The inconsistency within the electric industry of what is security vs compliance

Feb. 24, 2011

There is a discussion on the SCADA/Control System Security Professionals LinkedIn site concerning how to handle an internal assessment on vulnerabilities in control systems. Stacy Bresler stated he has audited approximately 30 entities as an official NERC CIP auditor and says he has found many more than just 2 utilities who are trying to secure their systems, and not just CIP-identified cyber assets either. This is inconsistent with discussions with personnel from some of the utilities he has audited.

To me, cyber security is end-to-end without exclusions. Anything less cannot be considered secure. Electrons go from point to point regardless of whether it is generation, transmission or distribution. They do not care about the size of the facility or the protocols being used. Neither electrons nor hackers have organization charts or care about artificial exclusions such as only addressing routable protocols, excluding market systems, excluding telecom, etc. In fact, if I were a hacker, I would target those exclusions since nobody is looking. It takes somebody with a strong sense of the “emperor wears no clothes” to overlook such obvious exclusions. These exclusions were “exploited” in many of the control system cyber incidents that have occurred to date. Stuxnet can be included in “exploiting” these holes as its exploit vector is not through a routable protocol and it is inside the electronic security perimeter. Another question is why Aurora is not being addressed by more than a letter saying it does not apply, because it does. Now with NERC Version 4, NERC and the utilities have managed to exclude a large percentage of the generation and transmission assets in North America. Even more, the transmission lines that were involved in the 2003 August Northeast Outage are now excluded by Version 4 – shouldn’t that be mind boggling? If Stacy and others think meeting the NERC CIPs means security, we are on completely different wavelengths.

As Stacy is a key member of EnergySec and the new NESCO, my concern about the relevance of NESCO grows even more. As an aside, Patrick Miller from NESCO never responded to me about my previous blog concerning the relevance of NESCO.

Joe Weiss
