|
|
|
Before Grid Hack Reports, NERC Advises Industry on Cyber Assets
By: Brian Prince
2009-04-09
Article Rating: / 3
There are 2 user comments on this Network Security & Hardware story.
Before news reports of a hack on the electrical grid in the United States began to circulate, NERC advised the industry to pay careful attention to identifying critical cyber assets. In a letter, NERC told the industry to take a fresh look at their methodology for identifying such assets with a broader perspective towards the consequences to the system if the asset is used maliciously.The day before reports of foreign spies penetrating the
U.S. electrical grid hit the news, the North American Electric
Reliability Corp. advised energy companies to take a comprehensive look
at how they identify critical cyber assets.
The North American Electric Reliability Corporation (NERC) is a
non-profit, international company that works to develop industry
standards as well as improve the security and reliability of bulk power
systems in the United States, Canada and part of Mexico. In a letter addressed to the industry,
NERC Chief Security Officer Michael Assante expressed concern some
energy companies may not have properly identified some assets in a
self-certification compliance survey for NERC Reliability Standard CIP-002-1 Critical Cyber Asset Identification.
Of particular concern are qualifying assets owned and operated by
Generation Owners and Generation Operators, only 29 percent of which
reported identifying at least one CA (critical asset), and Transmission
Owners, fewer than 63 percent of which identified at least one CA, he
wrote.
Only 23 percent of separate (i.e. non-affiliated) entities reported they had at least one critical cyber asset.
While Assante noted the number may be low
because most smaller entities registered with the NERC do not
own or operate cyber assets that would be deemed high priority, he
advised companies to start with the assumption that all assets are
critical and then work backwards to rule them out.
One of the more significant elements of a cyber threat,
contributing to the uniqueness of cyber risk, is the cross-cutting and
horizontal nature of networked technology that provides the means for
an intelligent cyber-attacker to impact multiple assets at once, and
from a distance, he wrote in the letter. The majority of reliability
risks that challenge the bulk power system today result in
probabilistic failures that can be studied and accounted for in
planning and operating assumptions. For cyber-security, we must
recognize the potential for simultaneous loss of assets and common
modal failure in scale in identifying what needs to be protected.
This is why protection planning requires additional, new thinking on top of sound operating and planning analysis, he added.
The letter preceded news reports this week that foreign spies had
allegedly penetrated the U.S. electric grid and left behind programs
that could potentially disrupt the system.
Patrick Peterson, chief security researcher at Cisco, commented that
NERCs risk-based approach to identifying and protecting key parts of
the United States energy infrastructure are sound.
The most critical step to protecting critical assets is to make
sure they are all identified, he said. The critical cyber asset
paradigm is new to NERC's members and the letter clearly states members
need to redo their assessment with a new approach. Starting with the
assumption that an asset is not critical will always tip the scale
especially when staff is ever-busy and faces a deadline. The
letter's request to invert the burden of proof and prove the asset is
not critical will go a long way toward achieving NERC's goals.
