CIPAG, FERC, NSF, FREEDM, CERT for Control Systems, CSIS and other acronyms...

The CIPAG Metrics Workgroup for Water was convened by the Water Sector Coordinating Council and Government Coordinating Council to develop a national performance measurement system for the water sector. Consequently, they issued “Recommendations of the CIPAC Metrics Work Group for Water” dated June 2008. It is an extremely disappointing document. The document itself is 76 pages. The term “SCADA” is used 3 times. To the best I can tell, there were no control system cyber experts participating.  The measure for SCADA protection capability is defined as the percent of SCADA transmission networks that are segregated from telephony or Internet networks. As a singular metric, this is obviously inadequate for assessing for SCADA security compliance. The other mention of SCADA was “to establish physical and procedural controls to restrict access only to authorized individuals and to detect unauthorized physical and cyber intrusions. This was to be done by identifying critical facilities, operations, components, and cyber systems (such as SCADA) and then developing and implementing physical and cyber intrusion detection and access control tactics that enable timely and effective detection and response.” This is only part of a comprehensive solution. The Water industry was also a key player in the development of “The National Infrastructure Advisory Council’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures” dated April 8, 2008. The word “SCADA” is not mentioned and there is a paucity of control system cyber security expertise. Additionally, there is a caveat to exclude regulation; “To be clear, none of the NIAC’s recommendations should be interpreted as a call for regulation.”  Combine this with the AWWA webinar and it is scary how out-of-touch the water sector is when attempting to address control system (SCADA) security. For the country’s sake, it is critical to regulate the water utilities for cyber with input from knowledgeable experts. 

I had an opportunity to speak to two universities with government funding. The first was Fabian Monrose and a team at University of North Carolina.  Fabian has a DSH S&T-sponsored project on information sharing to test the effectiveness of data anonymization algorithms. As Dale Peterson stated in his blog, “the bad news is the current solutions often don’t do that great of a job, but if the community can get objective testing and recommendations for data anonymization perhaps we will be a step closer to information sharing.” The idea that technology to anonymize input will spur information sharing seems questionable at best. I don’t believe the reason for the lack of information sharing is technical. To my limited knowledge, DHS S&T is funding at least two other information sharing projects that have the same limitations – lack of industry input. Consequently, I talked to Fabian and found that, like the other two, he has “limited” data for control systems. Based on the success of information sharing in Australia and the UK, I continue to believe a non-governmental CERT for Control Systems with credible control system experts is needed before information sharing can work. Additionally, there is still a lack of legacy control system logging capabilities for control system cyber events. Once there is the desire to share information and also the ability to log control system cyber information, technological approaches can be viable.

 The National Science Foundation has announced a new engineering research center focused on the Smart Grid. The FREEDM Systems Center (Future Renewable Electric Energy Delivery and Management), headquartered at North Carolina State University, launches with partnerships with utilities, vendors, universities and national laboratories from 28 states and 9 countries. It targets the usual issues (renewables integration, DG, storage, etc.) grouped into 10 areas that will culminate in a 1MW “green energy hub” demonstration project. It is supported by a five-year, $18.5M NSF grant with an additional $10M in institutional and industry support. Security is currently not a part of this effort. 

FERC issued a proposed rulemaking on “Mandatory Reliability Standards for Critical Infrastructure Protection. The purpose is to include nuclear power plants as they affect continuity of power. It will be extremely important for the nuclear industry’s credibility not to play the same games the utilities did with fossil plants by classifying these plants as non-critical assets per CIP-002. Can anyone in their right mind consider a nuclear power plant not to be a critical asset per CIP-002? In answer to questions, this requirement applies to EVERY US commercial nuclear plant that has cyber connections. What is also fascinating is the possibility of these plants having to meet conflicting standards.

 

On Thursday, I did a podcast for Dale Peterson. The salient questions and points were:

- There is a need for two different types of entities for disclosure. The first is a CERT for Control Systems (US CERT does not work) for end-users and vendors. The second is for security researchers as they find vulnerabilities. This will be the tougher nut to crack.

- Dale noted the pervasive flavor of the CSIS White Paper is the need for more education. This is absolutely true. All of us are still learning as the Hatch nuclear plant attests. However, there is a need to compile the expertise of the FEW control system cyber security experts.

- Dale also asked about regulation – is it really needed and what would be the best model. The answer to the first question is very simple – do you want your lights on? Anything less than regulation will not assure the availability of lights, water, oil/gas, chemicals, etc. Currently, the best model I know is the Nuclear Regulatory Commission’s (NRC) approach and the Regulatory Guide now in preparation. Once public, it can be useful to industries beyond nuclear. In fact, NERC and FERC need to take a close look at having appropriate sections of the Regulatory Guide  replace the existing NERC CIPs which are inadequate to assure anything but a pile of paperwork.

 

There has been a continuing blogathon on the need for disclosure of cyber researcher-identified disclosures. One aspect I believe is obvious are the differences between the control system and security researchers views on what can or should be disclosed and when. Until security researchers gain a better understanding of control systems and facility operations, there is little chance of resolving this impasse.

 The recent federal pronouncements denigrating the work of DHS are right on target. This is another area where Dale Peterson and I disagree. According to Dale: “I have a hard time siding with Congress or the GAO reports they charter on these cyber security issues. The problems are hard, the Congress lacks the time and background to understand the issues, and it is to easy to grandstand on an issue like this. Listening to Congressional pronouncements on these topics make be more rather than less nervous.”  (In view of full disclosure, Dale should mention that he is receiving funding from the organizations he is trying to defend.)  I believe that Congress and GAO are sufficiently informed to make very clear defensible statements. I believe them before I believe DHS, NERC, water, or some of the other so-called experts. In that vein, let’s hope Mike Assante can turn NERC around before it is too late. 

This week the DNP Users Group met in Kansas City. Jake Brodsky attended and can provide his insights.

 Joe Weiss 

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments