The Arrival
My day began by sending out my reminder emails to my team, and configuring my 'Out of Office Assistant.' Fortunately, my case load was manageable enough that I had no ill feelings taking the day off for a little professional development. Besides, it was for one of my activities discussed in my Performance-Development-Plan (PDP); my fellow BAC colleagues know what that's all about. Traffic was light, so I arrived at the Charlotte Convention Center promptly during the on-site registration time frame. Surprisingly, only one PayPal terminal was present, and caused a bit of a bottleneck amongst registrants. Already with the anxiety of being at my first summit, and the impeding possibility that I may enter late and miss some world-dominating Jedi-mind-trick, a few sweat beads formed above my brow. Nevertheless, with a few self-assuring thoughts, I calmed and settled into the main hall in time for the first keynote speaker, Chris Hadnagy...how's that for a mind trick!
The Information
Obviously the premise behind attending such a conference, aside from networking, is information gathering. Little did I know how much of a treat I was in for. I was expecting a re-hashing of familiar concepts, littered with a few new tricks and some updated exploits around the info sec community...there was no 're-hashing.' Well perhaps a small portion of reiteration in reference to common pen-testing techniques and best practices, and some age-old threat vulnerabilities that have plagued mankind since the conception of...well, mankind. Other than that I was literally blown away by the collective knowledge base and insight of the presenters, not even including the attendees! Excuse my French, but these people really knew their s**t!
Unfortunately, the three information sessions (morning, noon, and afternoon) contained 5-7 one-hour classes each session, but the event was structured so that you could realistically only attend one class per session; for a total of three classes over the course of the day. For my first session class, I chose "Cyber Security for Electric Sector," hosted by Baiba Grazdina of Duke Energy. A course in which piqued my interest because of the recent Supervisory Control and Data Acquisition (SCADA) attacks; most notably, Stuxnet--an attack which targeted Iranian organizations, and speculative intentions on attacking it's nuclear power plant as well. I left the course with a fundamental understanding of how industrial equipment and software can be, and has been, exploited. As well as countermeasures for the detection and prevention of these threats. Baiba also broke down the importance of infrastructure improvements, and a migration to a "Smart Grid."
*Note: Both of which were buzz-words during the 2008 Presidential campaigns, but have taken a backseat to the now disconcerting banter surrounding our President's citizenship... UGH! I'll save that for another blog. I digress...where was I? Ah yes, the "smart-grid."
Baiba painted the picture for us of a highly distributed power grid, with more efficiency and functionality. I can see all of my security-mates eye brows rising. That's because increased functionality usually means decreased security and protection. Especially when this improvement upon functionality involves an array of communication nodes and end-points added to the picture. Encompassing hard, soft, and wireless technologies, these nodes presumably would create a major headache for any department trying to secure, monitor, or recovery from disaster. Albeit our current system is somewhat (cuff cuff) inefficient, it provides a single point of reference and control, and consequently monitoring and securing. Never mind the fact that alone is a vulnerability in it's own rite. Look at it this way...
Imagine you're a professional dog-walker. Would you prefer having to walk and monitor multiple dogs at a time, or just have the accountability for one single dog at a time? Surely, your time efficiency would improve by walking as many dogs as possible in a single outing, but could you really keep a good eye on each of them? And what about disaster recovery? What happens if one of those dogs gets loose...can you say, "lawsuit?!" Well our current traditional system is the 'one dog at a time' analogy, and the "smart grid" resembles that of the other scenario. One major power generator supplying a large region, versus many smaller generators supplying power to individual homes, or neighborhoods respectively in a distributed manner. I'm certainly not arguing that this approach is dead on arrival, just placing emphasis on the importance of proper security processes being mapped and implemented along with the infrastructure. When I asked Baiba if the responsibility of security would be passed on to the consumer within a "smart-grid" application, she responded by saying,
"Ideally, but not likely. We [energy company] would have to assume responsibility for security at the on-set of the project...we are currently working with vendors..."
(Had I more time, I would've dug a little deeper for those vendor names...in the words of my favorite money-guru Crammer, "Buy, Buy, Buy!!" LOL)
All-in-all, the security hurdles that face our industrial infrastructure presently, and in the future, are not to be taken lightly. I was throughly pleased with the presentation, and became more aware of the risks surrounding one of our country's most valuable resources; Her power.
Next time I will discuss more key topics including:
- Social Engineering
- Data Mining with OCR tools
- Employee Awareness
- Getting Management's Credit Card
- Meet-n-Greet: Networking at your first summit
TO BE CONTINUED....