The purpose of the trip was to attend the CSI “SCADA Summit” and meet with Congressional and government representatives to present an “unvarnished” status of industrial control system security as well as to request continuing support.
I provided my perspectives on the status of electric and water industry efforts. The water industry is in abysmal shape from a cyber perspective and cannot be counted on for self-regulation. The electric industry, through NERC and the redrafting team, is making some, but marginal, progress. The fundamental need to address all possible critical assets and apply the NIST framework is still being rebuffed by many on the NERC redrafting team. The utilities’ fear of fines for not meeting NERC CIP compliance, particularly with the compliance criteria being so muddled, has resulted in many utilities “unplugging” IP connections or refusing to provide black start capabilities to get around the NERC Compliance process. Isn’t it remarkable that in order to “secure” the grid, many utilities are making the grid less reliable? There is some good news: NRC has a solid grasp of the situation and is proceeding with preparation of the Nuclear Plant Cyber Security Regulatory Guide.
I was told by both House and Senate representatives that legislation to provide FERC adequate powers would again be brought forward. Congress was also concerned that funding was being prudently spent. I was asked what further Congress could do and if the proposed legislation was adequate.
Congress is not the only one concerned about cyber security of the critical infrastructure. DOD is very concerned about grid reliability because of unresolved cyber concerns. These include lack of addressing Aurora and the inadequacies of the NERC CIPs. As can be seen by industry’s reaction to last year’s CIA announcement, there is a continuing concern that industry (not just electric) doesn’t believe cyber is real or that it can happen to them.
Bottom line: The general view by government and Congressional representatives was that industry is not doing enough. With the new administration, the probability of regulation for control system cyber security for all critical infrastructures is increasing. Expect increasing scrutiny and hearings.