Archive for the ‘Regulation’ Category

NRC v FERC oversight - between a rock and a hard place

Sunday, September 21st, 2008

From Electric Light & Power:
FERC proposes to close nuke cyber security gap

In an April 8, 2008 public joint meeting of FERC and the NRC, NRC staff indicated that the agency has proposed regulations to address cyber security at nuclear generating plants, but raised a concern about a potential gap in regulatory coverage because the requirements will only be directly associated with reactor safety, security and emergency response, and will not extend to power continuity systems.

I’ve pondered the ramifications of this for a while.

One company, two regulatory bodies.

In the end, I believe that safety and security will be the casualty.

Nuclear power generating facilities in the US are regulated by the United States Nuclear Regulatory Commission.

Over the last year, NRC has gotten on the cyber security bandwagon. They have released a draft regulatory guide that, in theory, will increase the cyber security posture of nuclear power facilities.

In the absence of broad guidance, the industry has been operating under a policy developed by the industry, and approved by the NRC as an acceptable approach for ensuring cyber security.

Both these documents (much to my distress) are withheld from public disclosure.

The NRC’s job is to oversee the nuclear fleet (and other non-military nuclear related industry) and protect the public from the potentially harmful effects of radiation. After all, nuclear power plants in the US are using a radioactive isotope of uranium (U-235) as a heat source.

Since safety is the NRC’s primary mission, continuity of power concerns may be secondary.

The Federal Energy Regulatory Commission, on the other hand, is tasked with ensuring the safety, security, and continuity of the power grid.

In non-nuclear facilities, there is not an additional regulatory body concerned with the fuel source. The entire scope of operations falls under the regulatory oversight of the FERC.

The gap in regulatory oversight of nuclear generating facilities lies in the area between those sets of assets that can be considered “safety related” and those that are considered non-safety-related but are important to continuity of power.

And things get really ugly when certain devices play both roles.

And that’s where this ball of wax gets really out of hand.

NRC is developing one set of standards for securing safety systems, and FERC (via NERC) has developed standards to ensure continuity of power.

Anyone who’s made it past basic algebra knows you can’t maximize two variables in an equation. You can maximize safety, or you can maximize your ability to ensure continuity of power, but not both.

Having grown up in Washington, I think I can smell which way the wind is blowing here.

The result will be that many systems will be under the regulation of two different entities, both with competing interests.

In the end, the operator will have to make a choice, and no matter which he chooses, he fails at achieving the requirements of either body.

In this situation, the best the operator can do is shoot for the minimum set of configurations that meets the requirements of both sets of regulation.

I have to tell you, given that we are talking about a nuclear power reactor, I’d rather the operator not skimp on safety to ensure continuity of power.

What should be done?

It’s my opinion, having read the NRC’s draft regulatory guide and spent some time looking over the NERC CIPs, that what we really need to do is take a step back.

I believe that continuity of power is a byproduct of the secure operation of any power facility.

I believe as well that safety is a byproduct of the same secure operation.

That said, I believe that what is best is the development of a set of cyber security policies and procedures that are facility agnostic and that ensure that digital systems within power generating facilities are secured.

Let the chips fall where they may. Implementing such a plan may require major modifications to the regulatory framework, but if it is what needs to be done, it needs to be done.

I can assure you that crackers do not care if FERC or NRC is running the show.

Bill

FERC seeking increased power

Friday, September 12th, 2008

Quoting pieces from PC Magazine’s “Electrical Grid Vulnerable to Hackers, House Told”:

“The harm could extend not only to the economy and the health and welfare of our citizens, but even to the ability of our military forces to defend us, since many military installations rely on the bulk power system for their electricity,” said Joseph Kelliher, chairman of the Federal Energy Regulatory Commission (FERC).

The Energy Policy Act of 2005 gave FERC the authority to approve reliability standards regarding the nation’s bulk power system. But FERC can only approve standards; it cannot actually craft them. That job falls to the North American Electric Reliability Corporation (NERC), which worked with the industry to develop standards it presented to FERC in August 2006. FERC gave those standards its final approval in January 2008.

That type of timeline is acceptable for most issues relating to the nation’s power system, but when it comes to possible cyber attacks, the government needs to be able to act within hours or days, not three years, Kelliher said.

FERC is limited by the paper shuffling and red tape created by the 2005 legislation. If FERC identifies a problem, it can order NERC to develop a solution within 60 days, but Kelliher said he is not sure NERC “could meet this schedule in practice.”

FERC “does not have sufficient authority to guard against national security threats to reliability of the electric system,” Kelliher said.

He said FERC should also be able to compel utilities to make changes, and the commission’s power should perhaps extend beyond the bulk power system, which at this point does not include Alaska, Hawaii, or local distribution facilities, which include major cities like New York and Washington, D.C.

Ok.

So after NERC’s lambasting in front of Congress a few months ago, FERC probably feels like it needs to flex its muscles a little. You know, show us that it’s relevant in the space.