|
|
�������x}r8s;�iW1ŋKmiXTF((�ئH�Iҽ�~f�M�JsNl��Df"H$#�I"nZΘ\̦dwꚃ�>}K$w�B}��N��UQR C7((�bP�<�HwO7n[cQ0�R�a���᳙*,�Q � tjGt0]2x�6�k:&o4veki cߨ_�[&``1Z�|R �j��9iݑ |i @I>R(áh]
](
Ѽ��e�MGQR`N
Cw*�Nul9�Q��)+X^DP~�FDM:ǎ-4rwA�̚0/Pcw��Ҵ���v[P�;U�{Q5hw��/E�@^���cBȡ[Boi�=7dc7.���{$�͑�w2K*-a{е�:�9�z�u
v}�j:GJ�73ҧ
}KH;R@}k��y�>5I
i�b�1lp2�JH
n>�, \�ZIa^_y�
yN
�=:t^䖡�_ֽyo@סn}w�d&a-vQKw T6'�>6�L(�|H�Bɤ:�ZdQ}9e,�f4öۢCCٰo�5RrXJyYr_�ӽ�l˙=X8^p?�/Εiѻ]�H�QPw;@
VVa(.:^O.�ac'H
H~7&
LT*jZ*�NL�@aBjL�q9�uz�P��%oFe_�P+).C#-b|+0CF_8ri�OgsK߾ڤ>>;O}1�fPk5M�~"3h
ؕgxg�4X:nNOn9n:'ݛ�9^qŝN4p3
Zʿ�\vO]�SQ?�&�:aZ+}I-IM&!usL
,ߔeBqֿ8'�} ,�-�)Ttܿ��/Rzhf5
t�@C�X&%Ge)"���:u
�P;|sƒNm҄&
�9B:%ϙu(��7�>hr�
Q@e)#8?�݇I��hJq�䨉k>ذ�1�"%��iJyO�Ջ�"�}Et"AͩO�W�%ތ�1E|r'�ef"ȅ�Q.%M���Ć�>L�y%Kuu7p�W-czhNԖڂ1W|{g?/1e�ޡ:it>!e.ڽ^c�8^%g�5F4�i�e4%!�8W5MGVOL絯Tf~X�}U9-z�Qn�ʼnl�:2X�
jXR7HaQ�gt�A`�:)ҧ!>RӚM�CqRO#Gs�>H2胎6mb8�-�"�
,70}HOqI�4 Qx�٭�lE%_�¤�<�)
FA��=H:]6(Z\?`c
V�C@B뎂9��{�ޚB�"�QޒС4�a���q�j =�*~3��=w}
�
�
@�l�߃5�#~[-[�Z6x�O͙A }�(~~9-R���C1��"# E�EK�y3@� $h�-4`��z.��=�
�ŊHݑ�vZ)J��Pl=!ԑt݁Z!4ӇiЈ4XĽǦ�Yguϳ-j�G�r�Ǹ%�q�9an5�ʉ�=Mj=$"�ǰ@7�Z�`N)^HISНj!D�9zѧl�)�s--%ւek{_�No6�ʞ~aXZ
@E�Y
mc-W00^�Ԣ.,P|U$"!�l��siɰC
/0|��MȆТ~چx�T���Sk�u
��
XTM._`�}dҶ9�Mj$٬ X;l d
�A qF�Iݔ`�@GVLl9TZW),֩z@��}&/H{{LM'!�K��|�X[��*���W(
��+�G�е�;ʰw^\�v˖?~F|2^ۄ��歨C�=�1Չf*3�a2�Y6�T�,q�?7:Hy�&
үgjE)jB4�P�/#Y%�/�m0ܑk}>eD�6'#QZ^-B.,g��
\�mpj
\�FZ�.L�AqA02]y�5/r�T~�1,4�ra,1 D��R�5V2Swh�u鯦G�T+�pzNIQ)0�kMxg��9oLq3ۊ��iȈ0Aq�_8R" @�4��
y�� *�Oz� �
[
(h
[zpSE��+n
`bIu?I B�M!rB�3�]==1��挮~`Gt!R_O�aYj8+0ϸo��GN yX '1h'0^)V`@|Y�e_�a>]Ik0 3le`Sxt(�b[7\W4Uud�¹�`����Y���Mt��Ak[�,���0YE,tOhp�
9^R˶SN�jf h�
#!f~�+ˣ��e
֟gi#6�
