Vancouver security specialist named to NERC
Written by Kathleen Sibley Wednesday, 28 May 2008 10:39
There have been no major interruptions to the North American electricity supply since the blackout of August 2003, at least on the same scale.But that doesn’t mean there haven’t been plenty of “incidents,” as Bryan Singer calls them. We — the public — just haven’t heard about them.
“In a lot of cases there is no proper recording or notification of
these events,” says Singer. “If we really start looking at these
facilities we find out things have been going on ”“ they just haven’t
been characterized properly.”
Singer, vice-president of security services at Vancouver-based Wurldtech Security Technologies, was one of the eleven security specialists recently named to the North American Electric Reliability Corporation’s (NERC) cyber-security Standards Action Request (SAR) drafting team.
Wurldtech sells a suite of products and services designed to identify and mitigate vulnerabilities in industrial control networks and systems that operate the foundation of the world’s critical infrastructure.
The NERC is a self-regulated organization charged with ensuring the reliability of the bulk power system in North America. The SAR drafting team is charged with developing the scope for improving the current set of CIP standards.
Singer has an extensive cyber-security pedigree. As well as heading Wurldtech’s security services team, he is also the founding chairman and now co-chairman of the ISA SP-99, Industrial Automation and Control Systems Security Standards Committee, a standards body focusing on the security issues of the control systems environment. As well, he is a U.S. technical expert to multiple IEC standards bodies, a representative to the Idaho National Labs Recommended Practices Commission, a previous board member to the U.S. Department of Homeland Defense’s Process Control Systems Forum (PCSF), and an industry advocate in industrial security and critical infrastructure protection.
And while the standards that have been developed for electrical utilities have made the North American electricity supply more stable and reliable, there is still room for improvement, says Singer.
“I’ve been working with a number of standards bodies over the years, and I’ve been following the NERC guidelines as they’re being developed,” he says. Being appointed to the SAR team gives him the opportunity to participate in the development of those guidelines and standards.
“What it means to me is I get the opportunity to contribute to the direction for electronic reliability for cybersecurity for all of North America,” he says. “For my company, it means we’re able to have a greater understanding of the needs of the type of customers we serve.”
Singer, who has a security-related blog on Wurldtech’s website, says there’s no room for complacency in today’s cyber-security environment.
“Some of more serious threats we face are ones we’ve worked ourselves into,” he says. Old age — both of platforms and people — is emerging as one of the biggest.
“In some companies, 70 per cent of the workforce is close to retiring,” he notes. “People coming out of school now don’t have the same thought process and discipline these engineers had 30 years ago, and the knowledge of the existing infrastructure is declining.”
That aging infrastructure is not being kept up to date with basic security protection such as anti-virus software and patches, he adds.
Network design is another major source of security issues, mostly because so many more devices are being connected to local area networks and the Internet.
“The network design is where all the ”˜gotchas’ are right now because of the continued pressure to do more with less,” says Singer. “We’ve started connecting all these devices to the Internet and Ethernet ... and that’s a great way to consolidate labour resources, because two or three security experts can support 15 to 20 plants.”
At the same time, however, many more devices are then exposed to the kind of security threat that could potentially leave huge chunks of the continent scrambling for candles and flashlights ”“ or worse.
“Often when you go into a power plant, as soon as you get on the shop floor there are no passwords on those machines and no virus protection.”
Singer advocates taking an offensive, rather than defensive, approach to security. Whereas a defensive approach includes passive measures such as policy and procedure type of activities, an offensive approach requires more aggressive measures towards monitoring network performance and employee actions, he says.
“An offensive approach implies getting to understand the hacker mentality.”
Last modified on Monday, 18 August 2008 07:45
Singer, vice-president of security services at Vancouver-based Wurldtech Security Technologies, was one of the eleven security specialists recently named to the North American Electric Reliability Corporation’s (NERC) cyber-security Standards Action Request (SAR) drafting team.
Wurldtech sells a suite of products and services designed to identify and mitigate vulnerabilities in industrial control networks and systems that operate the foundation of the world’s critical infrastructure.
The NERC is a self-regulated organization charged with ensuring the reliability of the bulk power system in North America. The SAR drafting team is charged with developing the scope for improving the current set of CIP standards.
Singer has an extensive cyber-security pedigree. As well as heading Wurldtech’s security services team, he is also the founding chairman and now co-chairman of the ISA SP-99, Industrial Automation and Control Systems Security Standards Committee, a standards body focusing on the security issues of the control systems environment. As well, he is a U.S. technical expert to multiple IEC standards bodies, a representative to the Idaho National Labs Recommended Practices Commission, a previous board member to the U.S. Department of Homeland Defense’s Process Control Systems Forum (PCSF), and an industry advocate in industrial security and critical infrastructure protection.
And while the standards that have been developed for electrical utilities have made the North American electricity supply more stable and reliable, there is still room for improvement, says Singer.
“I’ve been working with a number of standards bodies over the years, and I’ve been following the NERC guidelines as they’re being developed,” he says. Being appointed to the SAR team gives him the opportunity to participate in the development of those guidelines and standards.
“What it means to me is I get the opportunity to contribute to the direction for electronic reliability for cybersecurity for all of North America,” he says. “For my company, it means we’re able to have a greater understanding of the needs of the type of customers we serve.”
Singer, who has a security-related blog on Wurldtech’s website, says there’s no room for complacency in today’s cyber-security environment.
“Some of more serious threats we face are ones we’ve worked ourselves into,” he says. Old age — both of platforms and people — is emerging as one of the biggest.
“In some companies, 70 per cent of the workforce is close to retiring,” he notes. “People coming out of school now don’t have the same thought process and discipline these engineers had 30 years ago, and the knowledge of the existing infrastructure is declining.”
That aging infrastructure is not being kept up to date with basic security protection such as anti-virus software and patches, he adds.
Network design is another major source of security issues, mostly because so many more devices are being connected to local area networks and the Internet.
“The network design is where all the ”˜gotchas’ are right now because of the continued pressure to do more with less,” says Singer. “We’ve started connecting all these devices to the Internet and Ethernet ... and that’s a great way to consolidate labour resources, because two or three security experts can support 15 to 20 plants.”
At the same time, however, many more devices are then exposed to the kind of security threat that could potentially leave huge chunks of the continent scrambling for candles and flashlights ”“ or worse.
“Often when you go into a power plant, as soon as you get on the shop floor there are no passwords on those machines and no virus protection.”
Singer advocates taking an offensive, rather than defensive, approach to security. Whereas a defensive approach includes passive measures such as policy and procedure type of activities, an offensive approach requires more aggressive measures towards monitoring network performance and employee actions, he says.
“An offensive approach implies getting to understand the hacker mentality.”
Published in
News
Tagged under
-
Sécurité Québec welcomes a new editor
Eric Cloutier outlines his plans for the next era of the French language security magazine for the Quebec market
2013
2012
