In this Month’s Power magazine (www.powermag.com), Black & Veatch did a survey on Infrastructure and Security. According to the survey results, computers and networks were regarded as the asset class most at risk of outside forces, such as acts of terrorism or cyber attack, having moved from last place in 2006 to a solid first place this year. However, the survey found only 13% felt the nation’s transmission system has been “hacked” per last year’s Wall Street Journal article about cyberspies leaving malicious software in the grid. Just over a third, 35%, believed that no hacking has occurred. In reality, there already have been numerous electric industry T&D cyber incidents including three cyber-related outages in the US. More than half, 57%, believed a generating facility would be harmed by a cyber attack in the future. In reality, there already have been numerous cases of power plant cyber incidents including fossil, hydro, combustion turbine, and nuclear facilities. Some of these incidents have harmed the facilities. These myopic results are similar to the Control Engineering magazine survey where almost 25% of the respondents felt control system cyber threats were not a risk to their business. Compare this to the whitepaper from Gene Kim of TripWire on NERC CIP Compliance where he states: “There is nearly universal agreement that information security controls must be integrated into daily IT operations.”
Too many people responsible for control systems are still in denial. Add to that IT trying to solve a “problem” that may not be the right problem and creating problems in their wake. IT has already CAUSED numerous control system cyber incidents by the use of inappropriate IT policies, technologies, and/or testing. Are Operations and IT growing further apart to the detriment of our critical infrastructures? Is compliance for the the sake of compliance compromising the security of electric grid? Jon Stanford, Bonneville Power Administration’s Chief Information Security Officer, and I will be addressing these issues March 3rd at the RSA Security Conference in San Francisco.