CIPAC, FERC, NSF, FREEDM, CERT for Control Systems, CSIS and other acronyms...

Sept. 22, 2008
The CIPAC Metrics Workgroup for Water was convened by the Water Sector Coordinating Council and Government Coordinating Council to develop a national performance measurement system for the water sector. Consequently, they issued “Recommendations of the CIPAC Metrics Work Group for Water” dated June 2008. It is an extremely disappointing document. The document itself is 76 pages. The term “SCADA” is used 3 times. To the best I can tell, there were no control system cyber experts participating. The measure for SCADA protection capability is defined as the percent of SCADA transmission networks that are segregated from telephony or Internet networks. As a singular metric, this is obviously inadequate for assessing SCADA security compliance. The other mention of SCADA was “to establish physical and procedural controls to restrict access only to authorized individuals and to detect unauthorized physical and cyber intrusions. This was to be done by identifying critical facilities, operations, components, and cyber systems (such as SCADA) and then developing and implementing physical and cyber intrusion detection and access control tactics that enable timely and effective detection and response.” This is only part of a comprehensive solution.

The Water industry was also a key player in the development of “The National Infrastructure Advisory Council’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures” dated April 8, 2008. The word “SCADA” is not mentioned and there is a paucity of control system cyber security expertise. Additionally, there is a caveat to exclude regulation: “To be clear, none of the NIAC’s recommendations should be interpreted as a call for regulation.” Combine this with the AWWA webinar and it is scary how out-of-touch the water sector is when attempting to address control system (SCADA) security. For the country’s sake, it is critical to regulate the water utilities for cyber with input from knowledgeable experts.

I had an opportunity to speak to two universities with government funding. The first was Fabian Monrose and a team at University of North Carolina. Fabian has a DHS S&T-sponsored project on information sharing to test the effectiveness of data anonymization algorithms. As Dale Peterson stated in his blog, “the bad news is the current solutions often don’t do that great of a job, but if the community can get objective testing and recommendations for data anonymization perhaps we will be a step closer to information sharing.” The idea that technology to anonymize input will spur information sharing seems questionable at best. I don’t believe the reason for the lack of information sharing is technical. To my limited knowledge, DHS S&T is funding at least two other information sharing projects that have the same limitations – lack of industry input. Consequently, I talked to Fabian and found that, like the other two, he has “limited” data for control systems. Based on the success of information sharing in Australia and the UK, I continue to believe a non-governmental CERT for Control Systems with credible control system experts is needed before information sharing can work. Additionally, there is still a lack of legacy control system logging capabilities for control system cyber events. Once there is the desire to share information and also the ability to log control system cyber information, technological approaches can be viable.

The National Science Foundation has announced a new engineering research center focused on the Smart Grid. The FREEDM Systems Center (Future Renewable Electric Energy Delivery and Management), headquartered at North Carolina State University, launches with partnerships with utilities, vendors, universities and national laboratories from 28 states and 9 countries. It targets the usual issues (renewables integration, DG, storage, etc.) grouped into 10 areas that will culminate in a 1MW “green energy hub” demonstration project. It is supported by a five-year, $18.5M NSF grant with an additional $10M in institutional and industry support. Security is currently not a part of this effort.

FERC issued a proposed rulemaking on “Mandatory Reliability Standards for Critical Infrastructure Protection.” The purpose is to include nuclear power plants as they affect continuity of power. It will be extremely important for the nuclear industry’s credibility not to play the same games the utilities did with fossil plants by classifying these plants as non-critical assets per CIP-002. Can anyone in their right mind consider a nuclear power plant not to be a critical asset per CIP-002? In answer to questions, this requirement applies to EVERY US commercial nuclear plant that has cyber connections. What is also fascinating is the possibility of these plants having to meet conflicting standards.

On Thursday, I did a podcast for Dale Peterson. The salient questions and points were:

- There is a need for two different types of entities for disclosure. The first is a CERT for Control Systems (US CERT does not work) for end-users and vendors. The second is for security researchers as they find vulnerabilities. This will be the tougher nut to crack.

- Dale noted the pervasive flavor of the CSIS White Paper is the need for more education. This is absolutely true. All of us are still learning as the Hatch nuclear plant attests. However, there is a need to compile the expertise of the FEW control system cyber security experts.

- Dale also asked about regulation – is it really needed and what would be the best model. The answer to the first question is very simple – do you want your lights on? Anything less than regulation will not assure the availability of lights, water, oil/gas, chemicals, etc. Currently, the best model I know is the Nuclear Regulatory Commission’s (NRC) approach and the Regulatory Guide now in preparation. Once public, it can be useful to industries beyond nuclear. In fact, NERC and FERC need to take a close look at having appropriate sections of the Regulatory Guide replace the existing NERC CIPs, which are inadequate to assure anything but a pile of paperwork.

There has been a continuing blogathon on the need for disclosure of cyber researcher-identified disclosures. One aspect I believe is obvious is the difference between the control system and security researchers’ views on what can or should be disclosed and when. Until security researchers gain a better understanding of control systems and facility operations, there is little chance of resolving this impasse.

The recent federal pronouncements denigrating the work of DHS are right on target. This is another area where Dale Peterson and I disagree. According to Dale: “I have a hard time siding with Congress or the GAO reports they charter on these cyber security issues. The problems are hard, the Congress lacks the time and background to understand the issues, and it is too easy to grandstand on an issue like this. Listening to Congressional pronouncements on these topics make me more rather than less nervous.” (In view of full disclosure, Dale should mention that he is receiving funding from the organizations he is trying to defend.) I believe that Congress and GAO are sufficiently informed to make very clear defensible statements. I believe them before I believe DHS, NERC, water, or some of the other so-called experts. In that vein, let’s hope Mike Assante can turn NERC around before it is too late.

This week the DNP Users Group met in Kansas City. Jake Brodsky attended and can provide his insights.

Joe Weiss