Dear friends in the electric power industry: this CIP-010 and CIP-011 draft baffles me. I had a heck of a time trying to audit the first one, and this new one leaves me deeply sympathetic toward the poor auditors I left behind (sorry, guys). You have no idea how challenging it is to call a ball or strike with CIP-002 through CIP-009 as an auditor. Well, you might have an idea, because you had to implement it - or should have, anyway. With that, I hope you see my point that inserting additional flexibility and vagueness will only make your job implementing these requirements even harder. It will also make your auditor's job more difficult. These two facts increase your risk.
So, what happens if you get this one wrong? What happens if FERC remands it? Will it cause a ripple effect that could possibly spell the end of the ERO's oversight of security for the industry? Will Congress decide that our industry can't self-regulate, therefore they need to step in and "save" the grid from the cyber-boogeyman? Sure, these are extreme cases but they are still in the realm of the possible. And if we have an incident, think ESA. Remember what happened to the airline industry. You may not be able to enter a substation unless you've gone through a full body imaging scan and your liquids and gels are all less than 3.4 ounces in a one quart clear baggie.
- Define stuff. If you haven't defined your terms, you haven't written a standard. "Annual" is only one of the many words you need to clarify.
- Attackers aren't constrained by budget and time. If we are, they have the advantage.
- Remember Moore's Law. Technology will transform significantly within ten years. Consider more realistic implementation deadlines. In fact, make it simple and give us a single [sane] date.
- Write the standards in such a manner as to eliminate the need for a Technical Feasibility Exception.
- Access points matter. Allowing anything is like saying a shoji screen is equivalent to a steel door.
- Terms like boundary, border, and perimeter are all acceptable. Most professionals know that this means "preventive control." Removing the ESP and PSP language may do more damage than good, despite the pre-existing confusion. Require a perimeter, with a DMZ.
- Low impact systems deserve protection. Packets don't care about arbitrary labels. The way it is currently designed, "stupid" would be a compliant password for low impact systems. Minimize the potential for gaming the system and labeling everything "low."
- Be thinking, with every requirement you construct, "how would someone evidence this?"
Electric sector, just go secure your systems. It will cost you money. It will take time and resources from other projects. Accept it. Embrace it. The sooner the better. If you start securing your stuff now, you will have less work to do when someone finally hands you a security standard. The situation won't get better in the future. There aren't enough security professionals who can spell R-T-U. The Feds aren't going to let sloppy or weak security standards prevail. The economy isn't going to turn around tomorrow with lavish profits to pay for it all. Somehow, you're going to have to find a way to do it anyway. The time is now.
Furthermore, we owe it to ourselves to step this up. We owe it to ourselves to get it right. We are engineers, operators, security professionals and generally very smart people. We can do this. We've solved harder problems before. The reality, however, is that we will only solve problems we want to solve.
Oh, and Hello World. This is my first official blog post.