//
you're reading...
Cybersecurity Canon, IT & TECHNOLOGY

The Cybersecurity Canon: Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath


PAN_BlogHeader_Canon

cybersec canon red

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben RothkeLights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (2015) by Ted Koppel

Executive Summary

One of the most successful television commercials in history was for the financial firm E. F. Hutton, based around the catchphrase, “When E. F. Hutton talks, people listen.”

In the world of broadcast journalism, when Ted Koppel speaks, people listen. And when he writes, people read. And read indeed, as his new book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath is in the Amazon top 200.

Yet, with his over 50 years of journalistic experience, this book shows that, just because you are a world-renowned reporter, that doesn’t mean you always get the story right.

Review

In the superb, Canon-worthy book Threat Modeling: Designing for Security, author Adam Shostack shows how to use threat modeling to enhance software security. By applying threat modeling, information security can be enhanced. Shostack’s book offers a structured, methodical framework, and a model for determining a threat and its entire lifecycle, such that each of the key elements are identified and adequately assessed.

The problem with Koppel’s book is that his approach to the topic is anything but structured and methodical. He sets up a straw man question, never fully identifies the threats facing the power grid, and never gives specific weights to those threats, such that the reader is left with Chicken Little meets the power grid. The book’s premise is that a major and devastating cyberattack on America’s power grid is imminent. While it’s a disturbing hypothesis, never once does Koppel detail how such an attack would actually take place.

Throughout the book, Koppel sets up his straw man and uses terms such as imagine, may, could and similar, tenuous phrases. While these doomsday and worst-case scenarios are indeed terrifying, never does the book detail the specific how. Much of the book contains details of Koppel’s travels and narratives of the people he meets. From preppers in Montana, to leaders of the Mormon Church, whose doctrines include planning for cataclysmic events, and more. This is a detail of Ted’s great adventure.

One of the more disturbing interviews is with Jeh Johnson, Secretary of the Department of Homeland Security. Johnson comes across somewhat clueless of the energy sector cyberthreat, about which Koppel noted that, while Johnson’s answer to Koppel’s question lasted 13 minutes, he never addressed the question, and it was an area in which Johnson conceded that he had little expertise.

Koppel admits that he is not proficient in the complicated energy sector. To help him navigate through the arcane world of grid reliance standards and the evolving relationship between power industry groups and federal regulators, Koppel engaged the services of Dr. Ryan Ellis of the Cyber Security Project at Harvard University. Koppel notes that he sent transcripts of key interviews and rough drafts of relevant chapters to Dr. Ellis for his review and comments. Incredulously and disconcertingly, Koppel states that he didn’t always follow the advice of Dr. Ellis.

What Koppel did is speak to a lot of very senior people and put what he gleaned into writing. What’s conspicuously missing is his speaking to any cybersecurity expert with experience in SCADA, malware or related areas. In an interview for CSO Online, Koppel was asked if he interviewed penetration testers who have experience in the electric generation and transmission sector. Incredulously, he said “no.” I don’t think Koppel understands the significance of that exclusion, and therein is the fundamental problem with this book.

There are indeed threats to the power grid. But, if you want to know about those – the real threats and how they can be dealt with – this is not your book.

[Palo Alto Networks Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Web Stats

  • 119,159 hits
@PhilipHungCao

@PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.

Personal Links

View Full Profile →

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,247 other followers

Twitter Updates

Archives

December 2015
M T W T F S S
« Nov   Jan »
 123456
78910111213
14151617181920
21222324252627
28293031  
%d bloggers like this: