A major US energy overseer has been boxed around the ears by a US policy maker over its handling of a vulnerability affecting US critical national infrastructure.
US Representative James Langevin, chair of the House Subcommittee on cybersecurity, took the Federal Energy Regulatory Commission (FERC) to task over its efforts to mitigate a cyber vulnerability known as 'Aurora'.
Aurora is still a proof of concept, but it amounts to using the control systems themselves to physically wreck the equipment they run: the remote destruction of power generation equipment through a cyber attack. It is not an "overload" in the conventional sense; the demonstrated attack used access to protective relays to open and then re-close a generator's circuit breaker out of synchronism with the grid, so that the mechanical stress tears the machine apart.
Langevin's criticism extended to both FERC and the Department of Homeland Security. In a Statement on Electric Grid Cyber Vulnerabilities made to the subcommittee last Wednesday, Langevin said:
"I think we could search far and wide and not find a more disorganized, ineffective response to an issue of national security. Everything about the way this vulnerability was handled – from press leaks, to DHS’s failure to provide more technical details to support the results of its test, to NERC’s dismissive attitude, to the industry’s half-hearted approach towards mitigation – leaves me with little confidence that we are ready or willing to deal with the cybersecurity threat."
"As time passes, I grow particularly concerned by NERC, the self-regulating organization responsible for ensuring the reliability of the bulk power system," Langevin continued. "Not only did they propose cybersecurity standards that – according to the GAO and NIST – are inadequate for protecting critical national infrastructure, but throughout the Committee’s investigation they continued to provide misleading statements about their oversight of industry efforts to mitigate the Aurora vulnerability. If NERC doesn’t start getting serious about national security, it may be time to find a new electric reliability organization."
Langevin also criticised security controls put in place (or rather, not put in place) by the Tennessee Valley Authority (TVA), the largest US public power company. In a report released this month by the US Government Accountability Office (GAO) the TVA was roundly criticised:
"TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures," commented GAO. "Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA’s corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA’s critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats."
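The two findings that matter most in that list are the corporate network being routed into the control networks and the control-side firewalls being "inadequately configured or had been bypassed", because together they mean a patch-starved corporate workstation is one hop from a PLC. The script below, added here as an illustration and not GAO's or TVA's own tooling, shows how an auditor would test for exactly that: it parses a small, constructed rule syntax, evaluates candidate corporate-to-control flows against the ruleset with first-match semantics, and reports every flow that gets through without being on a sanctioned list. The addresses, the rulesets, the probe flows and the "sanctioned" jump host are all assumptions constructed for the example; the weak ruleset reproduces the classic bypass of a blanket allow sitting above the deny.

```python
"""Audit a firewall ruleset for corporate->control-network reachability.

Added example, not TVA's or GAO's code. The rule syntax, the addresses,
the rulesets and the probe flows below are all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (src ip, dst ip, proto, dst port)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                  # "tcp", "udp" or "any"
    port: Optional[int]         # None means any destination port


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed syntax: <allow|deny> <src cidr> <dst cidr> <proto|any> <port|any>.
    Rules are evaluated first match wins, with an implicit final deny."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments and blank lines
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append(Rule(action.lower(),
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False),
                          proto.lower(),
                          None if port == "any" else int(port)))
    return rules


def is_permitted(rules: List[Rule], flow: Flow) -> bool:
    """First-match evaluation of one flow; traffic matching no rule is denied."""
    src, dst, proto, port = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (src_ip in r.src and dst_ip in r.dst
                and r.proto in ("any", proto)
                and r.port in (None, port)):
            return r.action == "allow"
    return False


def audit(rules: List[Rule], probes: List[Flow], sanctioned: set) -> List[Flow]:
    """Return every probe flow the ruleset lets through that is not on the sanctioned list."""
    return [f for f in probes if is_permitted(rules, f) and f not in sanctioned]


# Constructed probe flows from corporate hosts (10.10.0.0/16) into the control LAN
# (192.168.100.0/24): a workstation speaking Modbus/TCP to a PLC, the sanctioned
# jump host reaching the historian database, and a workstation trying RDP to the historian.
PROBES: List[Flow] = [
    ("10.10.7.33", "192.168.100.50", "tcp", 502),
    ("10.10.5.10", "192.168.100.20", "tcp", 1433),
    ("10.10.7.33", "192.168.100.20", "tcp", 3389),
]
SANCTIONED = {("10.10.5.10", "192.168.100.20", "tcp", 1433)}

# Weak ruleset (constructed): a blanket corporate->control allow sits above the deny,
# so the deny is effectively bypassed for every corporate host.
WEAK_RULES = """
allow 10.10.0.0/16   192.168.100.0/24 any any   # "temporary" vendor access, never removed
deny  0.0.0.0/0      192.168.100.0/24 any any
"""

# Hardened ruleset (constructed): only the one sanctioned flow, then deny everything.
HARDENED_RULES = """
allow 10.10.5.10/32  192.168.100.20/32 tcp 1433
deny  0.0.0.0/0      192.168.100.0/24  any any
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        bad = audit(parse_rules(text), PROBES, SANCTIONED)
        print(f"{name}: {len(bad)} unsanctioned corporate->control flow(s) permitted")
        for f in bad:
            print("   ", f)
```

Run as-is, the weak ruleset lets two of the three probe flows through, including Modbus/TCP from an ordinary workstation straight to a PLC, while the hardened ruleset permits only the sanctioned jump-host flow. In practice the probe list would be generated from the asset inventory on both sides of the boundary rather than typed by hand, and the rules would be exported from the real firewall; the point is that "interconnected" is something you can measure from the ruleset, not only a finding you wait for an auditor to write up.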
It's a tricky one, that. I suppose it all comes down to an organisation's appetite for risk, together with a balanced assessment of the likelihood of a successful attack.