CYA, not Cyber security, is Job One for Energy asset owners and operators

Last Updated on Wednesday, 21 October 2009 11:04 Written by Jeffreycarr Wednesday, 21 October 2009 11:04

I’ve spent the last few days reading various papers on SCADA security issued by Sandia and Idaho National Labs and I’m both shocked and stunned at the pervasive CYA (cover your ass) culture that NERC and its members have managed to construct with the support of DoE and DHS.

It’s not a question of whether a cyber intrusion has resulted in a blackout or not. It has. It’s just not made public. The better question is why has the Federal government allowed private industry to keep cyber attacks quiet? Researchers at both Sandia and Idaho know why, and it has nothing to do with national security and everything to do with financial security. The energy operators and owners don’t want to risk huge financial losses resulting from lawsuits if these breaches are made public. Period. End of story.

DoE and DHS enable them in this regard by either classifying the data or locking it into protected databases like this one that are shielded from Freedom Of Information Act requests. So what happens as a result? Our critical infrastructure becomes more vulnerable to attack, because actual incidents are not reported and forensic data on the cyber attack isn’t collected by the very companies that are best suited to analyze and advise on corrective measures. That, in turn, severely limits the Intelligence Community’s ability to provide accurate threat analysis to DoE, DHS, and the entire SCADA network.

Speaking of “threat analysis”, do you know what passes for that today? Because the researchers at Sandia Labs do not have access to either real-time or historical data on successful cyber attacks, they have been forced to create an open source alternative which relies, in part, on the chance that hackers will be planning their attack online in a forum that is being scanned by pretty much every law enforcement and intelligence agency in the world. You don’t have to be a statistician to know what the odds of that happening are.

The national security argument for keeping every successful cyber attack against the Grid secret fails because:

1. SCADA vulnerabilities are regularly made public by DoE reports like this one.

2. Hackers who target these systems already know how to do it, and are training others to do the same (we know that from our first Project Grey Goose report which identified an informal hacker hierarchy in the attacks against Georgia).

3. A threat analysis, to be useful to the customer, is only as good as the accuracy of the data that it’s built upon. To expect researchers in a National Lab to provide such an analysis with incomplete or nonexistent data is ridiculous.

The more we dig into the arcane world of SCADA, the more surreal this experience is becoming. I genuinely hope that our report, once it’s released, stirs up enough public outrage to raise the critical problem of protecting our infrastructure against cyber attacks high enough to draw the attention of the White House, and engage immediate action on the part of the President and his advisors.


1 Comment

  1. InfoBore 72 « ubiwar | conflict in n dimensions   |  Wednesday, 21 October 2009 at 12:38 pm

    [...] CYA, Not Cyber Security, Is Job One For Energy Asset Owners and Operators – Jeff Carr, IntelFusion [...]