The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset owners and vendors. They are so obvious, but many NERC CIP discussions completely ignore these two points that should be the foundation of the discussion.
1. NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems.
And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue whether this was the most efficient way to approach the problem, whether more risk reduction was required faster, or whether the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny that major improvements in the security posture have occurred.
When you go into a network or system that has had little or no attention to cyber security, massive risk reduction can occur with minimal cost or effort. Basic security practices like establishing and hardening the security perimeter, applying security patches and requiring basic security training have a major positive impact.
Most organizations will see by far the greatest risk reduction in the first year of their security program because they can pick the low hanging fruit. So we are seeing the greatest improvement in the cyber security of the electric grid that we are likely to ever see. Can anyone seriously argue that implementing these basic security practices does not significantly reduce risk?
When you start to look at the other requirements such as user management, log retention and monitoring, recovery, … there is a plethora of examples of improved security postures.
2. An attacker may only require one accessible security flaw, the weak link, to compromise a control system
This may be what NERC CIP opponents are arguing: if CIP does not address each and every risk in a verifiable manner, then the system is not secure. True, but we need to think of security from a risk management standpoint, not aim for perfect security that can never be compromised. Perfect security is not achievable, and even approaching it will cost more than the reduced risk is worth.
Most owner/operators are nowhere near that point. There are still many administrative and technical security controls that are needed and that offer easy risk reduction. There is a limit to how many new technical and administrative security controls an organization can incorporate in a year, and in my opinion most of the electric sector is at that limit right now. But in years 2, 3 and 4 we should be seeing, and expecting, continued improvements in the security posture.
Because they are early in their security programs, many well intentioned NERC CIP compliant companies today likely still have some weak links that would not be too difficult for a motivated and well funded adversary to compromise. Given the complexity of these networks and applications, the advantage will always be on the attacker’s side: the attacker may only need to find one flaw or one mistake, while the defender needs to be perfect.
So one of the things the industry is going to need to deal with is the question of what an acceptable level of risk is. But we are probably a few years away from that question being germane. For now we need to do all we can to help the electric sector asset owners and vendors successfully implement the basics and move on to more advanced security controls.