NERC is creating a group called Hydra that will be a network of electric industry subject matter experts (SME) to handle modern fast-moving threats to the bulk power system. There is an open invitation for two hundred SME’s.
I applaud the intention of creating a cadre of SMEs. However, I have several observations on the difficulty of finding 200 SMEs for cyber security:
- I believe there are currently less than 100 control system cyber security experts world-wide, in all industries. Most of those real experts are not in the US electric power industry. Many of these electric industry “SCADA security experts” are not addressing “security” but are actually doing NERC compliance. Few of these “experts” are trained in control system design or operation. How will they know what to look for when addressing threats to control systems?
- There are minimal cyber forensic capabilities in legacy control systems. Consequently, what will the untrained eye look for?
- Many of the control system cyber incidents to date haven’t even violated IT security policies. These incidents include shutdowns of power plants and at least one regional outage. Again, what will the untrained eye look for?
The idea of having 200 SMEs is a noble, but non-trivial goal. How does NERC propose to get there?
Joe Weiss
Leaders relevant to this article: