We Need To Talk About Great Britain’s Smart Metering & Its Security

CyberSolace in association with STORM|Guidance has produced a paper around Great Britain’s Energy Smart-Metering programme and its cybersecurity concerns.

The paper is intended to tell the story of Great Britain’s smart-metering journey from a fuller perspective laying out the early beginnings, reasons for change, progress so far, and some of the challenges that have cast a shadow thus far. The second part of the study presents a special focus on the cybersecurity aspects and where better decisions could have been made.

Ultimately, we hope to share our opinions on the programme and its cybersecurity provisions, as well as inform the general public, and any other commercial party or organisation, that may take special interest in the topic. Whether it be from an investment point, risk management, insurance concerns or smart-metering technology adoption and lessons-learnt point of view.

Read the full paper by clicking the button below.

,

How to Hack a Credit Card in 6 Seconds, Experts Reveal

,

Encrypting Data At Rest Or In The Cloud: Is It Value Adding?

It is often touted that encrypting data at rest will add a level of protection that can allay most fears of data breach.  I like to differ on this matter and suggest that this is not necessarily a strong argument.

A better view in my opinion is that improving access-control measures (i.e. authentication, authorisation) can provide a much more useful and effective approach to data security than encryption at rest.  The cost, complexity and functionality-reduction overheads of applying an encryption solution to data at rest far outweigh any perceived benefits.  Perhaps the recent increased focus and interest in encryption of data at rest is due to the heightened appetite of organisations wishing to move to the cloud.  A number of commercial organisations nowadays are creating big business by offering encryption services/solutions for protecting data in the Cloud.

The practical truth in my view is that no current encryption solution for data at rest, in Cloud environments at least, adds much protection to the data.  Typically the easiest route to the data for most adversaries is through circumventing the access-control mechanism.  E.g. via hacking legitimate accounts, using social engineering to steal/phish relevant credentials, hijacking encryption keys, pilfering/intercepting open information sources/systems, back-dooring systems/applications, coercing insiders or planning malicious insider access, etc. In other words, the ultimate route to the data at rest will most likely be through circumvention of the access-control mechanisms.  Thus it is far easier, cheaper and more effective to bolster the access control barriers and overlay a monitoring and alerting mechanism for timely detection and response to anomalous activity.  Simply adding a complex and costly encryption solution will unlikely offer a solid defence against a compromised access-control mechanism because by definition anyone with the right access credentials will have unfettered access to the data.

Another argument against the usefulness of encryption at rest is the fact that current encryption regimes are:

  1. Being subverted by state security agencies such as the NSA in the US and GCHQ in the UK to name a couple. (Read <this> New York Times article. Also see Bruce Schneier’s article <here>).
  2. Becoming increasingly susceptible to advances in technology and novel computer processing capabilities which may render it totaly unusable in the not too distant future. (Read <this> article from the Global Risk Institute).

It is unlikely that this short article will do justice to such a big and complex topic but my intention is really to share thoughts and offer a different perspective on an issue that often tends to be treated by default according to old security precepts and rules.  Encryption at rest is not a panacea and must not always be considered as the ultimate solution to data security.  It has its use-cases but every solution architect needs to weigh its merits on a case by case basis and not take it as a mandatory measure by default because the rule book says so.

We need to inform not just the end-users of encryption services but also, and more concerning, the law-makers/regulators that hail encryption as a primary solution (or even a crucial prerequisite in some cases) for preserving data privacy and security.

It is important to make well founded decisions about the value of encryption and not be blown away by the hype.  We need to have the opportunity to choose the best value security solution for each case and not be dictated to or stifled by regulatory or standards bodies who are not necessarily best positioned to understand the technical advantages/disadvantages of encryption technology/science.

We also need to be in an informed position to objectively validate the claims made by commercial organisations that sell encryption solutions and services.

,

Patients’ Privacy: Lessons learned from major health care data breaches

The Brookings Institution for research in the USA has recently issued a very informative and layman friendly report about the state of information security and privacy in the health-care sector.  Whilst the report is US centric, its key findings and recommendations apply almost universally in the developed world.

Recent leaps in technology toward health care digitization have resulted in unprecedented amounts of personal health data being collected, shared, and analyzed on an everyday basis. Due to this proliferation in data, there are now more reasons to be concerned about patient privacy than ever. Despite public concerns and government’s efforts, the frequency and magnitude of privacy breaches have been on an upward trend and data breaches are more likely to happen in the health care industry than any other sector. In this new report, Niam Yaraghi examines the recent privacy breaches in the health care system. He uncovers underlying factors leading to these incidents, documents lessons learned, and examines how to prevent similar breaches in the future.

Yaraghi identifies and explains several reasons that the health care sector is particularly vulnerable to privacy breaches:

  • Health care data are richer and more valuable for hackers;
  • Too many people have access to medical data;
  • Medical data are stored in large volumes and for a long time;
  • The health care industry embraced information technology too late and too fast;
  • The health care industry did not have strong economic incentives to prevent privacy breaches; and As Yaraghi illustrates, medical data breaches can be especially catastrophic because they contain information that cannot be changed.