Why we need a holistic approach to control system cyber security

The old security adage is that you are only as secure as the weakest link in the chain. ABB, the leading international power and automation technology group, announced that twelve of its utility partners have formed a consortium spanning two continents to privately fund advanced research and testing into securing supervisory control and data acquisition (SCADA) systems that protect the nation's electric grid. "The formation of this consortium demonstrates the importance we have placed on cyber security," said Stephen Diebold, Manager Real-time Systems at KCP&L and Chairman of the consortium." Having access to the incredible assets at Idaho National Laboratory (INL) provides the consortium the ability to test a wide range of potential cyber security vulnerabilities." The new research will focus on validating remediation of issues discovered in previous DOE/OE NSTB-funded tests on successive releases of the Network Manager product, and will investigate additional security concerns that the consortium members and ABB wish to explore. ABB will supply the hardware, software and technical support necessary for the tests, and will use its Cooperative Research & Development Agreement with DOE and INL to facilitate the research effort. DOE will support this effort by making available the significant resources of the Idaho National Laboratory. DOE/OE's NSTB program will provide seed funding to jump-start this important industry initiative. Kudos for ABB and the utilities for doing this. However, there are other parts of the overall control system besides the control center SCADA that also need to be addressed. ABB like the other major suppliers are essentially multiple companies under one roof. The ABB division which makes SCADA systems is effectively a separate company than the ABB division that makes power plant control systems or substation equipment. Additionally, INL's National SCADA Test Bed is exactly that- a SCADA test bed not a substation equipment test bed. The reason for this blog is a recent announcement by ABB that their new OVR3 Recloser is Blue tooth-enabled. The research is focusing on the SCADA, not the input to it. This type of issue is not unique to ABB. I had the same conversation with another major control system/SCADA supplier. The SCADA engineer's response was that the SCADA was secure. The substation engineer stated they now have an Internet-based transformer monitoring solution with no security. Obviously, the substation monitoring is an input to SCADA. The Aurora demonstration is another example of why it is important to address other parts of the system than just the SCADA or DCS. Joe Weiss