Perceptions and misperceptions on control system cyber security

I wanted to discuss some perceptions and misperceptions by a senior utility security manager as well as other individuals working on cyber security for the electric utility industry.

- NIST definition of a cyber incident
NIST’s definition of a cyber incident includes intentional and unintentional cyber threats. The senior security person told me he did not like the NIST definition. NIST has been designated as the technical focal point for Smart Grid and all proposed electric grid cyber security legislation. If industry doesn’t like NIST’s definition, work with NIST to change it or accept it.
- The need for control system cyber security policies
The senior security person felt there was no need for control system cyber security policies as, according to him, ISO-27002 applies across the board. This same feeling was expressed by a number of people in the NIST Cyber Security Smart Grid Working Group. The senior security person was not willing to accept that control systems can apply approximately 80% of IT policies, but 20% are control system specific and they are important. This is why NIST SP800-53 had to be extended to address control systems and ISA established a control system cyber security committee. Many control system cyber incidents including nuclear plant shutdowns and major power outages did not violate IT security policies. Doesn’t that say something about the inadequacy of IT security policies for control system applications?  What is even more disconcerting is the NERC CIP Drafting Committee has refused to modify the NERC CIPs to require control system cyber security policies.
- Are cyber incident disclosure requirements adequate
The senior security person was adamant the electric industry was covered because of CIP-008 disclosure requirements.  Mike Assante’s (NERC’s VP and Chief Security Officer) April 9th letter stated that approximately 70% of the generation and 30% of the generation assets (as well as 100 % of distribution) were not considered critical assets. Consequently, none of those assets would be addressed by CIP-008 as they were excluded from having to address ANY of the NERC CIPs and therefore would not be under any disclosure requirements.

In summary, the senior security person assured me his utility was doing a great job, but he could not tell me what that encompassed, including if they were doing more than just complying with the NERC CIPs. I told Mike Assante of these discussions. He was disappointed but not surprised.

The following is a note from Saturday August 1 from the SCADA listserver that demonstrates what is reality but not understood by many in our industry.
 
“We are an engineering organization in IRAN, we received an enquiry for retrofitting a control system, any company interested please contact me. The customer is a power plant. They have INFI90 DCS from Bailey (now ABB). They plan to migrate the monitoring part of this DCS to a PC based system, OPC Server and client. They want to keep the field wirings, Termination boards, I/O Modules, CPU and CIU. They want to replace all after CIU, which consists of VAX 3300 systems, Graphic Netstations and monitors.”  This equipment is prevalent throughout North America. Anyone want to debate whether adversarial nation-states understand our equipment?

Suffice it to say, I am not comfortable our lights will stay on. Are you?

Joe Weiss

Show Comments
Hide Comments

Join the discussion

We welcome your thoughtful comments.
All comments will display your user name.

Want to participate in the discussion?

Register for free

Log in for complete access.

Comments

  • <p> "This equipment is prevalent throughout North America. Anyone want to debate whether adversarial nation-states understand our equipment?" </p> <p> My impression is that the threat by foreign nations or organizations (such as Al-Qaida) is sometimes misunderstood. People think about Internet-based WAN connectivity and about computer geniusses in China and Russia... while all that it takes is simply MONEY. </p> <p> Let's assume an organization in Iran (Russia, Pakistan, ...) intends to launch a cyber attack against the US electrical grid. They certainly have the option of fiddling around with DCS protocols and applications up to the point where they MIGHT have enough understanding to try launch an attack. On the other hand, they could just raise enough money (enough translates to approximately 100K $) and simply hire someone who is technically capable of executing the attack, even from within the US, which may come with the benefit of hiding traces, avoiding retaliation etc. </p> <p> There are enough offerings both on the black and the grey market for buying zero-day exploits, and my theory is that several bucks on top will buy you some decent DCS attack software. Enemies don't need knowledge, they only need money. Little money, in our case. Remember "Charlie Wilson's war"? You shoot down an attack helicopter worth 1 million $ with a 10 k $ missile -- that's a good business... </p>

    Reply

RSS feed for comments on this page | RSS feed for all comments