October 10, 2016, I wrote a blog: “The NERC CIPs continue to expose the grid to significant cyber vulnerabilities even after the Ukrainian hack” - https://www.controlglobal.com/blogs/unfettered/the-nerc-cips-continue-to-expose-the-grid-to-significant-cyber-vulnerabilities-even-after-the-ukrainian-hack/. This was because NERC, DOE, and DHS had effectively ignored the 2015 attack as it was against the distribution system. Ironically, two months later, the second Ukrainian cyberattack was against the transmission system. In both cases, the attack was step 1 of the 2 steps of Aurora. So what has happened in the interim to make the grid more cyber resilient?
- There is still no security in any Purdue Reference Model Level 0 or Level 1 device (process sensors, actuators, or drives). These devices are out of scope for NERC CIP. ISA99 has initiated a working group to address this issue, yet there is almost no electric utility participation in this effort. Iran is aware of this deficiency.
- There is no monitoring of these devices' raw signals before they are converted into Ethernet packets, so there is no way to determine whether the input reaching the ICS/SCADA network (and the network monitoring that depends on it) is both uncompromised AND correct.
- Utilities are still not adequately addressing Aurora despite the Aurora information having been declassified. At the 2016 ICS Cyber Security Conference, a demonstration was given of hacking an Aurora hardware mitigation device (SEL751A) and effectively turning it into an Aurora initiation device.
- A utility lost all relay communications to almost 400 high-voltage relays, and SCADA was not aware of the loss of relay communications.
Where is the cyber resiliency of the electric grid?