Three blind mice

Jan. 1, 2000


Ironically, less than a week after the ICS Cyber Security Conference that NERC did not attend, NERC issued another set of Lessons Learned for three incidents:

- Failure of Energy Management System While Performing Database Update

While performing the restore procedure for the database, the standby communications server in the Primary Control Center was manually restarted. This caused the reversal of the database edits to fail and created faulty data files that synchronized across the integrated system servers. This is loss of integrity. According to Kaspersky’s Roel Schouwenberg’s presentation at last week’s Conference, this is similar to the loss of integrity attacks starting to occur.

- SCADA Failure Resulting in Reduced Monitoring Functionality

A utility’s primary control center SCADA servers became unresponsive, which resulted in a partial loss of monitoring and control functions for more than 30 minutes. Because this loss of functionality was a result of a conflict between security software configuration changes and core operating system functions, a cyber security event was quickly ruled out, and no loss of load occurred during this event. This is loss of availability. This event is similar to the loss of view/loss of control of a turbine that was discussed at the Conference.

- Loss of EMS – IT Communications Disabled

Transmission system operators lost the ability to authenticate to the EMS system, resulting in a loss of monitoring and control functionality for more than 30 minutes because a specific firewall policy allowing authentication failover from the local authentication server to the remote authentication server was inadvertently deleted. This is loss of integrity and availability. This event is similar to others that have occurred and also to issues associated with Stuxnet.

In each case, cyber communication issues resulted in system impacts. Were they malicious – NO; were they cyber incidents – YES; could you have accomplished these maliciously – YES! Why is NERC so insistent on not identifying obvious cyber incidents as cyber?

It appears that NERC has a very narrow definition of what is a cyber incident. Apparently, a cyber incident, in NERC terms, is an attack from outside the relevant network.

NERC may want to take note that one of the world’s most famous cyber attacks (Stuxnet) was an attack that originated within the network from ostensibly authorized individuals. Additionally, because of the lack of control system cyber logging and forensics, it may be difficult to distinguish an unintentional incident from an actual cyber attack.

It is far past time that we have a common definition of a cyber incident. Everybody else has a pretty good one. Maybe it is time that NERC started using it.

Joe Weiss