Observations from July 21st Hearings

July 28, 2009

I wanted to provide my observations on the July 21st House Homeland Security hearings.

The first point is that Congress is obviously not happy with the pace and content of the electric industry’s response.

As stated by Chairwoman Yvette Clarke, “My colleagues on the Homeland Security Committee and I have spent nearly three years identifying and reviewing the security protections that are in place to mitigate the effects of any intentional or unintentional attack on the electric system. Our goal is to determine whether appropriate protections are in place that would mitigate catastrophic incidents on the grid. Our review has required extensive discussions and review with the private sector, which owns, operates, and secures the grid. The private sector develops its own security standards. The private sector also oversees compliance with these standards. In short, the private sector has the responsibility for securing the grid from electromagnetic events and cyber attacks.”

“In the course of our review, we have questioned hundreds of experts and reviewed thousands of pages of research and analysis. Many have submitted statements for the record today. They have all reached one conclusion: the electric industry has failed to appropriately protect against the threats we face in the 21st century.”

“In the past, this Committee has been deeply critical of the standards that the industry has written. They are, in the words of GAO, NIST, and other independent analysts, ‘inadequate for protecting critical national infrastructure.’ The Committee has suggested that the industry adopt NIST standards for control systems if it hopes to achieve greater security. My understanding is that the industry has not embraced this suggestion.”

“The Committee has also been critical of the industry’s effort to timely mitigate the Aurora vulnerability. What should have been an urgent action issue has taken some utilities years to fix. Many have not even hardened their assets at all. This is especially troubling, given the catastrophic damage that could be caused by an Aurora-style attack.”

“Today there’s a new problem. Many in industry are apparently trying to avoid compliance with their own inadequate standards. I am deeply concerned about this irresponsible behavior. A letter dated April 9, 2009, which is attached for the record, sent to industry by NERC, suggests that industry is choosing not to identify critical assets in order to avoid securing them. According to NERC, only 29% of Generation Owners and Generation Operators reported identifying at least one critical asset. 63% of Transmission Owners identified at least one critical asset. This effort seems to epitomize the head-in-the-sand mentality that seems to permeate broad sections of the electric industry. The Committee will be following up with NERC to learn which utilities have not appropriately identified assets, and seek to make this information public.”

“It is amazing that many within the industry would gamble with our national and economic security than implement precautionary security measures. This calculus amazes me even more when you realize that utilities can be reimbursed for these security expenditures in their rate cases.”

“I’m at a loss to explain why the industry isn’t appropriately securing its assets. But clearly, the time has come for change. I am pleased to join Chairman Thompson, Ranking Member King, and my other colleagues in co-sponsoring HR 2195. Given the industry’s lackluster approach towards securing its own assets, I believe this measure will provide the Federal Energy Regulatory Commission with the appropriate authorities to ensure that our grid is secure and resilient against the threats we face in the 21st century.”

“This Subcommittee will continue to perform vigorous oversight until we are satisfied that progress is being made.”

Some comments on specific testimony:

Mike Assante (NERC VP and Chief Security Officer; he is the author of the April 9th letter referred to by Chairwoman Clarke):
“NERC is not aware, however, of any cyber attacks that have directly affected the reliability of the power system in North America to date.”
Assante is technically correct. However, the statement depends on the definition of the term “cyber attack”. I know of no malicious targeted cyber attack that has affected the bulk electric grid. There have been at least three cyber-related incidents (none were malicious) that have caused significant power outages. There was also one case where a SCADA system was targeted and incapacitated for a significant period of time but it did not affect power supply.

Mike Assante: “NERC develops all its Reliability Standards through an ANSI-accredited process, which we believe provides the appropriate framework for ensuring that subject matter expertise is used to create and vet the standards. Though use of an ANSI-accredited process is not specifically required, the Federal Power Act does specify that the standards development process must “provide for reasonable notice and opportunity for public comment, due process, openness, and balance of interests in developing reliability standards….” (Sec. 215(c)(2)(D)). In certifying NERC as the ERO, FERC found that NERC’s ANSI-accredited standards setting process meets these requirements. The standards development process is set forth in NERC’s Rules of Procedure, which FERC has approved.”
As Chairwoman Clarke pointed out, self-regulation hasn’t worked. FERC’s Joe McClelland also made that very clear in his prepared testimony and response to questions. It’s okay for NERC to develop the standards in an ANSI-accredited fashion, but they shouldn’t be responsible for certifying compliance to their own standards. That should be somebody else’s job—like FERC.

Pat Hoffman (DOE Acting Assistant Secretary, Office of Electricity Delivery and Energy Reliability): “No single methodology or tool has been used to assess risks to energy sector assets, such as the Nuclear Regulatory Commission’s design basis threat (DBT) which is used to design safeguards and systems to protect against acts of radiological sabotage and to prevent the theft of special nuclear material. Lessons learned from DBT analysis in the nuclear industry could be applied to the electric industry especially for large generating stations, large substations and major control centers.”
This could be a great step forward.