Ma�FžiJm^R+{9i`6,DlCc$ D!���2!:ѵ�%%�f1N+Í'&Z3c Ҋ�k+4C
�㔁�z3M�dhHwV0o�_�/_qm(}�g^�L̺>~W2ñ"9E]ۏ6WR�=>`
Ti�4_ڂ��Fn�9.^٤�Ĉ�E;@<�uU*)3L=��;LF�;�0\=>w6EN 5#� c��پ�{Q�4dtP.bWa�߇l¼h..]>9lf#<,��hn�͵]
�7f�q�D��v?)%E�z��ԺvťTj��W�HUWt�,,#?�Sq:g?UU�{My�Uf̈*+A�jM�a10r�-wqI E1gS�N�,Yfe�0Lvjj_�aqVZ��U.R`�U!T�P_>yc_7)~�TCykm�{~&K�節e�:T'7-FRV�%fͳII#G.ɢ6A)M`ɒ8�+hs)�sp:'S6PFz�%R�!wi#�yF(#!��w�g�OPlB�=2tbiw�:[+��y6�a2N8[G�ҮIG:��b��F*ݔ[Y�sVR$gI#c/=fQ[E�:Jb{Ix"N=}ym_1_qe�b`��<"�I?;�p@7�|�} �o6eM+v@lkZpW\(2M�5���G�0\�'
�UVگp.g$
�,�$��,tZ<���&MMx)G��A`r0qq3(��-E<9�K�8L
xϰL�ty'JUVqe?s<�c��Sw�Wvv�Z]}��EI2@DJ?%s�?��Ѝ �F)X1&MK�E])w7�)il{ٗN[�/�xńyu�[�t'_u{~{y[;�QA^�vи:`�>*u.O8 C�_>^w?]H6?�pȁ�JM$(��X���,I!s_^Y�{{:9\~;�y��10Z�|/>hQ^�8�돝K%yF;$˶u�߽�o= rH�/;�/�X�F�a9>oC~O�M1+�0fhRb�1fF<$FMT�!PR".5g����|�}X�n�sdQ5Õh�&l揝%/a�
Bf-�3�b!�bN<ޅAPC��{ r
H)'4�-�'yK|*93Ğw[}Lg��!�,�:Ua2"穔(BS.hDO�g4}ܽnqcslo�}AFJN�^v�Z-g[M7S+t,#?]/8�ʊ��=�?E�.��N:|&=Br�^'18�;=h)���I�"21xc�|o}�AZd~n_��eԉ9%2�\@��{6-~=���rv��G�P2)Z�)�IZ[Ũ"
ݖ2`�9s:)�Oz.�p��|Ni+'i^VӲQ6T$��4%�44ҁLN�C]B+d7g�һj]nNpV�H�po6_xvImK$�(:r"kEv�e85(~u�M�H��mQFiIw
3DJ^KkhVˮU^ǂ�?<��)x1� fR�_,�wгO]5bw�|G:Q,gF'q?Imظ�2Ut�3X6
w{�{B�s��?݁CO6v���4wX�]{gE�Ww�N{}d�a�}?H+Fy�c(!�SiR٘NB�ERTUuklko(�b�YpJeOV
;x`�,�hEg��,n���P2Q^;pG %c�cmf�}ݸ;w{f�1vi�nw�P%(b|�AcI�U~(TR�n
νfO�"J鲇\v%��(c|MU^RRMJ>]'k���@" bY_B�IKwvzYV��N
ئw=13�~�O� O=q�Զ١ǎ��X�
?�*�4lo
azW`[ʅ=RH3�a
d�OC%F�euw#�S�'gSc3/HF#xg��O(6-lF�@|P���
;a6
*|�b1�\<�E�) W_M7⎍zkQy{�rx�|SqZ'�+' g|o#&ڿ�
kN���7�_C_b��JKдg=.0(Q�/�4
�K[��^]:lMo
%n!�Щ*Ͷ1.C>˰$7-:U}e_�k+�Y!?qŎtP<+N�9Ս0�qާ�Q�#w/�kpZRO ]
iOuN-c�g�I�t!nY#Ý<;A+*Z�Y7V8P;)��*91$rU�+Iٛ4@�͜�9psE_cy)a[9Q}t&5ccB7!
