The Cyber Intelligence Sharing and Protection Act (CISPA) is likely to fail if it goes to a vote on the Senate floor, according to comments made today by Sen. Jay Rockefeller (D-W.Va.), the chairman of the committee on commerce, science and transportation.

CISPA is a bill that would enable major companies to share cyberthreat data with the government (and each other) to prevent attacks on their networks. Many critics have spoken out against CISPA because it doesn’t specify what information can be shared and what it will be used for beyond preventing cyberattacks. CISPA passed a vote in the House last week despite threats of a presidential veto.

“We’re not taking [CISPA] up,” Rockefeller told U.S. News. “Staff and senators are divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. They’ll be drafting separate bills.”

CISPA isn’t technically dead, because the Senate hasn’t brought the bill to a vote. And even though there’s promise of carving CISPA’s various cybersecurity issues into separate bills, it could easily morph into something that’s very much like the original piece of legislation that was passed by the House.

It’s worth noting that this is the second go-around for CISPA. Last year the bill also passed successfully in the House — and the Senate version of CISPA bill even had the White House stamp of approval. Yet the Senate is also where CISPA met its demise the first time, so maybe there is some hope that Rockefeller’s comments will hold true. Still, the White House is still pushing for some type of cybersecurity legislation to pass into law, and the Obama administration has even laid the groundwork for companies to voluntarily start participating in a CISPA-style coalition.

It’s time to add another issue to the list of what’s ailing publisher Electronic Arts. The company’s chief executive officer announced yesterday that he is stepping down, and it is still reeling from a public-relations snafu with the recently launched city-builder SimCity. Now, a security research firm revealed that members of EA’s digital-download service are vulnerable to attack from hackers.

A fatal flaw in EA’s Origin service may enable hackers to remotely execute software on a target’s Mac or PC, according to Malta-based security researchers ReVuln (via Time’s Techland blog). ReVuln published a paper earlier this month that explains the vulnerability in detail.

“Our team is constantly investigating hypotheticals like this one as we continually update our security infrastructure,” Origin spokesperson John Reseburg told GamesBeat.

The hack only takes seconds. It works by exploiting an “Origin://link” uniform resource identifier (URI), which publishers utilize to enable browsers to open and control actions on the Origin platform. Origin’s links follow a particular pattern. Hackers can mess around with that pattern to make the URI execute different commands. One of those commands could be bringing up a box that asks a user to download an application. They might trust that application because they’re on their trusted Origin site and click yes. The malware will then install, and the hacker will effectively “own” the system.

“Using games as an attack vector is pretty difficult to spot,” ReVuln security researcher Donato Ferrante told GamesBeat. “One of the reasons is that most people underestimate games as a possible way for attackers to compromise their systems.”

ReVuln released a proof of concept of the hack, which you can see in the video embedded into ReVuln’s Tweet:

EA Origin Insecurity paper: revuln.com/files/ReVuln_E… and video: vimeo.com/61361586 #BlackHatEU #0day—
ReVuln (@revuln) March 15, 2013

In October, ReVuln discovered a similar insecurity in Valve’s Steam digital service — EA’s primary competitor in the PC space. Ferrante claims Valve still hasn’t addressed the issue.

The security firm suggests that users set their browsers to pop up with a prompt when attempting to open a game in Origin or in Steam. More security-conscious users can install a tool like URIprotocolview to disable the “Origin://” URI.

VentureBeat security reporter Meghan Kelly contributed to this report

---

GamesBeat 2013 is our fifth annual conference on disruption in the video game market. You'll get 360-degree perspectives from top gaming executives, developers, and analysts on what’s to come in the industry. Our theme this year is “The Battle Royal.” Check out full event details here, and grab your early-bird tickets here!

---

While congress has yet to reach any sort of lasting solution regarding the nations growing cyber security problems, President Barack Obama has decidedly taken the first big step in an executive order signed earlier today.

