Setting the Standard
NERC’s new cyber security rules may minimize cost of compliance, but they leave utilities guessing on how to identify risks.
or replacements of legacy control systems?
NERC proposes to change the term “technical feasibility” to “exception for reliability.” That would reflect the overriding industry sentiment that, in comparison to control centers and modern corporate IT systems, many legacy control systems used for field assets (substations, gen plants) employ UNIX programs or pre-Internet, pre-desktop applications that, quite simply, cannot be patched without threatening operations and jeopardizing reliability.
National Grid Attorney Joel deJesus explained the problem in his company’s written comments to FERC: “Most equipment covered by the CIP standards, such as relays and remote terminal units, utilizes proprietary embedded software that has absolutely no common heritage with the typical desktop PC environment.
“Such proprietary and closed environments,” he continued, “often do not include desirable security features (authentication, filtering, virus scanning, logging, etc.) and simply cannot be upgraded to include such features without extensive vendor co-operation and/or wholesale equipment replacement.”
Software engineers voice dismay at such claims. Consider the Instrumentation Systems and Automation Society, now at work on a comprehensive set of cyber security standards (the ISA99 project). The project’s five-man leadership team (four of whom were members of NERC’s standards drafting team) filed written comments at FERC:
“It is not acceptable, in our view, to identify unacceptable risks, and then leave them because the existing equipment cannot be appropriately hardened.”
Entergy offers an interesting solution: It proposes that NERC’s cyber security standards in the near term should apply only to control or data centers, which more likely employ more up-to-date software applications, to allow time for the standards drafting team to better define risk assessment methods for field assets. (Entergy also recommends using the NIST standards.)
Back at National Grid, attorney deJesus sees a hidden silver lining. He notes that the older proprietary software found in legacy utility control systems marks “a positive attribute from a cyber security point of view, in that the ubiquitous malware targeted at the typical desktop PC environment will not function.”
“While it is true,” he says, “that ‘security via obscurity’ is not a sufficient defense, such obscurity is a valuable additional layer.”