When is a vulnerability not a vulnerability? @INL @DOE #cybersecurity #pauto #smartgrid

Oct. 4, 2011

This is Walt, putting up a post for Joe, who wrote it before he left for Japan today.

When is a Vulnerability Not a Vulnerability? Apparently, when DHS says so. "A design defect that cannot be patched is not a vulnerability," DHS' Marty Edwards said at Weisscon last week.

And when will INL and DHS start paying attention to the edge devices in industrial control systems?

INL (Idaho National Labs) has issued a report for the Department of Energy: Vulnerability Analysis of Energy Delivery Control Systems (INL/EXT-10-18381) dated September 2011 (http://energy.gov/sites/prod/files/Vulnerability%20Analysis%20of%20Energy%20Delivery%20Control%20Systems%202011.pdf).

Energy delivery systems include transmission systems under NERC purview and distribution systems for Smart Grid. Energy delivery systems consist of control center SCADA systems and substation field devices, including Intelligent Electronic Devices (IEDs), Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), etc. Generally, the SCADA system is Windows-based with some degree of cyber security, while the field devices generally have minimal security and run proprietary real-time operating systems.
 
For years, DOE and INL have focused on the security of SCADA systems with much less focus on field devices. This decision was made despite the fact that field devices are inherently less secure and that compromises of these devices can lead to significant, long-term outages. Specifically, Stuxnet and the Aurora vulnerability target field devices, not control center SCADA systems.

Unfortunately, this most recent report continues the trend by focusing almost exclusively on SCADA systems. Ignoring RTUs, IEDs, and PLCs does not make sense when one considers the many known vulnerabilities in these devices. Moreover, it was demonstrated at last week's ACS Conference that it is no longer necessary to be a national lab or a nation-state to exploit these vulnerabilities. Neither INL nor DOE attended the ACS Conference.
 
Additionally, there is an inconsistency in the definition of cyber vulnerabilities. The DOE report states: "A cybersecurity vulnerability is a weakness in a computing system that can result in harm to the system or its operation, especially when this weakness is exploited by a hostile actor or is present in conjunction with particular events or circumstances." This is inconsistent with DHS's Marty Edwards' statement at last week's ACS Conference, when he said a design defect that can't be patched is not a vulnerability. Why is there a difference when INL has been involved in both projects?