Comments on Digital Bond’s Top 10 SCADA Cyber Security Stories in 2008

Enclosed are my comments (indented) on three of Digital Bond’s top 10 SCADA Security Stories in 2008. I find it interesting that the NRC’s Cyber Security Rule and the development of the Regulatory Guide (gee, something technically adequate and with teeth) aren’t even mentioned.

5. Blue Ribbon Cyber Security Recommendations for Obama
Control system security had a prominent place in the CSIS recommendations to the next President. We didn’t agree with the recommendations, but it is another data point on the increased attention to control system security.
   This could be one of the most important vehicles the control system industry has to become mainstream with the Washington establishment. It is unclear to me how Digital Bond can disagree with the recommendations that are based in fact and actual events.

The quote from Tom Donahue from the CIA, with very non-specific information about electric utility intrusions, still pops up in presentations. Please, if you can’t provide any details, don’t bother with the FUD statements.
   After having discussed this with the appropriate individuals, it is clear to me this actually occurred. Unfortunately, because it was the CIA, the details are classified. I was at the RSA Conference in April when a utility panel also dismissed the CIA’s disclosure as FUD. Unfortunately, the only organization that keeps throwing this up is Alan Paller at SANS as part of his conference hype, which leads people to believe it is hype. What does it take to get the industry (and Digital Bond) to realize this is real? I believe this is one reason for industry’s (NERC and the utilities) refusal to accept the need to do something real (e.g., NIST and NRC) to secure our assets.

3. FERC Throws NERC Under The Bus / Congress Warms to Regulation
When Congress started looking at electric sector control system security, they were rough on FERC as well as NERC and the utilities. At the hearings in May it was clear that FERC had repaired any issues with Congress and was now pointing the finger at NERC and industry as the problem. By the end of the year the Congressional Committee was practically begging FERC to ask for legislation that would give FERC more regulatory clout.
Is it possible that NERC could be replaced as the ERO in the foreseeable future?
Congress seems to believe regulation is the answer. Congressional regulation is my best guess for the number one story for 2009.
   Since NERC and the utilities are obviously not taking this seriously (see the glaring technical issues with the CIPs, particularly CIP-002, and the reticence to immediately adopt NIST), isn’t it about time someone else takes it seriously?
Joe Weiss

Beginning in January, I will be providing a monthly subscription newsletter. Stay tuned for more details.