I just returned from participating on a panel session at Electric Power 2008 in Baltimore. Electric Power 2008 is focused on electric power generation (not transmission and distribution). Consequently, it was fascinating to hear what the generation attendees felt about security and the NERC CIPs as well as to see what the next generation of power generation technologies would look like with respect to cyber.
I thought there were three important points made during the panel session:
- Cyber is real and needs to be addressed. One utility experienced three cyber-related plant trips that resulted in significant costs
- According to a retired security manager at NSA, the NERC CIPs are not adequate and simply trying to meet compliance and not actual security is not acceptable to protect the critical infrastructure
- One of the attendees noted that his plants are not considered critical cyber assets so he was at a loss at what could he do.
Some generation managers considered NERC CIP compliance a “game” to remove assets from CIP-002 without realizing they were shooting themselves in the foot by not addressing the reliability threat. Specifically, at a meeting of plant managers, one manager of a very large coal-fired power plant was charged to ensure his plant was not considered a critical cyber asset. Another plant manager whose plant had black start capability and therefore deemed a critical cyber asset by CIP-002 considered it cost-effective to remove its black start capability. In both cases, the plant managers didn’t consider the potential cyber threat to reliability. They only thought about the cost of NERC CIP compliance, and possible fines, if their facilities were considered critical cyber assets. This same thought process occurs with transmission managers as they unplug their IP connections thinking that will exclude them from the NERC CIPs. This approach does exclude them from the NERC CIPs as currently written. However, it also eliminates the productivity improvements IP was implemented to bring as well as maintains the potential cyber vulnerabilities of serial and other non-IP connections. This thought process of generation and transmission managers defeats the intent of the need to secure the critical infrastructure.
Informal discussions with two DCS suppliers found they felt they were secure. However, in one case, a recent factory acceptance test (FAT) had no testing for security. In a second instance with another vendor, the vendor claimed his system was secure and the utility agreed. However, when I contacted the utility engineer, he said the vendor was not addressing specific vulnerabilities. Seems like a disconnect doesn’t it?
Finally, there is a great need for senior management buy-in that security is important for reliability and the bottom line, not for the sake of compliance. We are hoping to find a few senior executives willing to carry that message.