The official government cybersecurity standards for the electric power grid fall far short of even the most basic security standards observed by noncritical industries, according to a new audit.
The standards have also been implemented spottily and in illogical ways, concludes a Jan. 26 report from the Department of Energy’s inspector general (.pdf). And even if the standards had been implemented properly, they “were not adequate to ensure that systems-related risks to the nation’s power grid were mitigated or addressed in a timely manner.”
At issue is how well the Federal Energy Regulatory Commission, or FERC, has performed in developing standards for securing the power grid, and ensuring that the industry complies with those standards. Congress gave FERC jurisdiction in 2005 over the security of producers of bulk electricity — that is, the approximately 1,600 entities across the country that operate at 100 kilovolts or higher. In 2006, FERC then assigned the North American Electric Reliability Corporation (NERC), an industry group, the job of developing the standards.
The result, according to the report, is deeply flawed.
The standards, for example, fail to call for secure access controls — such as requiring strong administrative passwords that are changed frequently. or placing limits on the number of unsuccessful login attempts before an account is locked. The latter is a security issue that even Twitter was compelled to address after a hacker gained administrative access to its system using a password cracker.
The report is particularly timely in light of the discovery last year of the Stuxnet worm, a sophisticated piece of malware that was the first to specifically target an industrial control system — the kind of system that is used by nuclear and electrical power plants.
The security standards, formally known as the Critical Infrastructure Protection, or CIP, cybersecurity reliability standards, were in development for more than three years before they were approved in January 2008. Entities performing the most essential bulk electric-system functions were required to comply with 13 of the CIP requirements by June 2008, with the remaining requirements phased in through 2009.
The report indicates that this time frame was out of whack, since many of the most critical issues were allowed to go unaddressed until 2009. For example, power producers were required to begin reporting cybersecurity incidents and create a recovery plan before they were required to actually take steps to prevent the cyber intrusions in the first place — such as implementing strong access controls and patching software vulnerabilities in a timely manner.
The standards are also much less stringent than FERC’s own internal security policy. The standards indicate passwords should be a minimum of six characters and changed at least every year. But FERC’s own, internal security policy requires passwords to be at least 12 characters long and changed every 60 days.
One of the main problems with the standards seems to be that they fail to define what constitutes a critical asset and therefore permit energy producers to use their discretion in determining if they even have any critical assets. Any entity that determines it has no critical assets can consider itself exempt from many of the standards. Since companies are generally loathe to invest in security practices unless they absolutely have to — due to costs — it’s no surprise that the report found many of them underreporting their lists of critical assets.
“For example, even though critical assets could include such things as control centers, transmission substations and generation resources, the former NERC Chief Security Officer noted in April 2009 that only 29 percent of generation owners and operators, and less than 63 percent of transmission owners, identified at least one critical asset on a self-certification compliance survey,” the report notes.
This is particularly troublesome, the report indicates, because entities connected to the power grid are dependent on one another, and “a breach at one entity could potentially have a negative impact on other entities and the power grid as a whole.”
Joe Weiss, an expert on security issues in the energy sector, has been trying to get the industry to address this issue for a while.
“If you don’t have any critical assets as defined by CIP, you don’t have to do anything for cyber,” he told Threat Level. “It turns out that more than 70 percent of the power plants in this country, including nuclear, are not considered to be CIP critical assets.”
In a response attached to the report, FERC chairman Jon Wellinghoff defended the agency’s efforts as providing a “baseline” for cybersecurity. Before the standards were enacted, “there were no mandatory reliability standards at all for cybersecurity,” he wrote.
The report, Wellinghoff argues, “minimizes the complexities inherent in imposing, for the first time, mandatory cybersecurity standards on the diverse entities that make up the users, owners and operators of the the bulk electric system.”
Photo of U.S. grid courtesy U.S. Commerce Dept.
See also
- Feds’ Smart Grid Race Leaves Cybersecurity in the Dust
- Did a U.S. Government Lab Help Israel Develop Stuxnet?
- Report Strengthens Suspicions That Stuxnet Sabotaged Iran’s Nuclear Plant
- Iran: Computer Malware Sabotaged Uranium Centrifuges
- New Clues Point to Israel as Author of Blockbuster Worm, Or Not
- Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage
- Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target
- SCADA System’s Hard-Coded Password Circulated Online for Years
- Simulated Cyberattack Shows Hackers Blasting Away at the Power Grid