Despite Assante’s attempts to change NERC’s approach on cyber security, NERC has continued its focus as a utility-directed organization. NERC’s Board of Trustees approved revisions to the NERC CIPs on May 6, 2009, after passage by the electric industry with an 88% approval rating. However, the revisions did not address any of the technical limitations, such as the exclusions of telecom, distribution and non-routable protocols, or strengthening CIP-002 to address Assante’s April 7 letter. A second example would be the June 30, 2009, Alert on the Conficker Worm.[13] The Alert states the ES-ISAC estimates the risk to bulk power system reliability from Conficker is LOW due to the limited exploitation of this vulnerability and generally widespread awareness of the issue, even though NERC acknowledges the potential consequence is high and the awareness among control system users is very low.
Smart Grid – The intent of the Smart Grid is to embed intelligence into the electric grid to allow two-way communications between devices and control centers for monitoring and control. The Smart Grid’s use of the Internet and Internet Protocols (IP) is blurring the line between business IT and control systems, resulting in more people without knowledge of the electric system being involved in securing these systems.
This is a recipe for disaster - there has already been at least one case of a denial of service attack (DDOS) on a distribution automation system.
From a regulatory standpoint, the situation is convoluted because the NERC CIPs explicitly exclude electric distribution, which is the heart of the Smart Grid and yet the NIST Smart Grid security efforts point to the NERC CIPs.
Unless Congress passes legislation to allow FERC to include distribution or the individual public utility commissions mandate that the NERC CIPs must be followed for their distribution systems, there are no regulations for securing the Smart Grid.
Education – To the best of my knowledge, there are no technical, interdisciplinary university curricula for control systems cyber security. There are universities, such as the University of Illinois and Mississippi State University, starting to address this subject in an ad hoc manner. Congress might well seek ways to encourage and fund more such curricula as a significant way to improve cyber security in all control systems.
Certifications – There are no personnel certifications for control system cyber security.
IT certifications such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM) do not address control systems. Professional engineering examinations do not include security.
There needs to be a certification demonstrating knowledge of control systems as well as security, administered by organizations competent to oversee this requirement. One organization could be the CSFE,[14] which certifies Functional Safety experts. There are ongoing efforts by individual companies and organizations such as ISA to certify industrial control systems for cyber security.
Government R&D – R&D has been focused on effectively "repackaging IT." Very little work has been devoted to legacy and even new field equipment, even though these devices have limited or no security and can cause the biggest impacts.
There has also been no attempt to analyze actual cyber incidents to learn what policies and technologies should be developed to protect them.
NIST – NIST has effectively two disjointed programs on cyber security that impact the electric grid. The NIST Information Technology (IT) Laboratory has been responsible for updating NIST SP800-53 and the daughter standard NIST SP800-82.[15] There has been a significant amount of effort addressing industrial control systems and applicability to the electric industry. NIST is also acting as the standards coordinator for the Smart Grid.
As a member of the Smart Grid Cyber Security Working Group and the Industry-to-Grid Working Group, I see a dichotomy that troubles me. Instead of mandating NIST SP800-53 for the Smart Grid, it appears as if NIST doesn’t want to be seen as pushing its own standards. Not only is NIST SP800-53 the best cyber security standard currently available, it is mandatory for all federal power agencies.
Why shouldn’t NIST SP800-53 be mandated for all power utilities, not just federal ones?
Traditional reliability threats such as tree trimming to prevent power line damage could be handled by private industry. However cyber is a new threat that requires a joint effort by the government and private industry. I believe there are a number of roles for the federal government to play in defending against cyber incidents and/or physical attacks against electric facilities.
Articles such as the recent Wall Street Journal article on Chinese and Russian hackers imply that the electric industry is unaware of computer intrusions.[16] This is probably true on several accounts. As mentioned, the electric industry is not doing an adequate job of even looking. Additionally, there is a lack of adequate cyber forensics for control systems. As a result, it is difficult for the electric industry to have an early detection and warning capability for cyber threats today. However, that same difficulty is also an opportunity for the government and private industry to develop appropriate forensics. A non-technical challenge is the industry’s continuing reticence to provide control system cyber incident data to the government, and law enforcement’s reticence to share relevant information on actual attacks with the industry so they can protect themselves.
What can DHS and DOE do?
I cannot speak for the division in responsibilities between DHS and DOE, but I can point out what needs to be done:
- Provide intelligence on threats to those needing to know - that does not mean only security cleared individuals, but all individuals working in the area;
- Make use of available technical talent – there is very little, and the safety and security of our country depend on these efforts;
- Analyze actual control system cyber incidents to develop appropriate cyber technologies and policies – there are few places to get the information, as most of it has not been provided to the government, and what has been provided is often classified and unavailable;
- Establish benchmarks for how much security is enough, what is an acceptable vulnerability assessment, what is an acceptable risk assessment, audit metrics, trade-offs between security and functionality, etc.;
- Support first-of-kind technology development, particularly for legacy field devices;
- Support development of college technical as well as policy curricula;
- Support the establishment of a CERT (Computer Emergency Response Team) for control systems that is not under the purview of the government, because industry is still uncomfortable about providing what they consider to be confidential data to government agencies like the FBI.
What can Congress do?
Currently FERC is constrained by the Energy Policy Act of 2005.[17] It cannot write standards and its scope is restricted to the bulk electric system. There are several steps that Congress can take to help maintain the reliability of the electric system from cyber threats:
- Provide cyber security legislation that gives FERC the scope to write standards including mandating NIST SP800-53 for the bulk electric grid and the Smart Grid
- For cyber security, increase FERC’s scope to include electric distribution. There are technical as well as administrative reasons. Low-voltage transmission and high-voltage distribution systems electronically communicate with each other; utilities electronically communicate with each other; and the utilities use common systems. We cannot afford to have a "Tower of Babel" set of rules for each state and for the same equipment.
- NERC is in a conflict-of-interest position because its fundamental purpose has changed. If NERC cannot do the job of assuring cyber security of the electric grid, find an organization with the will power and authority to do so.
- HR 2195[18] would go a long way toward providing effective legislation. I would add the following: mandate the NIST FISMA guidance documents, such as SP800-53, and require the establishment of a program to develop expertise in electric grid cyber security. The expertise gained from this program should be shared with every electric grid owner and operator.
It has been almost ten years since I helped start the control system cyber security program at the Electric Power Research Institute (EPRI). Ten years should have been sufficient time for the industry to make significant progress. Unfortunately, it has not happened. Actual control system cyber incidents continue to occur – in fact, they appear to be getting more numerous. An unsecured electric grid is dangerous to the safety and economic well-being of this country. Congress needs to step in and provide regulation to give FERC the additional powers necessary and mandate NIST SP800-53.