Critical Flaw in Critical Infrastructure Analysis

Skating on Stilts is a blog that says it is about “why we aren’t stopping tomorrow’s terrorism”. A post today discusses Emergency Powers to Respond to a Computer Attack.

Note the disclaimer in paragraph six:

So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill’s authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft. Otherwise the ISPs and Microsoft are in the clear. As for the rest of us, including our search engines, we’re in the clear from the start.

Dumb enough?

At this point I wonder if the author, Stewart Baker, who served as General Counsel for the NSA and worked in DHS under President Bush, has a clue about security, let alone how utilities depend on and use technology.

Utilities have critical systems (as defined under NERC CIP 002) that run Windows XP and they also rely on the Internet. Critical systems include not only those involved in bulk power generation and distribution but also the daily operations systems, including financial management and market systems. That is not to mention the expanding use of the Internet for smart grid and smart metering systems.

Why bash utilities for using Windows XP? I mean if he had said Windows 98 we might have had a laugh or two but Windows XP? Gartner just started recommending that enterprises begin migrating from Windows XP…by 2012.

Microsoft will support Windows XP with security fixes into April of 2014, but past experience has shown that independent software vendors (ISVs) will stop testing much earlier. “New releases of critical business software will require Windows 7 long before Microsoft support for Windows XP ends,” said Steve Kleynhans, research vice president at Gartner. “Organizations that get all of their users off Windows XP by the end of 2012 will avoid significant potential problems.”

I am not defending Windows XP. It is just a simple reality that it is widely used by bulk power and it is still a supported operating system. There are significant security concerns with Windows XP yet it is misplaced to blame a single supported OS for security failures. In other words it is not the technology, stupid.

Remember how President Bush signed Executive Order 13231 in October 2001? The security recommendations in that order went something like this:

  1. Identify SCADA systems connected to the network
  2. Disconnect those systems from the network

That is not what I would call smart security, and we wonder why we are in such trouble with security of critical infrastructure. The irony of the Order is that it carried the title “Critical Infrastructure Protection in the Information Age”. Perhaps it could have had the alternate title “Welcome to the information age, please disconnect for safety.” Switching from Windows XP to some other OS does not fix everything. Same for getting “off” the Internet. Much better to recognize how to handle these as a reality of any modern IT environment.

Although well-intentioned, Baker’s blog post would have been more effective if he had done some basic research on information security and technology used by utilities. His reference to Windows XP and the Internet as dumb choices really just reflects poorly upon his own knowledge of security risks and what authority the government needs to help manage them.

I suggest, for example, that FERC quickly tighten up the NERC CIP. It currently allows too much leeway for entities — they can dictate scope unreasonably, which can turn it into something like a bad SAS70. Force more accurate scope through prescriptive compliance based on NIST SP. Handing out almost open-ended amounts of rope to energy companies seems to have just gotten them severely tangled or worse. Even Sarah Palin, after the latest disaster, has become an advocate for far more industry regulation.

With all that said, the key to Baker’s analysis seems to be found in the concluding paragraphs, when he asks:

…do we want the President to look as helpless as he looks today in response to the BP spill?

Make the President look good? That sounds eerily familiar.

Worthy advised Brown: “Please roll up the sleeves of your shirt, all shirts. Even the president rolled his sleeves to just below the elbow. In this [crisis] and on TV you just need to look more hard-working.”

Give the President more authority so he can look better during a crisis? Just to look better? That does not sound well-reasoned at all to me. Give more authority if a user is qualified and there are adequate controls in place to prevent catastrophic mistakes and misuse.
