The inconsistency within the electric industry of what is security vs compliance

Feb. 24, 2011

There is a discussion on the SCADA/Control System Security Professionals LinkedIn site concerning how to handle an internal assessment on vulnerabilities in control systems. Stacy Bresler stated he has audited approximately 30 entities as an official NERC CIP auditor and says he has found many more than just 2 utilities who are trying to secure their systems, and not just CIP-identified cyber assets either. This is inconsistent with discussions with personnel from some of the utilities he has audited.

To me cyber security is end-to-end without exclusions. Anything less cannot be considered secure. Electrons go from point to point regardless of whether it is generation, transmission or distribution. They do not care about the size of the facility or the protocols being used. Neither electrons nor hackers have organization charts or care about artificial exclusions such as only addressing routable protocols, excluding market systems, excluding telecom, etc. In fact, if I were a hacker, I would target those exclusions since nobody is looking. It takes somebody with a strong sense of the “emperor wears no clothes” to overlook such obvious exclusions. These exclusions were “exploited” in many of the control system cyber incidents that have occurred to date. Stuxnet can be included in “exploiting” these holes as its exploit vector is not through a routable protocol and it is inside the electronic security perimeter. Another question is why Aurora is not being addressed by more than a letter saying it does not apply, because it does. Now with NERC Version 4, NERC and the utilities have managed to exclude a large percentage of the generation and transmission assets in North America. Even more, the transmission lines that were involved in the 2003 August Northeast Outage are now excluded by Version 4 – shouldn’t that be mind boggling? If Stacy and others think meeting the NERC CIPs means security, we are on completely different wavelengths.

As Stacy is a key member of EnergySec and the new NESCO, my concern about the relevance of NESCO grows even more. As an aside, Patrick Miller from NESCO never responded to me about my previous blog concerning the relevance of NESCO.

Joe Weiss
