Stuxnet and Aurora utilized design features of the system or controllers to attack physical systems. Stuxnet and Aurora are not traditional network vulnerabilities and cannot be found or mitigated by using traditional IT security techniques. May 19th, I attended a lecture by Rebecca Slayton at Stanford’s Center for International Security and Cooperation (CISAC) on “Information for Power: Risk Management, Cybersecurity, and the Electrical Power Grid”. Rebecca identified the Smart Grid NISTR-7628 “Top-Down Analysis of Cyber Threats by classes” as the vehicle for identifying classes of cyber threats to the electric systems. The NISTR approach did not identify design features that can be exploited such as by Stuxnet or system design features that can be exploited such as by Aurora. The recent NERC Lessons Learned report provided another set of design features that can be exploited by cyber that can damage electric substations but not be identified by IT as a cyber threat or attack. It should also be noted that NERC continues to refuse to identify cyber incidents as “cyber”. There is a disconnect between what the electric industry is trying to protect and what a sophisticated attacker that wants to damage the grid will attack.
Joe Weiss