DOE Cyber Security Procurement Language – Is It Comprehensive Enough

April 30, 2014

DOE recently issued their revised report on Cyber security procurement Language for Energy Delivery Systems dated April 2014. The report is an update on the 2009 INL report. The report does a good job of addressing communication networks and traditional IT issues. However, it does little to address the unique issues of the sensors and actuators, particularly the “design features” that can be exploited.

DOE recently issued their revised report on Cyber security procurement Language for Energy Delivery Systems dated April 2014. The report is an update on the 2009 INL report. The report states: “Energy delivery systems are used to monitor and control the production, transfer, and distribution of energy. These systems include Supervisory Control and Data Acquisition (SCADA) systems, Energy Management Systems (EMSs), Distribution Management Systems (DMSs), and Distributed Control Systems (DCSs). Energy delivery systems comprise the following:

• The sensors and actuators used for monitoring and controlling energy delivery processes.

• The computer-based systems that analyze and store data.

• The communication pathways and networks that interconnect the various computer systems.

The report goes on to say: “In addition to the language included in this document, acquired products and services should conform to the applicable IT security standards and operations technology (OT) standards for energy delivery systems. This document is designed to provide baseline cybersecurity procurement language for the following:

• Individual components of energy delivery systems (e.g., programmable logic controllers, digital relays, or remote terminal units).

• Individual energy delivery systems (e.g., a SCADA system, EMS, or DCS).

• Assembled or networked energy delivery systems (e.g., an electrical substation [transmission and distribution] or a natural gas pumping station).

The report does a good job of addressing communication networks and traditional IT issues. The report does address malware. However, it does little to address the unique issues of the sensors and actuators, particularly the “design features” that can be exploited via exploits such as Stuxnet. It also is completely silent on Aurora and the need to have intelligent electronic devices that can detect and isolate downstream systems from these types of threats.

One can only wonder why DOE refuses to address these types of issues. It not only leaves systems vulnerable but provides a false sense of security.  The report also provides a roadmap for knowledgeable attackers to know what types of threats are not being addressed. This is very similar to what has been done with the NERC CIPs.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...