Yesterday evening, CNN ran a segment on the cyber security of the power grid, and the Associated Press ran a companion article. The AP article states:
"…a government video shows the potential destruction caused by hackers seizing control of a crucial part of the U.S. electrical grid: an industrial turbine spinning wildly out of control until it becomes a smoking hulk and power shuts down. The video, produced for the Homeland Security Department and obtained by The Associated Press and CNN on Wednesday, was marked 'Official Use Only.' It shows commands quietly triggered by simulated hackers having such a violent reaction that the enormous turbine shudders as pieces fly apart and it belches black-and-white smoke. The video was produced for top U.S. policy makers by the Idaho National Laboratory, which has studied the little-understood risks to the specialized electronic equipment that operates power, water and chemical plants."
Stan Johnson from NERC was quoted as saying the following: "The video is not a realistic representation of how the power system would operate." However, it really is, and the issue is what should be done about it. The NERC CIP standards as written are not doing that. As the ERO, NERC should be supporting approaches that will prevent this type of event, such as implementation of NIST SP 800-53. Why isn't it? Secondly, the tape stated DHS will be spending $12 million on control system cyber security. If control system cyber security is so critical, why isn't more being spent, and why isn't domain expertise being utilized?