising safe and reliable utility services.”

Even so, the MIT workshops recognized that “offense remains dominant,” that “total security is not achievable,” and that “significant efforts” by key federal departments such as Homeland Security, Defense, and Energy have nevertheless “not altered the strategic balance.”

Along those lines, Nowak pointed out that “Our infrastructure must not only be resistant to attacks, but resilient as well—able to recover quickly and able to isolate intrusions so that they don’t spread throughout the system.”

Like Nowak, Lawson takes the view that any business needs to balance prevention and mitigation with quick response and recovery. “You can take the prudent steps to address cybersecurity but you might still have an event,” he says. “Because of that, you also need to have response and recovery preparations as well. You need to realize cybersecurity is now part of doing business.”

The MIT paper quotes Edward Amoroso, retired AT&T security chief, in a letter to the then-president-elect last November. Amoroso wrote that large-scale cyber attacks against critical U.S. infrastructure are “inevitable” in the next few years.

“These attacks will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens,” Amoroso wrote, adding, “I do not know of a single cybersecurity expert in our country who would disagree with this view.”

The Necessity of Self-Defense  

The MIT paper warns that linkages between systems in different business sectors can offer a point of entry for attackers, creating “possibilities for cascading failure…not adequately illuminated” by exercises conducted within single sectors.

Whether more active White House involvement is the answer can be debated, but Lawson’s experience confirms challenges coordinating cyber defense.

“Coordination across sectors is challenging but the electric sector has been coordinating with the financial, telecommunications, water, and oil and natural gas industries. It takes a lot of effort to make that happen,” he says. “It’s going to get better but it’s going to take continuous effort by all parties.”

Coordination with government also has some hurdles to clear. Lawson notes that the government provides abundant threat and vulnerability information, much of it classified. It therefore needs to be reinterpreted by industry personnel with security clearance and purged of classified material before it can be distributed to infrastructure owners and operators who are ultimately responsible for taking action.

“The federal government has been a good ally and we are working with them to help them understand why we need more information in a timely and actionable way,” he says.