I wanted to discuss some perceptions and misperceptions by a senior utility security manager as well as other individuals working on cyber security for the electric utility industry.
- NIST definition of a cyber incident
NIST’s definition of a cyber incident includes intentional and unintentional cyber threats. The senior security person told me he did not like the NIST definition. NIST has been designated as the technical focal point for Smart Grid and all proposed electric grid cyber security legislation. If industry doesn’t like NIST’s definition, work with NIST to change it or accept it.
- The need for control system cyber security policies
The senior security person felt there was no need for control system cyber security policies as, according to him, ISO-27002 applies across the board. This same feeling was expressed by a number of people in the NIST Cyber Security Smart Grid Working Group. The senior security person was not willing to accept that control systems can apply approximately 80% of IT policies, but 20% are control system specific and they are important. This is why NIST SP800-53 had to be extended to address control systems and ISA established a control system cyber security committee. Many control system cyber incidents including nuclear plant shutdowns and major power outages did not violate IT security policies. Doesn’t that say something about the inadequacy of IT security policies for control system applications? What is even more disconcerting is the NERC CIP Drafting Committee has refused to modify the NERC CIPs to require control system cyber security policies.
- Are cyber incident disclosure requirements adequate
The senior security person was adamant the electric industry was covered because of CIP-008 disclosure requirements. Mike Assante’s (NERC’s VP and Chief Security Officer) April 9th letter stated that approximately 70% of the generation and 30% of the generation assets (as well as 100 % of distribution) were not considered critical assets. Consequently, none of those assets would be addressed by CIP-008 as they were excluded from having to address ANY of the NERC CIPs and therefore would not be under any disclosure requirements.
In summary, the senior security person assured me his utility was doing a great job, but he could not tell me what that encompassed, including if they were doing more than just complying with the NERC CIPs. I told Mike Assante of these discussions. He was disappointed but not surprised.
The following is a note from Saturday August 1 from the SCADA listserver that demonstrates what is reality but not understood by many in our industry.
“We are an engineering organization in IRAN, we received an enquiry for retrofitting a control system, any company interested please contact me. The customer is a power plant. They have INFI90 DCS from Bailey (now ABB). They plan to migrate the monitoring part of this DCS to a PC based system, OPC Server and client. They want to keep the field wirings, Termination boards, I/O Modules, CPU and CIU. They want to replace all after CIU, which consists of VAX 3300 systems, Graphic Netstations and monitors.” This equipment is prevalent throughout North America. Anyone want to debate whether adversarial nation-states understand our equipment?
Suffice it to say, I am not comfortable our lights will stay on. Are you?