I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.
The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers -- using the power of the purse in the preceding example -- is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).
If you follow the Daily New Blast, it's become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets. Click here for a good summary of the issue.
Think about the energy grid. There are small suppliers of energy ("generation," in the parlance of the sector) all over the place. We have dams. In Weatherford, OK, wind turbines stand as far as you can see. Each of these contributes a tiny fraction of energy to the grid, but they do supply the grid. Again, small suppliers are a big target for disruption. NERC and DHS are working with these organizations, but there's another exposure that's under the federal regulatory radar that, for now, can only be addressed through that market force.
There are small businesses that frack, drill, fabricate, weld, and perform a host of other services for the companies that extract, transport and refine a lot of the raw fossil fuels used for generation and export. This Bloomberg article talks about a cyber-attack against an oil pipeline in 2008 that resulted in an explosion, which preceded Russia's action in the country of Georgia.
So it seems to me that with oil below $60/barrel and continuing to fall, and with Russia hurting from sanctions over Ukraine, and now its only real export being devalued, there is a strategic reason for Putin to consider an action that spikes energy prices. What's the soft target—the one most likely to facilitate an action that doesn't leave fingerprints? It's a driller, welder, or fabrication service with access to those pipelines. They don't invest in logical controls, and they certainly don't log the events that would facilitate forensic recovery of the root cause. It will look like incompetence by a small company, but energy prices will still head north with alacrity.
So until big companies start requiring small company suppliers to meet cybersecurity standards, and while geopolitics are so tied to fossil fuels, some real volatility is to be expected as we march into the new world of bytes as a weapon.