Is progress really being made on CONTROL SYSTEM cyber security

The SCADASec listserver continues to be unsettling to say the least. There are still multiple definitions that have no uniform meaning inside or outside the control system cyber security community. These include the terms IT, security, SCADA, etc. There have been numerous attempts to standardize definitions (ISA, NIST, PCSF, IEEE, etc), yet it still a work in progress. ITAA and other IT organizations are not part of this process. If you take a high enough view, all computing systems can be construed as part of Information Technology. It is the same with cyber security policies and procedures. At the highest level, the general requirements are the same - minimize unsecured remote access and take responsibility. Unfortunately, the devil is in the details. That is why ISO-17799, 27001, etc are not sufficient to address control systems.

 I would like to give kudos to Kevin Finisterre. On 9/16, he wrote:
This is kinda cool...

“Welcome to the SEL Relay Test Rack. Connect to real SEL relays from any computer that supports TELNET communications. When you click on the Telnet links below, your web browser will start   a "Telnet" session to an SEL Communications Processor. Through the   communications processor, you will be able to connect to one of   several different SEL relays, listed below.”

Interestingly enough, the SEL relay test rack website now has the following message:

“The SEL Relay Rack is temporarily unavailable.  We apologize for any inconvenience.”  I think this is the kind of public disclosure that can help industry by pointing out information that should not really be in a public venue. There are other more secure ways to get this information to the appropriate audience.

An indication of the convergence of the financial mess and the lack of control system cyber security understanding is a Wall Street firm’s response to the SCADASec listserver.  They have real-time data connections into power plants yet the financial firm’s management doesn’t yet see it as an unacceptable risk that needs to be addressed (sound familiar).

The electric and water industries have made progress in IT security and IT-like systems (modern SCADA and DCS). However, I believe progress in addressing field control systems in power plants and substations is still abysmal. There are no publicly available statistics about the number of power plants and substations that have been identified as NERC critical assets. FERC and Congress obviously are not satisfied with the progress in addressing general lack of addressing power plants (including Aurora) as can be seen from the Congressional hearings. As an example, SERC serves as the regional entity with delegated authority from NERC for proposing and enforcing reliability standards (including the NERC CIPs) within the Southeast Region. SERC includes the states of North and South Carolina, Georgia, Alabama, Tennessee, Louisiana, Kentucky, and parts of Texas, Oklahoma, Illinois, and Virginia (based on the SERC website map). There is not a single power plant (fossil or nuclear) in the SERC region considered a NERC critical asset despite the number of large nuclear and coal plants.

Friday I had a conversation with an individual from one of the largest coal plants in the country (not in the SERC region). In fact, this plant is larger than any individual nuclear unit. However, it is not a NERC critical asset. I have also been working with another utility with very large coal plants (again not in the SERC region). The multiple units make it one of the larger generating stations in the country. They are also not NERC critical assets. At the Electric Power 2008 Conference, a number of power plant managers talked about how their units were not NERC critical assets. In fact, one went so far as to say they are no longer a black start unit just to get away from the NERC CIP requirements. The past two weeks’ blogs described the abysmal (there is that word again) efforts of the water industry to address control systems. What does it take to get utilities to take security seriously?

The CSIS Industrial Control Systems (ICS) White Paper providing cyber security recommendations to the next presidential administration will be published in full. The actual CSIS report (48 pages long) will have a condensed ICS discussion with recommendations (approximately 700 words). There was a an additional comment in the shortened version thanks to input from an international colleague: “A number of North American control system suppliers have development activities in countries with dubious credentials (e.g. a major North American control system supplier has a major code writing office in China) and a European RTU manufacturer has code written in Iran” - so much for security by obscurity. The condensed discussion was provided to CSIS for comments this week. I will provide the final version once I have the comments from CSIS.

The SCADASec listserver is not meant to be a training course in control system cyber security. There are very few places to find credible control system cyber security training. This week, ISA will also be providing control system cyber security training in Houston and I will be giving a lecture on industrial control system cyber security at Mississippi State University.

Joe Weiss