As can be seen in Figure 1, IT encompasses a large realm, but does not include control system processes. Arguably, there are fewer than several hundred people worldwide who fit into the tiny dot called control system cyber security. Of that very small number, an even smaller fraction exists within the electric power community.
Control System Cyber Incidents – Since I testified to this Subcommittee in October 2007, I have documented more than 30 control system cyber incidents, more than 20 of which were in the North American electric power industry! These incidents affected nuclear and fossil plants, substations and control centers. Impacts ranged from loss of displays, controller slowdowns and shutdowns to plant shutdowns and a major regional power outage. Geographically, these incidents occurred in more than ten states and a Canadian province. None of the incidents were actually identified as "cyber."
Meeting the NERC CIPs would not have prevented many of these incidents. In fact, some could have actually been caused or exacerbated by following the NERC CIPs.
Equipment Suppliers – It is important to understand that suppliers provide equipment with the features their customers request. Given that fact, the report card on our control system suppliers is a mixed bag. Responding to industry requests, the major Distributed Control System (DCS) and SCADA suppliers have been addressing security at the master station level. However, suppliers of field control and equipment monitoring systems have not had those industry requests and, thus, are continuing to include dial-up or wireless modems, Bluetooth and ZigBee connections, and/or direct Internet connections as part of their product offerings. This also applies to equipment used in the Smart Grid and in nuclear plants.
Business IT-focused suppliers continue to supply equipment and testing tools designed for IT applications, not for legacy control system applications. This has resulted in impacts on control system equipment, including shutdowns and even hardware failures.
Consultants and System Integrators – Most of the consultants and system integrators that are focusing on "cyber security" are really focusing on compliance with the NERC CIPs. Most are focusing on the SCADA or DCS master stations, as they are IT-like systems that non-control system personnel can understand. That leaves the legacy field equipment, which has essentially no security, hardly addressed at all as part of the NERC CIP process. The consultants and system integrators that are focused on equipment upgrades or new equipment installation generally do not address security.
Utilities – The original intention of the NERC CIPs (even before they were called the CIPs) was to make the bulk electric grid secure. Unfortunately, the "letter of the law" of the NERC CIPs is not security, but compliance. It is a critically important distinction to make and to understand. I know of only one utility that is trying to assure their systems are secure independent of compliance considerations. Almost all utilities are playing the game of compliance rather than securing their systems. This has resulted in industry's lukewarm attempt to meet NERC Advisories such as Aurora[6]. This lack of will has directly led to the significant number of actual electric industry cyber incidents, many of which were not even addressed by the NERC CIPs!
NERC – The North American Electric Reliability Corporation (NERC) was established in 1968 to ensure the reliability of the bulk power system in North America. NERC is a self-regulatory organization, subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. As of June 18, 2007, FERC granted NERC the legal authority to enforce reliability standards with all U.S. users, owners and operators of the bulk power system, and made compliance with those standards mandatory and enforceable, making NERC the Electric Reliability Organization (ERO). NERC's status as a self-regulatory organization means that it is a non-government organization that has statutory responsibility to regulate bulk power system users, owners and operators through the adoption and enforcement of standards for fair, ethical and efficient practices[7]. Prior to becoming the ERO, NERC was an American National Standards Institute (ANSI)-accredited organization, meaning it was a consensus standards organization and was subject to the direction of its member utility organizations. ANSI accreditation requires that standards go through a formal ballot process. This is a time-consuming effort and tends to favor setting a "very low bar." This consensus process has resulted in cyber security standards that are very weak and ambiguous, and that even exclude some of the most important recommendations from the Final Report of the Northeast Outage[8]. In the past, NERC has been a clear obstructionist to adequately securing the electric grid. NERC has used the ANSI process to reject more comprehensive requirements. That obstructionism included public responses denigrating Project Aurora[9]. The consensus approach is adequate for subjects like tree-trimming, but is not appropriate for critical infrastructure protection.
I was part of the NIST/MITRE team that performed a line-by-line comparison of the NERC CIPs to NIST Special Publication (SP) 800-53[10], which is mandatory for all federal agencies, including federal power agencies[11]. The report demonstrates that NIST SP 800-53 is more comprehensive than the NERC CIPs. However, NERC and many utilities are fighting the implementation of NIST SP 800-53. Are the utilities trying to say that the computers at the Department of Housing and Urban Development need a more comprehensive set of cyber security rules than every non-federal power plant, substation and control center in the United States?

Unless an asset is classified as "critical" in CIP-002, no further cyber security evaluation is necessary. A large segment of the utility industry is using the amorphous requirements in CIP-002 to exclude most of their control system assets from even being assessed. Michael Assante, Vice President and Chief Security Officer of NERC, wrote a public open letter on April 7[12] in which he makes it very clear that the industry is not doing an adequate job of even meeting the weakened intent of the NERC CIPs. Specifically, Assante's letter states that only 29% of generation owners and operators identified at least one Critical Asset and fewer than 63% of the transmission owners identified at least one Critical Asset. This means that 71% of generation owners did not identify a single Critical Asset, and 37% of transmission owners did not identify a single Critical Asset. I am personally aware of utilities that have identified ZERO Critical Assets, even though they have automated their plants and substations and have control centers.