Despite Assante’s attempts to change NERC’s approach to cyber security, NERC has continued to operate as a utility-directed organization. NERC’s Board of Trustees approved revisions to the NERC CIPs on May 6, 2009, after the electric industry passed them with an 88% approval rating. However, the revisions did not address any of the technical limitations, such as the exclusions of telecom, distribution and non-routable protocols, or strengthening CIP-002 to address Assante’s April 7 letter. A second example is the June 30, 2009, Alert on the Conficker Worm [13]. The Alert states that the ES-ISAC estimates the risk to bulk power system reliability from Conficker is LOW, due to the limited exploitation of this vulnerability and generally widespread awareness of the issue, even though NERC acknowledges that the potential consequence is high and that awareness among control system users is very low.
Smart Grid – The intent of the Smart Grid is to embed intelligence in the electric grid to allow two-way communication between devices and control centers for monitoring and control. The Smart Grid’s use of the Internet and the Internet Protocol (IP) is blurring the line between business IT and control systems, with the result that more people without knowledge of the electric system are involved in securing these systems.
This is a recipe for disaster - there has already been at least one case of a denial of service (DoS) attack against a distribution automation system.
From a regulatory standpoint, the situation is convoluted because the NERC CIPs explicitly exclude electric distribution, which is the heart of the Smart Grid and yet the NIST Smart Grid security efforts point to the NERC CIPs.
Unless Congress passes legislation to allow FERC to include distribution or the individual public utility commissions mandate that the NERC CIPs must be followed for their distribution systems, there are no regulations for securing the Smart Grid.
Education – To the best of my knowledge, there are no technical, interdisciplinary university curricula for control systems cyber security. There are universities, such as the University of Illinois and Mississippi State University, starting to address this subject in an ad hoc manner. Congress might well seek ways to encourage and fund more such curricula as a significant way to improve cyber security in all control systems.
Certifications – There are no personnel certifications for control system cyber security.
IT certifications such as the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM) do not address control systems. Professional engineering examinations do not include security.
There needs to be a certification demonstrating knowledge of both control systems and security, overseen by organizations competent to administer such a requirement. One candidate organization is the CSFE [14], which certifies Functional Safety experts. There are ongoing efforts by individual companies and organizations such as ISA to certify industrial control systems, as opposed to personnel, for cyber security.
Government R&D – R&D has been focused on effectively "repackaging IT." Very little work has been devoted to legacy or even new field equipment, even though these devices have limited or no security and can cause the biggest impacts.
There has also been no attempt to analyze actual cyber incidents to learn what policies and technologies should be developed to protect these systems.
NIST – NIST has effectively two disconnected programs on cyber security that impact the electric grid. The NIST Information Technology (IT) Laboratory has been responsible for updating NIST SP800-53 and the daughter standard NIST SP800-82 [15]. There has been a significant amount of effort addressing industrial control systems and applicability to the electric industry. NIST is also acting as the standards coordinator for the Smart Grid.
As a member of the Smart Grid Cyber Security Working Group and the Industry-to-Grid Working Group, I see a dichotomy that troubles me. Instead of mandating NIST SP800-53 for the Smart Grid, it appears as if NIST doesn’t want to be seen as pushing its own standards. Not only is NIST SP800-53 the best cyber security standard currently available, it is mandatory for all federal power agencies.
Why shouldn’t NIST SP800-53 be mandated for all power utilities, not just federal ones?
Traditional reliability threats, such as vegetation contact with power lines that tree trimming is meant to prevent, can be handled by private industry. However, cyber is a new threat that requires a joint effort by the government and private industry. I believe there are a number of roles for the federal government to play in defending against cyber incidents and/or physical attacks against electric facilities.
Articles such as the recent Wall Street Journal article on Chinese and Russian hackers imply that the electric industry is unaware of computer intrusions [16]. This is probably true on several counts. As mentioned, the electric industry is not doing an adequate job of even looking. Additionally, there is a lack of adequate cyber forensics for control systems. As a result, it is difficult for the electric industry today to have an early detection and warning capability for cyber threats. However, that same difficulty is also an opportunity for the government and private industry to develop appropriate forensics. A non-technical challenge is the industry’s continuing reluctance to provide control system cyber incident data to the government, and law enforcement’s reluctance to share relevant information on actual attacks with the industry so that utilities can protect themselves.
What can DHS and DOE do?
I cannot speak for the division in responsibilities between DHS and DOE, but I can point out what needs to be done: