
Friday News and Notes

Of course the big news this week is the Congressional testimony and the more mainstream articles around it. There really isn't any new information in that coverage for readers of this site, but remember that it is not aimed at the control system security community.

  • Here is the link to the witness list, transcripts and video of the testimony to the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology. I promised myself I would not rant on this sideshow, but what evidence is there that ISA would be any better than NERC at writing and enforcing compliance security standards? And while everyone is congratulating each other over the handling of the Aurora vulnerability, don't they realize this is just one of what is, and will continue to be, a large number of control system application vulnerabilities, with the added bonus of a vivid physical demonstration?
  • Ira Winkler wins the award for most inflammatory article of the news cycle with his How to Take Down the Power Grid. It is hard to say from the article whether he dumbed it down for a general audience or whether he knows much about control systems.

Comments

Comment from Jake Brodsky
Time: October 19, 2007, 10:36 pm

Would ISA be an improvement over NERC? I think so. I believe the ISA would have a broader view than just the electrical sector. Many other sectors, such as oil and gas pipelines, water utilities, factories, and so on, would want to participate. The inclusion of industrial users would force the reliability and security issues to be more pragmatic than an organisation that listens strictly to electric utilities.

Furthermore, these standards, once they are applied, will propagate very rapidly to other industries, warts and all. For example, take the FDA's Part 11 regulations for database design. The SQL databases we use in the water utility match those FDA standards. Why? Because it was first. Someone wrote software for it, and now many other industries also use it, whether it's a good fit for them or not. (I happen to think we'd be better served with flat time and value CSV files and a series of signatures to indicate provenance, but nobody asked me.)

Already the AWWA is seeking to copy many of the existing electrical utility practices for security. Would the NERC CIP be a good thing to copy? I don't think so. Were that made law, we'd have a situation WORSE than the uncertain situation we have now. We'd have certain exclusions that would be perfectly legal. You could drive a truck through these exclusions. Better to have people uncertain than to remove any doubt by enshrining this head-in-sand approach to security into regulation.

People often say not to make good the victim of better. Well, the NERC proposal ain't good. It deserves to fall on the floor. I don't expect security regulations to be perfect. However, the NERC proposal has so many holes, I can't imagine that writing patches on a framework such as this would be easier than starting with a clean sheet of paper.

Just one frazzled engineer's opinion…

Comment from Ron Southworth
Time: October 22, 2007, 2:10 am

What I see as being the issue is the same as Jake, where other industries (non-energy) voluntarily seek compliance with this standard.

It will be interesting to read the findings from this latest congressional enquiry. I am also curious as to what happened to the release of the Browns Ferry enquiry!
