cybersecurity

ICS-CERT Issues Alert on Attacks on SCADA Systems

The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an alert on February 3, 2012, concerning SSH scanning activity that is targeting control systems. The agency states that the alert is being issued to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity involving secure shell (SSH) scanning of Internet-facing control systems.

As recently as this week, ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks. The full alert is available for review here.

House Subcommittee Approves Cybersecurity Legislation, Concerns Remain About Critical Infrastructure Oversight Provisions

On February 1, the House Homeland Security Subcommittee on Cybersecurity approved by voice vote an amended version of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. In keeping with the House Cybersecurity Task Force Report released last year, the bill focuses on improving and incentivizing information sharing between the government and the critical infrastructure on cyber threats and incidents. PRECISE would establish DHS as lead federal agency for the coordination of federal and critical infrastructure cybersecurity efforts, the development of a national cybersecurity strategy, and the formulation of voluntary cybersecurity guidelines.

NERC CIP Version 5 Fails to Pass First Vote

Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The results of the voting have been released, and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.

Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote. 

Version 3 of the NERC CIP standards is in place now, with version 4 approved and awaiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementation of procedures to comply with version 4 would not be necessary. The failed vote brings this possibility into question.

GAO Recommends Better Guidance from Government to Critical Infrastructure About Cybersecurity

A new report by the Government Accountability Office (GAO) recommended that the Department of Homeland Security (DHS) should work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities versus federal government entities.

DOE Launches Electric Sector Risk Management Project

In collaboration with the White House, the Department of Homeland Security (DHS) and electric company senior executives, the Department of Energy (DOE) formally launched a new initiative to develop a more comprehensive and consistent approach to protecting the nation's electric grid. Through the initiative, called the Electric Sector Cybersecurity Risk Management Maturity Project, DOE is seeking to leverage private industry and public sector expertise to develop an adaptable and scalable model for measuring current capabilities and analyzing gaps in cyber defenses. The model will be based on a cybersecurity risk management process guideline developed with public and industry input and finalized in October 2011.

In a statement accompanying the project launch, White House Cyber Security Coordinator Howard Schmidt commented, "This effort will be focused on performance-based strategies and concrete steps to measure progress of cyber security in the electric sector. It is important to understand the sector's strengths and remaining gaps across the grid to inform investment planning and research and development, and enhance our public-private partnership efforts."

A series of workshops with industry representatives is planned for the next several months to draft the maturity model. A pilot program to test the model's effectiveness and validate results is planned for late spring/early summer with about a dozen electric utilities and grid operators participating. Based on the results of the pilot program, a final risk management maturity model is expected to be made available to the entire electric sector in late summer.

Interim Version 4.0.1 of the Cyber Security Evaluation Tool Released

The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has released an interim Version 4.0.1 of the Cyber Security Evaluation Tool (CSET). This new version of the tool can be downloaded from the CSSP website:

http://us-cert.gov/control_systems/satool.html 

This interim Version 4.0.1 release addresses some minor issues identified in report formatting and corrects a problem with Zone Security Assurance Level (SAL) calculations. In addition, this release incorporates a new sub-report to isolate and show user comments in a single location, includes modifications to clarify how firewall analysis is performed, and improves the gap analysis for pass/fail standards.

 

Draft SGIP Document on Security Assessment is Released

In an email to the National Institute of Standards and Technology's (NIST) Smart Grid Cybersecurity Working Group (CSWG), it was announced that the CSWG Testing and Certification subgroup has completed the draft SGIP document, “Guide for Assessing the High-Level Security Requirements in NISTIR 7628, Guidelines for Smart Grid Cyber Security.” The agency released the smart grid security guidelines in the NISTIR 7628 document in 2010, but some utilities have struggled to use the document to create real-world security policies. The guide is written to provide a foundation to facilitate a security assessment based on the NISTIR 7628 high-level security requirements implemented within an effective risk management program.

MIT ‘Future of Grid’ Report Highlights Cybersecurity Concerns

U.S. utilities are building intelligence into their networks with the aim of making power distribution more efficient; however, these efforts are getting caught in a myriad of regulations that leave their security efforts incomplete, inadequate and uncoordinated. According to a new report released by researchers at the Massachusetts Institute of Technology (MIT), a single federal agency should be in charge of the nation’s critical infrastructure security, instead of that responsibility being spread across a group of organizations, as it currently is. The findings also stated that this greater reliance on data communications in the grid increases the importance of standardization for interoperability and of cybersecurity and raises serious issues of privacy. The report also discussed the potential risk factors to the grid from the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy. It largely stated that with the right policy measures, the grid would be able to handle the influx of electric vehicles as well as renewable generation sources including wind and solar.

Industrial Controls Group Releases Version 3 of the Cybersecurity Roadmap

The Industrial Control Systems Joint Working Group (ICSJWG) has created a consolidated, sector-independent roadmap. This Cross-Sector Roadmap was conceived and developed over the last two years by industry and government thought leaders who saw the need for a unifying roadmap to secure control systems across all critical sectors. Version 3 of the consolidated roadmaps is available for download. The document aids entities in creating a cybersecurity plan that incorporates the unique environment of control systems. The document is an excellent addition to a utility’s cybersecurity reference library and is available here.

FERC Has Cybersecurity Problems, Says DOE IG

The commission seeking greater authority over the cybersecurity of the nation’s electric grid has security problems of its own. A recently released audit of the Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program by the Inspector General (IG) of the Department of Energy (DOE) has revealed much room for improvement. While acknowledging that the commission has improved since DOE’s FY2010 evaluation, the audit cited continued weaknesses in the timely remediation of software vulnerabilities and a failure to implement FERC’s own Vulnerability Management Program (VMP) as the reasons for its findings.

The audit stated that “specifically, we noted that 32 of 70 vulnerabilities we identified were rated "high risk" by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division.” Nine of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, and were primarily associated with third-party productivity and internet applications. “All of the "high risk" vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor.”

While FERC budgeted approximately $3.8 million during fiscal 2011 to secure its information technology assets, FERC cited “budget and resource constraints” as the reason for not following its own VMP. In addition, FERC said that some patches were not instituted because of adverse operational impacts. 
