Project Grey Goose report on Critical Infrastructure: Attacks, Actors, and Emerging Threats

Last Updated on Thursday, 21 January 2010 07:26 Written by Jeffreycarr Thursday, 21 January 2010 07:26


New NIST Smart Grid Security Requirements “more what you’d call guidelines”

Last Updated on Wednesday, 20 January 2010 12:14 Written by Jeffreycarr Wednesday, 20 January 2010 08:21

Bo’sun: Still the guns and stow ‘em. Signal the men, set the flags and make good to clear port. Elizabeth: Wait! You have to take me to shore. According to the Code of the Order of the Brethren… Barbossa: First, your return to shore was not part of our negotiations nor our agreement, so I must do nothing. And secondly, you must be a pirate for the pirate’s code to apply, and you’re not. And thirdly, the code is more what you’d call “guidelines” than actual rules. Welcome aboard the Black Pearl, Miss Turner.
- Pirates of the Caribbean: Curse of the Black Pearl (2003)

The National Institute of Standards and Technology just released a first draft of its NIST Framework and Roadmap for Smart Grid Interoperability Standards yesterday. It contains:

    • a conceptual reference model to facilitate design of an architecture for the Smart Grid overall and for its networked domains;
    • an initial set of 75 standards identified as applicable to the Smart Grid;
    • priorities for additional standards—revised or new—to resolve important gaps;
    • action plans under which designated standards-setting organizations will address these priorities; and
    • an initial Smart Grid cyber security strategy and associated requirements.

NIST intends to issue a final report in the Spring; however, NIST only provides guidance to the Federal Energy Regulatory Commission (FERC), which is ultimately responsible for deciding which of NIST’s recommendations will be adopted as “standards”. This is important because when you read the NIST report, the phrase “security requirements” is used a lot, but in the arcane world of SCADA security and the bulk power grid, “requirements” doesn’t mean what the rest of us think it means. Like the “Pirates’ Code”, requirements “are more what you’d call guidelines than actual rules”.

What about the eight Critical Infrastructure Protection (CIP) standards adopted by FERC in 2008? Surely those are “requirements” that the asset owners and operators who make up 90% of the U.S. bulk power grid must comply with, right?

Nope. While FERC did remove the gargantuan loophole of “reasonable business judgment” that allowed NERC members to evade compliance with those regulations, they inserted a different, albeit much smaller, loophole called “technical exceptions”, which is yet to be clearly defined. And the CIPs are still in an implementation phase until 2011 as power companies struggle to understand what’s expected of them under a voluminous and confusing array of documents.

For an industry that plays such a vital role to U.S. national security, I’m shocked and dismayed at the state that it’s in, security-wise. A Project Grey Goose report on attacks against Critical Infrastructure will be released in the next few days.


NERC v FERC: A symbol of all that’s wrong with securing the Power Grid

Last Updated on Saturday, 7 November 2009 11:30 Written by Jeffreycarr Saturday, 31 October 2009 03:50

The state of affairs in how the U.S. has organized security responsibilities for our most critical infrastructure would be comical if it wasn’t so maddening.

Apart from the lunacy of trusting the owners of power plants to police themselves (NERC), and that, up till now, the Federal government has been enabling that lunacy (FERC), I particularly “love” this comment:

Rep. Fred Upton, R-Mich., warned against what he viewed as overregulation of the industry but also emphasized the need to address vulnerabilities before an attack occurs. (my emphasis added)

That’s how pervasive the illusion is: despite the myriad attacks against the Grid that are defended every day, and in spite of the hundreds of known vulnerabilities (not to mention an unknown number of 0days), a U.S. Congressman on the House Energy and Commerce Committee still thinks that by some statistical miracle there have been no successful breaches of the Grid yet.

I don’t know if our report will succeed in penetrating that illusion yet or not (we still have a few weeks left to go), but if nothing else I hope it will inform the work of the Committee on Energy and Commerce and the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology that changes to the division of authority between NERC and FERC must be forthcoming, and, more importantly, that cyber-related incidents must be publicly reported and investigated, and asset owners and operators must be held financially and legally accountable.
