U.S. makes securing SCADA systems a priority
Robert Lemos, SecurityFocus 2005-10-28

Wary of the increasing number of online attacks against industrial control systems, the U.S. government has begun a major push to secure the systems used to control and monitor critical infrastructure, such as power, utility and transportation networks.

U.S. makes securing SCADA systems a priority 2005-11-03
Industry Participant (2 replies)
Re: U.S. makes securing SCADA systems a priority 2005-11-18
Bob Radvanovsky
In case you've never read any of the discussion from NERC, NERC hasn't exactly moved quickly either, nor could they simply "stop on a dime". Look at how long it took them to develop CIP-001? Several very long years. I admit that the federal government has been rather lax about the whole thing, mostly because of interests from the various private sectors through lobbyists. There have been LOTS of discussions, but hardly anything has been written down, aside from the "we need to do [this]..." documents. No solutions, just a lot of talk.

IT moves at a rate of about 4-6 months now, and newer technologies, vulnerabilities and risks are showing up weekly, daily, in most cases, hourly. Neither NERC nor the federal government, as a large-bodied entity, can move that quickly to maintain and sustain their levels of security. It's that simple.

Interestingly enough, if you have an organization that is defining a policy, or more specifically, a protocol, how long should that take? Also, look at probably who all is involved, or is typically involved in most corporate environments when it comes to defining policies and corporate protocols/standards: non-technical people. For an IT-related policy, one would think that IT people who are *seasoned* IT employees would be involved in the policy development lifecycle from start to finish, right? Wrong. This isn't always necessarily so.

Case in point, in the past 10 years for companies that I've worked with doing IT security related tasks, not once have I ever been involved in their policy development lifecycle, asked to develop documentation to develop [blah] about [blah], nor asked to even *attend* any of these meetings. The policies were defined by (mostly) managers, some of whom only worked in the IT arena for 3-5 years, or others who haven't been in a technical role for almost 15 years. None of the managers were ever in security, ever worked in law enforcement, or have been in the "new military", nor have any of them ever been a hacker, have a son or daughter who's a hacker, or know what it's like to be "owned". The point that I'm trying to make is that there are people who *think* that they know everything about something, are usually the ones who are the most ignorant of the lot, and therefore, cause the most problems when it comes to "crunch time".

This would lead me to believe that NERC is no different than any other organization out there who have no idea or clue what they're doing, and would rather just see all of this attention focused on them just -- go away -- quickly. Any bets that their CIP protocol documents were developed by non-IT people? Just read them and you'll see.

If SCADA were as important as NERC (and company) would say, why then do we:

(1) continue to have outages relating to "human error" (i.e., sector worker accidentally touches a wire, causing a region-wide outage).

(2) continue to have load issues on most of the circuits nationwide that are at dangerous levels.

(3) continue to have issues with cascade-effect circumstances causing circuits to SCRAM affecting region-wide areas in lengthy outages.

(4) utilize newer technologies without thoroughly testing the impact of these technologies under existing or extreme conditions or circumstances.

(5) utilize current, very outdated technologies with newer technologies and simply thinking that layering technologies upon technologies will solve security issues (idea or notion that if more layering is applied to a given environment, this will make it harder for hackers to penetrate any given system or environment; old comp. sci. rule: "the more layers you add to any given system, the amount of risk is increased by that factor; that is, 2 layers increases the risk 2-fold, 3 layers, 3-fold, etc.").

From the perspective of someone who does not work within the energy sector, it isn't all that obvious to most people if they don't look for it. For those, like me, who are conducting private research about this subject matter, this is a huge, gaping hole staring me down in the face. We have a serious issue, and the net effect is that nobody appears to be doing anything about it. If you simply think that passing a few laws and making it illegal to "digitally trespass" are going to stop hackers, think again. It's sort of like taking action with gun laws stating that it is illegal to possess a handgun in the city to protect yourself -- yet criminals still get guns. How is that? Same rules apply here...

-rad


Link to this comment: http://www.securityfocus.com/comments/articles/11351/32761#32761







 
