Vancouver security specialist named to NERC

“In a lot of cases there is no proper recording or notification of
these events,” says Singer.  “If we really start looking at these
facilities we find out things have been going on ”“ they just haven’t
been characterized properly.”

Singer, vice-president of security services at Vancouver-based
Wurldtech Security Technologies, was one of the eleven security
specialists recently named to the North American Electric Reliability
Corporation’s (NERC) cyber-security Standards Action Request (SAR)
drafting team.

Wurldtech sells a suite of products and services designed to identify
and mitigate vulnerabilities in industrial control networks and systems
that operate the foundation of the world’s critical infrastructure.

The NERC is a self-regulated organization charged with ensuring the
reliability of the bulk power system in North America. The SAR drafting
team is charged with developing the scope for improving the current set
of CIP standards.

Singer has an extensive cyber-security pedigree. As well as heading
Wurldtech’s security services team, he is also the founding chairman
and now co-chairman of the ISA SP-99, Industrial Automation and Control
Systems Security Standards Committee, a standards body focusing on the
security issues of the control systems environment. As well, he is a
U.S. technical expert to multiple IEC standards bodies, a
representative to the Idaho National Labs Recommended Practices
Commission, a previous board member to the U.S. Department of Homeland
Defense’s Process Control Systems Forum (PCSF), and an industry
advocate in industrial security and critical infrastructure protection.

And while the standards that have been developed for electrical
utilities have made the North American electricity supply more stable
and reliable, there is still room for improvement, says Singer.

“I’ve been working with a number of standards bodies over the years,
and I’ve been following the NERC guidelines as they’re being
developed,” he says. Being appointed to the SAR team gives him the
opportunity to participate in the development of those guidelines and
standards.
“What it means to me is I get the opportunity to contribute to the
direction for electronic reliability for cybersecurity for all of North
America,” he says. “For my company, it means we’re able to have a
greater understanding of the needs of the type of customers we serve.”
Singer, who has a security-related blog on Wurldtech’s website, says
there’s no room for complacency in today’s cyber-security environment.

“Some of more serious threats we face are ones we’ve worked ourselves
into,” he says. Old age — both of platforms and people — is emerging
as one of the biggest.

“In some companies, 70 per cent of the workforce is close to retiring,”
he notes. “People coming out of school now don’t have the same thought
process and discipline these engineers had 30 years ago, and the
knowledge of the existing infrastructure is declining.”
That aging infrastructure is not being kept up to date with basic
security protection such as anti-virus software and patches, he adds.

Network design is another major source of security issues, mostly
because so many more devices are being connected to local area networks
and the Internet.

“The network design is where all the ”˜gotchas’ are right now because of
the continued pressure to do more with less,” says Singer. “We’ve
started connecting all these devices to the Internet and Ethernet  …
and that’s a great way to consolidate labour resources, because two or
three security experts can support 15 to 20 plants.”

At the same time, however, many more devices are then exposed to the
kind of security threat that could potentially leave huge chunks of the
continent scrambling for candles and flashlights ”“ or worse.

“Often when you go into a power plant, as soon as you get on the shop
floor there are no passwords on those machines and no virus protection.”

Singer advocates taking an offensive, rather than defensive, approach
to security. Whereas a defensive approach includes passive measures
such as policy and procedure type of activities, an offensive approach
requires more aggressive measures towards monitoring network
performance and employee actions, he says.

“An offensive approach implies getting to understand the hacker mentality.”