We had a note on the new NERC Cyber Assessment Task Force (CATF) in the Friday News and Notes blog. Here is some more information, along with thoughts based on the PowerPoint from the CATF conference call.

“The primary intent of the CATF is to consider the impact of a coordinated cyber attack on the operation of the bulk power system, and to develop flexible options for detecting, operating, and recovering” (see the task force’s scope document).

The final report is planned for December of this year. “The CATF will recommend solutions for broad implementation across the electricity sector.” There will be weekly conference calls on the document effort, with a face-to-face meeting approximately every quarter.

The CATF will focus on an attack that is designed to take out a large portion of the bulk electric system. How would such an attack be detected? What could utilities do to isolate or counteract a broad impact?

Marc Engels answered the “why not CSSWG?” question:

NERC CIPC did assign responsibility for this effort to the CSSWG. Since I am also chair of the CSSWG, I chose to create a separate group that could focus on the specific goals and schedule required of the CATF while keeping the other activities of the CSSWG moving forward … reviewing and updating existing NERC Security Guidelines.

The limited timeframe and specific tasking of this project are smart. Will the electric sector get anything beyond better-crafted general guidance? Probably not. Committees and task forces rarely generate innovative solutions or new approaches. The result is still likely to be worthwhile given the current cyber incident detection and response capabilities of the majority of the electric sector.

Incident detection and response has been an area of focus for research, with only minor success. There are the basics, like Quickdraw IDS for ICS, which is limited to known attacks, as all signature-based systems are, and a variety of anomaly detection research projects that have not been transitioned effectively to public use. Maybe more than anything, this CATF points out the need for more effective ICS tools for detection and isolation. NESCOR, are you listening? You may have a worthy research goal coming from the CATF.
