Last week Infosec Island published the article, Report Shows Energy Infrastructure Susceptible to Attack. The article discusses a recent report, The State of IT Security: A Study of Utilities and Energy Companies, issued by the Ponemon Institute.
Did we really need a study to tell us that? Even the utilities themselves acknowledge this. What really caught by attention was this quote from Larry Ponemon:
research revealed that utilities and energy companies in our study are more concerned about preventing downtime than stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization’s existing controls are designed to protect against exploits and attacks through the smart grid.
We should hope that utility and energy companies “are more concerned about preventing downtime than stopping a cyber attack”. A cyber attack is just one of a large number of factors that can cause an outage, and quite honestly most of the other factors are still much more likely to cause an outage than a cyber attack based on historical data.
Running electric generation, transmission and generation is extremely complex. Even the sensors and actuators and data and displays in SCADA and DCS are only a part of it; remember this is a physical process full of interworking physical components that must maintain operation over the long periods of time. The same is true of pipelines and refineries. The complexity of many of the systems is amazing when you are on site, as is the fact that most of them run with little or no availability issues for years.
More attention to DCS / SCADA security and control system IT is needed – – it is what this blog has been about for the last seven years. But when the ICS security community starts thinking that security is THE PRIMARY CONCERN in a control system, we have lost perspective.