Tuesday, May 11, 2010

A Controlling Interest in Securing Utility Control Systems

Energy and utilities control system cyber security expert and firebrand Joe Weiss is making waves again, this time via an interview with CNET in which he describes the current state of progress (and its lack) in this most essential yet often overlooked Smart Grid domain. You see, when word got out that the previously tech-averse utilities were stirring thanks to this thing called the Smart Grid, IT and IT security professionals rushed to sell their services and wares to utilities' IT shops.

Little did they know (and some still don't) that they can market Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Single Sign On (SSO), application firewalls, database security, pen testing and application security testing tools, not to mention NERC CIP compliance tracking and reporting systems and more ... till the cows come home, and still leave their utility customers, and their portion of the Smart Grid, woefully unprotected.

That's because of the other side of the house. You can call it field operations, or use an acronym like OT (Operational Technology); either way, it's a place where IT professionals fear to tread. And for reasons of organizational culture, and because SCADA-based operational systems are so unlike standard IT systems, the IT guys (vendors and utility employees alike) are generally unwelcome outside IT.

Weiss, a one-man army, has been trying to get this message out to government and industry decision makers for years and is starting to make some significant inroads. Here's an excerpt from the CNET piece, though we highly recommend you read it all:
[A] utility's human resources network or their customer information networks are more cybersecure than any power plant, including nuclear, any substation, or any control center in the U.S. [Why?] Because the utilities got together and came up with a set of criteria, called the NERC critical infrastructure protection (CIP) standards. In those standards they input a number of exclusions and allowed them to self-define what would be "critical." NERC has put out emergency warnings on some of the areas that have been excluded, like telecommunications, but NERC CIPs specifically exclude them. Can you imagine doing a cyber assessment of your IT systems and being told "do not address telecom?" Because of the Energy Policy Act of 2005, electric distribution which is the heart of the smart grid is specifically excluded even though the electrons move from distribution to transmission and back. It simply doesn't make any sense.
Here's the full CNET Q&A. And while you're at it, you should read Forrester's take on the CNET-Weiss interview here. It's a little bit utopian in places, but it reminds us that we've been dealing with control systems security for years in other industries, and we like the emphasis on people vs. technology for a change, like here:
Deploying smart technologies is not enough. Take time to redefine existing processes and invest in people’s skills and education. You should invest the time and energy in marketing security and risk measures when deploying smart cities and smarter grids from day one.
Of course, the people Forrester is talking about dwell on both sides of the utility house. And if Joe Weiss had his way, there'd be more of an open floor plan, with security planning and implementation discussions reaching both IT and operations, and vendors and utility professionals alike understanding that their job's not done until they've secured the whole enchilada.

For more SGSB coverage of Joe's work, click here.
