You’ve passed NERC CIP Self Certification but is the GRID secure?

Why the electrical grid is not secure and how to fix it.

Electrical utilities regularly undergo the NERC CIP self certification (NERC CIP is an IT security standard for real time SCADA monitoring and management technology) but that does not mean they are safe.


1. Because their self certification is a point-in-time snapshot and does not take into account how well the IT security policies and procedures are enforced on an ongoing basis, or even whether the documents are written.

2. The NERC CIP standard does not address many security issues. From an executive perspective NERC CIP may seem very detailed, but from the perspective of a technologist it is more of a general guideline.

We know SCADA technology is vulnerable to attack simply by reading reports of Stuxnet affecting thousands of computers. They may not have been NERC CIP compliant, but they certainly appeared to be in a very critical nuclear infrastructure in Iran.

Stuxnet hasn’t taught us anything we don’t already know; it just makes all the concerned folks think about impact. Stuxnet targets Siemens SCADA systems by exploiting vulnerabilities in Windows and by leveraging stolen certificates. The current speculation is that a team of 5-10 experts researched and wrote Stuxnet over a period of months. So the reader may wonder if that sort of targeted, skilled attack is defendable. I say yes.

Even before Stuxnet arrived on the scene, there have been (justifiable) concerns about whether Smart Grid technology will be exploited. According to the proceedings at the Black Hat conference in Las Vegas a few months ago in July, improperly configured Smart Grid technology could provide vulnerabilities for cyber attacks on homes and the electrical grid.

According to Le Xie, an assistant professor of electrical and computer engineering at Texas A&M University, speaking at the IEEE SmartGridComm2010 conference in Gaithersburg, Maryland, hackers could profit at the expense of electricity consumers by influencing electricity markets by making the grid unstable and by causing blackouts. As utilities move over to open communications standards, as part of the migration to the "smart grid," it could get even easier to intercept communications or hack into systems remotely. 

Oh, what are we to do?

Many IT security professionals employed by electrical utilities know, and have known for a long time, what to do. They do not require external consultants to point out all their security vulnerabilities. The real problem is that they generally need larger budgets and the attention of their executives in order to execute. Perhaps with the advent of Stuxnet, executives will be more attentive to their employees’ requests for larger IT security budgets to address:

* How deploying Smart Metering technology may threaten to compromise the SCADA network.

* How to isolate Smart Meter traffic from the SCADA network.

* How to ensure IT security policy is adequately stringent.

* How to ensure IT security policy is enforced uniformly and continuously.

Hopefully there is a bright side to Stuxnet: that executives of Grid utilities will not forget about IT security compliance until their next NERC CIP compliance audit.

Have a secure week. Regards, Ron Lepofsky CISSP,


Copyright © 2010 IDG Communications, Inc.
