Monthly Archives: August 2011


Hello everyone.

Just a quick entry this week to bring to your attention the fact that our last webinar Q&A went too long for the time slot so we compiled all the Q’s and lined them up with nice A’s to share with you.  The document is now live and ready for download.

Remember please that the answers in the document are based on a combination of current standard language, our attendance at drafting meetings where we see what is discussed at length (or not), as well as personal and professional opinion and interpretation.  What is written in this document should be treated as guidance, not gospel.

I did notice that there are common themes among the questions.  There are a number that have to do with classification of sites and systems, which of course equals amount of effort or scope.  There are the obvious questions about specific controls (like AV or not AV but then what?) but there are also a lot of speculative questions like “will version 4 ever be applied” or “will the bright line criteria change”, etc.  To me, these point to a perspective of trying to stave off or avoid the standard as much as possible.

To that end, I have two questions for you and want to hear your thoughts.  The first is: what is your biggest concern with having to comply?  Is it the monetary cost?  Is it on-going administration once implemented?  Is it staffing levels?  Management support/buy-in?  What is the single biggest obstacle?

Second question:  Would you like to see a webinar whereby we run a number of scenarios through the current, proposed classification process in v5 to see what is in/out of scope on the other side?  And if you do, what scenarios would you propose?

Looking forward to hearing from you all.  Have a safe long weekend!


August Grab Bag – Recent updates and Information Sharing: Accuracy versus Speed

Hello all.

First and foremost thank you once again to all who attended our latest NERC CIP webinar.  This time around we had Tom Alrich and Donovan Tindill go over a number of the more significant proposed changes in the current v5 effort being undertaken by the SDT.  If you want to download the recording it is now posted.  We also released the latest of our ever-popular open letters, which are a little more detailed (and opinionated!) but are ready now too.  There are three of them but they link to each other.  Just start with the first one and follow along!

Now to my topic of the day.  Recently I have seen a number of discussions about the need/desire to share information.  For those of you who have been following for a while now, you will remember we once wrote about the HSIN, which was attempting to provide an information-sharing website.  I liked the idea but questioned its ability to be successful.  Well, it would seem we are still where we were then: there is still a great need/desire for information sharing and databases of information, but the progress in pulling them together (or in enjoying their success) is mixed.  Recently Langner posted on his blog about the recent ICS-CERT report regarding the Beresford vulnerabilities and his observations about its accuracy.  Given his choice of sub-title (“Flawed Analysis, Misleading Advice”) you can guess what he thinks of the effort.  Joel Langill then offered an entry where he discusses some of the specifics of Langner’s article. Joel is in agreement with Langner when he states that he is “…a bit disappointed in how ICS-CERT is handling these reports in general especially in the way of offering sound, practical, ICS-based guidance on dealing with these threats.”   Both Langner and Langill are very good at what they do and their technical analysis is certainly fair.  What about their shared disappointment with the accuracy of the ICS-CERT effort?

This, to me, is the crux of the debate, and the burning question is:  What is more important: speed and breadth of communication or technical accuracy?  Anyone who has taken Project Management 101 will tell you everyone wants things cheap, fast and of high quality.  Well, you can only have 2 out of 3 (or sometimes only 1)!  In this case we have speed, accuracy and confidentiality.  Which 2 out of 3 are most important to you?  For those who support efforts like HSIN, the speed of communication and awareness of emerging threats is potentially most important.  For ICS-CERT (which is not intended or structured to be real time) accuracy is most important.  And for those who are members of the RISI, confidentiality is potentially top of the list.  (It certainly was a HUGE concern for the industry efforts I have listened in on.)

So what do you think?  It apparently can be done.  The DoD has found a way and is looking to expand it.  Anyone care to weigh in on how the DoD values accuracy over expedience?  Let me hear your thoughts!


Update from the field – Latest from the SDT meetings

Good day everyone!  Today we get an interesting update from our man in the field, Tom Alrich.  He has been listening to the SDT meetings again (the source for our open letters) and has some pretty interesting observations.  The following excerpt is from his e-mail to me reporting in and I want to state very clearly here that these are Tom’s interpretations and opinions.  We are in NO WAY stating that the specific decisions, content, next steps, etc are etched in stone or even accurate.  Nonetheless, Tom is usually pretty close to bang on so please read at your leisure and let us know your thoughts.

 I attended the NERC CSO706 (CIP) Standards Drafting Team meeting at NERC headquarters in Atlanta this week.  I had wanted to attend mainly to make sure I was up to date on the latest developments in CIP Version 5, in preparation for our webcast.

