There are at least two holes in the NERC CIP process so gaping you have to suspend belief in order to accept them.
The first is the brightline criteria in general and for power plants in particular. What person with a security background in anything but NERC CIP that would accept a “brightline” approach for cyber security? Cyber threats are communications not size. NERC yesterday filed with FERC the results of the recent survey of the NERC membership. This survey aimed to determine the number of assets owned by NERC Registered Entities that would be identified as Critical Assets (CAs), with and without Critical Cyber Assets (CCAs), under the “bright-line” criteria included in Appendix 1 of CIP-002 in the proposed NERC CIP Reliability Standards, Version 4. There will be 281 units (no nuclear as they are excluded) that will be CAs with CCAs, and 323 units that will be CAs without CCAs. Additionally, there will be 10,309 units that won’t be CAs at all, for a total number of US generating units of 10,913. This means that generating units that will be CAs with CCAs are 2.6% of the total units! Isn’t it comforting to know that hackers won’t go after the other 97.4% of non-nuclear generation in the US even though many are extremely cyber vulnerable and none will have to address cyber security? Last I looked, we need many of those NERC-excluded generation units to provide the the power to keep our lights on.
The second issue is the exclusion of all serial communications, ie, Modbus, RS-232, RS 485, etc. Most communications with field devices (PLCs, sensors, drives, analyzers, etc) are serial and then converted to IP. There are 4 classes of serial communication intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. I will have Dr.Tommy Morris from Mississippi State University demonstrate this at the September ACS Conference. Could you use serial as means to inject Stuxnet – YES!!!
Making exclusions for serial is similar to performing a partial scope or highly restricted penetration test as opposed to a full scope, no holes barred penetration test.
What will it take for NERC and the utilities to notice the emperor wears no clothes?
Joe Weiss