CIP: Creating a 'culture of compliance'?
Dave Norton works on critical infrastructure protection for Entergy in New Orleans, and he's concerned about the unintended consequences of regulatory oversight of cyber security.
You may recall we featured Norton's cyber security mantras in a column following the IEEE PES 2010 conference in New Orleans last month. I wanted a more granular picture of the challenges, so I gave him a call.
In our conversation, Norton focused on the industry's perspective on cyber security, security priorities and access points for malicious actors. Naturally, there was more - Norton is engaging and has opinions - but as far as I'm concerned, off-the-record is simply off-the-record.
"What we want is a 'culture of security,'" Norton told me. "But the unintended consequence of mandatory and enforceable regulations with financial penalties for failure to comply gets utilities' legal and compliance oversight staffs involved. This can result in fine-point adherence to the literal language of the standards instead of the spirit of the standards."
"The good news," Norton continued, "is that the regulators got the industry's attention on cyber security with mandatory, enforceable regulations. The bad news is that we've created a culture of compliance, not security. If you focus on the security, you'll be really close to compliance. But if you're focused on compliance, you may not be all that secure."
Norton's version of priorities?
"We definitely have to protect our control centers," Norton said. "We have to use rigorous, current methods to protect 'control host sites' - those data centers where both transmission and generation control systems alike are running. Those are obviously places where we need to expend our energies, because these computing infrastructures are usually mainstream commercial off-the-shelf (COTS) and subject to the same threats as those found on the Internet."
"The second part is the field - the far-flung transmission and, in some cases, distribution substations," he continued. "Transmission is like the interstate highway system, where bulk electricity goes out over a wide area. I'm talking about the central, bulk electrical system core."
"There are three kinds of communications networking used to manage the bulk transmission system," Norton said. "There are the legacy protocol serial lines. Then, we're also starting to put in more TCP/IP [transmission control protocol/Internet protocol] communications networking, which are the Internet protocols that get hacked. The third is dial-up, which is scary in its own way."
"The serial stuff is not readily hacked - one, it's not that easy in a practical sense, and, two, compromising it would have limited impact on grid reliability as a whole," Norton said. "A malicious attack could cause some loss of visibility in limited areas, but that can be easily restored."
"It's all about navigability and 'reachability,'" he added.
"A 69-kilovolt substation in a swamp running TCP/IP scares me more than a 500-KV substation running serial protocols, because the IP communications circuit can provide an attack vector into control host data centers," Norton noted. "It makes a difference what the protocols are. Bad guys don't have to come in through the main gate, they can come through some little access point out in the boonies with a TCP/IP connection. That concerns me a lot."
"Wherever we have the old serial protocols running, there's a risk," Norton concluded. "But that risk is way smaller than anywhere we're running TCP/IP protocols. That would be in the data centers, in the control system hosts, and in any field networking using TCP/IP. There's a genuine threat there. That's where we need to focus our attention and put serious measures in place. No question about that."
Intelligent Utility Daily