By Joe Weiss, PE, CISM. Applied Control Solutions, LLC
I appreciate the opportunity to provide the following statement for the record. I have spent more than thirty-five years working in the commercial power industry, designing, developing, implementing and analyzing industrial instrumentation and control systems. I hold two patents on industrial control systems, and am a Fellow of the International Society of Automation. I have performed cyber security vulnerability assessments of power plants, substations, electric utility control centers and water systems. I am a member of many groups working to improve the reliability and availability of critical infrastructures and their control systems1.
On October 17, 2007, I testified to this Subcommittee on "Control Systems Cyber Security—The Need for Appropriate Regulations to Assure the Cyber Security of the Electric Grid"2.
On March 19, 2009, I testified to the Senate Committee on Commerce, Science, and Transportation on "Control Systems Cyber Security—The Current Status of Cyber Security of Critical Infrastructures"3.
I will provide an update on cyber security of the electric system, including adequacy of the NERC CIPs and my views on Smart Grid cyber security. I will also provide my recommendations for DOE, DHS and Congressional action to help secure the electric grid from cyber incidents.
First of all, I believe it is any utility's obligation to maintain a high level of electric service reliability. For the most part, the utility industry takes this responsibility very seriously and focuses very strongly on electric system reliability. The grid has been designed to be resilient and to accommodate failures (the N-1 criterion). The equipment in place (older legacy and new equipment) has demonstrated a high level of reliability. However, as the older equipment is replaced with new equipment, such as equipment for Smart Grid applications, an interesting paradox occurs: as reliability increases from the installation of new equipment, the cyber vulnerability also increases.
First, I believe a major point of discontinuity has been the unsuccessful equating of the terms Critical Infrastructure Protection (CIP) and cyber security.
CIP (or "functional security") is focused on the function of the electric grid being maintained regardless of the status of the computers. Cyber security, on the other hand, focuses on protecting the computers independent of whether electric reliability is being maintained. For the sake of semantics, I will use the term "cyber security," but my intention is that the operation of the computers is focused on "keeping the lights on," or what is increasingly being referred to as "functional security."
Secondly, cyber events can be either intentional attacks or unintentional incidents.
NIST defines a cyber incident as "An occurrence that actually or potentially jeopardizes the Confidentiality, Integrity or Availability (CIA) of an information system or the information the system processes, stores or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. Incidents may be intentional or unintentional."4
Cyber incidents are also more than just malware or botnet attacks. Cyber incidents include all forms of impacts on electronic communications.
Man-made Electromagnetic Interference (EMI) has already impacted North American and European electric and water Supervisory Control and Data Acquisition (SCADA) systems and ruptured a natural gas pipeline.
In industrial control systems, the most probable cyber incident is unintentional. Moreover, in a stellar application of the "law of unintended consequences," I believe that "blindly" following the NERC CIPs5 will result in more unintentional cyber incidents.
Unintentional cyber incidents have already killed people, caused significant outages, and had large economic impacts. Additionally, if the incident can be caused unintentionally, the same type of incident, if intentional, could have even more damaging effect.
What has been happening since I testified to this Subcommittee in October 2007? It is not a pretty picture, and the power industry clearly needs Congress's help.
Knowledge Base - Figure 1 characterizes the relationship of the different types of special technical skills needed for control system cyber security expertise, and the relative quantities of each at work in the industry today.
Most people now becoming involved with control system cyber security typically come from a mainstream business Information Technology (IT) security background and not a control system background. This trend is certainly being accelerated by the Smart Grid initiatives, where the apparent lines between IT and control systems are blurring. Many of the entities responsible for control system cyber security, including industry, equipment suppliers and government personnel (e.g., DHS, NCSD and S&T, DOE and EPA), do not entirely appreciate the difficulties created by this trend.
This lack of appreciation has resulted in the repackaging of IT business security techniques for control systems rather than addressing the needs of field control system devices that often have no security or lack the capability to implement modern security mitigation technologies. This, in some cases, has resulted in making control systems less reliable without providing increased security. An example of the uninformed use of mainstream IT technologies is utilizing port scanners on Programmable Logic Controller (PLC) networks. This has the unintended consequence of shutting the PLCs down. This specific type of cyber incident has occurred more than once in both the nuclear power and conventional power portions of the industry, with negative consequences.
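The port-scanner incident above is the failure mode a practitioner most needs a safeguard against. The following is an added example, not part of the testimony and not any vendor's or utility's tool: it builds an asset inventory passively from flow records already observed on the network (for example from a switch span port), classifies any host that serves an ICS protocol as a control device, and then gates a requested active scan so that control devices are never probed and never-seen hosts are held for manual review rather than scanned. The flow records are constructed for the example; the protocol-to-port mapping uses the standard assignments for Modbus/TCP, DNP3, EtherNet/IP and S7comm.

```python
"""Passive ICS asset inventory plus an active-scan gate.

Added example illustrating the alternative to pointing an IT port scanner
at a PLC network: classify devices from traffic we have already seen, then
refuse to send active probes to anything that looks like a field device.
All flow records below are constructed for this example.
"""
from dataclasses import dataclass, field

# Standard TCP server ports for common ICS protocols.
ICS_SERVER_PORTS = {
    102: "S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.1.1.10", 49152, "10.1.2.21", 502, "tcp"),    # HMI -> PLC (Modbus)
    ("10.1.1.10", 49153, "10.1.2.22", 502, "tcp"),    # HMI -> PLC (Modbus)
    ("10.1.1.11", 51000, "10.1.2.30", 44818, "tcp"),  # eng. workstation -> PLC
    ("10.1.1.5", 40000, "10.1.2.40", 20000, "tcp"),   # master -> DNP3 outstation
    ("10.1.1.10", 52000, "10.1.1.50", 443, "tcp"),    # HMI -> historian (HTTPS)
    ("10.1.1.50", 50000, "10.1.1.60", 1433, "tcp"),   # historian -> database
]


@dataclass
class Asset:
    ip: str
    served_protocols: set = field(default_factory=set)  # ICS services it answers
    clients: set = field(default_factory=set)           # hosts that talked to it

    @property
    def is_control_device(self) -> bool:
        # Any host that *serves* an ICS protocol is treated as a field device
        # (PLC, RTU, outstation). Fail closed: one observation is enough.
        return bool(self.served_protocols)


def passive_inventory(flows):
    """Build {ip: Asset} from observed flows without sending a single packet."""
    assets = {}
    for src, _sport, dst, dport, proto in flows:
        if proto != "tcp":
            continue
        server = assets.setdefault(dst, Asset(dst))
        assets.setdefault(src, Asset(src))
        if dport in ICS_SERVER_PORTS:
            server.served_protocols.add(ICS_SERVER_PORTS[dport])
            server.clients.add(src)
    return assets


def gate_active_scan(targets, assets):
    """Split a requested scan list into (allowed, blocked, unknown).

    allowed: observed hosts that serve no ICS protocol; active probing permitted.
    blocked: control devices, mapped to the protocols that identified them.
    unknown: hosts never seen in traffic; held for manual review, not scanned.
    """
    allowed, blocked, unknown = [], {}, []
    for ip in targets:
        asset = assets.get(ip)
        if asset is None:
            unknown.append(ip)
        elif asset.is_control_device:
            blocked[ip] = sorted(asset.served_protocols)
        else:
            allowed.append(ip)
    return allowed, blocked, unknown


if __name__ == "__main__":
    inventory = passive_inventory(SAMPLE_FLOWS)
    requested = ["10.1.2.21", "10.1.2.30", "10.1.1.50", "10.1.1.60", "10.9.9.9"]
    ok, no, review = gate_active_scan(requested, inventory)
    print("scan allowed :", ok)
    print("scan blocked :", no)
    print("needs review :", review)
```

The decision rule is deliberately one-sided: a single observed ICS session marks a host as a control device, whereas an unobserved host is never promoted to "safe to scan". That bias toward refusing the probe is the point; the cost of a false refusal is a manual check, while the cost of a false allowance is the PLC outage described above.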