As I sit here in blustery Boston taking a break from SecureWorld for a bit, I find myself thinking back to some of the talks given at other conferences this year. I’ve been going over some of the recent talks at RSA and Shmoocon covering ICS security and frankly, I’m not as impressed as I expected to be. Sitting where I do in the industry, I see plenty of cyber and physical risks to the electric utility industry that should be addressed. Waving them off as being less important than squirrels isn’t doing the industry any favors. Now every utility and generation executive gets to wave that article around in the faces of their security team as an excuse to cut their desperately needed budget.
First I want to emphasize that compliance != security; it just means you successfully checked enough boxes to satisfy a regulatory agency. This argument may not hold nearly as much weight as it used to, as NERC CIP, PCI, and other regulatory standards have grown more robust in the last few years. Do the regulations cover enough of our critical infrastructure to protect against a nation-state level attack? I still don’t believe they do. There is little information sharing, and what is shared is often retrospective at best. Regulatory enforcement also has some pretty big holes in it. For instance, how many generators don’t have to comply with any of the NERC CIP rules at all? So why expend a lot of effort attacking the big critical generators directly when you can take all the small guys and black start capacity offline instead? If you overtax the system while it is in a weakened state, it goes offline just as well either way.
Utilities invest heavily in the “walled garden” approach and continue to believe that it will keep out the bad guys. Now there is nothing wrong with this approach in itself, and I actually endorse it for field equipment that lives in substations, control rooms, etc. But you can’t just build a wall around all your internet of crap devices and believe they will be protected. All of the substation equipment I’ve ever dealt with, from the high end to the low, suffers from many of the same defects that consumer-grade internet of shit devices do. And manufacturers have almost no incentive to ship devices that are secure out of the box when they can milk lucrative service contracts out of utilities trying to stay compliant. For those who don’t have the compliance pressure, those devices simply sit unpatched and vulnerable. Nothing will change until security is mandated to be baked in before the unit is sold, and manufacturers are held as accountable as Takata has been for selling faulty airbags.
(Edit 12/29/17 - I decided to post backdated now after finding it in my notes. My opinion remains the same, however, I do believe security is moving to the forefront in the utility space. A great deal of work remains before I would feel truly secure.)