We have not made enough progress

In this month’s Intech magazine, there is an article and insert on the need for regulating the power industry for cyber security:  “Voices ignite on power security standards”.  It states:

While Weiss strongly believes in a need for legislation, Bryan Singer said, "Most of industry including other leaders would say that this is not necessarily the case. A big disappointment in recent testimony was the regurgitation of the same types of messages with the same 'this is really bad' messaging and scare tactics," said Singer. "It does a great discredit to excellent work done by many. Are we perfect? No. But look at the messages of 2001-2002, and compare them to today's messages," he said. The messages of 2001-2002 implied "lots of problems, and technology was not appropriate to solve them," Singer said. "We need to solve these problems. These messages were largely driven by a smattering of solutions that have since been either greatly improved or have been invalidated," he said. "Today, look at how we talk about security and topics like smart grid, and network defense, Singer said.  "Look at the great efforts of ISA99, government, and countless firms; there is more work to be done, but a positive message for us is to show progress, and if there is any problem, it is that legislation and many regulatory efforts should be encouraged and directed to enhance and support such work, to grow and change the messages along with the common level of understanding. If anything needs to be done by government, it is more collaboration with industry and to create bodies like OSHA to help provide vehicles for assessing and regulating whether or not companies are indeed exercising due care and due diligence," he said.

Normally, I do not respond to criticism, but in this case it needs to be done.  Industry awareness of HMI (Windows and TCP/IP) cyber security issues is well-known and DOE and DHS are expending resources to better secure these vulnerabilities. However, the same can not be said of legacy control system issues (field monitoring, instrumentation, and controllers) with either understanding or technologies. One only has to look at the increasing number of actual control system cyber incidents occurring with legacy systems to see how little we have progressed since 2000.  February, March, and April events demonstrate the lack of understanding of control system issues: Distributech, the Infrastructure Modernization Workshop in Monterey, the IEEE PSCE Conference in Seattle, the Senate hearings, the RSA Conference, etc.  At each of these events, people understood the terms “SCADA Security” and “NERC CIP compliance”. However, start talking about security and not compliance or securing field devices and you could see the eyes glaze over. Unfortunately, this included supposed “SCADA Security” experts. As far as legislation is concerned, it is long overdue. The NERC CIPs were an attempt at self-regulation. Mike Assante’s letter explicitly documents how the industry has used the self-installed loopholes to avoid having to address the NERC CIPs by defining their assets as not being critical. In fact, in some instances, they have made the grid less secure and less reliable to avoid addressing the NERC CIPs.

Joe Weiss