Having just returned from the ICSJWG meetings in Idaho Falls and the Applied Control Solutions Control Systems Cyber Security Conference two weeks ago in Bethesda, I have a number of observations. ICS cyber security is getting more attention. This is a positive. However, what was evident from the ICSJWG meeting was that many of the attendees (government and industry) were from the IT, not control systems, community. This slant led to many of the discussions focusing on Windows, Internet, and IP issues. It also led to a number of assumptions made by numerous speakers and attendees that were NOT accurate:
The primary ICS cyber threat is connecting control systems to the Internet.
Maroochy, Bellingham, Browns Ferry, Hatch, DC Metro, Florida Outage, and other major control system incidents (also including Aurora) did not involve the Internet. These incidents caused major outages, shut down nuclear plants, and killed people. The focus on the Internet is an IT problem. Why isn’t there a focus on the field devices - that is where you go “boom in the night”?
Forensics are available to identify ICS cyber incidents.
Forensics are not available for the field device level. They are also often not adequate at the control network layer. There were two recent power plant control system incidents with new control systems from two different suppliers. The logging was not adequate to identify who or when. As a corollary, none of the more than 140 control system cyber incidents in my incidents were initially identified as cyber. It was also interesting to see the DHS Cyber Threat presentation where a timeline and list of major ICS incidents were presented. DHS identified 13 major ICS cyber incidents since 1990. I have identified almost 90 major and moderate (I don’t want to get into a discussion of the distinction between Major and Moderate) since 1990. Quite a difference, isn’t there?
If you lose SCADA, you lose power.
At the ICSJWG, I mentioned that a utility had their SCADA system targeted and lost SCADA for 2 weeks. They did not inform law enforcement or the ES-ISAC because they didn’t lose power. That was a revelation to a number of the attendees who equated loss of SCADA with loss of power. In fact, the Florida Outage was initiated by SCADA operations, not loss of SCADA operations.
Cyber incidents such as Hatch Nuclear Plant shutdown were design-up “screw-ups”.
The Hatch incident did not violate any IT security policies. The design that led to the shutdown was prudent when it was originally designed, not after modern networking connections were made. This same concern has occurred in many other non-nuclear facilities. Engineering design needs to keep pace with modern communications design.
Meeting NERC CIPs will protect the electric grid.
Many utility and vendor personnel at ICSJWG were focused on meeting the NERC CIPs, assuming that would make them secure. There are several fallacies with this assumption. CIP-002 has critical exclusions such as no distribution and no telecom that keep any utility from actually being secure. Additionally, utilities are still playing games to minimize what they consider Critical Assets.
Classified briefings will provide actionable information.
The corollary is that without the classified briefings you won’t have the actionable information to protect critical infrastructure. Both are true and false. It is important to know the threats. However, it is just as important to know the vulnerabilities. Many, such as the key vulnerability exposed by the Florida outage, could easily result in a loss of the North American electric grid for an extended period of time without requiring nation-state capabilities.
IT cyber security experts are also control system cyber security experts.
At the ICSJWG, there were too many presentations and discussions by IT personnel who really didn't understand the real differences and fundamental needs of control systems. Additionally, I saw the latest posting from Nancy Bartels on the ControlGlobal Unfettered Blog on “must see TV”. Matt Luallen’s biography is given. There is nothing in his biography that even hints at industrial control system expertise. I should also mention that Jon Stanford, the Chief Information Security Officer for the Bonneville Power Administration, and I submitted an abstract for RSA last year: “Critical Infrastructure Protection - Why We Need Both IT Security and Control Systems Expertise”. The abstract was not originally accepted. Contrast this with the interview Walt Boyes did with Bjorn Gudehus, a senior security advisor with Bell Canada, who spoke at the 2nd Annual Critical Infrastructure Conference in Calgary on Sept 28, 2009. Gudehus’ paper was titled “Control System Security: Corporate and Control Resources Working Together.” You can listen to the podcast at http://www.controlglobal.com/multimedia/2009/ITSecurity0910.html. We need more people with Gudehus’ experience in both control systems and IT.
Oh well, more of the same.
Joe Weiss