Steve Naumann (Vice President of Wholesale Markets, Exelon; representing the Edison Electric Institute and the Electric Power Supply Association): “In summary, NERC, using a well-defined stakeholder process that leverages the vast technical expertise of the owners, users, and operators of the North American electric grid (including those in Canada with whom we are interconnected) develops reliability standards, which are then submitted to FERC for review and approval.”
I agree there is tremendous expertise in reliability and system operations. Unfortunately, there are very few control system cyber security experts. We should be figuring out how to grow more.

Steve Naumann: “Furthermore, every utility operates different equipment in different environments, making it difficult to offer generalizations about the impacts to the bulk power system or costs and time required to mitigate any particular threat or vulnerability.”
From a control system cyber perspective, this is not true. The instrumentation and control system vendors supply common hardware platforms with standard software packages; the control system protocols are the same; and many utilities are interconnected to each other and to the ISOs. This is why standards are effective.

Steve Naumann: “We perform penetration tests where a contractor attempts to find and exploit vulnerabilities. The results of these regular penetration tests inform us about whether our preventive strategies are working so that we can enhance our protection as technologies and capabilities evolve. These penetration tests, which allow us to practice and enhance our monitoring capabilities, also yield lessons learned that are unique to our system. Because no two utility companies have identical network, hardware or logistical configurations, no single entity will know our system’s strengths or weaknesses quite like we do.”
Penetration testing on systems such as PLCs will shut them down. I don’t think that is happening. When it does happen, such as the Hatch Nuclear Plant incident, it becomes very evident.

Steve Naumann: “Thus, we believe that the ISAC is providing timely and relevant analysis and alerts to the industry.”
I do not believe this or we wouldn’t still have plants being shut down from known cyber causes. There would also be relevant alerts to prevent another Florida-type outage. I want to make one other point: June 20, 2003 the Electric Sector ISAC made recommendations to address the Slammer worm including telecom. The Final Report of the Northeast Outage made similar recommendations. The NERC CIPs excluded those recommendations. Why isn’t the industry heeding their own advice?

Mark Fabro (President and Chief Security Scientist, Lofty Perch):
“Attacks that compromise availability, integrity, and confidentiality can easily be launched against infrastructure systems, and we cite examples such as the worm attack on the Davis-Besse nuclear plant and the hacker attack on the California ISO.”
The Davis-Besse incident occurred when a contractor brought in a laptop contaminated with the Slammer worm. That was not an attack and did no damage. It was, however, a functional security incident. The California ISO was an attack, but not against the SCADA system and did not impact the California ISO’s ability to monitor or control the grid. There are better examples that could have been used to demonstrate significant impacts on integrity or availability.

We need to move to a definition of functional security that includes malicious external or internal attacks, accidental attacks, and simple accidents if we are going to have a working functional security culture in the critical infrastructure industries.

Mark Fabro: “We have seen the NERC standards in action that, when implemented, have reduced an entity’s risk profile by orders of magnitude.”
If this were correct, Mike Assante wouldn’t have issued his letter. I don’t believe much has changed since April. How can utilities have generated so much risk reduction when they’ve excluded most of their critical assets, serial connections, telecom, distribution, and even control system cyber security policies? The other question is what baseline enabled such significant risk reduction? Compared to when, what, or whom?

Mark Fabro: “New activities that will attempt to create a secure energy infrastructure through hyper-rigorous compliance mandates is not the right approach. In the past we have seen how the process for instantiating new mandates can bring progress to a grinding halt, and any new changes could actually reduce the security posture of the electric system while entities struggle to align with new directives. The stakeholder community may be very unreceptive to new instruction and mandates, especially if it could make their historical progress obsolete.”
The NERC CIPs are for compliance, not security. This Hearing is because the utilities have not secured the grid (Mike Assante’s letter) and further regulation IS required unless they immediately begin to police themselves…and they have given no indication they will even at this Hearing.

Mark Fabro: “Specific technological security testing, perhaps under Cooperative Research and Development Agreement (CRADA) initiatives, could augment the analysis and processing of cyber security incidents that impact the bulk power system.”
Yes, that’s possible. However, the CRADA process is for the benefit of the control system vendor, not the end-users as all information flows to the vendor. There needs to be a process where the end-users actually get the results of the testing.

With all of the talk about EMP, several years ago I performed an assessment of the effect of an EMP event on SCADA systems. Additionally, one of my first projects when I was managing the EPRI Nuclear Plant Instrumentation and Diagnostics Program was to analyze the effects of Electromagnetic Interference (EMI) on nuclear plant controls and instrumentation. EMI is a less intense form of EMP. I think the utilities have done significant mitigation for EMI, resulting in more EMP mitigation than is taken credit for.

Joe Weiss