The NERC CIPs have a number of characteristics that make them a roadmap for attacking the electric grid.
- They were developed by the NERC consensus process. The process is long, arduous, and inherently a “low bar”. As such, the process ends up trying to make things easier on the “attackee” rather than more difficult for the attacker.
- The CIPs are public and can be easily found on the Internet. Not only are the CIPs available, but so are the discussions behind the development of the CIPs. This is no different than other open standards processes.
- The CIPs are applied “uniformly” across all electric utilities in North America. What works against one utility can work against multiple utilities. As Mike Assante stated in his recent Senate testimony, the NERC CIPs are static and predictable. This means the CIPs cannot be responsive to newly discovered threats such as Stuxnet. Consequently, a successful, coordinated cyber attack, especially with new threats, is very possible.
- The CIPs identify what is in scope, but more importantly what is out of scope. This defies all logic for security, as a potential attacker now knows what is left unprotected. The attacker can use the unprotected asset to get at the “protected” asset. So much for securing critical assets.
- The CIPs provide a timetable for implementation. Consequently, a potential attacker knows how much time is available to develop an attack for those assets in scope. Those assets out of scope have no timetable.
What more can an attacker ask for?
What can the public ask for?
- End-to-end security of the grid – no exclusions
- Use available technology to secure control systems and develop appropriate technology where needed
- Mandate development of control system cyber security policies
- Regulate cyber security of the electric grid
- Hold executives accountable