The executive order places the National Institute of Standards and Technology with the responsibility of  creating cyber security standards for organizations and industries that are of great importance to the country, such as transportation, utilities (water and electric), and healthcare. The department of Homeland Security will then work with businesses and industry groups on a volunteer basis to ensure that the standards are being met properly as well as come up with incentives to get more organizations/businesses on board.

The executive order would also create a new initiative for businesses to share their cyber security data with a centralized organization that could make sense of it, and allow security experts to advise on how to prevent future attacks.

Right now the biggest deterrent in getting businesses and other organizations to get on some kind of standard cyber security plan is that most don’t want to be held liable for security breaches due to failure of these self-imposed regulations. However, if congress passes new legislation regarding cyber security standards, that could change.

Last year the House passed legislation call CISPA, or the Cyber Intelligence Sharing and Protection Act, which would have addressed many of the concerns businesses and other organizations had about a cyber security standards. The bill sought to give American companies more legal breathing room (protection against lawsuits) when collecting and sharing consumer/user data for the purpose of preventing massive Internet security threats. However, CISPA had few guarantees that it wouldn’t grossly violate an individual’s privacy rights, and initially faced of a presidential veto threat). The White House eventually put a stamp of approval on a revised version of the bill, which failed a vote in the Senate.

Now, that same House bill is tentatively headed back to the floor for another vote Wednesday, meaning congress has one more chance to pass the White House-approved version.

This is an issue that President Obama clearly understand is important (having highlighted it specifically in tonight’s State of the Union address), and his executive order essentially lays the groundwork for the CISPA bill to pass, should that happen.

You can read full text of the cyber security executive order in the document embedded below.

If there is any weakness in security, you can guarantee the criminals will try to exploit it. And if a cyber criminal discovers a weakness in one community, it won’t be long before that isolated crime turns into a trend. The commercialization of malware is rapidly becoming a well-organized and highly lucrative business.

So what can we expect in 2013? Based on what crimes we are seeing around the globe, here is a list of the top six emerging cyber security threats we will likely see in 2013.

Criminals will enter your home using smart TVs – Smart TVs are extremely vulnerable to attacks especially as app stores for TVs become more prevalent. Hundreds of applications are becoming available for users to download, and an attacker needs to exploit vulnerabilities in just one of these apps to enter people’s homes. In 2013, the attacks may be geared more towards stealing content, like movies and games, but as Smart TVs become more sophisticated and integrated into home networks, you can be assured cyber criminals will find new ways to exploit this new avenue inside the home.

Virtual kidnapping of cellphones – Scarlett Johansson, Olivia Munn, Christina Hendricks, and Rihanna were just a few celebrities who got their phones hacked in 2012. Next year, you can expect this crime to go from celebrities to consumers. TopPatch has already seen hackers hold phones for ransom. It is a virtual form of hijacking your cell phone and we are expecting more of these crimes to hit the global consumer in 2013 as smartphone use continues to increase.

Attacks using bloggers will increase - Many content management systems that bloggers use, and the ad servers they are integrated with, don’t have enough security measures to protect content created by writers and bloggers, or the ad units served by advertisers. In 2013, hackers will exploit these security weaknesses further to spread viruses, conduct phishing attacks, and steal data from the audiences who visit these websites.

Virtual attacks end in human death - Nation-state attackers will target critical infrastructure networks such as power grids at unprecedented scale in 2013, resulting in human casualties from a cyber attack. Violent extremist groups have already attacked nuclear reactors, hospitals and assembly lines at automobile companies. These types of attacks are growing more sophisticated, and will soon enough lead to the loss of human life at an unprecedented scale.

Rogue regimes use cyberterrorism to attack their governments – In 2012 we already saw numerous government-sponsored cyber attacks, but next year we will see rogue regimes utilize the skills they have developed to attack their own governments.

Attacks will follow natural disasters - Cyber criminals like to attack when people are most vulnerable. Many networks go down during natural disasters, leaving security gaps for cyber criminals. With the rise of natural disasters in 2013, we can expect more systems to become vulnerable, leaving more opportunities for cyber criminals to exploit. If global warming leads to more hurricanes and weather changes, you can expect the opportunities for cyber criminals to grow during these down times.

