March 19, 2009
Good afternoon Mr. Chairman and Members of the Committee. I would like to thank the Committee for your invitation to discuss the current status of cyber security of the control systems utilized in our nation’s critical infrastructure.
I am a nuclear engineer who has spent more than thirty years working in the commercial power industry designing, developing, implementing, and analyzing industrial instrumentation and control systems. I have performed cyber security vulnerability assessments of power plants, substations, electric utility control centers, and water systems. I am a member of many groups working to improve the reliability and availability of critical infrastructures and their control systems, including the North American Electric Reliability Council’s (NERC) Control Systems Security Working Group (CSSWG), the Instrumentation Systems and Automation Society (ISA) S99 Manufacturing and Control Systems Security Committee, the National Institute of Standards and Technology (NIST) Industry-Grid Working Group, Institute for Electrical and Electronic Engineers (IEEE) Power Engineering Society Substations Committee, International ElectroTechnical Commission (IEC) Technical Committee 57 Working Group 15, and Council on Large Electric Systems (CIGRÉ) Working Group D2.22- Treatment of Information Security for Electric Power Utilities (EPUs). I would like to state for the record that the views expressed in this testimony are mine.
Until 2000, my focus strictly was to design and develop control systems that were efficient, flexible, cost-effective, and remotely accessible, without concern for cyber security. At about that time, the idea of interconnecting control systems with other networked computing systems started to gain a foothold as a means to help lower costs and improve efficiency, by making available operations-related data for management “decision support.” Systems of all kinds that were not interconnected with others and thereby could not share information (“islands of automation”) became viewed as an outmoded philosophy. But at the same time, there was no corresponding appreciation for the cyber security risks created. To a considerable extent, a lack of appreciation for the potential security pitfalls of highly interconnected systems is still prevalent today, as can be witnessed in many articles on new control systems and control system conferences. As such, the need for organizations to obtain information from operational control system networks to enable ancillary business objectives has often unknowingly led to increased cyber vulnerability of control system assets themselves.
The timing of this hearing is fortuitous as the Stimulus Bill has recently been approved which is stimulating work on the Smart Grid, the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards are being updated, the Chemical Facility Anti-Terrorism Standards (CFATS) is being reviewed, and the water industry R&D Roadmap has been issued. In each case, I believe there are shortcomings that can have significant impacts on the security of our critical infrastructures if they are not adequately addressed.
Industrial Control Systems (ICS)3 are an integral part of the industrial infrastructure providing for the national good. While sharing basic constructs with Information Technology (IT) business systems, ICSs are technically, administratively, and functionally more complex and unique than business IT systems. Critical infrastructure protection focuses on protecting and maintaining a safe and reliable supply of electric power, oil, water, gasoline, chemicals, food, etc. Computer cyber vulnerabilities are important if they can affect the safe, functional performance of these systems and processes. One should view current ICS cyber security as where mainstream IT security was fifteen years ago – it is in the formative stage and needs support to leapfrog the previous IT learning curve.
The convergence of mainstream IT and ICS systems require both mainstream and control system expertise. It is the successful convergence of these systems and organizations that will enable the promised secure productivity benefits. To ensure that ICS are adequately represented, include subject matter experts with control systems experience in all planning meetings that could affect these systems.
Generally cyber security has been the purview of the Information Technology (IT) department, while control system departments have focused on equipment efficiency and reliability – not cyber security. This has led to the current situation where some parts of the organization are now sensitized to security while others are not as yet aware of the need. Industry has made progress in identifying control system cyber security as an issue while not appreciating the full gravity of the matter. There is a significant difference between the security philosophies of enterprise IT and ICS. The purpose of enterprise security is to protect the data residing in the servers from attack. The purpose of ICS security is to protect the ability of the facility to safely and securely operate, regardless of what may befall the rest of the network.
Cyber refers to electronic communications between systems and/or individuals. This term applies to any electronic device with serial or network connections. For this White Paper, the umbrella term “cyber” addresses all electronic impacts on ICS operation including:
- intentional targeted attacks,
- unintended consequences such as from viruses and worms,
- unintentional impacts from inappropriate policies, design, technologies, and/or testing,
- Electro Magnetic Pulse (EMP),
- Electro Magnetic Interference (EMI),
- other electronic impacts
The umbrella term “ICS” includes: