After a few days of letting the Congressional hearings on the security of electric sector control systems sink in, here are the three items I found most interesting and important.
1. The fact that NERC previously provided false information to Congress on Aurora mitigation efforts by the electric sector was a huge mistake, whether intentional or inadvertent. Aurora was obviously going to be the main topic of that previous subcommittee meeting so it seems unlikely that NERC could have been unprepared. This only leaves an intention to mislead or a significant blunder, and either the blunder or misleading data allowed Congress to rail against NERC and suggest a replacement organization may be warranted.
On a related note, we are hearing a lot of rumors and stories on the origin and processing of Aurora that are disturbing. It has proven difficult to verify them without signing NDAs, but we are close to completing our fact checking, so stay tuned.
2. Many of the Congressmen and women were clearly fishing for FERC to ask for additional laws and authority to regulate cyber security in the electric sector. Rep. Sheila Jackson Lee was almost begging to be asked to write additional legislation.
FERC appears to have convinced the committee that they are doing all they can and that most of the fault lies with either restrictions on their authority or with NERC.
3. Many of the subcommittee members focused on the need to secure everything attached to the electric system.
This is a very bad idea and flies in the face of Security 101 or Risk Management 101. The approach in CIP-002 to identify Critical Cyber Assets and focus the security protections on these Critical Cyber Assets and other assets in the same security zone is excellent. There could be more description and guidance on the criteria. There could be more rigor in auditing this very important step in the CIP. There could even be more than two categories, Critical and Non-Critical, with an escalating set of security requirements.
The last thing the industry needs to do now is focus precious resources, primarily time and attention, on cyber assets that would have a minimal impact if successfully attacked.
As an IT example, you would prioritize your security efforts on the email server over any single email client. You would focus your security efforts on an e-commerce server rather than an individual browser. In the control system world, you would prioritize securing the control servers that monitor and control the entire SCADA or DCS over securing a PLC with an Ethernet card that provides helpful but non-essential monitoring data.
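To make that prioritization concrete, here is an added Python illustration (not from this post, NERC, or CIP-002 itself) that rates a constructed asset inventory by impact, extends the Critical tier to everything sharing a security zone with a Critical asset, and allows a third tier in between; the tier names, thresholds and inventory are assumptions.

```python
# Added illustration of impact-based asset prioritization in the spirit of
# CIP-002: classify by impact, then let the Critical tier propagate across a
# shared security zone. Tier names, thresholds and the inventory are assumed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CyberAsset:
    name: str
    zone: str        # security zone the asset sits in
    impact: int      # constructed 0-10 rating of impact if compromised
    tier: str = ""   # filled in by classify()


# Assumed escalating tiers (highest first); the post suggests that more than
# the two CIP categories, Critical and Non-Critical, could be useful.
TIERS = [("Critical", 8), ("Important", 5), ("Low", 0)]


def tier_for(impact: int) -> str:
    """Map an impact rating to the first tier whose floor it meets."""
    for name, floor in TIERS:
        if impact >= floor:
            return name
    return TIERS[-1][0]


def classify(assets: List[CyberAsset]) -> Dict[str, str]:
    """Assign tiers; any asset in a zone that holds a Critical asset becomes
    Critical too, mirroring the 'same security zone' rule in the post."""
    for a in assets:
        a.tier = tier_for(a.impact)
    critical_zones = {a.zone for a in assets if a.tier == "Critical"}
    for a in assets:
        if a.zone in critical_zones:
            a.tier = "Critical"
    return {a.name: a.tier for a in assets}


def protection_order(assets: List[CyberAsset]) -> List[str]:
    """Names ordered by where scarce security effort should go first."""
    classify(assets)
    rank = {name: i for i, (name, _) in enumerate(TIERS)}
    return [a.name for a in sorted(assets, key=lambda a: (rank[a.tier], -a.impact))]


# Constructed inventory echoing the post's examples.
INVENTORY = [
    CyberAsset("scada-master", "control-center", 10),
    CyberAsset("historian", "control-center", 4),
    CyberAsset("plc-monitor-only", "substation-7", 2),
    CyberAsset("engineer-browser", "corp-office", 1),
]

if __name__ == "__main__":
    for name in protection_order(INVENTORY):
        print(name)
```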