Project Hydra: will we get there?

NERC is creating a group called Hydra that will be a network of electric industry subject matter experts (SMEs) to handle modern fast-moving threats to the bulk power system. There is an open invitation for two hundred SMEs.

I applaud the intention of creating a cadre of SMEs. However, I have several observations on the difficulty of finding 200 SMEs for cyber security:
- I believe there are currently less than 100 control system cyber security experts world-wide, in all industries. Most of those real experts are not in the US electric power industry. Many of these electric industry “SCADA security experts” are not addressing “security” but are actually doing NERC compliance. Few of these “experts” are trained in control system design or operation. How will they know what to look for when addressing threats to control systems?
- There are minimal cyber forensic capabilities in legacy control systems. Consequently, what will the untrained eye look for?
- Many of the control system cyber incidents to date haven’t even violated IT security policies. These incidents include shutdowns of power plants and at least one regional outage. Again, what will the untrained eye look for?

The idea of having 200 SMEs is a noble but non-trivial goal. How does NERC propose to get there?

Joe Weiss

  • "I believe there are currently less than 100 control system cyber security experts world-wide, in all industries."

    Interesting aspect. How can such experts be identified? What would help an asset owner to make an educated decision about the qualification of a consulting company? What would the formal education of a SME look like?

    The fact of the matter is: All these questions can't be answered easily, and this tells a lot about the state of our art. Governments have spent millions in research programs over the last couple of years, but we still don't have solid qualification programs in place that would produce said experts.


  • Ralph- Thanks for being a straight man for me on this subject. There are no formal mechanisms for designating who is truly an SME. That said, there are currently no certifications or academic curricula devoted to the technical aspects of control system cyber security. (Livermore National Lab has been working on policy issues.) The Professional Engineering (PE) exams for Control Systems, Electrical Engineering, Nuclear Engineering, Mechanical Engineering, Chemical Engineering, etc. do not have questions on security. Neither the CISSP nor CISM exam has questions on control systems. When I did my Master's in Strategic Planning for Critical Infrastructures at the University of Washington, I had to rewrite the draft textbook we used on cyber security of the critical infrastructures. The 1000 page graduate textbook we used for cyber security made NO mention of SCADA/control systems.

    It also begs an interesting question with respect to NERC CIP-004 and NEI-0404. Do you have to be an SME to provide the required training?

    Joe Weiss


  • Patrick Coyle

    Chemical Facility Security News

    Joe:

    As I pointed out yesterday in my blog on this subject, the problem is about to get worse as DHS is preparing to issue its guidance on cyber security for high-risk chemical facilities. Their original draft guidance treated control system security just like IT security, which drew a number of negative comments. When that new guidance document is issued it will need to be applied, almost immediately, to the site security plans being developed for 7,000 high-risk chemical facilities. There is going to be a need for more than 200 control-system cyber-security experts.

