Another Washington think tank paper on critical infrastructure – another miss

The most recent Washington think tank to write a paper involving cyber security and the electric grid is the Center for the Study of the Presidency and Congress and the paper is “Understanding the threats to the most critical infrastructure while securing a changing grid”. As with the other papers, the paper chairs reflect the upper strata in political Washington. Unfortunately, like the other papers, there is a lack of control system expertise that has been applied even though I was told more than 200 people worked on the paper. The lack of control system expertise has led to numerous wrong assumptions and omissions dealing with “SCADA” and control systems. As I have written about many times, this includes the lack of understanding of the control system-unique threats. Consequently, the conclusions are suspect.

The lack of understanding about control system cyber security should not be surprising as the electric industry has been throttled in their attempts to address control system cyber security by having to stay within the NERC CIP umbrella. This has also resulted in a lack of utility participation (including nuclear) in wider industry control system cyber security organizations that have significantly more expertise than the utility industry. The irony is the NERC CIP approach has developed a culture of almost “blind compliance” while at the same time precluding the opportunity to develop the expertise needed to actually secure control systems in the electric and nuclear industries.

Joe Weiss