What are NERC, DHS, and NIST doing?

Jan. 21, 2011

I have been quiet lately as I have been working on first-of-a-kind control system cyber security policies and associated risk criteria.  However, it is getting harder to ignore the lack of understanding by organizations that are supposed to know better.

NERC
January 19, 2011, the NERC Standards Drafting Team approved the document “Need, Goals, and Objectives – Project 2008-06-CIP Cyber Security Standards 5”. The document states (my comments in italics): “Stuxnet is a prime example of an exploit with the potential to seriously degrade and disrupt the BES with highly malicious code introduced via a common USB interface.” (The NERC CIPs don’t address Stuxnet.) “Other types of attacks are network or Internet-based, requiring no physical presence and potentially affecting multiple facilities simultaneously.” (Aurora is neither network- nor Internet-based.) “It is clear that attack vectors are plentiful, but many exploits are preventable. The common factors in these exploits are vulnerabilities in BES Cyber Systems. The common remedy is to mitigate those vulnerabilities through application of readily available cyber security measures, which include prevention, detection, response and recovery.” (This statement is not correct for control systems.) How can a document with statements so obviously wrong be approved?

The NERC CIPs Version 4 include a “bright line” that indicates what is clearly a critical asset that needs to meet the NERC CIPs. For generation, that bright line is 1500 MW per site, which excludes most generation in North America, including all single-unit nuclear stations. For transmission, it is 500 kV, which eliminates most high-voltage transmission and all distribution. How do these criteria make the grid more reliable and secure?

DHS
DHS hasn’t issued an update on Stuxnet since September and still hasn’t explained how to identify a controller that has been infected. What is DHS waiting for?

NIST
NIST provided FERC five standards for Smart Grid. None were NIST standards or even US standards. How can NIST SP 800-53, which is mandatory for all federal agencies and is being applied to nuclear plants, not be good enough for Smart Grid? Additionally, GAO found that while NIST developed and issued cybersecurity guidelines, they do not deal with key issues, including the risk of attacks that involve both cyber and physical means.

Shouldn’t we expect better from these organizations?

Joe Weiss