Information Security Management
Discussion Assignments are designed to ensure critical reflection and application of course content as well as peer interaction. Your responses should reflect your active engagement in understanding the information from the weekly reading material. For each discussion, you will: Post a detailed response of 250 - 300 words to the question or questions posed by the professor.
1. In communications and network security, securing the grid is very important. Give your opinion on grid vulnerabilities and threats and the corresponding countermeasures to protect against them.
2. What kinds of attacks and mobile malware are dominant in the mobile communications environment? Suggest some of your ideas for fighting them.
3. How can you get the best out of information security projects? Please suggest your ideas.
4. Do you think organizational behavior, including institutions, can cultivate your information security program? Show the rationale for your answer with supporting evidence.
5. How can you manage the security testing process for a service-oriented architecture? Is it possible or not?
6. How can you improve security resilience in the Software Development Life Cycle? Suggest your ideas.
7. What would be the best practice for applying the principles of cryptography in cloud computing? Suggest your ideas.
8. Research the five major cloud computing services and introduce their cloud computing security technologies and policies respectively.
Sixth Edition • Volume 7
Information Security Management Handbook
Edited by Richard O’Hanley • James S. Tiller
ISBN: 978-1-4665-6749-8
Information Technology / Security & Auditing
Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 7 is the most comprehensive and up-to-date reference available on information security and assurance. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay one step ahead of evolving threats, standards, and regulations.
Reporting on the latest developments in information security and recent changes to the (ISC)2® CISSP® Common Body of Knowledge (CBK®), this volume features 27 new chapters on topics such as BYOD, IT consumerization, smart grids, security, and privacy.
• Covers the fundamental knowledge, skills, techniques, and tools required by IT security professionals
• Updates its bestselling predecessors with new developments in information security and the (ISC)2 CISSP CBK
• Provides valuable insights from leaders in the field on the theory and practice of computer security technology
• Facilitates the comprehensive and up-to-date understanding you need to stay fully informed
The ubiquitous nature of computers and networks will always provide the opportunity and means to do harm. This edition updates its popular predecessors with the information you need to address the vulnerabilities created by recent innovations such as cloud computing, mobile banking, digital wallets, and near-field communications. This handbook is also available on CD.
© 2010 Taylor & Francis Group, LLC
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Asset Protection through Security Awareness Tyler Justin Speed ISBN 978-1-4398-0982-2
Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks Mohssen Mohammed and Al-Sakib Khan Pathan ISBN 978-1-4665-5727-7
The Complete Book of Data Anonymization: From Planning to Implementation Balaji Raghunathan ISBN 978-1-4398-7730-2
The Complete Guide to Physical Security Paul R. Baker and Daniel J. Benny ISBN 978-1-4200-9963-8
Conflict and Cooperation in Cyberspace: The Challenge to National Security Panayotis A Yannakogeorgos and Adam B Lowther (Editors) ISBN 978-1-4665-9201-8
Cybersecurity: Public Sector Threats and Responses Kim J. Andreasson ISBN 978-1-4398-4663-6
The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules John J. Trinckes, Jr. ISBN 978-1-4665-0767-8
Digital Forensics Explained Greg Gogolin ISBN 978-1-4398-7495-0
Digital Forensics for Handheld Devices Eamon P. Doherty ISBN 978-1-4398-9877-2
Effective Surveillance for Homeland Security: Balancing Technology and Social Issues Francesco Flammini, Roberto Setola, and Giorgio Franceschetti (Editors) ISBN 978-1-4398-8324-2
Electronically Stored Information: The Complete Guide to Management, Understanding, Acquisition, Storage, Search, and Retrieval David R. Matthews ISBN 978-1-4398-7726-5
Enterprise Architecture and Information Assurance: Developing a Secure Foundation James A. Scholz ISBN 978-1-4398-4159-4
Guide to the De-Identification of Personal Health Information Khaled El Emam ISBN 978-1-4665-7906-4
Information Security Governance Simplified: From the Boardroom to the Keyboard Todd Fitzgerald ISBN 978-1-4398-1163-4
Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0 Barry L. Williams ISBN 978-1-4665-8058-9
Information Technology Control and Audit, Fourth Edition Sandra Senft, Frederick Gallegos, and Aleksandra Davis ISBN 978-1-4398-9320-3
Iris Biometric Model for Secured Network Access Franjieh El Khoury ISBN 978-1-4665-0213-0
Managing the Insider Threat: No Dark Corners Nick Catrantzos ISBN 978-1-4398-7292-5
Network Attacks and Defenses: A Hands-on Approach Zouheir Trabelsi, Kadhim Hayawi, Arwa Al Braiki, and Sujith Samuel Mathew ISBN 978-1-4665-1794-3
Noiseless Steganography: The Key to Covert Communications Abdelrahman Desoky ISBN 978-1-4398-4621-6
PRAGMATIC Security Metrics: Applying Metametrics to Information Security W. Krag Brotby and Gary Hinson ISBN 978-1-4398-8152-1
Securing Cloud and Mobility: A Practitioner’s Guide Ian Lim, E. Coleen Coolidge, and Paul Hourani ISBN 978-1-4398-5055-8
Security and Privacy in Smart Grids Yang Xiao (Editor) ISBN 978-1-4398-7783-8
Security for Wireless Sensor Networks using Identity-Based Cryptography Harsh Kupwade Patil and Stephen A. Szygenda ISBN 978-1-4398-6901-7
The 7 Qualities of Highly Secure Software Mano Paul ISBN 978-1-4398-1446-8
AUERBACH PUBLICATIONS www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: orders@crcpress.com
CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works Version Date: 20130723
International Standard Book Number-13: 978-1-4665-6752-8 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com (http:// www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com
Contents

Introduction ... ix
Contributors ... xiii

DOMAIN 2: TELECOMMUNICATIONS AND NETWORK SECURITY
Communications and Network Security
1 Securing the Grid ... 3
TERRY KOMPERDA
Network Attacks and Countermeasures
2 Attacks in Mobile Environments ... 23
NOUREDDINE BOUDRIGA

DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT
Security Management Concepts and Principles
3 Security in the Cloud ... 35
SANDY BACIK
4 Getting the Best Out of Information Security Projects ... 45
TODD FITZGERALD
5 Mobility and Its Impact on Enterprise Security ... 57
PRASHANTH VENKATESH AND BALAJI RAGHUNATHAN
6 An Introduction to Digital Rights Management ... 67
ASHUTOSH SAXENA AND RAVI SANKAR VEERUBHOTLA
7 Information Security on the Cheap ... 81
BEAU WOODS
8 Organizational Behavior (Including Institutions) Can Cultivate Your Information Security Program ... 101
ROBERT K. PITTMAN, JR.
9 Metrics for Monitoring ... 121
SANDY BACIK
Policies, Standards, Procedures, and Guidelines
10 Security Implications of Bring Your Own Device, IT Consumerization, and Managing User Choices ... 133
SANDY BACIK
11 Information Assurance: Open Research Questions and Future Directions ... 143
SETH J. KINNETT
Security Awareness Training
12 Protecting Us from Us: Human Firewall Vulnerability Assessments ... 151
KEN M. SHAURETTE AND TOM SCHLEPPENBACH

DOMAIN 4: APPLICATION DEVELOPMENT SECURITY
Application Issues
13 Service-Oriented Architecture ... 161
WALTER B. WILLIAMS
Systems Development Controls
14 Managing the Security Testing Process ... 179
ANTHONY MEHOLIC
15 Security and Resilience in the Software Development Life Cycle ... 197
MARK S. MERKOW AND LAKSHMIKANTH RAGHAVAN

DOMAIN 5: CRYPTOGRAPHY
Cryptographic Concepts, Methodologies, and Practices
16 Cloud Cryptography ... 209
JEFF STAPLETON

DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN
Principles of Security Models, Architectures, and Evaluation Criteria
17 Identity and Access Management Architecture ... 221
JEFF CRUME
18 FedRAMP: Entry or Exit Ramp for Cloud Security? ... 239
DEBRA S. HERRMANN

DOMAIN 7: OPERATIONS SECURITY
Concepts
19 Data Storage and Network Security ... 251
GREG SCHULZ

DOMAIN 9: LEGAL, REGULATIONS, COMPLIANCE, AND INVESTIGATIONS
Information Law
20 National Patient Identifier and Patient Privacy in the Digital Era ... 259
TIM GODLOVE AND ADRIAN BALL
21 Addressing Social Media Security and Privacy Challenges ... 267
REBECCA HEROLD
Investigations
22 What Is Digital Forensics and What Should You Know about It? ... 279
GREG GOGOLIN
23 eDiscovery ... 287
DAVID G. HILL
24 Overview of the Steps of the Electronic Discovery Reference Model ... 293
DAVID G. HILL
25 Cell Phone Protocols and Operating Systems ... 303
EAMON P. DOHERTY
Major Categories of Computer Crime
26 Hacktivism: The Whats, Whys, and Wherefores ... 321
CHRIS HARE
Compliance
27 PCI Compliance ... 345
TYLER JUSTIN SPEED
28 HIPAA/HITECH Compliance Overview ... 357
JOHN J. TRINCKES, JR.

Information Security Management Handbook: Comprehensive Table of Contents ... 387
Introduction
This is the first annual edition of the Information Security Management Handbook since 1994 without the guidance and the insight of Hal Tipton. Hal passed away in March 2012. He will be missed by a lot of people for a lot of reasons.
It seems that every year is an interesting one for information security, and 2012 was no different. It is interesting, too, how perceptive Kaspersky Labs, for example, was with its forecast. It also foreshadows the end of online trust and privacy. If you cannot trust digital certificates, what is left to trust?

Kaspersky Cyberthreat Forecasts

    2012                          2013
    Cyber weapons                 Government surveillance
    Mass targeted attacks         Continued targeted attacks
    Mobile threats                Mac OS X malware and mobile malware
    Attacks on online banking     Cloud attacks
    PPI attacks                   PPI threats
    Hacktivism                    More hacktivism
                                  Problems with trust and digital authorities
                                  Ransomware and extortion malware
                                  Espionage and other government cyberattacks
Cyberwarfare has jumped to the front pages of every newspaper, both print and virtual. Stuxnet spawned Flame, Duqu, and Gauss. While we were all focused on attacks and espionage by China, France, and Israel, Iran mounted a DDoS (Distributed Denial of Service) attack against US banks in retaliation for sanctions that appear to be working. At the same time, Iran’s central bank was attacked. Added to the online attacks is the growing threat of supply chain security, and products shipped with back doors or embedded systems that let them phone home. Witness the difficulty Chinese telecom equipment suppliers like Huawei are having with gaining toeholds in the United States by purchasing the US suppliers.
While Russians and Eastern Europeans are not singled out for cyberwarfare, crime syndicates based there continue to threaten commerce and privacy.
Theft of passwords from LinkedIn and Dropbox, and what seems like daily reports of attacks on or by Facebook show the lure of social media to hackers, and the dangers to the rest of us. And while Facebook and others do not install rootkits like Sony did, its data collection efforts, combined with the apparent insecurity of the site emphasizes the growing dangers of Big Data and the Cloud.
We saw a huge increase in hacktivism as Anonymous and LulzSec launched various attacks on both government and private sites around the world.
It was only a matter of time until Mac OS X became a profitable target. Once critical mass was reached, hackers could not resist investing the time to own it.
As with Mac OS X, mobile devices are becoming even more alluring targets. We have seen the same types of attacks and malware used against PCs adapted to mobile, plus new threats like SMS (short message service) spoofing. Not surprisingly, Android, Google’s open platform, has suffered the most. Plus, the growing number of apps for all platforms introduces a level of threat that is hard to estimate, but definitely growing.
M2M and the Internet of Things are creating more opportunities for hackers. From NFC (near-field communication) payments to utility sensors sending unencrypted data, this is a potentially lucrative area for fraud and identity theft. Sensor networks are now in the DIY (do-it-yourself) arena, which creates yet a new class of threats.
BYOD (Bring Your Own Device), IT consumerization, whatever you call it, is making life so much more fun for black hats. It has given new meaning to “insider threats.” With portable digital devices being introduced into the enterprise, both with and without permission, we are seeing a manifold increase in threats. Clearly, policies alone are not sufficient to deal with this, and it is unclear how draconian management wants to be with forcing compliance. The products exist, but does the will to use them?
Looking at 2013, the promise of more surveillance, both from governments and online data collectors, means less privacy, even for the most careful users. Short of totally disconnecting from the grid, if such a thing is possible now, it is apparent we do not and would not have privacy.
This edition of the Information Security Management Handbook addresses many of these trends and threats, plus new areas such as security SDLC (software development life cycle), as well as forensics, cloud security, and security management. Chris Hare takes an in-depth look at hacktivism, identifying the motivations and the players, and providing advice on how to protect against it. Becky Herold analyzes the security and privacy challenges of social media. Sandy Bacik looks at the security implications of BYOD, and the challenges of managing user expectations. The Smart Grid offers its own security and privacy challenges as Terry Komperda explains. Noureddine Boudriga explains attacks in mobile environments.
There is new guidance on PCI and HIPAA/HITECH compliance. In addition to forensics and e-discovery, a chapter looks at cell phone protocols and operating systems from the perspective of a forensic investigator.
I have heard it said, “You can’t fix stupid.” So many of these attacks are successful because of clueless or irresponsible users. In what I hope is not a vain effort, Ken Shaurette and Tom Schleppenbach look at human firewall testing, social engineering, and security awareness. We also look at security and resilience in the software development life cycle, managing the security testing process, and SOA (service-oriented architecture) security.
Here is a shout out to my friend Jim Tiller, head of Security Consulting, Americas for HP Enterprise Security Services, for his help in preparing this edition. Jim’s done a lot for the Handbook over the years, and I am hoping he will continue.
All-in-all, this is a good volume of the Information Security Management Handbook. We are working on the next edition now. If you would like to contribute, please contact me at 917-351-7146 or rich.ohanley@taylorandfrancis.com.
Richard O’Hanley
Contributors
Sandy Bacik Lord Corporation Cary, North Carolina
Adrian Ball TurningPoint Global Solutions Rockville, Maryland
Noureddine Boudriga Réseau National Universitaire Tunis, Tunisia
Jeff Crume IBM Research Triangle Park, North Carolina
Eamon P. Doherty Fairleigh Dickinson University Teaneck, New Jersey
Todd Fitzgerald ManpowerGroup Milwaukee, Wisconsin
Tim Godlove Department of Veterans Affairs Washington, DC
Greg Gogolin Ferris State University Grand Rapids, Michigan
Chris Hare Verizon Dallas, Texas
Rebecca Herold Rebecca Herold & Associates, LLC Des Moines, Iowa
Debra S. Herrmann Jacobs Engineering Washington, DC
David G. Hill Mesabi Group LLC Westwood, Massachusetts
Seth J. Kinnett Chicago, Illinois
Terry Komperda Illinois Institute of Technology Chicago, Illinois
Anthony Meholic The Bancorp Bank Wilmington, Delaware
Mark S. Merkow PayPal San Jose, California
Robert K. Pittman, Jr. County of Los Angeles Los Angeles, California
Lakshmikanth Raghavan PayPal San Jose, California
Balaji Raghunathan Infosys Limited Bangalore, India
Ashutosh Saxena Infosys Limited Hyderabad, India
Tom Schleppenbach Inacom Information Systems, Inc. Madison, Wisconsin
Greg Schulz StorageIO Stillwater, Minnesota
Ken M. Shaurette FIPCO Madison, Wisconsin
Tyler Justin Speed Electronics International Eugene, Oregon
Jeff Stapleton Bank of America Dallas, Texas
John J. Trinckes, Jr. PathForwardIT Cincinnati, Ohio
Ravi Sankar Veerubhotla Infosys Limited Hyderabad, India
Prashanth Venkatesh Infosys Limited Bangalore, India
Walter B. Williams Lattice Engines Boston, Massachusetts
Beau Woods Stratigos Security Atlanta, Georgia
DOMAIN 2
TELECOMMUNICATIONS AND NETWORK SECURITY
Communications and Network Security
Chapter 1
Securing the Grid
Terry Komperda
Contents

Introduction ... 4
The Power (Electrical) Grid ... 4
  Core Functions of a Power Grid ... 4
  Power Grid Components ... 5
  Power Distribution Topologies ... 5
  Communication Networks, Control, and Communications Protocol in the Grid ... 5
  Problems in Current Power Grids ... 6
Stuxnet ... 6
The Case for a Smart Grid ... 6
The Smart Grid ... 7
  Smart Grid Technologies, Systems, and Components ... 7
Grid Vulnerabilities ... 8
Threats in the Grid ... 9
  Threats by Confidentiality, Integrity, and Availability ... 9
  Privacy Threats ... 10
Potential Attacks on the Grid ... 10
  Attacking Consumers ... 10
  Attacking Utility Companies ... 11
Federal Efforts to Protect the Grid in North America ... 13
Standards Bodies and Standards for Protecting the Grid ... 14
Security for the Grid ... 16
  General Security Practices ... 16
  Technical Security Practices ... 17
  Privacy Practices ... 18
Conclusion ... 19
References ... 19
Further Reading ... 19
Introduction

Before we can dive into how utility networks will evolve and how those future networks will be exposed to issues that affect their security and continued functioning, we need to look at some history of the current networks, why they need to change after functioning properly for so long, and the benefits to be realized from their technological advancement.
The Power (Electrical) Grid

The power grids of the twentieth century were designed as a one-way broadcast of power from a few central generators to a large number of electrical users. At the time of the design, the main goal was to keep the lights on, without regard for energy efficiency, environmental considerations, or consumer choice. The grid has typically been a geographically organized collection of integrated utilities, with control based on a fixed hierarchical infrastructure. Figure 1.1 is a simple illustration of a power grid showing the main functions a power grid performs.
Core Functions of a Power Grid

A power grid performs three core functions:

a. Power generation—Power is generated at a power station, which may be a coal or nuclear plant, a hydroelectric dam, a wind farm, and so on.
b. Transmission—Electricity is carried at high voltage from power stations to distribution systems. The hand-off happens at a substation, which is also a point of monitoring and control in the grid.
c. Distribution—Electricity is stepped down to medium voltage here and delivered to the end customers.

Figure 1.1 Power grid. Three utilities (Utility A, Utility B, Utility C), each with its own generation, distribution, and customers. (From Bakken, D. et al. 2003. GridStat. Washington State University, School of Electrical Engineering and Computer Science, November 2003. Slide #4.)
Historically, larger power companies have been granted monopoly status and typically control all three functions for a geographic area.
Power Grid Components

These are the major components of a power grid:

a. Generator—Its major function is to generate power.
b. Substation—A point of control and monitoring in the grid. It can serve many generators, boost voltage, and act as a distribution point to customers.
c. Control area—A group of substations in a geographic area covering anywhere from a county to a few states. A control area performs all three core functions and corresponds to one or a few utility companies.
d. Grid—A set of control areas that are synchronously controlled.
Power Distribution Topologies

Power is typically distributed in one of three ways in a power grid:

a. Radial grid topology—Electricity is distributed from a substation in a pattern resembling a tree with branches and leaves. Each branch and leaf receives power from a single source, so the loss of any line de-energizes everything downstream of it.
b. Mesh grid topology—Power can reach a point from other sources (other branches and leaves) as well, which makes a mesh grid more reliable than a radial grid.
c. Looped topology—A combination of mesh and radial topologies, used primarily in Europe. The loop lets the grid resist a disruption wherever the fault occurs.
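The reliability differences between the three topologies can be checked on small networks with an N-1 contingency analysis: take each line out of service in turn and see which customers lose every path back to the substation. The block below is an added example, not code from the chapter or from any utility tool; the networks (substation S, branch points B1 and B2, customers C1 to C4) are constructed for illustration, and a customer counts as energised if any path to the substation survives, ignoring line capacity and protection settings. It also generalises the single-failure case to k simultaneous failures, which shows where the looped and mesh topologies stop helping.

```python
"""N-1 (and N-k) contingency check for the three distribution topologies.

Constructed example: a distribution network is an undirected graph whose
nodes are the substation, feeder branch points and customers, and whose
edges are lines. For every single-line (N-1) or k-line failure we compute
which customers lose every path back to the substation.
"""
from collections import deque
from itertools import combinations


def energised(nodes, edges, source):
    """Return the set of nodes still connected to `source` over `edges` (BFS)."""
    adjacency = {node: set() for node in nodes}
    for a, b in edges:
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        for neighbour in adjacency[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def customers_lost(nodes, edges, source, customers, failed):
    """Customers de-energised when the lines in `failed` are out of service."""
    remaining = [line for line in edges if line not in failed]
    live = energised(nodes, remaining, source)
    return {customer for customer in customers if customer not in live}


def single_points_of_failure(nodes, edges, source, customers):
    """Lines whose loss alone drops at least one customer, mapped to the customers lost."""
    spof = {}
    for line in edges:
        lost = customers_lost(nodes, edges, source, customers, {line})
        if lost:
            spof[line] = lost
    return spof


def max_customers_lost(nodes, edges, source, customers, k=1):
    """Worst case over every combination of k simultaneous line failures (N-k)."""
    return max(
        len(customers_lost(nodes, edges, source, customers, set(failed)))
        for failed in combinations(edges, k)
    )


# Constructed sample networks (assumed names). S is the substation, B1/B2 are
# feeder branch points, C1..C4 are customers.
CUSTOMERS = ["C1", "C2", "C3", "C4"]

# Radial: a tree, every customer hangs off a single path.
RADIAL_NODES = ["S", "B1", "B2"] + CUSTOMERS
RADIAL_EDGES = [("S", "B1"), ("S", "B2"),
                ("B1", "C1"), ("B1", "C2"), ("B2", "C3"), ("B2", "C4")]

# Mesh: the same feeder with tie lines so every point has a second path.
MESH_NODES = RADIAL_NODES
MESH_EDGES = RADIAL_EDGES + [("B1", "B2"), ("C1", "C3"), ("C2", "C4")]

# Looped: one ring fed from both ends of the substation bus (tie assumed closed).
LOOP_NODES = ["S"] + CUSTOMERS
LOOP_EDGES = [("S", "C1"), ("C1", "C2"), ("C2", "C3"), ("C3", "C4"), ("C4", "S")]


def main():
    for name, nodes, edges in (("radial", RADIAL_NODES, RADIAL_EDGES),
                               ("mesh", MESH_NODES, MESH_EDGES),
                               ("looped", LOOP_NODES, LOOP_EDGES)):
        spof = single_points_of_failure(nodes, edges, "S", CUSTOMERS)
        print(f"{name:7s} single points of failure: {len(spof)} of {len(edges)} lines")
        for line, lost in sorted(spof.items()):
            print(f"         loss of {line[0]}-{line[1]} drops {sorted(lost)}")
        for k in (1, 2):
            worst = max_customers_lost(nodes, edges, "S", CUSTOMERS, k)
            print(f"         worst case with {k} simultaneous failure(s): {worst} customers")


if __name__ == "__main__":
    main()
```

On these samples every radial line is a single point of failure, while neither the mesh nor the ring loses a customer to any one fault; with two simultaneous faults both can still lose the whole feeder (for instance both substation-side lines), which is the attacker's view of the same graph.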
Communication Networks, Control, and Communications Protocol in the Grid
a. Communication networks—Frame relay, asynchronous transfer mode (ATM), public switched telephone network (PSTN), and the Internet are all used for communications in the current grid.
b. Control—Supervisory control and data acquisition (SCADA) is a serial system implementation used to remotely control and monitor the transmission and the distribution of power in electrical grids.
c. Communications protocol—The most popular utility automation protocol used in North America is distributed network protocol (DNP). It is applied through distribution and transmission networks and provides connections from master stations to substations, between devices in substations, and out to pole-top devices.
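As an added illustration (not part of the handbook), the following validator checks DNP3 link-layer frames the way a passive monitoring sensor on a substation network would before handing them to deeper inspection; the frame layout and the CRC-16/DNP polynomial follow the public DNP3 specification, and the sample frames are constructed. The CRC only catches corruption and truncation, not frames injected by a party on an unencrypted link, which is why the lack of encryption discussed later in this chapter matters.

```python
# Added example, not from the handbook: a validator for DNP3 link-layer frames
# such as a passive network monitor would apply before deeper inspection.
# Frame layout and CRC-16/DNP (poly 0x3D65, reflected, final XOR 0xFFFF)
# follow the public DNP3 specification; sample frames below are constructed.

START = b"\x05\x64"   # fixed start bytes of every DNP3 link-layer frame
BLOCK = 16            # user data travels in 16-byte blocks, each followed by a CRC


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, zero init, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(control: int, dest: int, source: int, payload: bytes) -> bytes:
    """Assemble a frame; LENGTH counts control, dest, source and user data."""
    if len(payload) > 250:
        raise ValueError("payload exceeds DNP3 link-layer maximum")
    header = (START + bytes([5 + len(payload), control])
              + dest.to_bytes(2, "little") + source.to_bytes(2, "little"))
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(payload), BLOCK):
        block = payload[i:i + BLOCK]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame

def parse_frame(frame: bytes) -> dict:
    """Check start bytes, LENGTH and every CRC; raise ValueError on any fault."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("bad start bytes or truncated header")
    if crc16_dnp(frame[:8]) != int.from_bytes(frame[8:10], "little"):
        raise ValueError("header CRC mismatch")
    if frame[2] < 5:
        raise ValueError("LENGTH below minimum")
    remaining, pos, payload = frame[2] - 5, 10, b""   # user data after the 10-byte header
    while remaining:
        n = min(BLOCK, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("truncated data block")
        if crc16_dnp(block) != int.from_bytes(crc, "little"):
            raise ValueError("data block CRC mismatch")
        payload, pos, remaining = payload + block, pos + n + 2, remaining - n
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    return {"control": frame[3], "dest": int.from_bytes(frame[4:6], "little"),
            "source": int.from_bytes(frame[6:8], "little"), "payload": payload}

def is_valid_frame(frame: bytes) -> bool:
    """Accept/reject wrapper for a monitor that only needs a verdict."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False
```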
6 ◾ Information Security Management Handbook
© 2010 Taylor & Francis Group, LLC
Problems in Current Power Grids
Although current grids have worked well for many years and have had upgrades such as automatic meter reading (AMR) to remotely read meters, the communications network is hardwired, dedicated, and slow, and this has led to networks that are dangerously antiquated. In fact, the dog food industry spends more on research and development than the electrical sector does, and aging technologies have led to more blackouts, vulnerabilities, and colossal inefficiencies (Kingsbury, 2010). Additionally, the following are some of the other issues that are presenting themselves:
◾ Distributed control systems (DCS) and SCADA systems are now connected to the Internet, although when they were originally designed, their controls were not designed with public access in mind. These systems typically lack rudimentary security, and technical information and security flaws for penetrating these systems are widely discussed in public forums and are therefore well known to attackers. In fact, many years ago, a 12-year-old broke into the computer system that runs Arizona’s Roosevelt Dam. He had full control of the SCADA system that controlled the dam’s floodgates (Bakken, 2003).
◾ The Energy Department came up with multiple scenarios for attacking the grid through SCADA systems and all of them worked.
◾ Continued automation is being added to substations to reduce human errors and mistakes, but the computer-controlled systems and software increase the potential for security vulnerabilities.
A recent special case confirms that current power grids are not immune to attacks and vulnerabilities.
Stuxnet
Stuxnet is the first known malware attack to target power plants. It is a worm that was introduced via a universal serial bus (USB) device in an Iranian nuclear plant. It infected a SCADA system that was considered buffered from attack, as most of these systems are not connected to the Internet in nuclear power plants. It installs a rootkit on the control system and injects malicious code into programmable logic controllers, reprograms them, and hides the changes. It was digitally signed with two stolen authentication certificates from two certificate authorities, and this helped it to remain undetected for quite some time. Once inside, it uses default passwords (Siemens, the manufacturer of most SCADA systems, recommends against changing default passwords) to command the software and exploits four different Windows zero-day vulnerabilities to infect all sorts of computers. Siemens reported that it has discovered an additional 14 clients (power plants) that have been infected, a number of which are in Germany (Evron, 2010). This attack pretty much quietened those that argued for maintaining the current grid with proprietary protocols and systems because it was thought that the current systems were more secure (especially if they were not widely connected to the Internet).
The Case for a Smart Grid
The following factors are some of the reasons that it makes sense to evolve current electrical grids into smart grids:
◾ The rates can be variable based on true usage. The consumers would only pay for the power used and if more power is used (especially during peak periods), utilities could charge a premium. The customers will have to change their behavior, but they will be rewarded for saving energy.
◾ The consumers who have a power surplus (that they would not be using) could push the power back into the grid and sell it back to the utilities for other customers who could use it.
◾ The grid system could be more stable by automatically avoiding or mitigating power outages and power-quality issues and by repairing itself (self-healing) during a service disruption. This will lead to fewer brownouts and blackouts.
◾ Waste reduction: Cutting tiny inefficiencies can have dramatic effects on the overall grid and can lead to maintaining affordability for all.
◾ The grid will accommodate both renewable and traditional energy resources leading to better power quality and improved reliability.
◾ The grid will be able to account for new, larger potential loads in the network such as that from increasingly popular electrical vehicles.
◾ The reductions in the carbon footprint will help with the overall energy conservation and will promote better environmental responsibility.
The Smart Grid
Implementing a smart grid transforms the power grid from a one-way, closed, proprietary system to a modern, two-way, standards-based, intelligent system that allows operators to monitor and interact with numerous components in real time. It allows operators to detect issues and manage grid operations for faster problem resolutions and lower operating costs. A smart grid will not replace the legacy systems, but will have to incorporate them and evolve to a smarter grid over many years (and at a significant cost). Internet Protocol (IP)-based systems will tie SCADA and DCS into the evolving grid for efficient management and communication across the main stations and remote locations. IP-based systems will pose a security challenge (just like they do when deployed elsewhere) but trying to secure legacy devices (that used isolation as a security technique) will make the security job even more challenging.
Smart Grid Technologies, Systems, and Components
The following factors are some of the technologies, systems, and components that will be used in smart grids:
1. Integrated communications—Today, a good amount of data are still collected via the modem instead of direct communication. The implementation of direct communications can improve substation automation, distribution automation, demand response, and SCADA management. This will allow for real-time control as well as information and data exchange for optimizing system reliability, utilization of assets, and security.
2. Improved interfaces and decision support—The collection of extremely complex data will become difficult for humans to comprehend in a timely manner. The human machine interface (HMI) must simplify the data to enable operators and managers to make decisions quickly.
3. Distributed grid management (DGM)—This aims at maximizing the performance of feeders, transformers, and other components of network-distribution systems and integrates with transmission systems and customer operations. The benefits derived are better reliability, reductions in peak loads, and improvements in the capability to manage distributed renewable energy sources.
4. Wide area situational awareness (WASA)—This involves monitoring and display of power-system components and performance across interconnections and over large geographic areas. The goal is to optimize management and the performance of network components so that issues and disruptions can be anticipated, prevented, or responded to before they occur.
5. Sensing and measurement technologies—These technologies evaluate congestion and grid stability as well as monitoring network and customer side equipment in terms of health and power consumption. The following factors are some of the components used:
a. Smart meters—These are used to monitor usage statistics and report them to utility companies, businesses, consumers, and third-party service providers. They replace the old analog meters and record real-time usage. They can also show how much power is being used at different times of the day along with the related power costs. Two-way communication on these meters also allows for power-outage notification as well as remotely disabling the service (if necessary).
b. Advanced metering infrastructure (AMI)—This remotely measures, collects, and analyzes usage statistics from smart meters. AMI is similar to advanced meter reading (AMR) but is an upgrade (two-way vs. one-way meter reading).
c. Phasor management units (PMUs)—These are high-speed sensors distributed throughout the network to monitor power quality and respond automatically to power issues.
d. Wide area measurement system (WAMS)—This is a network of PMUs that provides real-time monitoring on a regional and national basis.
e. Advanced components—These include excess electricity storage, fault tolerance, smart devices, and diagnostic equipment. Smart (intelligent) devices are useful for providing consumption feedback to customers in the home.
6. Home area network/business area network (HAN/BAN)—These networks look to address demand/response and consumer energy efficiency. These networks include mechanisms and incentives for businesses, utilities, industrial customers, and residential consumers to cut energy use during peak demand or when power reliability is questionable.
Now that we know something about power grids, the evolving grid, and future smart grids, we can look at vulnerabilities, threats, and attacks on these utility grids.
Grid Vulnerabilities
The following factors are some of the noteworthy security vulnerabilities:
◾ Many current security vulnerabilities are basic and include a failure to install security patches and poor password management. The fixes in these areas are inexpensive.
◾ Insecure software-coding practices used in control networks and excessive allowance of portal access into networks are some of the prevailing security gaps. Poor code quality leads to bugs and vulnerabilities that can make the grid fragile and unstable as well as vulnerable to attacks.
◾ Ineffective passwords and lack of proper encryption for communications and databases are the common problems as well.
◾ Smart grid components and technologies such as smart meters and AMI/AMR networks use wireless Wi-Fi and/or Bluetooth technologies to transport the usage data from consumers back to utility companies. There are pervasive security issues with Wi-Fi networks, and many organizations have banned their use or have implemented policies that restrict their access to corporate networks. Bluetooth is an insecure technology, and there are known scanning tools that reveal Bluetooth devices, their operating mode, and their signal strength. Bluetooth 3.0 uses Wi-Fi radios, and Wi-Fi can be susceptible to wireless packet sniffers.
◾ The utilities that do not use wireless networks can still be vulnerable if employee laptops, handhelds, and smart devices are used. A tool called Karmetasploit can turn a wireless laptop into an access point that wireless clients will associate with. Once associated, that client can be redirected to a malicious service.
Threats in the Grid
a. Hacking—Hackers may want to get into systems for an intellectual challenge or out of curiosity. Their actions could have negative impacts on consumers and utility companies.
b. Theft—The consumers can monitor their electricity usage, but if that information ends up in the wrong hands, the usage can point to patterns in the home during certain times of the day. Determining when a homeowner is out of the house can lead to burglaries.
c. Extortion—The grid can be exploited for money and power. Extortive malware can be used to hold a system or data hostage, to extort a ransom from an owner/user. A specific service can lock a user out of the system or can prevent access to critical data (or a combination of these). Consumer access to power can be prevented and a monetary demand could be used by an attacker to restore power.
d. Power disruption due to vengeance and vindictiveness—A remote disconnect feature can be used by a problem neighbor, or the neighbor can also perform a physical attack on a smart meter on the side of the home.
e. Terrorism—This could affect a large number of people and could cause massive attention for a cause. It can occur by both digital means and physically by bombings.
f. Warfare—The attacks can be used during war time by an enemy to cripple a country’s infrastructure.
g. Poor patch management—Patches do not always install correctly, and these failures may be found during an audit, security assessment, or by a hacker. If these occur, a customer may receive billing errors or electricity can be shut off.
h. Intentional threats—Angry employees could attack the consumers.
i. Activists—They can use the grid as an additional avenue to attack certain manufacturers (e.g., fur manufacturers).
Threats by Confidentiality, Integrity, and Availability
Flick and Morehouse (2011) discuss threats related to confidentiality, integrity, and availability.
Confidentiality—This involves protecting the information from unauthorized disclosure. In the grid, this has the greatest effect on consumers. Utility companies store names, addresses, social security numbers, and usage data. The hackers can compromise the database through a structured query language (SQL) injection on a website used by consumers to manage their accounts, monitor usage, and make payments. The hackers could obtain credit card numbers or bank accounts from customers who use online or automatic bill payment.
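The account-portal lookup just described, written as an added example (not from the handbook or any utility's code) first with string concatenation and then with bound parameters; the schema, account numbers, and readings are constructed, and an in-memory SQLite database stands in for the utility's own.

```python
# Added example, not from the handbook: a consumer account-portal usage lookup
# built two ways. The first concatenates user input into the SQL text and is
# injectable; the second binds the input as parameters. Schema, accounts and
# readings are constructed; in-memory SQLite stands in for the utility database.

import sqlite3

CUSTOMERS = [  # (account, zip, name, billing period, kWh) - constructed records
    ("A-1001", "12345", "Alice Example", "2024-05", 412.0),
    ("A-1002", "12345", "Bob Example", "2024-05", 655.5),
    ("A-1003", "67890", "Carol Example", "2024-05", 301.2),
]


def make_db() -> sqlite3.Connection:
    """Create and seed the stand-in usage table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usage (account TEXT, zip TEXT, name TEXT, period TEXT, kwh REAL)")
    db.executemany("INSERT INTO usage VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return db


def usage_vulnerable(db, account: str, zip_code: str) -> list:
    """Concatenates input into the SQL text, so input can rewrite the WHERE clause."""
    sql = ("SELECT account, name, kwh FROM usage WHERE account = '" + account
           + "' AND zip = '" + zip_code + "'")
    return db.execute(sql).fetchall()


def usage_safe(db, account: str, zip_code: str) -> list:
    """Binds input as parameters; the database never parses it as SQL."""
    return db.execute(
        "SELECT account, name, kwh FROM usage WHERE account = ? AND zip = ?",
        (account, zip_code),
    ).fetchall()


def leak_check() -> tuple:
    """Rows returned when the ZIP field carries a tautology: (vulnerable, safe)."""
    db = make_db()
    bad_zip = "' OR '1'='1"  # closes the literal and appends an always-true condition
    return (len(usage_vulnerable(db, "A-1001", bad_zip)),
            len(usage_safe(db, "A-1001", bad_zip)))
```

The vulnerable query returns every customer's row because the WHERE clause is rewritten, while the parameterized query returns none; the fix is binding, not filtering the input.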
Integrity—This focuses on protecting the information from unauthorized modification. If the information is modified, it has the greatest effect on utility companies in terms of fraud or service theft. Once it is determined how to hack smart meters, the information can be placed on the Internet, and customers as well as hackers can defraud the utility companies by stealing services (underreporting to lower bills) or by fooling the utility company into thinking that they are selling more electricity (overreporting to get more credits) back into the grid.
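An added illustration, not from the handbook, of how a utility might detect the underreporting and overreporting just described: an energy-balance check compares what each distribution transformer delivered with what the meters behind it reported, then ranks meters in the unbalanced groups against their own recent history. Transformer-level metering and the tolerance values are assumptions, and all readings are constructed.

```python
# Added example, not from the handbook: an energy-balance integrity check for
# interval meter data. Energy measured at each distribution transformer (an
# assumed head-end reading) is compared with the sum of meter reports behind
# it; a meter underreporting use, or overreporting export, shows up as loss
# beyond normal technical losses. All values below are constructed.

from dataclasses import dataclass
from statistics import mean

LOSS_TOLERANCE = 0.05     # technical losses normally expected on a feeder (fraction)
DEVIATION_FRACTION = 0.5  # a meter is suspect if it moves >50% from its own baseline
MIN_DEVIATION_KWH = 2.0   # ...and by at least this much, to ignore tiny loads


@dataclass
class Reading:
    meter_id: str
    transformer: str
    kwh: float            # net energy this interval; negative means exported to the grid


def energy_balance(delivered: dict, readings: list) -> dict:
    """Unexplained loss per transformer: (delivered - sum of meter reports) / delivered."""
    reported = {}
    for r in readings:
        reported[r.transformer] = reported.get(r.transformer, 0.0) + r.kwh
    return {tx: (kwh - reported.get(tx, 0.0)) / kwh
            for tx, kwh in delivered.items() if kwh > 0}


def suspect_transformers(balance: dict) -> list:
    """Transformers whose loss is outside tolerance in either direction."""
    return sorted(tx for tx, loss in balance.items() if abs(loss) > LOSS_TOLERANCE)


def suspect_meters(readings: list, history: dict, transformers: list) -> list:
    """Within flagged transformers, meters whose reading departs sharply from the
    mean of their own recent intervals; returns (meter_id, deviation_kwh)."""
    out = []
    for r in readings:
        if r.transformer not in transformers or r.meter_id not in history:
            continue
        baseline = mean(history[r.meter_id])
        dev = r.kwh - baseline
        if abs(dev) > max(DEVIATION_FRACTION * abs(baseline), MIN_DEVIATION_KWH):
            out.append((r.meter_id, round(dev, 1)))
    return sorted(out, key=lambda m: abs(m[1]), reverse=True)


# Constructed interval: T1 hides an underreporting meter (M3), T2 is clean,
# T3 holds a meter (M6) claiming far more export than the transformer saw.
DELIVERED = {"T1": 100.0, "T2": 50.0, "T3": 20.0}
READINGS = [Reading("M1", "T1", 30.0), Reading("M2", "T1", 35.0), Reading("M3", "T1", 8.0),
            Reading("M4", "T2", 24.0), Reading("M5", "T2", 24.0),
            Reading("M6", "T3", -20.0), Reading("M7", "T3", 25.0)]
HISTORY = {"M1": [29.0, 31.0, 30.0], "M2": [34.0, 36.0, 35.0], "M3": [28.0, 32.0, 30.0],
           "M4": [24.0, 23.0, 25.0], "M5": [24.0, 24.0, 24.0],
           "M6": [-5.0, -6.0, -4.0], "M7": [25.0, 24.0, 26.0]}


def run_check() -> tuple:
    """Flagged transformers and the ranked suspect meters behind them."""
    flagged = suspect_transformers(energy_balance(DELIVERED, READINGS))
    return flagged, suspect_meters(READINGS, HISTORY, flagged)
```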
Availability—This is attained when the service is protected from unauthorized interruption. This impacts the service provider as well as customers. The threats can be from script kiddies or people the victim knows, and the threat could affect power to the home. A smart meter can be attacked through the wireless configuration on the router, allowing access to the wireless network to change the default password and to shut down power. When the victim goes back in with her password to reenable power, the password is no longer known.
Privacy Threats
1. Identity theft—Grid identities (IDs) and other information can be placed on the Internet and can be sold. The thieves can use personally identifiable information (PII) obtained to impersonate customers for fraudulent utility use, and this could affect customer credit reports.
2. Personal surveillance—Sensitive personal behavioral patterns can be revealed to expose customer schedules or personal details about their lives (interactions with others, medical issues, etc.). It can be determined whether a person lives alone, whether they leave the house vacant all day, whether they are senior citizens, have small children at home, and so on.
3. Energy use surveillance—This focuses on meter data used to show the specific appliance used in the home. It can report the number of gadgets in the home, whether there is an alarm system (and how often it is turned on), and so on.
4. Physical dangers—Real-time data can be used to cause harm. Domestic violence offenders/stalkers/abusers can use the information to relocate the former victims who have an urgent and continued need for privacy.
5. Misusing data—Utilities could misuse the data by providing them to third-party marketing firms, or a previous homeowner’s smart meter may retain data that were not wiped clean when they moved, so that data about the previous occupants remain available.
Potential Attacks on the Grid
Attacking Consumers
1. Attacking smart meters—Smart meters are a basic, low-cost technology that hackers can purchase to take apart and learn about the communications network. The customers have physical and perhaps logical access to them as well. Additionally, these could be some common attacks (Flick and Morehouse, 2011):
− Since smart meters are accessible through wireless networks or HANs, a tool such as network mapper (NMAP) (network scanner) can be used for transmission control protocol (TCP) pings for port scans to identify active hosts with the common services that are running.
− NMAP can be used for probing on TCP or User Datagram Protocol (UDP) ports to determine a response on an associated port with a service running that may have a weakness that allows access.
− If a smart meter contains a web component that allows the users to view/change the usage information, vulnerability identification and verification can be performed against the web application.
− There can be an attempt to identify the valid credentials for a service or a web application by using a dictionary attack or through brute force.