NERC’s June 2, 2010 report identifies potential paths to destruction of our North American Electrical Grid (www.ere-security.ca and http://www.nerc.com/ ). These paths include co-ordinated cyber / physical / blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.
In my opinion, while NERC (North American Electric Reliability Corporation, www.nerc.org ) has managed to accurately identify real security risks, it has missed the main point.
Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2005 ( http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003 ). And yes, the NERC CIP 01 – 09 security standard (http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html and http://www.nerc.com/page.php?cid=2|20 ) for the real time monitoring and management of electrical grids is an important and meaningful tool for making our grid more survivable, robust and secure.
However, the fundamental recommendation of the report calls for better co-ordination between US power-grid providers and the government. To me, government co-ordination is an oxymoron. We can all see how well government co-ordination is working on the Gulf Oil Spill.
To rid the nation of electric grid gremlins, we don’t need cooperation, we need a bigger stick.
I think the path to grid deliverance is for the government to replace co-ordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.
Expensive penalties might get utility executives to take their security risks more seriously, and maybe start by addressing the “here and now” concerns expressed by their own SCADA IT security staff. We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating these risks.
So perhaps the time is right to raise the potential downside cost of a security event to include a serious financial penalty. Then executives can re-evaluate their security ROI business cases to include the new downside penalty.
In our security auditing experience with electrical utilities, we have identified lots of security threats and vulnerabilities which could be turned into disasters by very low-tech and unsophisticated means. Terrorists, solar events, and pandemics are not even remotely required in order to exploit very commonly found weaknesses. Somebody with a six-foot ladder and a laptop could potentially do just as much damage.
The solution to this problem is to sufficiently fund the security programs at the electrical utilities so their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP 005) and Sabotage Reporting (CIP 001).
While it’s very exciting and stimulating to think how our electrical grid can be brought down by behemoths of nature and by evil people with malicious intent, the reality is our grid is susceptible to the most simple of gremlins.
Maybe it’s time to think again.
Have a secure week.
Ron Lepofsky, CISSP, B.A.SC. (mech eng)
President,
ERE Information Security and Privacy Auditors
I think the real time monitoring and management of electrical grids is an important and meaningful tool for making our grid more survival robust and secure.
I’ve recently started a blog, the information you provide on this site has helped me tremendously. Thank you for all of your time & work.
Thank you all for your comments about my article about securing the nation’s electrical grid. Much appreciated. Regards, Ron Lepofsky CISSP
You have explained everything in an easy way so that anybody can understand easily. Nice post.