What are NERC, DHS, and NIST doing?

I have been quiet lately as I have been working on first-of-a-kind control system cyber security policies and associated risk criteria.  However, it is getting harder to ignore the lack of understanding by organizations that are supposed to know better.

NERC
On January 19, 2011, the NERC Standards Drafting Team approved the document “Need, Goals, and Objectives – Project 2008-06-CIP Cyber Security Standards 5”. The document states (my comments in Italics): “Stuxnet is a prime example of an exploit with the potential to seriously degrade and disrupt the BES with highly malicious code introduced via a common USB interface.” (The NERC CIPs don’t address Stuxnet.) “Other types of attacks are network or Internet-based, requiring no physical presence and potentially affecting multiple facilities simultaneously.” (Aurora is neither network nor Internet-based.) “It is clear that attack vectors are plentiful, but many exploits are preventable. The common factors in these exploits are vulnerabilities in BES Cyber Systems. The common remedy is to mitigate those vulnerabilities through application of readily available cyber security measures, which include prevention, detection, response and recovery.” (This statement is not correct for control systems.) How can a document with statements so obviously wrong be approved?

The NERC CIPs Version 4 include a “bright line” that indicates what is clearly a critical asset that needs to meet the NERC CIPs. For generation, that bright line is 1500 MW per site, which excludes most generation in North America, including all single-unit nuclear stations. For transmission, it is 500 kV, which eliminates most high-voltage transmission and all distribution. How do these criteria make the grid more reliable and secure?

DHS
DHS hasn’t issued an update on Stuxnet since September and still hasn’t explained how to identify a controller that has been infected. What is DHS waiting for?

NIST
NIST provided FERC five standards for Smart Grid. None were NIST Standards or even US standards. How can NIST SP800-53, which is mandatory for all federal agencies and is being applied to nuclear plants, not be good enough for Smart Grid? Additionally, GAO found that while NIST developed and issued cybersecurity guidelines, they do not deal with key issues, including the risk of attacks that involve both cyber and physical means.

Shouldn’t we expect better from these organizations?

Joe Weiss

Comments

  • Of course there is room for improvement for all of these agencies. We can not all be geniuses. In any crisis there is always a terrible amount of confusion, stupidity, and mixed up goals.

    Socially, we do not have the charters, the policies, or the human resources in place to deal with threats like Stuxnet properly. This is like driving in the 1920's, seeing a crash, and then demanding seatbelts, crumple zones, airbags, and shatter-proof glass for the windshield.

    It's not going to happen overnight, no matter how many people are dying every day from the lack of these measures. Yes, it is true, NERC is avoiding the problem. DHS doesn't know what to do about the problem, while FERC and NRC see opportunities for more regulation.

    Jake Brodsky


  • I don’t see why we should expect better from these organizations. As sobering as it is, we should face the fact that many of the models, theories, and methodologies that the community has developed over the last decade lack practical relevance after Stuxnet. Nobody is to blame here as we had the luxury to experience no serious cyber strike over the last years. However, expecting from bureaucratic organizations that they would be able to adjust to the new situation quickly is unrealistic. Stuxnet is so out-of-the-world as we knew it that it will take the usual suspects years to fiddle the experience into their standards and recommendations. When we had already started Stuxnet analysis, I participated in a workgroup meeting that focused, among other things, substantially on ARP poisoning attacks against controllers. I couldn’t have felt more out of place. The point is that it will take the community years to understand that we no longer live in a world where Vitek Boden was the worst case. I’m afraid though that we don’t have that much time to secure our critical systems before copycat attacks pop up.

    Certainly DHS plays a special role here as Sean McGurk testified before the US Senate that they are able to fully understand the capabilities of Stuxnet on control systems. With such a full understanding, telling asset owners what to do to prevent Stuxnet-inspired attacks should be easy; it doesn’t happen though. I have put my explanation for this bizarre behavior on the record some time ago: Stuxnet is a top secret operation of the late Bush administration, forcing DHS into the uncomfortable situation that they can’t tell anything about it (at least nothing that hadn’t been published by us or Symantec already), even while recognizing the threat for US critical infrastructure.

    However, DHS got one thing straight in not answering the question how to identify infected controllers: It just isn’t necessary. Stuxnet’s attack code is so specific that it only infects controllers running the Natanz configuration. So as long as you aren’t operating Natanz (or a similar, yet clandestine) facility, there is little need to check if your controllers are infected by Stuxnet. For some funny reason, the vendor in question seems to have gotten that point straight from day one.

    As a side note, Dale Peterson also has some very valid comments on this over in his blog at Digital Bond (http://www.digitalbond.com/index.php/2011/01/17/believe-it-or-not-stuxnet-advisories-are-lacking/).

