Bipartisan Policy Committee Report on Cyber Security of the Electric Grid – What’s Missing
I reviewed the Bipartisan Policy report and then had a chance to meet with one of the project leads to discuss some of my concerns. I will address the big picture policy issues as they continue to recur in almost all industries and industrial organizations (there is a reason I am giving a lecture on control system cyber security at West Point next month).
The concern about cyber security of the electric grid is grid reliability. I believe the only means for cyber threats to cause long term and wide-spread grid failure is through compromising the control systems of facilities leading to physical damage of long-lead time critical equipment such as transformers and turbines. This could lead to long term outages of 6 months to more than a year (see recent Wall Street Journal article). There are two points that were missed not only in the Bipartisan Policy report but others - this is control system cyber security (not IT) and the focus is reliability and safety (not confidentiality or privacy). Policies need to address this focus.
Why should we care - there have already been more than 50 actual control system cyber incidents in the North American electric industry including 4 major control system cyber-related outages that affected at least 90,000 customers! This doesn’t include utility pipeline issues such as PG&E’s San Bruno natural gas pipeline rupture that killed 8, cost PG&E more than $590 Million to date, its CEO and several senior executives, and unfortunately resulted in regulators making the natural gas industry cyber vulnerable.
There are many nation-states that are developing offensive cyber capabilities to specifically target our critical infrastructures. This past year a security researcher created a control system honeypot (a simulated system meant to look like a real facility to attract attackers) to look like a small water utility in rural Missouri. Within 17 hours, that system was being attacked from Russia, China, the Middle East, etc with some of the attacks specifically aimed at compromising the control systems. Additionally, I reviewed an Iranian control system engineer’s articles (very competent) on Stuxnet and safety systems used in chemical plants, nuclear plants, water treatment facilities, etc.
A cyber attack may not be an isolated incident in disabling the nation’s infrastructure and could be a precursor to a larger attack that could include further larger acts of terrorism. Such a cyber attack could limit the nation’s response to any kind of attack that would follow.
What was missed in the report? Let me count the ways:
There was essentially no control system cyber security expertise – the ICS community still does not have a seat at the table! There is no chance to solve this problem if senior management does not get it.
This is a reliability problem not a security problem. The only reason to care about security is if it can affect “keeping the lights on”. The utility test bed (at a small utility) is trying to change the paradigm to this being an engineering issue, that good engineering will result in improved security, and will have a positive ROI (what a novel concept).
A major issue in every industry is the culture clash between IT and Operations. You can’t improve security when IT is more worried about a NERC audit than hackers and when Operations is more concerned about IT shutting down their systems than the hackers.
There is already a substantial effort dealing with control system cyber security – ISA99. The leaders are the chemical and petrochemical industries NOT the utilities. Neither NERC, the utilities, NEI, or the nuclear utilities are actively participating in the ISA99 efforts where REAL control system security is being addressed (IEC62443 was specifically mentioned in the NIST framework). Thanks to the chemical and petrochemical industries, there is already an equipment certification process certifying the same equipment the utility industry uses. We cannot afford to have a separate certification process just for the electric industry.
Information sharing is based on trust not having a security clearance. It also doesn’t help when NERC and even NRC refuse to indentify actual cyber incidents as cyber.
Thanks to the NERC CIP process, size matters - in the opposite direction. Fear of NERC CIP audits have directly led to a DECREASE in grid reliability (remove systems that could potentially be audited), stifled innovation, and minimized engineering input. In addition, the NERC CIP process is actually a roadmap for hackers to know what systems are not being secured and even the types of security and schedule for those systems that will be secured.
The INPO concept is great but it requires relevant expertise. Unfortunately there is very little actual control system cyber security expertise in the electric or nuclear utilities that extends beyond putting check marks on paper.
As can be seen in a previous blog, the insurance industry doesn’t yet know how to address control system cyber security. This is critical as they can be the needed forcing function to get the utilities to actually secure their facilities.
The only interdependency issues mentioned were the “same old-same old”. There was no mention of interdependencies on vendors and no mention of Aurora where the utilities’ substations are the actual attack vectors against their customers’ equipment.
Lots of lessons here - what does it take for people to learn before it is too late?