When mischief makers and thugs want to create chaos in a country these days among their first targets are the financial system and utilities. Nothing can bring a nation to a halt faster than a banking system that doesn’t work or a downed electricity network.
Which is why the Canadian and U.S. governments set up cyber infrastructure security programs several years ago to push those sectors into overhauling their security postures. Of course, it can’t be expected that in two or three years all vulnerabilities will have been welded shut, but how much progress is being made?
Not much, according to two recent publications. Last month former U.S. broadcaster Ted Koppel released his book “Lights Out” (reviewed in the New York Times), which argues the U.S. is unprepared for a major cyber attack on its grid. Meanwhile this week, Tim Erlin, Tripwire’s director of IT risk strategy, wrote a column saying the North American Electric Reliability Corporation’s critical infrastructure protection standards (NERC CIP) aren’t tough enough.
However, on this the chief information and risk officer of a major Canadian utility disagrees.
The NERC is a not-for-profit international regulatory authority responsible for assuring the reliability of the bulk power system in Canada, the U.S. and the northern portion of Baja California, Mexico. Erlin likes the parts of the CIP that require inventorying the environment, establishing configuration baselines for assets, monitoring for changes, and centralized log management.
But, he points out, it only requires a paper vulnerability assessment every 15 months; an active scan in a test environment every 35 months, where technically feasible; and scans of new cyber assets before deployment, unless the new asset is a replacement of the same asset already deployed.
“We are, simply, leaving these assets at risk by not scanning them for vulnerabilities on a more frequent basis,” he complains.
Not only that, he adds, “no one wants to scan ICS/SCADA (industrial control/supervisory control and data acquisition devices) with vulnerability scanners because they tend to cause outages.”
However, in an email to me Robert Wong, CIRO of Toronto Hydro, suggests the situation may not be dire. “I do generally agree that NERC CIP is a key standard or framework for electrical utility security, but there are others such as NIST (National Institute of Standards and Technology) SP800-82 and NISTIR 7628 that can be used to augment NERC CIP.”
As for the lack of a requirement for scanning ICS/SCADA devices in production and the inability to scan older devices, it’s good news/bad news. “This provides ‘security by obscurity’ – i.e. it is very difficult to penetrate the physical and unique proprietary design barriers,” he wrote. “However, as part of our current SCADA application upgrade project and using our new architectural model we will be able to scan and patch the production software with virtually no outages. So going forward, at least the software can be scanned and patched on a regular basis like other critical IT systems.”
So no worries for electric utilities? Yes, there are. In a September interview during a conference on critical infrastructure, Wong told me utilities are only “middle of the road” on security for traditional IT systems. “Where we really are behind is in the operational technologies” such as power line relays, monitors and sensors that until recently were electromechanical. Now they’re becoming IP-enabled, but their security isn’t good enough. As a result “we’re playing catch up in terms of cyber security for the critical infrastructure in the grid.”
“We need to get our OT vendors to raise their games and make security a priority in their products.”
On this Erlin agrees. “If you’re a consumer of any system that gets deployed in an ICS environment, you should ask your vendors how they test for vulnerabilities in their own products. Don’t simply accept a rote marketing answer either. Ask about frequency and depth of testing. Ask about how they accept vulnerability reports from other sources and whether they have an SLA around response and patches.”