The Emperor Wears no clothes - the NERC CIP process

July 8, 2011
There are at least two holes in the NERC CIP process so gaping you have to suspend belief in order to accept them. 
There are at least two holes in the NERC CIP process so gaping you have to suspend belief in order to accept them. 
The first is the brightline criteria in general and for power plants in particular.  What person with a security background in anything but NERC CIP that would accept a “brightline” approach for cyber security?  Cyber threats are communications not size. NERC yesterday filed with FERC the results of the recent survey of the NERC membership.  This survey aimed to determine the number of assets owned by NERC Registered Entities that would be identified as Critical Assets (CAs), with and without Critical Cyber Assets (CCAs), under the “bright-line” criteria included in Appendix 1 of CIP-002 in the proposed NERC CIP Reliability Standards, Version 4. There will be 281 units (no nuclear as they are excluded) that will be CAs with CCAs, and 323 units that will be CAs without CCAs.   Additionally, there will be 10,309 units that won’t be CAs at all, for a total number of US generating units of 10,913. This means that generating units that will be CAs with CCAs are 2.6% of the total units! Isn’t it comforting to know that hackers won’t go after the other 97.4% of non-nuclear generation in the US even though many are extremely cyber vulnerable and none will have to address cyber security?  Last I looked, we need many of those NERC-excluded generation units to provide the the power to keep our lights on.
The second issue is the exclusion of all serial communications, ie, Modbus, RS-232, RS 485, etc. Most communications with field devices (PLCs, sensors, drives, analyzers, etc) are serial and then converted to IP. There are 4 classes of serial communication intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. I will have Dr.Tommy Morris from Mississippi State University demonstrate this at the September ACS Conference.  Could you use serial as means to inject Stuxnet – YES!!!
Making exclusions for serial is similar to performing a partial scope or highly restricted penetration test as opposed to a full scope, no holes barred penetration test.  
What will it take for NERC and the utilities to notice the emperor wears no clothes?
Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...