What are NERC, DHS, and NIST doing?

Jan. 21, 2011

I have been quiet lately as I have been working on first-of-a-kind control system cyber security policies and associated risk criteria.  However, it is getting harder to ignore the lack of understanding by organizations that are supposed to know better.

NERC
On January 19, 2011, the NERC Standards Drafting Team approved the document “Need, Goals, and Objectives – Project 2008-06-CIP Cyber Security Standards 5”.  The document states (my comments in italics): “Stuxnet is a prime example of an exploit with the potential to seriously degrade and disrupt the BES with highly malicious code introduced via a common USB interface.” (The NERC CIPs don’t address Stuxnet.) “Other types of attacks are network or Internet-based, requiring no physical presence and potentially affecting multiple facilities simultaneously.” (Aurora is neither network- nor Internet-based.) “It is clear that attack vectors are plentiful, but many exploits are preventable. The common factors in these exploits are vulnerabilities in BES Cyber Systems. The common remedy is to mitigate those vulnerabilities through application of readily available cyber security measures, which include prevention, detection, response and recovery.” (This statement is not correct for control systems.)  How can a document with statements so obviously wrong be approved?

The NERC CIPs Version 4 include a “bright line” that indicates what is clearly a critical asset that needs to meet the NERC CIPs.  For generation, that bright line is 1,500 MW per site, which excludes most generation in North America, including all single-unit nuclear stations.  For transmission, it is 500 kV, which eliminates most high-voltage transmission and all distribution. How do these criteria make the grid more reliable and secure?

DHS
DHS hasn’t issued an update on Stuxnet since September and still hasn’t explained how to identify a controller that has been infected. What is DHS waiting for?

NIST
NIST provided FERC five standards for Smart Grid. None were NIST standards or even US standards. How can NIST SP 800-53, which is mandatory for all federal agencies and is being applied to nuclear plants, not be good enough for Smart Grid? Additionally, GAO found that while NIST developed and issued cybersecurity guidelines, they do not deal with key issues, including the risk of attacks that involve both cyber and physical means.

Shouldn’t we expect better from these organizations?

Joe Weiss