Chiranjeev Bordoloi is the CEO of TopPatch. He has consulted government agencies, financial institutions and Fortune 500 companies on cyber security for more than 20 years. TopPatch was the first cyber security company to develop a patent-pending Peer-to-Peer Security Patch Management Software that exponentially improves on the “old” way of securing computers, which required all security to go through one server.

Cyber security photo via alexskopje/Shutterstock

These are all possible scenarios in an insufficiently secured electricity grid, and in particular in the emerging smart grid.

Smart grid is a bionic upgrade to power generation and distribution that will let our energy network diagnose and heal itself, dynamically integrate renewable energy and local power sources and automatically lower electricity demand. The source of those new superpowers is information technology. But increasing automation and communications within the electricity grid potentially has a dark side; increased vulnerability to attack.

The Stuxnet worm, which attacked nuclear power plants in Iran, suddenly thrust a subject which was previously the domain of a small group of experts, the security and automated control of industrial systems, into the limelight. The systems used to control nuclear power plants are very similar to those which run the power grid. “The idea that industrial control systems of infrastructure can be penetrated in a clever way like that has really opened the eyes of the community and the general public.” says Jeff Meyers, a smart grid executive at Telvent.

While security experts always knew that an attack like Stuxnet was possible, the general view was “the threat is going to be an external one. It’s going to come from hackers”. In fact Stuxnet was delivered as part of a Siemens industrial control system, an internal threat rather than an external one.

Markus Braendle is the cyber security manager at ABB, a leading vendor to utilities. He asks “How do you put a price on what happens if we lose power in a small distribution grid? Anywhere from a couple of people being annoyed because they can’t watch TV to, if it’s a cold winter, people losing their lives.”

Security in the smart grid

The Government Accountability Office (GAO), which audits government activities, recently released a report on smart grid cybersecurity which reveals significant problems. The report concluded that there are gaps in cybersecurity regulation and problems with jurisdiction and that even when regulation exists utilities are focused on regulatory compliance rather than comprehensive security. Utilities are governed by a complex set of national, state and municipal regulators who set compliance rules and can impose fines if they are not met. Many state regulators have not imposed any formal requirements on utilities, and even when there are requirements, they are usually limited to smart metering.

Currently NERC (North American Electric Reliability corporation) defines national standards on cybersecurity for utilities, but according to several of the experts I spoke to, the NERC CIP standards are not sufficient to ensure robust security in the smart grid. Making sure the standards are implemented correctly via testing and monitoring is also an area of concern.

The smart grid security problem

The smart grid presents unique security problems. When a power grid operator talks about security, he means reliability of electricity supply. Keeping the electricity flowing is the primary concern of every operator. In the IT world, security means cybersecurity.

Braendle explained that ”in the end what we are trying to secure is a physical process and not a piece of information.” Most security techniques like encryption or authentication were developed for environments like banking which manipulate pure data. They don’t take into consideration the delays required to open a valve or switch a feeder and conversely often cannot operate fast enough for grid applications like protection where the local grid must be isolated from a malfunction in less than two milliseconds.

Bob Lockhhart, who wrote Pike Research’s smart grid cybersecurity report, told me that something as simple, from the IT point of view, as “pinging” a device to see if it is running can sometimes bring down a legacy system. Adding monitoring can disrupt real-time processes on the grid. For a grid operator reliability of supply is all. Braendle points out that “we have systems which have an allowed down time of 5 minutes per year.”

The smart grid will be composed of an enormous number of devices of various types and vintages, from smart meters and solar inverters to electrical substation equipment and sensors on electricity lines. More devices means more entry points into the grid which can be used as points of attack. Many legacy devices in the grid have limited processing power, communicate using proprietary protocols over low-bandwidth connections and have no built-in security. Replacing older devices is often not an option for cost or reliability reasons. For this reason, building the smart grid has been compared to rebuilding a plane in flight.

What are the security threats?

