August 22nd, the DHS Cyber Security Division held the Transition to Practice Technology Demonstration for Investors, Integrators and IT Companies in San Jose. To great fanfare (it was on local radio and TV) there were 8 cybersecurity technologies being showcased. NONE were directly relevant to control systems!
The issue of critical infrastructure protection, or control system cyber security, is getting to be more popular with the mainstream IT community as demonstrated by the number of presentations at Black Hat. The issue is really separating the real issues from the hype.
We had assumed that insurers were taking the risk of ICS cyber security seriously. We also thought this could be the driver to get end-users to actually secure their ICSs. Consequently, we intended to have a session on insurer's role in ICS cyber security at the 2013 ICS Cyber Security...
I have been involved with NIST to one degree or other on ICS cyber security since 2000 and on other technical issues long before that. I have done this as I firmly believed NIST was the best independent organization to be able to develop ICS cyber security standards.
Electrons do not have organization charts. Neither do hackers. Unfortunately people and organizations do. As a result of the second utility willing to engage in an Aurora demonstration project, an issue arose about the cyber security of the devices used in the transformer controls.
NIST Released New Draft Outline of Cyber Standard #pauto #critical-Infrastructure #automation #cybersecurity #hacking
NIST Releases Draft Outline of Cybersecurity Framework for Critical Infrastructure
What precipitated this blog was a NERC employee trying to discourage a utility from participating in an Aurora hardware demonstration. Based on the facts below, I would posit that the NERC CIP approach has not improved the reliability of the electric grid from cyber threats and may have actually made...
As an engineer, I have been brought up to work with number, physics, and logic. As a control systems engineer, I have brought up to focus on reliability and safety - we want the process to work and not to hurt people.
I am aware of a utility having just performed a SCADA upgrade with a major SCADA supplier. The previous version was not secure. Part of the upgrade process was to secure the new version. Following the completion of the upgrade, the vendor is remotely accessing the live SCADA system and...
Critical infrastructures include water, oil/gas, pipelines, chemicals, manufacturing, telecommunications, transportation, etc. Their continued operation requires the electric utility industry to be available. However, the electric utility industry is also a cyber threat to all of those end-users. That threat is Aurora.