Why Aren’t Solutions Addressing Problems?

I read about, or attend, government programs, industry programs, and industry conferences that purport to have solutions for “SCADA security”. All I can do is shrug my shoulders. There are several fundamental issues that have not yet been addressed:

- There is still a dreadful lack of understanding about legacy field devices (non-Windows-based systems). Recently, the following question was posed on the SCADAsecurity listserver: “What is unique about SCADA security?” I find it incredible that someone would be asking that question on that specific listserver at this time, and even more incredible were some of the answers.
- There is no information sharing, or even solid understanding, about actual control system cyber incidents.
- We are still learning. Systems today are complex and getting more so. The law of unintended consequences keeps recurring with unexpected results. I thought NIST SP800-53 was the most comprehensive programmatic approach available and would address existing case histories. However, the latest incidents show SP800-53 also needs to be extended.
- There is no “connecting the dots.” One of the lessons learned from 9-11 was to understand how seemingly independent events could be connected. I have identified over 90 cases (and growing) of control system cyber incidents. A cursory look shows there are some similarities. There needs to be a more comprehensive assessment to determine whether there are patterns in either intentional or unintentional events that can lead to improvements in policies, programs, and/or technologies.
- Many of the “SCADA security” solutions are repackaged IT solutions: another VPN, another firewall, etc. Again, that word crops up: “assume”. These solutions assume that the data entering the VPN is trusted; it isn’t. There are only two technologies that I am aware of that are trying to address this issue.
Hardware:
- There has been one public demonstration of an exploitation of a control system vulnerability that has actually destroyed equipment: Aurora. Prior to the disclosure, one company developed a hardware fix, in this case the Cooper REID relay. This problem was deemed so important that the Electric Sector ISAC issued an Advisory (not a requirement) and sent it to other industries. Since there did not appear to be a push by the electric industry to address the Advisory, a Congressional hearing was held, with follow-up FERC questions. To this day, very few utilities have bought the fix, and no one that I am aware of has implemented it. Why?

Software:
- Through DHS’ LOGIIC program, there have been several software solutions for “protecting” oil/gas control systems. One aspect of the solution is to identify potential cyber attacks by using a powerful software event correlation engine. Generally, legacy control systems have no forensics for cyber, and it is still not clear to me that we know the spectrum of control system cyber attack signatures. The lack of control system cyber forensics has been abundantly clear as we try to do retrospective analyses of control system cyber incidents.

Programs:
- The electric industry has developed the NERC CIPs to “protect” the bulk electric grid from cyber events. Since the publication of the NERC CIPs, I am aware of two major blackouts in the US that were cyber-related and that were outside the scope of the NERC CIPs. The NERC CIPs also would not have addressed a cyber-related major blackout that occurred prior to the issuance of the NERC CIPs.
- The nuclear industry has developed NEI-0404 to protect nuclear plants from cyber events. There have been two nuclear plants that have scrammed (shut down) because of cyber-related issues. Similar to the limitations of the NERC CIPs, NEI-0404 wouldn’t have addressed either of those two nuclear plant events.
Education:
There are very few (I don’t want to say zero) college courses dedicated to control system cyber security, particularly the technical issues. There is also a yawning gap in the academic community between control system expertise and computer science expertise. Efforts by Livermore National Laboratory to develop course material for control system cyber security focus on policy, not technology. The University of Illinois will be holding a Summer School session funded by NSF entitled “Cyber Security for Process Control Systems.” The course is focused on electric power systems, with no focus on power generation. Yet the term “process control” is reflective of generation, not T&D. And what about all the other “process industries”? Don’t they deserve equal time in a course about process control systems?

Even control system cyber security procurement guidelines are affected. The procurement guidelines need to address relevant control system issues that have been demonstrated to affect control system reliability and availability. So far, I do not believe this to be the case.

Joe Weiss