August 19th, I spent a day with the NERC Critical Infrastructure Protection (CIP) Version 5 Drafting team working on one of the NERC CIP Standards. The focus was on boundary protection, not on the actual control system devices and serial communications which were explicitly excluded. The vulnerabilities that could lead to major equipment damage and associated extended outages because of design features in the control system devices such as Stuxnet, system vulnerabilities such as Aurora, or measurement vulnerabilities such as serial HART communications were not addressed. Rather, the focus was on the traditional network issues – firewalls, routers, etc. Given the recent spate of IT hacks that have managed to make it through existing boundary protection, isn’t this thinking a bit antiquated? About the only discussion on actual control systems or facility operation came from the FERC representative not the utility attendees. The utilities’ and NERC’s concerns were how to minimize the number and activities needed to address the “Lows” (smaller facilities). There just doesn’t seem to be an appreciation of what a determined, knowledgeable attacker would attack. There also doesn’t appear to be an appreciation of just how common the equipment and the associated cyber vulnerabilities are across multiple facilities. That is, there does not seem to be an appreciation of just how many “Lows” could be compromised that could impact large portions of the bulk electric grid for a substantial period of time.
(Warning- major sarcasm) In order for the NERC CIP approach to be successful, NERC needs to hold a training session for the hackers on what the NERC ground rules are for their attacks – what is in scope for attacks and when. The hacker training should assure them that the utilities’ and NERC’s paper approach on Aurora is adequate and so they should not attempt to use that scenario. It should also convince them not to use available ICS metasploits because they are out of scope for NERC CIP mitigation.
Is there a question as to whether the lights will stay on?