Ask a group of smart grid experts to name the major threats to the smart grid and you will get as many answers as people. According to Lockhart, when it comes to smart meters, utilities want smart meters to last for 20 year but this timeline is too long for IT companies. So they are concentrating on making the meters upgradeable. Upgradeability creates vulnerabilities. The threats include rolling back the meter to avoid billing, using the meter as an entry point to the rest of the network or even denial of service attacks on meters.

Braendle asserts that customer privacy is a new problem for utilities. Data from smart meters can reveal all kinds of private information from the number of people in your household to when you are on holiday. Utilities have a legal obligation to keep this data private. “How do you protect the privacy of the customer so not everyone knows when you are taking a shower?” he asks.

John Cooper, author of GridNet’s cybersecurity whitepaper, agrees on meters being a possible entry point to the grid but also points to the distribution grid (the part which connects to homes and businesses) where decisions which were previously manual are being automated and made locally. Cooper also considers renewables, in particular small-scale, local generation of renewable energy known as Distributed energy resources (DER), as a brand new area which doesn’t fit the current paradigm. Utilities are used to generating power in large-scale, centralised power stations. Distributed solar or wind farms, local electricity storage and even electrical vehicles add thousands of devices on the edge of the grid. ”DER will require control” Cooper maintains “and we will have much less control over the physical access to those locations as opposed to substations (A substation transforms high to lower voltage and acts as a local centre to distribute electricity to homes and businesses)”.

Rolf Adam, Cisco‘s Director of utilities and smart grid in Europe, contends that physical security will be more important than cybersecurity in early smart grid deployments. “Doing physical damage to an infrastructure is much easier than damaging that infrastructure using cybersecurity” he says. The best firewall in the world won’t stop someone from driving a bus into a substation. Adams also highlights the need to apply security to people, e.g. who gets access to a substation, and processes. Cisco is using RFID tags for utility employees and materials to track them in the field. It is also advocating the use of video collaboration tools so that more inexperienced, maintenance staff, who may inadvertently cause damage by flicking the wrong switch in a substation, can get expert advice.

Meyers also mentioned physical security threats and small-scale power generation but added that there are threats everywhere that new communication and sensing technology is used.

The good news

The good news is that cybersecurity standards and techniques or smart grid are being developed. “In North America right now the awareness (of cybersecurity) is higher than anywhere else” asserts Braendle. One reason for this is the NERC CIP cybersecurity guidelines and the accompanying fines for non-compliance. Another is that all smart grid projects which receive stimulus money from the U.S. government must meet certain cybersecurity standards.

Meyers and Cooper agree that a lot of good work has been done on defining cybersecurity requirements, but there are still many open questions related to regulation, testing and compliance. Meyers explained that the diversity in the devices in the grid and their age could be an advantage as well as a difficulty since it makes it more difficult to acquire the knowledge to do harm. He also wonders if hackers will think it’s as “sexy” to take down a part of the distribution grid as, for example, a big bank.

Cooper says that the ultimate goal of cybersecurity is not to make the smart grid impregnable, but to make it more costly, and therefore less attractive, to attack. However, his final words are clear. ”The smart grid should not be built if it’s not built securely.”

The anti-Russian blogger allegedly at the heart of the last two days’ worth of attacks on Twitter and Facebook is back up on the microblogging service. (His LiveJournal page is still down though.) The blogger, who goes by the handle @cyxymu, blamed the attacks on Russia’s security forces.

Both Twitter and Facebook have suffered distributed denial of service attacks in the last two days, where a malicious party makes so many illegitimate requests of a single site that other users can’t get through. Facebook said the attacks that slowed its service yesterday were all targeted at a single activist Georgian blogger.

“A botnet was directed to request his pages at such a rate that it impacted service for other users,” the company said. Twitter was less specific, saying the attacks were “geopolitical in motivation.“

The blogger, a 34-year-old economics lecturer, told the Guardian yesterday that he believed the attacks were in retaliation for criticism of Russia’s conduct in the war in the South Ossetia region.

“Maybe it was carried out by ordinary hackers but I’m certain the order came from the Russian government,” he told the U.K. newspaper. ”An attack on such a scale that affected three worldwide services with numerous servers could only be organised by someone with huge resources.”