Selected Government Interactions Related to Control System Cyber Security

Slides: 12
Provided by: bobwebban

1
Selected Government Interactions Related to Control System Cyber Security
ISA 2002, October 21, 2002, Chicago, Illinois
Joe Weiss, KEMA Consulting
jweiss_at_kemaconsulting.com, (408) 253-7934

2
The Government
  • National Strategy to Secure Cyberspace
  • Nuclear Regulatory Commission (NRC)
  • DOE
  • National Test Bed Initiative
  • Other Lab Activities
  • NIST
  • PCSRF
  • Test bed
  • DOD
  • EPA
  • FBI/NPCI
  • FERC
  • Legislature

3
FERC
  • Issued Notice of Public Rulemaking on Standard
    Market Design
  • Includes cyber security requirements
  • The wholesale electric market relies on the
    continuing reliable operation of not only
    physical grid resources, but also the operational
    infrastructure of monitoring, dispatch and market
    software and systems. Because of this mutual
    vulnerability and interdependence, it is
    necessary to safeguard the electric grid and
    market resources and systems by establishing
    minimum standards for public utilities that own,
    control or operate facilities used for
    transmitting electric energy in interstate
    commerce as well as entities that use these
    facilities. Finally, when the SMD Tariff is
    implemented, we propose to extend the requirement
    to cover the additional services being provided
    by the Independent Transmission Provider. At
    that time, any customer seeking to buy or sell
    through the markets operated by the Independent
    Transmission Provider or take transmission
    service under the Network Access Service would be
    required to demonstrate that it has a basic
    security program in place. We expect that these
    standards will be revised and refined over time
    in light of changes in technology and operational
    experience with the standards.

4
NRC
  • Order in February requiring some action on cyber
    (interim Compensatory Measures)
  • Completed in August
  • In process of assessing cyber security at
    selected pilot plants
  • Starting 4th quarter

5
National Strategy to Secure Cyberspace
  • Sponsors
  • Critical Infrastructure Assurance Office (CIAO)
  • Homeland Security
  • Status
  • Draft document issued 9/25
  • Input from all sectors
  • Includes control systems
  • Requesting comments
  • www.securecyberspace.gov
  • Electric Industry Sector Providing Comments
  • Technical Issues with Sections Dealing with
    Control Systems

6
DOE
  • Lead agency for energy industry
  • Developing national testbed initiative
  • Issued 21 Steps to Improve Cyber Security of
    SCADA Networks
  • Industry providing comments on document

7
DOE Labs
  • Idaho National Engineering and Environmental Lab
    (INEEL)
  • Joint INEEL/SANDIA National SCADA test bed
  • Large Scale SCADA system testing
  • SCADA/EMS factory assessment
  • National Critical Infrastructure Program test bed
  • Sandia National Lab (SNL)
  • Joint INEEL/SANDIA National test bed
  • SCADA protection profiles
  • Encryption technology
  • Critical infrastructure R&D
  • Pacific Northwest Lab (PNNL)
  • Utility Industry security assessments
  • Control system R&D

8
NIST Process Controls Security Requirements Forum (PCSRF)
  • Goal: Increase the security of industrial
    process control systems through the definition
    and application of a common set of information
    security requirements for these systems (based on
    the ISO 15408)
  • Meeting at ISA 2002
  • http://www.isd.mel.nist.gov/projects/processcontrol/

9
DOD
  • NSA
  • NERC CIPAG support
  • PCSRF support
  • Security R&D
  • Secure Linux
  • IDA
  • Red Teams
  • Other DOD Organizations
  • Supporting Industry Standards Efforts

10
EPA
  • Funding water company security assessments

11
Legislature
  • Has several appropriation bills with respect to
    cyber
  • Control systems not addressed
  • Testimony to Congressional Subcommittees (KEMA)
  • Expect further interest from Congressional and
    Senate Subcommittees
  • Review of Congressional Research Service Report
  • Has serious technical flaws and draws erroneous
    conclusions