
Dear friends in the electric power industry: this CIP-010 and CIP-011 draft baffles me. I had a heck of a time trying to audit the first one and this new one leaves me deeply sympathetic for the poor auditors I left behind (sorry guys). You have no idea how challenging it is to call a ball or strike with CIP-002 through CIP-009 as an auditor. Well you might have an idea because you had to implement it - or should have anyway. With that, I hope you see my point that inserting additional flexibility and vagueness will only make your job implementing these requirements even harder. It will also make your auditor's job more difficult. These two facts increase your risk.
So, what happens if you get this one wrong? What happens if FERC remands it? Will it cause a ripple effect that could possibly spell the end of the ERO's oversight of security for the industry? Will Congress decide that our industry can't self-regulate, therefore they need to step in and "save" the grid from the cyber-boogeyman? Sure, these are extreme cases but they are still in the realm of the possible. And if we have an incident, think ESA. Remember what happened to the airline industry. You may not be able to enter a substation unless you've gone through a full body imaging scan and your liquids and gels are all less than 3.4 ounces in a one quart clear baggie.
CSO706SDT, especially after listening to the recent Version 4 Workshop, I implore you to listen to the auditors. They are not the enemy. A few points that bear repeating:
- Define stuff. If you haven't defined your terms, you haven't written a standard. "Annual" is only one of the many words you need to clarify.
- Attackers aren't constrained by budget and time. If we are, they have the advantage.
- Remember Moore's Law. Technology will transform significantly within ten years. Consider more realistic implementation deadlines. In fact, make it simple and give us a single [sane] date.
- Write the standards in such a manner as to eliminate the need for a Technical Feasibility Exception.
- Access points matter. Allowing anything is like saying a shoji screen is equivalent to a steel door.
- Go ahead and call it a firewall.
- Terms like boundary, border, perimeter are all acceptable. Most professionals know that this means "preventive control." Removing the ESP and PSP language may do more damage than good, despite the pre-existing confusion. Require a perimeter, with a DMZ.
- Low impact systems deserve protection. Packets don't care about arbitrary labels. The way it is currently designed, "stupid" would be a compliant password for low impact systems. Minimize the potential for gaming the system and labeling everything "low."
- Be thinking, with every requirement you construct, "how would someone evidence this?"
Electric sector, just go secure your systems. It will cost you money. It will take time and resources from other projects. Accept it. Embrace it. The sooner the better. If you start securing your stuff now, you will have less work to do when someone finally hands you a security standard. The situation won't get better in the future. There aren't enough security professionals who can spell R-T-U. The Feds aren't going to let sloppy or weak security standards prevail. The economy isn't going to turn around tomorrow with lavish profits to pay for it all. The time is now. Grab a spoon and start eating the elephant.
We owe it to ourselves to step this up. We owe it to ourselves to get it right. We are engineers, operators, security professionals and generally very smart people. We can do this. We've solved harder problems before. The reality, however, is that we will only solve problems we want to solve.
Oh, and Hello World. This is my first official blog post.

So, people on the SDT said before, during and after that they want to hear from the auditors re: auditability.
They have heard, and received a standing offer to hear from auditors anytime they want to phone a friend. The team can't say auditors didn't participate or that they're too busy to participate.
Auditors may also throw in a reliability concern or two because, after all, their audit authority under Sec. 215 of the FPA bears directly on matters of BES reliability.
A question arises: Are these standards as proposed a step in the wrong direction, a hint towards "Unreasonable Business Judgment" if you will?
If so, why not consider tuning CIPv3 instead? Those of us with ears in the back of the room heard a lot of whispers in this direction: Tune CIPv3, add additional standards (10, 11, 12, etc.) which enhance protection, reliability, auditability.
Hint: Think Smart Grid, and DP/LSE-specific standards and requirements, giving a hand to the small entities who will have big impacts in the future.
Develop more effective compliance guidance, using best-of concepts from current SDT work (and there are some morsels of improvement to be acknowledged within the present, failed work). Some of the "revise v3 tea party" sentiment actually seems to have some sound reasonable business judgment and economics behind it - referring to the substantial, but necessary, compliance costs incurred to date dealing with three versions of standards which, while not perfect, are becoming known unknowns within the compliance realm.
I think the DT and participants should consider those immortal words from Gene Kranz, said to his team on the ground dealing with Apollo 13: "...Failure is not an option!" - Later, he wrote a book with the same title.
I have no doubt Electric Control Room System Operators around the country have similar stories and the will to offer them in support of such resolve in pursuit of their duties keeping the grid running. In my personal opinion, the 706 SDT should have no less resolve in support of this important effort. Failure is not an option.