SCADApedia

NERC CIP, Low Hanging Fruit and the Weak Link

The NERC CIP cyber security work in the electric sector has been fast and furious as deadlines approach, as have the comments on the value, or lack thereof, of this effort. I am very confident in the following two conclusions based on working with many of the asset owners and vendors. They are so obvious, but many NERC CIP discussions completely ignore these two points that should be the foundation of the discussion.

1. NERC CIP has significantly reduced risk and improved the security posture of the bulk electric systems.

And if you will excuse the argument by emphatic assertion, anyone who says it has not either does not understand security or has an interest in denying this. It is valid to argue whether this was the most efficient way to approach the problem, whether more risk reduction was required faster, or whether the definitions of cyber assets and critical cyber assets should have been more stringent, but I don’t see how an honest look at the results could deny that major improvements in the security posture have occurred.

When you go into a network or system with little or no attention to cyber security, massive risk reduction can occur with minimal cost or effort. Basic security practices, like establishing and hardening the security perimeter, applying security patches and requiring basic security training, have a major positive impact.

Most organizations will have by far the greatest risk reduction in the first year of their security program because they can pick the low hanging fruit. So we are seeing the greatest improvement in the cyber security of the electric grid that we are likely to ever see. Can anyone argue that implementing these basic security practices does not significantly reduce risk?

When you start to look at the other requirements, such as user management, log retention and monitoring, recovery, and so on, there is a plethora of examples of improved security postures.

2. An attacker may only require one accessible security flaw, the weak link, to compromise a control system

This may be what NERC CIP opponents are arguing: if CIP does not address each and every risk in a verifiable manner, then the system is not secure. True, but we need to think of security from a risk management standpoint rather than aiming for perfect security that can never be compromised. That is not achievable, and even nearing it will cost more than the reduced risk is worth.

Most owner/operators are nowhere near that point. There are still many administrative and technical security controls that are needed and that are easy wins from a risk management standpoint. There is a limit to how many new technical and administrative security controls an organization can incorporate in a year, and in my opinion most of the electric sector is at that limit right now. But in years 2, 3 and 4 we should be seeing, and expecting, continued improvements in the security posture.

Because they are early in their security programs, today many well intentioned NERC CIP compliant companies likely still have some weak links that would not be too difficult for a motivated and well funded adversary to compromise. Given the complexity of these networks and applications, the advantage will always be on the attacker’s side: the attacker may only need to find one flaw or one mistake, while the defender needs to be perfect.

So one of the things the industry is going to need to deal with is: what is an acceptable level of risk? But we are probably a few years away from that question being germane. For now we need to do all we can to help the electric sector asset owners and vendors successfully implement the basics and move on to more advanced security controls.

Comments

Comment from cnioperator
Time: May 29, 2009, 4:11 am

Dale, I like (agree with) your assessment. CIP will make a difference. The sooner the SCADA Security community moves away from throwing rocks at CIP the better (IMHO).

Once the basics are in place via CIP, the real debate should be around “what is an acceptable level of risk?”

Now there’s an interesting discussion.

Who gets to decide what’s acceptable?
A. The owner of the system
B. The government
C. Self appointed SCADA security “experts”
D. other

Comment from Jake Brodsky
Time: May 29, 2009, 7:52 am

With regard to NERC CIP, the standard would have been much better, if only CIP-002 were focused on protecting functionality instead of assets. Most of the other parts of NERC CIP, while not perfect, are reasonable.

As for cnioperator’s view, it’s really not that simple, and we all know it. Deciding what’s acceptable is like deciding what pollution controls to put on a plant. If you leave such things to the owners or the operators of the system, they’ll say they have no mandate to do anything, so they don’t do much. If we leave it to government, they don’t know what’s practical, so all kinds of expensive stupidity happens. If we leave it to outside experts we’ll have a system designed by lawyers.

The key is to have government set a mandate by assigning a responsibility for security. The owners of the system will then take what actions they deem economically practical, and the “experts” will hover around and criticize what they see, hopefully spurring owners into action wherever oversights or negligence have manifested themselves.

Really, NERC CIP is like saying you have to wear underwear to shield your critical assets from public view. It might be OK to sit around in your house in your underwear, but if you expect to go anywhere you’ll have to wear something more appropriate.

Comment from bryan owen
Time: May 29, 2009, 10:12 am

“So we are seeing the greatest improvement in the cyber security of the electric grid that we are likely to ever see”

Perhaps true but I am optimistic the greatest improvements in context of the CIP ‘reliability’ standards are indirect and still to come.

Will it be micro-grid architectures with fewer critical assets or simply fewer vulnerabilities in critical cyber assets…only time will tell.

Comment from Rob Lewis
Time: May 29, 2009, 11:00 am

“the advantage will always be on the attacker’s side may only need to find one flaw or one mistake, while the defender needs to be perfect”

Interesting.

We used this same thought in our National Cyber Leap Year submission to explain how we “turn the tables” and give the advantage to the defender. For those who are not aware of this, this program was a call for research ideas and concepts that would be game changers. See:

http://www.nitrd.gov/leapyear/

Perhaps you will one day see the value of an “injectable” technology that converts existing IT infrastructure into trusted systems/networks with scalable MLS, multilevel integrity and multiple domain separation. The value of this is that it can be placed in key puncture points in the grid to create MLS enclaves. This changes the risk model so that the user knows exactly what is protected and what is not.

As far as cost, implementation and management, all I can say is that we are not talking about your grandmother’s MLS.

Comment from Pan Kamal
Time: May 29, 2009, 9:55 pm

Hi Dale.

CIP 002 could be more prescriptive in terms of what makes up cyber assets and cyber critical assets. Having a tool to do discovery surveys that would deliver a criticality score would remove some of the controversy around the topic.

CFATS does a much better job in that regard. It gets very specific about the assets or entities that need to be included in risk assessments.

Pan Kamal, AlertEnterprise Inc.
