Roadmap to Secure Energy Delivery was published for comment. It is a revision of the 2006 Energy Sector Security Roadmap that has subsequently been highly leveraged/copied by other sectors. Before diving into the revised Roadmap, let’s take a quick look at how the community did meeting the original roadmap’s goals five years later.
Original Roadmap Vision: “within ten years control systems throughout the U.S. energy sector will be to survive an intentional cyber assault with no loss of critical function in critical applications.”
Revised 2011 Roadmap Vision: “within ten years resilient energy delivery systems will be designed, installed, operated, and maintained to survive a cyber incident with no loss of critical function.”
By the measure of vision, it looks like we kicked the can down the road five years. However, take a closer look at the 2 to 5 year goals in the 2006 plan, and remember the energy sector also includes oil/gas, not just electric/CIP.
- “50% of asset owners and operators performing self-assessments of their control systems using consistent criteria.” — Yes on the self-assessment, but no on consistent criteria. Still a win.
- “Common metrics available for benchmarking security posture.” — Partial at best. The DoE funded Digital Bond Bandolier project does this for ICS applications on workstations and servers, but this does not cover a system security posture. I believe the goal was to have some sort of objective score reflecting the security posture, which is a hard problem.
- “90% of energy sector asset owners conducting internal compliance audits” — Yes for the electric sector due to CIP. No on oil/gas. Oil/gas are doing a lot of assessments, probably more complete and effective assessments than electric. However true audit is more common in electric because of the CIP regulations.
- “Field proven best practices for control system security.” — Yes. There are a plethora of ICS security guidance documents of varying quality, but plenty of good documents.
- “Secure connectivity between business systems and control systems within corporate network.” — Partial. The firewalls creating the security perimeter are in place so that could be viewed as meeting this goal. All too often the firewall has a porous ruleset that is not following least privilege and allowing significant attack paths. Some owner/operators just identified existing communication and codified that into a firewall ruleset.
- “Widespread implementation of methods for secure communication between remote access devices and control centers that are scalable and cost effective to deploy.” — Yes. Their are both add-on products for deployed systems and security features in new access gateways. NERC CIP was a real driver for these security features as we noted in earlier blog entries.
- “Cyber incident response is part of emergency operating plans at 30% of critical control systems.” — Yes. NERC CIP alone has led to meeting this goal. There may be some concern about the effectiveness and reality of the incident response.
- “Commercial products in production that correlate all events across the enterprise network” — Partial, but closer to no than yes. Our DoE funded Portaledge project does some of this but not close to “all events”, and it is not widely deployed as of yet. Commercial SIEM’s have added little ICS intelligence, with Industrial Defender ICS SIEM probably the most complete.
- “Secure forum for sharing cyber threat and response information.” — Yes. In fact there are numerous forums. The sharing has been underwhelming, but I’m optimistic that the DoE funded organization that EnergySec is running will improve the amount of sharing.
- “Compelling, evidence-based business case for investment in control system security.” — No. Perhaps the biggest miss in all the 2 – 5 year goals. The lack of data makes evidence-based business case impossible at this time.
- “Undergraduate curricula, grants and internships in control system security.” — Yes. The USG has funded numerous programs to accomplish this. Some would argue that curricula has not been achieved yet, but curricula have been in place for years now.
- “Effective Federal and state incentives to accelerate investment in secure control system technologies and practices.” — Hmmm, this is the toughest one to judge. Partial.
There was some clear progress towards meeting the 2006 2-5 year roadmap goals. Not all were met, but it was an ambitious document as roadmaps should be. There were active DoE and community funded efforts to meet each of these goals, so the roadmap served the purpose of guiding where efforts and resources should be placed.
Coming Soon: A review of the changes in the 2011 roadmap.
FD: Digital Bond has research contracts with the Dept of Energy who funded the roadmap development, and Digital Bond has been a minor participant in the revised roadmap.