To me this smells of “bureaucrat seeks to increase his power using fear-mongering and scare tactics.”

The problem with granting FERC these additional powers will be obvious to anyone working in a regulated environment. Currently NERC issues standards with which utilities must comply. FERC is now seeking the ability to issue additional regulatory requirements.

You can’t serve two masters.

FERC is seeking these responsibilities under the guise that they need to respond to “urgent and sudden” threats.

But in reality, if they gain this power, it’s my contention that the situation will be worse, not better. An alternate approach should be considered.

So, what constitutes the kind of threat that would trigger a FERC requirement? Would it be the kind of threat that triggered the TSA to stop allowing passengers to carry any liquids on airplanes?

One core problem I see is that rapid, non-vetted changes in a system increase overall risk.

If this wasn’t the case, then why are our bulk power generation facilities setting up sophisticated configuration management (CM) procedures to ensure that their systems don’t move into an inconsistent state without sufficient vetting?

Additional regulation and mandate will not get us to true, lasting security.

The regulatory environment is just plain broken in just about every instance I see. The answer is not more regulation and oversight; the answer is a different approach.

Achieving confidence in the security posture of the electrical grid requires a few simple things that, as of yet, are not done:

  • Define what “a secure grid” looks like. A realistic view can help drive where we want to go. Security for security’s sake is a waste of time, effort, and money. Tell the industry where it needs to go.
  • Build smart, responsible regulation that pushes the industry in a measurable way toward that goal.
  • Develop tools and resources to facilitate this migration. For example, develop generic contract language that companies can use when making software and hardware purchases that shifts the burden of secure product development onto the appropriate party.
  • Develop financial incentives to motivate the change. In the corporate security arena, you see a rapid movement toward data security in the wake of very costly data disclosures. Power operators don’t make money when the lights are out, but you can also incentivize good performance through corporate tax credits for up-time and availability.
  • Foster an environment of open communication where all parties can come together to enhance their practices, policies, and procedures.

The writing is on the wall if the bulk power generation industry does not see the light and start moving aggressively toward showing a significant commitment to security.

Other industries should take note.

Bill

Changing the fate of information security

Sunday, August 17th, 2008

Computerworld Security reprinted a 2003 CIO.com article entitled “2010: The Future of Security.”

While I don’t like articles/news that engage in fear mongering, this article does lay out some likely outcomes of the growing perception of insecurity in computer systems.

I say “growing perception” not to say that things are all fine and dandy in the security arena, but to indicate that the average Joe, and Joe’s elected official, are starting to notice.

Two things I’d like to address.

First, the article cites some work and quotes from perhaps one of my favorite software engineers, Watts Humphrey:

“We’re letting creative artists build bridges,” he says, “then trying to stabilize them with unlicensed laborers while they’re collapsing.”

“I want the technical community to become professionals,” Humphrey says, “to say, ‘This is how we do our job.’”

TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.

Humphrey also has conceived of even more radical changes, including a software engineering curriculum modeled on medical school, complete with professional internships.

Now, I’m not bashing Microsoft here, I’m trying to make a point.  Microsoft engaged in the endeavor to increase their security and reliability because of customer demand.  People got sick and friggin tired of the crap they were being fed for huge cost.

A big driver of this frustration was the infamous BSOD.  The blue screen of death put a tangible face to the problem.

The insecurity inherent in our digital world is mostly faceless.  This fact, in my opinion, will make it harder to get wide-scale changes to happen.

If we want to eradicate the enemy of insecurity, we have to put a face on it…

Second, the article describes how we go from “free and open” to a “police state” very well.  Summarizing:

  1. The first response is litigation.
  2. After litigation comes regulation.
  3. “What follows regulation?” asks Jeff Schmidt. “Standards.”
  4. The final phase of the corrective response to the digital Pearl Harbor will be a reformation, a cultural shift toward better, more proactive security.

But the article fails in taking this picture to its logical end.

I don’t believe 3 and 4 will happen.  What will happen is “governmental oversight” stemming from regulations.

Let’s look at the track record of, say, the TSA. Are we prepared to have an organization like that managing our country’s networks and infrastructure?

Likely, however, we’ll end up there. The sad truth is that the TSA has done little to improve transportation security, and future governmental organizations will be just as ineffective.

But the general public can SEE the TSA, and though they hate it, they are somehow drinking the Kool-Aid and believing that things must be more secure.

The result - why do something else?  “The TSA is there, we’re safe, aren’t we?”

In my mind, that’s the end fallacy of governmental regulation.  It:

  • gives a false sense of security
  • puts organizations in the position where they’ll do the bare minimum to comply

I do believe that government can do things to change how this whole security thing shakes out, but their track record is very bad.

The best thing the government can do, in my opinion, is demand security, built-in, from the bottom-up, in everything they do.  Every contract they develop, every system they buy, every contractor they hire.

The government’s initiative in this arena would give vendors the financial incentive they need to build security into the process.

The effect is that everyone benefits.

Bill