FERC Letter on Aurora and industry misstatements

The recent FERC letter to collect Aurora information has spawned some interesting reading. My comments are interspersed below in parentheses.

Dale Peterson had a blog post on his Digital Bond website today that states: "Unfortunately, there have also been suggestions that would delay risk reduction like throwing out the NERC CIP and replacing it with NIST SP800-53 (What's unfortunate about a document that requires utilities to do a complete job?). SP800-53 is a great document, but you have the large transmission and generation folks understanding terms like electronic security perimeters, critical cyber assets, and quoting CIP requirements (What's the point here? The large transmission and generation folks are not securing their systems). They are building security programs around that approach (that are not complete and allow them to exclude all kinds of critical systems). I cringe when I hear asset owners saying maybe we should wait because it looks like NERC CIP might change or be replaced. Even if you could snap your fingers and say replace CIP with SP800-53 it would set back efforts six months to a year. Even worse would be to start over with a new standard or wait for ISA SP99 Part 4 (what is worse about doing the right job?). There is momentum and improving security due to the NERC CIPs (dream on). I have seen it first hand both from utilities that have always cared about cyber security (pardon my incredulity, because if they always cared they would have done a comprehensive job long ago) and those that are only doing it because of NERC CIP. The worst thing would be to derail this train (NO! The worst thing to do is let this train run to the end and have the biggest false sense of security we have ever had)."

Tom Kropp from EPRI responded to a note I wrote to CIGRE with the following:

With due respect to Joe, his response to Marc's request is off the mark. U.S. Industry has responded responsibly to requests about their activities in response to the Aurora demonstration. (Most of the generating plants in the US have been excluded from being classified as critical cyber assets by the misuse of NERC CIP002 risk assessments. This has led to the exclusion of doing anything about Aurora.) NERC sent a survey to the industry and received good response (NO!); this was not as detailed as FERC would have liked, but it would be unsound practice to provide such detail without a strong guarantee that the information can be protected. We have a Freedom of Information Act (FOIA) in the US and it is not clear that information provided could be protected from a request, under FOIA, for that information. Accumulating detailed information on security practices could provide a wealth of information for would-be attackers. NERC and most industry people will tell you that Industry has, indeed, been responsive and is implementing the required mechanisms to protect against an Aurora-type attack (NERC has misled Congress and the public; that is the reason for the FERC request).

National security is too important to have people who should know better making comments like this. I am ashamed for them.

Joe Weiss