Category Archives: Best Practices

Texas – The Post Mortem

Now that the power is mostly back on in Texas and the majority of people can drink the water, the what-iffing begins. This is relevant because Texas is far from alone. They just got caught this time and they will be pilloried – for the most part appropriately – as a result.

#1 – According to KHOU-11 in Houston, the number of ERCOT board members who have resigned so far is now up to 6. IT APPEARS THAT NONE OF THEM LIVE IN TEXAS.

#2 – Those of us who have studied this stuff know that nationally, the power grid is extremely fragile. In Texas it is even more fragile because they made a deal with the devil decades ago not to tie into either of the national power grids. They did that because Texans don’t like the federal government, and by not connecting into the national grids they escaped federal regulation. The folks that manage the Texas grid, ERCOT (note the R in ERCOT stands for reliability), said that the state was 4 minutes and 37 seconds away from a total meltdown when they pulled the power plug. Think about that for a minute. If they had a meltdown, the grid would likely have been down for at least weeks, in part because it is hard to do a cold start (where they don’t have some power available to start up the network), and in part because of damage to equipment from the meltdown.

#3 – Homeland Security has been working for several years at figuring out how to deal with this (see #4 below), but it is a hard problem. Equipment is not standardized; most is not made in the U.S.; much of it is custom made to order and it might take a year to replace some of the damaged equipment.

#4 – Ever hear of Plum Island? Most people have not. It is a small island off New York’s Long Island. It is DHS’s private test bed for experimenting and training grid technicians on doing a cold start, especially when there is an adversary working against them. DHS and DARPA work together to use the island, which has its own power plant and power grid, to test theories and train techs, but how many techs do you think you can train? There are probably millions that need to be trained.

#5 – The Trump administration commissioned a study that reported three years ago that the US was in danger of a “catastrophic power outage”. The problem they said was an aging grid dependent on oil and gas (and no, not on wind turbines, solar panels or a mythical green new deal). Here is a quote from the Trump administration’s own report:

“After interviews with dozens of senior leaders and experts and an extensive review of studies and statutes, we found that existing national plans, response resources, and coordination strategies would be outmatched by a catastrophic power outage… that could leave large parts of the nation without power for weeks or months, and cause service failures in other sectors—including water and wastewater, communications, transportation, healthcare, and financial services—that are critical to public health and safety and our national and economic security.”

The report urged “significant public and private action”. What did the administration do? Nothing much.

The governor, who is under a lot of pressure right now, said the problem was due to green energy – wind turbines and solar. He didn’t point out that the Space Station is completely powered by solar (no oil up there) and it operates in a temperature range of minus 250 degrees to plus 250 degrees. Forbes says that wind turbines work in cold climates. Finland uses them and it gets pretty cold there.

The problem is that no one in Texas wanted to spend the money to winterize their grid, even after a smaller meltdown in 2011 and recommendations (but not mandates) to fix the problem.

#6 – The problem is that oil, gas and coal have to be replenished. Oil and gas have to flow through pipelines. Coal has to be transported, usually by train. If you lose the flow for some reason, the power goes off.

#7 – Other parts of the world were cold too. In Colorado it got down to minus 15 (way colder than Texas) in the Denver area and minus 30 in other parts of the state. Colorado uses green energy too. Note that there were no significant outages in Colorado. Why? Because the state was prepared for it.

#8 – It could have been a lot worse. As bad as it was in Texas, the grid only failed there. I grew up in the Northeast and I am old. I remember what is now called the great northeast blackout that started on the evening of November 9, 1965. New York activated 10,000 National Guardspeople and 5,000 police reserves that night to deal with the chaos. That blackout, along with a similar one in 2003, caused the feds to change the rules for utilities that they regulate. One thing they did was automate a lot of what was done manually because in that case, they only had seconds to do an orderly blackout instead of a meltdown. They were able to restore power in about 48 hours as I remember.

#9 – Texas is big into the concept of a free market economy. Like California before them, they deregulated the energy industry decades ago. As a result, some consumers were charged the going market rate for electricity. Electricity that normally cost 2 cents per kilowatt hour shot up to $9 per kilowatt hour. This means that some people got electric bills of $5,000, $10,000 or even $15,000 for the week of cold. Needless to say, Texas legislators are bearing the brunt of the upset from unhappy residents.

Bottom line, there was plenty of warning that this could happen, but no one – not the Texas regulators, legislature or governor or the national administration – did anything to mitigate the problem.

While we have only started dissecting the situation and there are a lot of investigations still going on at all levels, including Congress, we already know many things that have to be done.

And, while Texas is in the spotlight, they are far from alone, so hopefully utility regulators in other states will make changes without having to have a meltdown.

I think we will have to wait and see.

New York Issues Cyber Insurance Framework

Early this month, New York’s Department of Financial Services, the regulator for banks and insurance companies, issued guidance on cybersecurity insurance.

Unfortunately, the guidance was not to insurance customers; it was for insurance companies.

The regulator is concerned that big breaches may cause insurance companies to go out of business.

DFS advised insurers against paying ransoms, in part because they may run afoul of new Treasury Department regulations that consider those payments aiding terrorists.

Insurance companies had to pay out almost $3 billion after the Not Petya attack for policies that didn’t say anything about cyber events.

DFS wants insurers to consider 7 specific practices. These practices are designed to help insurers understand risk, set prices and control payouts.

None of this helps clients.

Attacks like SolarWinds may cause insurers to exclude coverage to companies who bought insurance to get coverage.


All this means that it is even more important than ever to have an insurance agent who is specifically knowledgeable in cyberrisk insurance.

Credit: CSO Online

What the Heck is ‘Zero Trust’ Anyway?

If you read the security news or talk to security vendors, the buzz word of the year is ZERO TRUST. Many vendors tell you that they have the zero trust answer. The reality is a lot more complex.

Zero trust is not a product or even a family of products. It is not a platform. It is really a strategy built around one concept: “never trust, always verify.”

Vendors and their products are certainly a component of zero trust, but not a silver bullet.

Still, zero trust is a good idea and you should begin to understand it if you do not already.

One challenge with the traditional security strategy of “moat and drawbridge” is that it worked reasonably well only when you knew where the castle was. But today there is no castle: people are everywhere, and so are servers and services. Zero trust is designed to be flexible enough for that.

Zero trust is a journey. It requires education and research and even I can’t explain it in a blog post. Here are some things to consider in the zero trust journey.

  • Assessing your existing security program’s Zero Trust maturity (people, skills, technology, capabilities, etc.). This includes understanding how people are doing their jobs and how existing business processes are done today, mapping existing technology capabilities, and understanding gaps.
  • Mapping the output of this maturity assessment to the ZTX framework to understand which pillars you are strong in and which ones are lacking, specifically the capabilities in which you need to improve.
  • Considering tools and technology to address the areas where you’re lacking and integrating Zero Trust implementation into existing business, IT, and security projects.

Here is a tutorial on zero trust.

Credit: Forrester

Lawsuits Often Follow Ransomware

Last October Wilmington Surgical Associates was dealing with a ransomware attack.

Allegedly, the Netwalker ransomware group stole 13 gigabytes of data, which in today’s world easily fits on a flash drive, and leaked that data online.

The patients of the North Carolina clinic whose data was stolen and leaked are seeking “redress for its unlawful conduct, and asserting claims for: negligence; negligence per se; invasion of privacy; breach of implied contract and fiduciary duty; and violation of the [State’s] Unfair and Deceptive Trade Practices Act…” 

Hackers often post “proof” that they have really stolen the data. In this case, the initial post leaked 3,702 files and 201 folders, which included both patient and employee data. Given the nature of the business, most of the data stolen was likely sensitive.

The clinic notified 114,00 people just before Christmas, likely within the legal notification timeline.

The lawsuit says that Wilmington Surgical inadequately protected the PHI and PII in their possession and maintained data in a reckless and negligent manner.

They also claim that the clinic failed to properly monitor its network, system and servers.

The lawsuit seeks compensatory damages, reimbursement of out-of-pocket expenses, restitution, and injunctive relief. The patients also want the court to require Wilmington Surgical to improve its data security systems, as well as to adhere to annual auditing and to provide adequate credit monitoring services paid for by the provider.

While some of these suits are settled quietly, others come with multi-million dollar settlements. There have been a number of these lawsuits filed recently.

So here is my question for you. If you had a breach and the claim was similar to the one quoted above, how would you or could you defend yourselves? Just asking.

Credit: Health IT Security

Supply Chain Risk in the Software Process

I have been talking a lot about supply chain risk lately and there is a good reason. From open source products with backdoors like Webmin or Rubygems to NotPetya a few years ago which shut down many companies around the world to the recent attacks against SolarWinds or Centreon, supply chain attacks are running rampant.

There is a good reason for this – we have not, historically, paid enough attention to them, so they work very well.

Here is a new attack that works against the software development process.

Security researcher Alex Birsan posted a blog on February 9th that detailed how he used dependency (or namespace) confusion to push malicious proof-of-concept code to organizations like Microsoft, Apple, Tesla, Uber and others. It is not because these companies are stupid. They are not. It is because we are not paying enough attention to the problem.

The good news is that he is a good guy and wasn’t trying to take down the world.

I am not going to go total-geek with the details of why this attack works, but right after the vulnerability was announced, hundreds of copycats were released into the wild, and they are still being released, on the assumption that some companies will ignore or not understand the problem and remain vulnerable, potentially forever.

Not surprisingly, the root of the problem is the tradeoff between security and convenience.

The problem is that if the bad guys are sophisticated, developers will not detect the problem because their malicious code won’t activate until a trigger event happens and all of the normal functionality works correctly.
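As an added example (not code from this post or from the researcher it cites), here is the kind of offline check a build or security team can run over a pip requirements-style list to spot dependency-confusion exposure: internal package names that also exist on a public index, and internal packages that are not pinned to an exact version. The package names, versions and the stand-in public index are all constructed for the example; a real check would query the registry instead of the hard-coded set.

```python
# Added example (not from the post or the cited researcher): an offline
# dependency-confusion exposure check for a requirements-style list.
# All package names, versions and the stand-in public index are constructed.
import re
from dataclasses import dataclass

# Names the (hypothetical) organisation publishes only to its private registry.
INTERNAL_PACKAGES = {"acme-billing-core", "acme-authlib", "acme-telemetry"}

# Stand-in for a public registry's name list; a real check would query the
# registry, this one stays offline.
PUBLIC_INDEX = {"requests", "numpy", "acme-authlib", "acme-telemetry"}

# Constructed dependency file.
REQUIREMENTS = """\
# constructed sample requirements file
requests==2.31.0
acme-billing-core==3.2.1
acme-authlib==1.4.0
acme-telemetry>=0.9
numpy
"""


@dataclass(frozen=True)
class Finding:
    package: str
    severity: str
    reason: str


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (normalised name, version specifier) pairs.

    Comments and blank lines are skipped; names are lower-cased with '_' and
    '.' folded to '-' so they compare the way registry names do.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
        if m:
            name = re.sub(r"[._]", "-", m.group(1).lower())
            deps.append((name, m.group(2).strip()))
    return deps


def assess(text: str, internal=INTERNAL_PACKAGES, public=PUBLIC_INDEX) -> list[Finding]:
    """Flag internal packages that collide with public names or are unpinned."""
    findings = []
    for name, spec in parse_requirements(text):
        if name not in internal:
            continue  # genuinely public package: out of scope for this check
        if name in public:
            findings.append(Finding(
                name, "high",
                "internal name also exists on the public index; a resolver that "
                "consults both indexes may install the public copy"))
        if not spec.startswith("=="):
            findings.append(Finding(
                name, "medium",
                "internal package is not pinned to an exact version"))
    return findings


def main():
    for f in assess(REQUIREMENTS):
        print(f"[{f.severity}] {f.package}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run as-is it reports the two constructed collisions (acme-authlib and acme-telemetry) plus the unpinned acme-telemetry. The fix for a real collision is on the configuration side: restrict internal names to the private index in the installer's configuration and pin versions so a higher-numbered public package cannot silently win the resolution.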

The researcher who launched the test attack called the results simply astonishing. I don’t think the copycats were launching mock attacks.

For more details on how this attack works, read the article here.

Bloomberg Says China Adds Spy Chips to Computers

In 2018 Bloomberg ran a story that claimed that China had embedded tiny microchips on Supermicro computer server processor boards in 2015. Everyone denied it – Supermicro, the intelligence community (IC), China.

Supply chain attacks seem to be everywhere these days and this is another one.

I don’t know if it is true, but why would Supermicro or China admit what was going on? The IC might know but might not want China to know how much they know and when they knew it.

While Bloomberg took a lot of heat for the story at the time, they never gave up on it and continued to investigate.

Well this week Bloomberg wrote chapter two of the story.

They are saying that China targeted Supermicro products for over a decade, that the IC was aware of it and that they kept it quiet because they were studying it and trying to figure out how to counter it.

14 former law enforcement and IC sources confirmed the story to Bloomberg.

According to Bloomberg, the Pentagon detected the chip implant back in 2010. Intel detected that China had hacked it in 2014 and the FBI issued a private warning to multiple companies in 2015 telling them that China had planted a surprise inside their computers.

Bloomberg also says that the Feds got a FISA warrant in 2012 to surveil several Supermicro employees.

And of course, Supermicro issued a new denial.

Would you expect anything else?

Remember also that it is well documented that the NSA did hardware implants for years.

You get to figure it out.

However, I do recommend you dust off that vendor cyber risk management program and see if you are doing all that you can do.

Credit: The Register