Two Weeks in Review: are we really getting anywhere?

Sept. 15, 2008

A number of activities occurred over the past 2 weeks.

A number of activities occurred over the past 2 weeks.

-         Last week, the American Water Works Association (AWWA) held a webinar on water system cyber security. DHS and several water utilities gave presentations. The DHS presentation had a significant error that needs to be addressed - the description of the Hatch Nuclear Plant incident. It was significant because:

o       The general issue of unknown connections affects all industries and has caused several VERY significant cyber incidents

o       DHS described the interconnections as between business systems and control systems - neither were business systems.

The water system SCADA case history was given by the Broward County IT organization. DHS and AWWA gave a “good housekeeping seal of approval” to this presentation and approach. In addition to slighting the work that has been done by ISA and others (controls systems are different than IT and require their own standards), there were several major technical flaws with the presentation. I am waiting until next week when the Water Sector Coordinating Council (WSCC) meets to determine if WSCC will address the errors and omissions. The irony of this webinar is the water industry has been behind most other industries in the area of control system cyber security. The presentation, and acceptance of it by AWWA, reinforces how far water is behind other industries. Water industry representatives need to join ISA 99 and other appropriate control system cyber security organizations.

-         A question was presented by a junior engineer from an electric company on the SCADASec listserver asking who should “own” SCADA. Suffice it to say this generating a significant amount of conflicting responses between IT and Operations.

-         The Citect vulnerability issues reared its head in a very public way. I would portray this as we are now at a stage of “innocence lost”.  I don’t believe the issue of disclosure will be resolved as IT security researchers will publish and Operations will cringe. It was one thing when the hacker community didn’t really understand SCADA and exploits weren’t for sale. Now that a metasploit has been created, what next? Dale Peterson mentioned that a Metasploit can be a useful way to demonstrate to your doubting executives how easy it is to take control of an unpatched system. I doubt it - Operational executives don’t understand cyber issues and this is far too techie. There really needs to be some significant thought given to what can and should be published about cyber vulnerabilities of “lower level” devices. There also needs to be some significant thought about the benefits of using “grey or black hat” hackers to do penetration tests of field devices. This is no longer a laughing matter. This is also exacerbating the issues between IT and Operations.

-         I attended Bay Area SecureWorld Expo Thursday. There were no vendors directly representing the control systems community. There were two vendors who have been working on “SCADA Security” but they were not familiar with field devices. This was another case of reinventing or repackaging the IT wheel for control systems.

-         Thursday, the Chairman of FERC testified to Congress. He made what I consider to be several very important points:

o       Cyber is very time sensitive and waiting several years for standards is not acceptable. New legislation is needed.

o       Industry still has not addressed Aurora. What will it take for industry to address real vulnerabilities and how does NERC and FERC address identification of new vulnerabilities? Obviously advisories don’t work.

o       Cyber security of the Smart Grid and electric distribution also need to be addressed. Who will regulate- FERC or local PUCs?

Let’s hope NERC and industry are listening

Joe Weiss