xI��]]�%.�6dP�R]l!154q�@%-�r;16|p,uYD>*8�F!�g%?�ۊS*ga>NkbSb` �;�Z;pMr-,WxT�tIt+NnnU%!��*ԡ�LivZ\O2�_LygWf9cK�g¿/RE�mσw��ˮ�*�=5bF�&G�!�@m��9$`4U�7q)1h�h�Z#|�8yXTpѤwx?�?�ʞ@m64$�hEkI�ނ6�_w�Z7R;N�"�ys�`l�MP��WsF[5v�VݙmJ ;`HQ�UcbZ:[vR�ج^��#�0]{X60�@'�:'V;"�t>����pL2ª)6�QYTi>�vX6aZ>mÚ˱&z '`K=[�Q-4%Lg�]MRQJ1"�!�H
�h�@�=�6@A-yEJZeS^)�cY(@b+Do �E�R'�y!>�kN|I' �G�&57�S$UMLqOuL']wk*�`Z�VW5�1�p��b-q�f!�IQ7eʋKJ�t�Cep�dz�@Sݶ�>kj\-0UJȰ5FXk$iMQA4�FXko^�
_n��}l(kjQ[2Д5��5�$�̽$ef� зÎ/I9�|*m{CV{1�|�(wR �YbvXx���[oİ�b\vzo^K,gP"`6WҶ���
>30И�_vm.rr?yϤ�4A#|��_��=N`03)8ǣ$ZElȣWSu�,z3�3KWi~�G�xb.I+E�7?>Ds��4*OwiW1�+++++W\m_q*ƥ�R츎�ST�Ʊ��?P;m����f08lp�!�G���Z=��̯8y�1-onv�^0t-�H8N(v7/�U!�"nG�q��(5W�sE�}Hx#کg��?Kу�� Ex:竏Ѝ0]^sM�VF?<0>1�]9"
8�i?�-0ìSJrUf1(�X�S�>��q'Qu�g
SKp)6_i7�+�ȸ�m�å;�DG�O�"��{O�'bc\U^࣋P7�OEM*y�S�p|uU�Fg
PNt:�k%EjygН�;�ߋ�zsqaW�t[ܹ�4IZU|_ڋKۨ_h�T_$;XF̫y$}�q�1�&���1Y|�Gj�w�OQ5FY.fGs�!,*T7|mq?l��
L4.N-£�E���LUo|֊�OZήҳ=��_�@dzgc0Q2,$tIz� i�EO�/
:â?$Lq7�ͦ���l1a�6���uM|l|�#o-?&�u(,�D%|��D~뇺��~��}
jqh!A4�`}*oZ%24:^UP+)�Z�z�ʋzhN�u_�ZהV/`�eE�X�T�uɵF�5��9��>Ϲ,�'c�0/';k0Tr^`}�TXA�,�z 9�T�J:<}Q-mEJ)!g�?9qc0��ǖC0%n4,�1ac:>Ss=E
�0K{EMF^[AO5XtD? 0ډ�J J���3RmF�Ν,X�뛫u��x�,9+9Z`3+nsl+ZKɶ8+YlwNQgg)q8�@�ə莥��ra\t G
Ki�~RJHUTb!oD�~x#nϪ5q5�Tbx�d'�OobD))�m2윶BwG#ˠO�kטP�0eL!F"S��O L-!�H!,�7�\C�P�|,Sw�Wp+T}V7!kj��]=ҁ�`+qܖ.�!ܶir�#:�&|���)::]Б���ߕjmO*IgO.4��}\ ��Pm̼DGRSx�
&�ԛZiӘ̥7b?= θ�8��ǃ""a=X 2>n�de�H��4O8=}D��S��;"�p�77/�9l~��V�14<3�2�aQq�}G4Ns�#a�=��ye1q1U?�fC7,>�1�
>�B$!�i"4oF˞0]$s~�!��g��L-
Dʴ"c�)41GJ["1}ɹ���cMN퓔px�XҚ:�d� k(E�$�A*v#n#BLk4�3D�4kXaL~A_;my^<'^zu|v�0[/� T6CĊ�1�gOiX$_A1J�Bzc��T~�t]\T�P�*@H��>S�|XP؟�S?pk2�ꥦHbmu�~+�g6#p���"(3[��]ă08]S0lOpW'ACju`�b6�\�]:vN���5j'
