Electric Power Utilities Are Not as Cyber Secure As They Say They Are
An Orderly Strategic Advance to the Rearward: The Cybersecurity of Electric Power Utilities Depends on How You Count It
Several times in the past few weeks I've seen articles in magazines and newspapers, and online that state as a fact that the electric power utilities have taken the lead in protecting the country's infrastructure from cyber attack. As we've shown repeatedly for years, nothing could be further from the truth. How "cyber secure" each utility is depends on how you count it. The North American Electric Reliability Corp. (NERC), which is both the trade association of electric utilities and the federal government's main regulator of those utilities, simply made it possible to have entire power plants and distribution facilities declared to be "non-critical" cyber assets. Why? Well, it seems they have excess generation capacity. What arrant nonsense!
By Walt Boyes
The very fact that there is, at a given point in time, excess generation capacity does not logically lead to the notion that a cyber attack will only happen to one generation station at a time. In fact, it is likely that such an attack will happen to all of them. Not a critical cyber asset? Says who?
Says the lawyers, that's who. The utility industries have been quick to treat cybersecurity exactly as they have treated safety—as regulatory compliance exercises. They comply with the regulations, no more and no less.
Why would the utilities not want to be measured on increasing security? It's about liability. If you admit there's a security problem, or even a security metric, then you have admitted liability—and when the power goes out and the root cause is traced to a cyber attack, the large users who have been inconvenienced will sue to recover what production they lost and what damages they suffered.
If the utilities treat the idea of cybersecurity as a regulatory compliance issue, not only are they not admitting that they might have liability, but also they can use the very fact of compliance as a defense against liability claims.
Meanwhile, what about making our power grid more secure? Since NERC is the regulatory body, as well as the trade association, it really doesn't have any reason to do that, and nobody to tell it to do it either. Congress doesn't look like it is going to do anything anytime soon, so NERC is in the clear until the lights go out.
Joe Weiss, our "Unfettered" cybersecurity blogger, said in a recent post that he believes the way to increased security in the utility sector isn't through NERC or government regulation, but through the insurance companies.
Joe wrote, "The insurance companies that insure industrial facilities are struggling to understand the new cyber risk as it is different from other risks already insured. When the insurance company insures a company or a facility, they do not assume that key pieces of equipment or key facilities will not have threats addressed. Yet that is precisely what the NERC CIPs do. They allow the utilities to exclude facilities, equipment, communications, etc. from any cyber inspection."
Once the insurance companies understand this, they will push for real cybersecurity measured by increased security, rather than by regulatory compliance. When the lights go out, the insurance companies are the ones that pay.
Currently, the penetration of cyber insurance in the private sector is very low (less than 20% of companies) and centered on enterprise security, not industrial control systems. It's even lower in the public sector. What this means is that the insurance companies don't understand the risks they are being asked to insure against. When they do, regulatory compliance instead of real security just won't cut it.
I think Joe is right. It may be that the "free market" will work better than any other way to improve security in the power utility industries. I sure hope so. I also own a very large generator.