One reason why we need regulation

Dec. 18, 2008
In late February 2007, the ES-ISAC (Electric Sector - Information Sharing and Analysis Center) was informed of a potential cyber vulnerability dubbed Aurora which, if exploited by an attack, would have significant consequences. Consequently, DHS designated discussions of the Aurora vulnerability as FOUO (For Official Use Only). On March 4, 2007, the Idaho National Laboratory (INL) demonstrated the vulnerability. The vulnerability and the mitigation measures were reviewed in closed sessions with the NERC Critical Infrastructure Protection Committee in March 2007 and again in June 2007. On June 20, 2007, an ES-ISAC Advisory was issued to generation owners and operators and transmission owners and operators in the electricity sector, while the Nuclear Energy Institute (NEI) issued a set of mitigation measures for nuclear power plant operators. The ES-ISAC Advisory contained a set of mitigation measures that needed to be promptly implemented (yet an advisory has NO mandatory implementation requirements) to address the identified vulnerability. These measures required (there is that word again that makes it look like regulation, which it is not) coordination with transmission owners and operators as well.

On September 27, 2007, CNN aired a tape of the Aurora vulnerability, presumably supplied by DHS. One would expect that a vulnerability as significant as this, with such widespread notification and notoriety, would be addressed posthaste. WRONG! One would at least think that the information would be made available to cognizant end-users. WRONG AGAIN! The FOUO designation continues despite the repeated airing of the CNN tape and the fact that there are over 182,000 references to the Aurora vulnerability in a simple Google search.

We held the August 2008 Applied Control Solutions Control System Cyber Security Conference in Burr Ridge, IL.
Since Cooper Power Systems had produced a patented solution for Aurora (the patent itself is available on the Web), Cooper was asked to give a presentation on Aurora, their first public presentation. For most of the attendees, including end-users, it was their first explanation of the Aurora vulnerability. One water utility mentioned that their local electric provider refused to answer any questions on Aurora. Last week, I had a chance to discuss this issue with a nuclear utility representative. He mentioned they have multiple transmission providers, most of whom refused to tell the nuclear utility anything about their Aurora issues; so much for coordination between transmission providers and generation operators. Yesterday a utility relay protection engineer sent me an e-mail asking about Aurora. Why ask me? He was not able to get access to the information from his own utility because of the FOUO designation. I could go on with the anecdotes, but hopefully you get the picture. Any question as to why we need regulation?

Joe Weiss
