I had a telephone and email exchange today with an international electric industry security standards committee that I would like to share. It goes to the heart of the issue that there is little knowledge and understanding of control system cyber security issues, and of the training that is required as a result.

The recent CIGRE D2.22 Security meetings in Florence, Italy had a presentation that stated “Developing Off-line tools for Risk Assessment” was “Done”. In my estimation, the area of risk assessment for industrial control systems (power systems, power plants, etc.) is not well understood. Consequently, this morning I had a conversation with the developer of the utility’s methodology. He stated it was for the IT infrastructure and not for power systems. Since IT security is reasonably well understood and extends beyond the control system domain, I believe the CIGRE Security Working Group should be focusing on what is not well understood: the control systems domain.

I received the following response from one of the other members of the Committee: “... once the relevant parts have been identified by appropriate personnel with the necessary skills, there is no reason why an IT security risk assessment framework could not be applied, again by appropriate personnel with the necessary skills.”

If control systems weren’t different than IT systems, we wouldn’t be discussing control system cyber security. If those people and skills actually existed within each of the utility organizations, these issues would not be relevant. If…

I do not believe there are enough people with the requisite skills who understand these issues. I have documented too many control system cyber incidents (including recent events that caused significant impacts) that were caused by inappropriate policies, procedures, technologies, and testing to believe that appropriate personnel and skills exist.

Joe Weiss
Comment:

Joe,

Since you decided to make your take on this discussion public, I feel that I need to make my side public too.

Firstly, some readers may not know Cigre; Cigre is the International Council on Large Electric Systems (abbreviated to Cigre from the original French name) and is one of the leading worldwide organisations on electric power systems, covering their technical, economic, environmental, organisational and regulatory aspects. Cigre is NOT a standards organisation.

The meeting you refer to is the meeting of study committee D2, working group WG D2.22. WG D2.22 is concerned with "Information Security for Electric Power Utilities".

The presentation you refer to was a presentation of a case study by one of the member utilities, covering the development of their IT security framework and its application to one part of their business. In this presentation they simply stated that, on their project, "Developing Off-line tools for Risk Assessment" was "Done".

You commented on this to the WG as you mention in your post, and I responded as a member of the WG. You have not quoted my response clearly in your post (you missed the closing quotation mark, so it's not clear where my quote ends), so I present it in its entirety below.

"I don't think anyone was in any doubt at the meeting that this framework is principally for risk assessment of IT infrastructure. This does not mean that it is simply not applicable to power systems/control systems; there will be some parts of it that are applicable, and there will be some parts that are not. Yes, IT security is reasonably well understood, but the parts of IT security which can be applied to power systems/control systems are more challenging to identify (for legacy reasons, because of technology convergence, because of lack of understanding of where IT exists in power systems/control systems, because of different risk profiles, etc.). However, once the relevant parts have been identified by appropriate personnel with the necessary skills, there is no reason why an IT security risk assessment framework could not be applied, again by appropriate personnel with the necessary skills.

I think that this is exactly what WG D2.22 is focused on: how to apply methodologies, standards, frameworks and technologies (which mostly already exist) in a manner that is relevant to the control systems domain."

I later further qualified my statement on personnel with the following:

"I have not made any assumption [regarding personnel] in my statement; I am simply stating that efforts must be made by appropriate personnel with the necessary skills, rather than just anyone, in order to be effective. I make no assumption that such personnel exist in numbers; I know that they are in short supply just as much as you do. Indeed, the Cigre work should be part of the toolbox that utilities can use to help develop such personnel."

Note that I have made these comments as an individual, and not on behalf of the WG (although a number of members have confirmed that they agree with me).

My conclusion 1: You and I seem to disagree on whether or not IT security skills have a place in control systems security efforts; I think they do, if applied appropriately by skilled personnel.

My conclusion 2: We agree that the skills to apply control systems security are in short supply.

I really don't know how much of an audience your blog has, so I may be talking to an empty room here, but I feel that it is important to set the record straight.

And I really don't understand the title "If pigs could fly...".

Regards,

Marc Tritschler
marc.tritschler@kema.com


