Wurldtech and SANS SCADA Summit 2008

Last week, we had the opportunity to attend the SANS SCADA 2008 Summit in New Orleans. As my first trip to New Orleans since Katrina, I felt like so much of what we were hearing was overshadowed by the utter failure to properly handle disaster recovery in this city. Today, much of the city still is vacated, businesses boarded up, houses empty, and little being done in many areas to rebuild. Such a shame.

The summit, however, was a decent enough event. Attendance was high with lots of government and asset owners. While it would still be nice to see more asset owners and more advanced security discussions, these shows still do offer benefit to repeat or first-time attendees. Several key items came out of the meeting, notably the announcement of FERC’s acceptance of NERC CIP and the announcement by a member of the US CIA about successful hacking against power infrastructures outside the US. I’ll deal with this first.

The CIA announcement I found personally to be woefully underpowered. Telling the audience of successful hack attacks is old news, even if they clearly state that power was lost through these extortion attempts. Notably absent are any details useful to an asset owner or vendor about what to go “do” about security based on these events besides general and well-known guidance. I am also aware of at least two similar extortion attempts in the power industry in the US as well, but they weren’t even mentioned. While I am grateful members of the US government are willing to stand up and mention such issues, I am frustrated that they still continue to keep any useful information under wraps. It is not enough to tell us what we already know. If we know the attack profile, we can plan for it, create risk management plans, and technical mitigation strategies. Hopefully we will start to see more meaningful data in the near future.

As for the FERC announcement… For utilities that were in a “wait and see” mode, thinking that NERC would be overhauled or thrown out, it’s time to pay attention. FERC has accepted the NERC CIP documents as written, and confirmed the original timeline for NERC CIP compliance. They did provide some caveats that will be released at a later time, but these will be in REV 2 for NERC CIP and the existing documents stand as they are. I spoke with a member of the NERC CIP team today and he indicated that the team has been waiting for this approval, and now REV 2 will probably start.

I applaud this decisive move from FERC. While I have often said that NERC CIP is not a complete picture and insufficient for an overall security program, I am still a supporter in that it does provide some decent guidance and is at least a great first step for an organization with little past focus on security. With FERC accepting the documents as written, now utilities can start focusing on implementing these documents. Most companies I have seen implement or audit for NERC CIP have at least raised awareness, which is great for starting the process. Bravo FERC, and we look forward to working with utilities in NERC CIP compliance!

To learn more about the SANS SCADA Summit 2008, please visit: http://www.sans.org/scada08_summit/.

To view more information on the CIA’s announcement, check out: http://www.informationweek.com/news/showArticle.jhtml?articleID=205901631.

For additional details on FERC’s announcement, visit: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp.

- Bryan