The electric industry still doesn’t understand what sophisticated attackers are after

May 21, 2014

Stuxnet and Aurora are not traditional network vulnerabilities and cannot be found or mitigated by using traditional IT security techniques. The Smart Grid NISTR-7628 and NERC do not identify design features that can be exploited. There is a disconnect between what the electric industry is trying to protect and what a sophisticated attacker that wants to damage the grid will attack.

Stuxnet and Aurora utilized design features of the system or controllers to attack physical systems. Stuxnet and Aurora are not traditional network vulnerabilities and cannot be found or mitigated by using traditional IT security techniques. May 19th, I attended a lecture by Rebecca Slayton at Stanford’s Center for International Security and Cooperation (CISAC) on “Information for Power: Risk Management, Cybersecurity, and the Electrical Power Grid”.  Rebecca identified the Smart Grid NISTR-7628 “Top-Down Analysis of Cyber Threats by classes” as the vehicle for identifying classes of cyber threats to the electric systems.  The NISTR approach did not identify design features that can be exploited such as by Stuxnet or system design features that can be exploited such as by Aurora. The recent NERC Lessons Learned report provided another set of design features that can be exploited by cyber that can damage electric substations but not be identified by IT as a cyber threat or attack. It should also be noted that NERC continues to refuse to identify cyber incidents as “cyber”. There is a disconnect between what the electric industry is trying to protect and what a sophisticated attacker that wants to damage the grid will attack.

 Joe Weiss