Monday, February 28, 2011

Are the NERC CIPs a roadmap for attacking the electric grid?

By Joe Weiss

The NERC CIPs have a number of characteristics that make them a roadmap for attacking the electric grid.

  • They were developed by the NERC consensus process. The process is long, arduous, and inherently a “low bar”. As a result, the process ends up making things easier on the “attackee” rather than more difficult for the attacker.
  • The CIPs are public and can be easily found on the Internet. Not only are the CIPs available, but so are the discussions behind the development of the CIPs. This is no different than other open standards processes.
  • The CIPs are applied “uniformly” across all electric utilities in North America. What works against one utility can work against multiple utilities. As Mike Assante stated in his recent Senate testimony, the NERC CIPs are static and predictable. This means the CIPs cannot be responsive to newly discovered threats such as Stuxnet. Consequently, a successful, coordinated cyber attack, especially with new threats, is very possible.
  • The CIPs identify what is in scope, but more importantly what is out of scope. This defies all logic for security, as a potential attacker now knows what is left unprotected. The attacker can use the unprotected asset to get at the “protected” asset. So much for securing critical assets.
  • The CIPs provide a timetable for implementation. Consequently, a potential attacker knows how much time is available to develop an attack for those assets in scope. Those assets out of scope have no timetable.

What more can an attacker ask for?

What can the public ask for?
  • End-to-end security of the grid – no exclusions
  • Use available technology to secure control systems and develop appropriate technology where needed
  • Mandate development of control system cyber security policies
  • Regulate cyber security of the electric grid
  • Hold executives accountable
Blog originally published Feb. 25, 2011 by Joe Weiss in Control Global's "Unfettered" Blog
http://community.controlglobal.com/content/are-nerc-cips-roadmap-attacking-electric-grid

2 comments:

  1. This isn't the only thing we should be worried about. A guy named Reza Kahlili was undercover in Iran for the CIA and he has talked to many different people about their plans and what he's been through. I think that people need to prepare for something like this NOW. So many people are unaware. There are so many more ways that we can lose our Power Grid. Anyways, he's going to be on EMPact America on Wednesday the 29th to talk about what he went through and what Iran’s plans are and whatnot. Here’s the link for people to check it out: http://www.blogtalkradio.com/empact-radio/2011/06/29/pvp55--reza-kahlili-author-of-a-time-to-betray

  2. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Anyway, I'll be subscribing to your feed and I hope you post again soon. Big thanks for the useful info. SEO roadmap




