What are NERC, DHS, and NIST doing?

Jan. 21, 2011

I have been quiet lately as I have been working on first-of-a-kind control system cyber security policies and associated risk criteria.  However, it is getting harder to ignore the lack of understanding by organizations that are supposed to know better.

NERC
On January 19, 2011, the NERC Standards Drafting Team approved the document “Need, Goals, and Objectives – Project 2008-06-CIP Cyber Security Standards 5”.  The document states (my comments in italics): “Stuxnet is a prime example of an exploit with the potential to seriously degrade and disrupt the BES with highly malicious code introduced via a common USB interface.” (The NERC CIPs don’t address Stuxnet.) “Other types of attacks are network or Internet-based, requiring no physical presence and potentially affecting multiple facilities simultaneously.” (Aurora is neither network- nor Internet-based.) “It is clear that attack vectors are plentiful, but many exploits are preventable. The common factors in these exploits are vulnerabilities in BES Cyber Systems. The common remedy is to mitigate those vulnerabilities through application of readily available cyber security measures, which include prevention, detection, response and recovery.” (This statement is not correct for control systems.)  How can a document with statements so obviously wrong be approved?

The NERC CIPs Version 4 include a “bright line” that indicates what is clearly a critical asset that needs to meet the NERC CIPs.  For generation, that bright line is 1500 MW per site, which excludes most generation in North America, including all single-unit nuclear stations.  For transmission, it is 500 kV, which eliminates most high-voltage transmission and all distribution. How do these criteria make the grid more reliable and secure?

DHS
DHS hasn’t issued an update on Stuxnet since September and still hasn’t explained how to identify a controller that has been infected. What is DHS waiting for?

NIST
NIST provided FERC five standards for Smart Grid. None were NIST standards or even US standards. How can NIST SP 800-53, which is mandatory for all federal agencies and is being applied to nuclear plants, not be good enough for Smart Grid? Additionally, GAO found that while NIST developed and issued cybersecurity guidelines, they do not deal with key issues, including the risk of attacks that involve both cyber and physical means.

Shouldn’t we expect better from these organizations?

Joe Weiss
