Electric Grid Cyber Vulnerability Who’s to Blame? What Now?

May 14, 2009

This blog is essentially a follow-on to Walt's earlier blog on the electric industry's lack of critical assets.

There is plenty of blame to go around for the current state of cyber vulnerability of the electric grid – the consultants for performing inadequate assessments and not informing the utilities they were not complete; the utilities for accepting inadequate assessments and not asking questions about why the assessments weren’t adequate, and NERC for continuing to allow this to happen.


Mike Assante’s letter of April 7th should have been a rallying cry to do the right thing. Obviously it didn’t work. On May 6th the NERC Board approved the latest version of the NERC CIPs without addressing the problems in CIP-002 that Mike identified.

The reason for improving electric grid cyber security is to maintain electric service reliability for the grid and for customers. If the industry doesn’t address customers (distribution), it cannot address the Smart Grid, which is primarily distribution.

Three Object Lessons
Three relatively small utilities recently had established consultants complete NERC assessments. Even though these utilities are small, they have inter-ties with larger utilities, and as noted in the NERC Annual Report, NERC is concerned about weak links between utilities.

One utility security consulting firm performed assessments for two of the utilities and identified ZERO critical assets. Both utilities have combustion turbines and automated substations. While working for this consulting firm, I actually worked on substation automation for one of the utilities in question and identified several security issues inherent in the substation automation design. Those issues have not, to my knowledge, been addressed.

It is not possible to have “no critical assets” when the purpose of substation automation is to allow remote access, interoperable communications, and inter-ties with other utilities. Automated, interconnected substations are by definition critical assets. Unfortunately, very little technology is available today to secure a substation. IEC 61850 introduces the IP and Ethernet communication world to substations, enabling IT-type security to be employed. However, at this point, some utilities are disconnecting their IP communications so they won’t have “critical assets”. Without IP connections, implementing IEC 61850 and/or the Smart Grid becomes difficult or impossible. And, even without IP connections, cyber vulnerabilities still exist in substations.

In the third case, the utility had another major utility consulting firm perform a NERC assessment with the expectation that security and compliance were the same. However, in this case, this consulting firm did not look beyond the limited scope of the NERC CIPs, thereby missing obvious critical assets. This included not identifying any of the automated substations as critical assets. Being secure and being compliant turned out to be completely different things in this case, leaving an obviously disappointed utility.

What’s Wrong with this Picture?
An engineer at one of the utilities asked me who you should trust, if you can’t trust your consultant to know what they are doing. It is a very good question. The two engineering consulting firms are credible companies with cadres of good engineers. However, there is a lack of CONTROL SYSTEM cyber security experts. Both of these firms, and other consulting firms for that matter, cannot be faulted for not hiring the proper experts if the experts aren’t there to be hired. And the fact is they are not there.

I remember an ISA Northern California Section cyber security conference several years ago where a very large water consultant had cyber security people attend. This consultant has very experienced control systems engineers. Unfortunately, the cyber security “expert” wasn’t one of them. In fact, he had to ask what a Programmable Logic Controller (PLC) was.

As I testified recently to Senator Rockefeller in a Senate committee hearing, there is no university curriculum nor are there certifications for control system cyber security. There are a miniscule number of control system cyber security experts and very few are in the electric power industry. Simply being able to spell “SCADA” does not make one an expert. What should scare people is the response from an individual last week on the SCADA listserver on the subject of defining CIP (Critical Infrastructure Protection). The poster stated: “I appreciate the clarification. I'm just getting involved in a couple of SCADA projects and need all the quality information I can get my hands on.”

If we want to assure adequate security as we go forward with or without the Smart Grid implementation, we need to stop mistaking compliance for security. We need to design the Smart Grid with integral security provisions. If the electric utility industry will not do it voluntarily, and it is becoming extremely clear by their actions and inaction that they will not, then legislation to compel them to do so is the only remedy.

Joe Weiss