http://www.networkworld.com/news/2007/121007-energy-companies.html
By Ellen Messmer, Network World, 12/11/07

In an effort to improve security in the nation's electric power grid, the Washington-based Federal Energy Regulatory Commission is poised to issue new rules to compel energy companies to use practices such as patch management and strong authentication to secure their industrial control systems against attackers, sabotage and unauthorized use.

If FERC at its Dec. 20 meeting approves the so-called Critical Infrastructure Protection (CIP) standards for physical and cybersecurity of the electric power grid, it will flip the switch on a regulatory regime where electric-power companies have to ensure the most critical parts of their supervisory control and data-acquisition (SCADA) systems meet security requirements more associated with corporate computer best practices.

But because many SCADA systems in place today to control the bulk-power grid may not be readily adapted for cybersecurity protection, IT managers at energy companies say they face the prospect of a wholesale replacement of their SCADA systems to meet regulatory goals.

"There are SCADA systems out there for forty or fifty years and they're running fine," says Patrick Miller, chair of the electric-utility user group called Energy Security Northwest, whose membership hails from 20 utilities. The energy companies across the country, he says, expect the upcoming FERC decision to influence whether they will need to wholly replace SCADA systems to meet new security regulations.

Some energy companies say it seems unavoidable. The almost 20-year-old control systems made by Telvent Farradyne, used by the Eugene Water & Electric Board in Oregon to throw switches and move power, are going to be phased out, though replacements haven't been selected yet, says senior security specialist Mark Ellister. "This is ancient technology, you can't patch this," says Ellister.
Power struggles

To add to the anxiety, even as FERC prepares to establish new security rules for the electric power industry, as it must under a Congressional law passed in 2005, it's unclear whether the commission will adopt outright the eight CIP standards that were proposed last year by the organization called the North American Electric Reliability Corp. (NERC). FERC chose NERC to do the job of submitting standards and later start auditing for them and looking for possible violations, which could mean steep fines, over the next few years.

Joseph McClelland, director of the newly formed Office of Electric Reliability at FERC, recently told Congress it may ask NERC to tighten the proposed standards, which as now written allow for some laxness in following them, especially if they're not technically feasible for legacy equipment which can't be upgraded to meet cybersecurity requirements. "If this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid," McClelland told Congress in October.

In addition, the National Institute of Standards and Technology (NIST) is arguing that it should be the one setting the standards. NIST has clear authority to set security standards for both the business and SCADA systems in federally operated electric utilities such as the Tennessee Valley Authority and Bonneville Power Authority, notes Stuart Katzke, senior research scientist at NIST. "The federal ones have to meet the NIST standards guidelines," says Katzke. "They also have to meet FERC's regulations, whatever they will be." NIST wants FERC to approve NIST security guidelines for industrial controls, which are out for comment until mid-December. NIST says its proposed standards are tougher and better than the ones proposed by NERC.

Where is SCADA security?
Caught in the middle of this power struggle, the industry's IT managers say that many SCADA systems in use today, whether based on Windows, Unix or older proprietary operating systems, simply aren't designed to accommodate processes like patch management in the round-the-clock operations of managing the nation's power grid. Plus, giant SCADA systems traditionally aren't just swapped out. "With SCADA, you do it with very small pieces over a very long period of time," Miller says. "It runs the power grid."

Miller says the older workhorse systems and even new equipment seldom meet the high expectations of the eight CIP standards under review by FERC, which may take a hard line in not allowing exceptions. Miller adds he's seen scant evidence that SCADA manufacturers, other than Schweitzer Engineering Laboratories, are seeking to adapt to the new security requirements.

The American Public Power Association (APPA), the Washington-based trade association representing 2,000 publicly operated utilities, supports the security standards effort but hopes FERC will allow a technical feasibility exception for older equipment in substations and generating plants which is incompatible with certain cyber-security measures, including software updates and patches. "Utilities should be able to take advantage of the useful life of existing equipment from a reliability standpoint," APPA said in its official comments to FERC. APPA also noted there are risks with using vendor patches as well as with using software with a known flaw.

Even NERC, whose executive vice president, David Wheatley, testified before Congress in October, expressed worry that promulgating standards for the bulk power system that draw too closely on the standards appropriate for secured business systems "could result in a less reliable bulk-power system, either because of decreased operations or decreased security."
Wheatley's testimony cited as examples how use of password-protected screen savers could block visibility of real-time operations that have to be constantly observed, or how mistyped passwords could lock out access to operations controls. NERC declined to discuss this but said the Congressional testimony reflects its current views.

Allen Mosher, APPA's senior director of policy analysis, said the security standards process is likely to be one that gets updated every three years or so, and the NIST proposals might get adopted over time. Whatever the outcome of the FERC security standard rule-making, there will be a lot at stake as NERC starts to do audits over the next two years or so and reports any security violations and noncompliance to FERC. "Fines could be up to $1 million per day per violation," Mosher concluded.

All contents copyright 1995-2007 Network World, Inc.

Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Tue Dec 11 2007 - 22:31:21 PST