April 11th, 2003, 10:54 PM
NERC Proposes Mandatory Security Standard
An article on SecurityFocus discusses the issues with the North American power grid and its susceptibility to a cyber attack. After a major blackout took out electricity to 30 million people in 1965, NERC (North American Electrical Reliability), a non-profit group, was formed to guarantee that it didn't happen again.
The government has proposed imposing security standards, but NERC stepped in hoping to keep the mandatory standards in the family and keep the government out of it.
"They've added requirements for compliance monitoring, with sanctions for noncompliance."
Full Article: Sparks over Power Grid Cybersecurity
That worries Kenneth Hooper, a protection engineer at NB Power, an electric company serving the Canadian province of New Brunswick. He says mandatory continent-wide security measures are too blunt an instrument for the job.
I don't personally feel that the government should impose *mandatory* standards, but you have to start somewhere. This is an industry self-regulating rather than having the government step in, but it's close to the same.
I don't think it's unreasonable, though, for this organization or the government to establish mandatory minimum baselines. If not them, then who? Someone has to set the baseline and establish a standard by which to measure others. If an electrical company failed to execute minimum reasonable security precautions and caused a portion of the power grid to crash, I think they should be held accountable.
I am not 100% decided, but I tend to lean toward corporations and ISPs being held accountable for not taking basic security precautions if their networks end up propagating the next Nimda or such. The question is: who gets to decide what the minimum reasonable requirements are? Who will pay the costs to bring things up to the minimum baseline? Who will police the world and impose the penalties?
April 11th, 2003, 11:07 PM
Take a look at the actual standards that they are recommending. While they might be better than nothing, I feel that they are pretty loosely defined. Also, at this time, the "sanction" consists of a letter stating that you are not in compliance.
I see the NERC standards as an interim stopgap until the more comprehensive FERC standards (another energy-sector regulatory body) are adopted in the next year or so.
You can get the text of NERC Urgent Action Standard 1200 - Cyber Security on the NERC Standards site.
If you look through this you'll see that it's a lot less stringent and detailed than say the HIPAA standards.
For what it's worth, if a power company did not exercise due diligence and an incident occurred causing an outage, I strongly suspect that the repercussions would be severe for that company. Between a bunch of governmental and industry regulatory bodies looking for a scapegoat, loss of consumer confidence, and loss of investor confidence, I believe you would see a real messy situation for that company. I would guess that the companies know this already.
April 12th, 2003, 02:10 AM
AZ - I agree with most of your points.
I wasn't necessarily saying that the NERC standards were too loose or too strict. My intention was more to raise the philosophical question of whether there should be imposed standards, how we decide what those standards are, and who the governing body of the standards should be.
While there is choice in theory, to my knowledge I don't have options for electricity. If Detroit Edison crashes the power grid I can be one pissed off customer, but I can't go to the competition so they don't really need to care what I think.
But, on the larger issue of standards in general, or minimum acceptable security measures for corporations, I think it's theoretically a good idea and it would be nice if a recognized governing body would put out guidelines to establish a baseline. I have seen the NSA docs mentioned here a few times and those are pretty good (although many seem to distrust them because of their source :-) ).
Then there is the problem that even if corporations followed standards and met minimum guidelines there are millions of broadband home users connected 24/7 with no concept of security.
April 12th, 2003, 03:30 AM
Well, the utilities are a rather different breed. They have state and federal oversight. Additionally, as you noted, they have a relatively high level of self-regulation within the industry. Each of the participants in the electric grid belongs to a regional authority or ISO that kind of oversees the grid.
I agree that regulations are a good thing in principle, but can be hard to implement in practice. I'm hoping that some of the newer government/industry joint programs pick up steam. I think that's going to be the best bet in the long run for guidelines or standards for the private sector.
Some of the hurdles:
-Not every company in a given industry runs the same way.
-Requirements or guidelines are good to specify a general requirement but should be structured to prevent identifying only one solution to achieve that requirement (i.e., it is very good to say there is a requirement that all data transiting a public network (internet) should be encrypted to a minimum of x. It would be bad in my opinion to say that all data transiting a public network should be encrypted using Joe's Encryption Software). I think there is some security in having a heterogeneous approach to systems.
-There is a cost associated with having security and with not having it. Unfortunately, I think that smaller shops and companies struggling to stay alive will always cut corners due to economic realities. This is good in that maybe they will be able to keep making payroll, but it is bad in that the network is to a great extent only as strong as its weakest link. I know a couple of hospital IT guys and they have had some headaches trying to figure out how to foot the bills for HIPAA. It's not just new technology but auditing, consulting, design, plus hardware, software, remediation, training...
-We are getting into the realm of liability. Not only criminal, but civil. Take a good look at the medical profession with malpractice insurance costs. I have already seen some companies offering "cyber" insurance. What happens when your company is used to stage a DoS attack on my company? You have followed best practices, but you got caught, compromised, and used. Now my lawyer is going after you and your insurance company. Ugly, ugly scenario. That's probably the day I pack it in and go open a bait shop...
-As you mention, there are an ever increasing number of broadband SOHO users. What about them? If I am running Kazaa and IM and leave a PC up 24/7 and it is used as part of a zombie net to target you, am I to be held liable? What if I'm a single mom who just didn't know better? What if I'm in Mexico City or Baghdad? National borders and jurisdictions don't really pertain so well on the net. Yet there is no less threat posed by my unsecured PC in New England than by some guy in Peru.
-What about the ISPs? My cable bills at home and bandwidth costs at work continue to escalate. What about looking at the carriers? Architecturally it's not something that would be easily accomplished right now, but since we're talking about replacing BGP and moving to IPv6, why not fix that too? The best place to limit DDoS and worm activity is at the major junction points, which are the carriers. I'd be much happier writing the bigger check each month if I actually saw some increase in service and/or technology from the providers.
Just some thoughts to think and/or comment on. I think we're on the same page here.