�P=:Yؽ)s!aZ;:LQIJ�u�XZFB(�s�
V&�H��o�u7@F�`��p���3�W�VjMDO"ӁRs]��j%u\]�㠿YU^&*_9Ӕ^*BI��/ �(HZ�
�W{}G=�`��fڟ�,BuuuvI^ۤw|ݹw}Q֒E�_gn՝ɗesd>�|i5<ח6�xteAN/[�mf(�T3\h�^EqɃw�g;飱8?�/�f5ҝ'Q韯�E_C�ĸҫSeץ?Uz
[''^O˧VRk!?gg:^Z�9v�!xYM�/ǭ��}h�j4=V0<��(�hO1u{qt/ۅfdRRs`__לk(^]~�NmwS_]~�48i�CSi�}>B?'(ShuVwN
IN9?t.sʡ+4/�y�|�9s�_�/�}/r{�ȡ��E�^�^'e�sN�
S~��909{ s#?0~9ׅws�?]/�r�q�WU?9�{9�^�}~��X] S�}y�>�>�oʁor�ڿi�&s$CPʑ�.N�pr+Q�T/ޯ<�4|�sYU�~vïUX^йZ*4�ˑ*Kҿ�2~62A\�wO
aq�ʍz�^S_xڞꖽpLڭe]�9hq_l �^bϽ�s^楽< x�EB+�g�ٔ�@#X{#uO'NW6#�ﹺsd^)Wsr>V=ןbM�edGE⬏G\%�[n3'r��U?�QǒGЬ��]#=D)K�s�e.o� �`r$q =�Pޛ.�v�)�n7�'�pK|���SG0��nsOkz>s<[~r^<^ȬU.�5l�NA�m!O9y}2�o�فOh]��ߒč,y��%�h00(\��?�}x��j'܌3�X�ǟ;/i7�i__�WmЙM�%�Æ>a#^*��B8D�#wo0��H=�?Ѱs�31蘿7CtzsH|3f?�90l��H�͆Rie�jR��ߑJxYGDd�1| ̈ɪ"+uW9
8]�V*r
`"�
*�s>P�`24UF`
Ԋ�z!�J1
=4�`֭tKo1;BDO"O�ӱ7;fCnWeL=eƋ&�æʗጽJ/D�ʑ�$`
�pL\�Psg~� =u]
YI���Sn� aNʬc��6�%`ή�1v�gu̿O6г~pН= ?n
3ɕ@y�
�hbգ�wh9ıPr�O�eL���X!ꞠW��KgD��r&)=tφ����T/ADZe *��3˸ [2lZ jXJr�
9;��!�ɉؼ!ً60BRhfNX?�/�Cܢ|�o�?f*0y.6��Ťe�@�
ż ޙ�n'qgF-̸ƒ_b��|�Ӯk �" >���1&Ơ�ֽ��T#9Zc7X�n`@,o=,6"f/Wܞ3��,
wwV.}�ʅ�Ï �CqzvwұDLܧqg0r&/T�B�#�l}uމ�[{�Id����b2OZ>ಓJ_�`�-+3mS&f%b P|_�|n9�vL��yC͞c�fsH�!L�&l�W�&�%fI'�;-��#%0uo��z{F�$>}T.I
�sE�yב�y,&Jh݄/X�sJ�dB�}�M)o���9eoE52FXk[MA�c>7q�>+s�o�_xc�:�
cT��F\�gȌQ)gƠN� h
km!�t\зkdQ9Hz&z�e x$.7=/k"1��:
gCJ'rBzc{[/EI)�H[QʹT6vm
}c"1b9?���"ㅰx!�ZQy�mcl#Yұ�ߞR
TDO�m+�Ѝ��O|3'�ȱ
ya1 g�{yW=?5j��l�3Ga:9YʐL\kD�I
Ik-.,wv�Ua4,Lb1��"[\'QI�8`R�жX�3��"@a)5|d�n�~ӧ�f<�4W�6IĶq��ytʵ-���˱=�U
.^3Ơ`{e��7��5�SF
%h�2b5��#ʧ3�~q��(X��+n:�'��X;E�B(O}u9rC*gUE�7z_Q}BeFBl4.�$7dzy:�?C[7nyQO'RTFYzhI:v��J]NN:��P7 r�̳��ś|G`bhPlyPVK�G�36HZ�\֓}\/mt�Ǎo=��F駰a9TU>\J�\SK4%X/VgЧTN�&N⇅ �wm&l2)v}mb-c6�C-;�T+��
|
Network Security & Hardware 
