The DOE's recent audit of power grid security contends that many power plants are slacking when it comes to identifying critical assets, underscoring a key challenge facing risk-based security approaches.
A recent audit from the office of the U.S. Department of Energy's Inspector General painted a not-so-rosy picture of efforts to secure the nation's power grid. But it also highlighted something of a conundrum in the world of compliance: how to take a truly risk-based approach when organizations have an incentive to underreport risk.
Inside the report (PDF), the department states its audit, which was conducted between October 2009 and November 2010, found existing CIP (critical infrastructure protection) standards do not always include controls commonly recommended for protecting critical information systems. But another problem was much more basic: the standards did not include a clear definition of what constitutes a critical asset.
"When outlining what attributes should be considered when proposing reliability standards, the (Federal Energy Regulatory Commission) noted in Order 672 ... that CIP reliability standards should be clear and unambiguous regarding what is required and who is required to comply," the report states. "The Commission noted that such clarity was necessary because users, owners and operators of the bulk electric system must know what they are required to do to maintain reliability. Despite this guidance, both Commission and NERC (Nuclear Energy Regulatory Commission) officials stated that they believed entities were under-reporting the number of critical assets and associated critical cyber assets."
For example, the DOE notes that in April 2009, then-NERC Chief Security Officer Michael Assante reported that only 29 percent of power generation owners and operators, and less than 63 percent of power transmission owners, identified at least one critical asset on a self-certification compliance survey. Subsequent filings by organizations have not shown significant improvement in the reporting of critical assets, despite the fact that those assets could include such things as control centers and transmission substations, the report adds.
"Every so-called risk-based security plan starts with: 'identify your critical assets'," said Richard Stiennon, chief research analyst at IT-Harvest. "This never works in IT organizations because it requires someone to admit that the assets they are responsible (for) are not critical. Of course the DBAs (database administrators) say their Oracle database servers are critical, the e-mail guys say e-mail is critical, the Web team says the Web servers are critical. So you do not get the weighted differentiation you hoped for."
When regulations are involved, there can be the opposite effect, as businesses look to avoid some of the costs associated with compliance, he said.
"If you have to disclose a breach of critical health care information or PII (personally identifiable information) immediately, none is critical," he said. "If you have to archive critical communications, suddenly no communication is critical. This is why regulation based on risk does not work either."