I did certainly learn about the latest developments in V5, but I also learned something surprising: there is a much greater likelihood than I had thought that the current V5 will really be V4 – that is, that FERC will not approve (“remand” is the word that was used) what is now called V4, leaving the stage clear for what is now called V5 to be the next version of CIP.  In fact, I would put the chances now at greater than fifty percent.

We had thought this was a possibility earlier, of course (see our previous Open Letter on Version 4).  And I am not basing this new assertion on anything FERC said at the meeting.  There were three FERC staff members present, who participated actively in almost all of the discussions.  However, they were all silent on this topic.

Two observations make me believe this scenario is likely.  First, there seems to be broad industry support – at least among the SDT members and observers at the meeting – for doing this.  Second, it was pointed out (by SDT member Rich Kinas of Orlando Utilities) that FERC wasn’t really looking for Version 4 (i.e. what was delivered to them in February after NERC approval) – and that they had expressed surprise at receiving it in their Data Request RM11-11 (which I can’t find on either NERC’s or FERC’s web site, but which I can send if you email me at 

I had been under the impression that FERC had really been behind the fact that V4 was pushed through last year as an interim step (see our previous Open Letter for more on this).  But that may not have been the case; it may have really been NERC’s nervousness about what they perceived to be FERC’s wishes that drove V4.  Just my guess.  But when you think about it, jettisoning the current V4 and going straight to V5 makes the most sense.  The only difference between the current V4 and V3 is the “bright-line” criteria for Critical Assets.  These criteria are essentially repeated verbatim in V5.  In addition, everything else (all of the controls that get applied to cyber assets) in V5 is radically changed from V1-3 (and those changes are there to address the remainder of FERC’s requests in Order 706).  Why make the industry go through the big effort to gear up for two more versions, when FERC can get everything they want with one version, namely the version currently called V5? 

The only thing that gives me pause is the fact that there is still a long way to go before the SDT has a consistent, defensible set of standards to present to the NERC membership for a ballot at the end of this year – that was another thing I was surprised about at the meeting.  But this SDT works very hard, and I think they’re up to the task.  The real question is whether FERC will wait to go through the whole NERC approval process (scheduled to be finished next June), or whether they’ll short-circuit the process (see the first Open Letter cited above for how they could do this) and just impose V5 once it’s developed to their satisfaction.  Stay tuned.


CIP Version 5: A Whole New Ball Game Webcast

Hi all.

Just a couple of housekeeping items for this week. The first item is to invite you all to our upcoming webcast on the latest version of NERC CIP, Version 5.  During this webcast, Tom Alrich and Donovan Tindill will be discussing what impact Version 5 will have on the manageability of a CIP program, the potential improvements over Versions 1-4 and the possible timing and compliance strategies. Sign up is available here.

The second item is to inform you that we will be posting to our website in the very near future three more open letters written by our man Tom Alrich.  These open letters will focus on NERC CIP Version 5 and I will let you know when they are available.

Have a great rest of the week!


Cyber Security Regulations: Hinder or Facilitate?

I came across the AGA newsletter this week and a particular excerpt caught my attention. It relates to the blog I posted a couple weeks ago, “From Power to Pipeline: History Repeating?”

According to the AGA newsletter, they have recently participated in a U.S. Government Accountability Office (GAO) study on the current cyber security standards used in the oil and natural gas sector. The focus of the study is to understand how cyber security regulations would impact (and potentially improve) the current cyber security position within the oil and natural gas sector. Interestingly enough, the AGA’s stance on cyber security regulations is that regulations would not improve the cyber security position and the current industry standards and guidelines are sufficient in protecting the oil and natural gas sector.

So the question is, “does regulation hinder or facilitate cyber security?” In my opinion, the answer is not so simple, and there are multiple factors that come into play. I agree there are existing industry standards and guidelines that are sufficient in protecting critical infrastructure. In particular, INGAA and TSA have done an exceptional job with their pipeline security guidelines. However, just as the title states, they are only guidelines. Organizations have the option to opt in or out. Guidelines and standards are sufficient only if they are used (and used properly, for that matter). As a result, the organizations that choose not to follow any standards are no further ahead in reducing or mitigating the cyber security risks and moreover, this may introduce the “weakest link” concept.

With that being said, regulation sounds like the right path to take in order to compel critical infrastructure owners to implement cyber security controls. So let’s have a look at an existing regulatory standard – the NERC CIP standards in the power industry. Since the NERC CIP standards have been in effect, power companies have primarily approached the standards with avoidance and resistance. At present, only a small percentage of power companies participate in compliance with the current NERC CIP standards (version 3). The primary reason for the lack of participation is the loopholes in the current version.

For the compliant power companies, some have viewed the regulation as only a “compliance checkbox,” implementing the required security controls to avoid fines rather than implementing the necessary security controls to avoid (or reduce) the risks. As a result, NERC is making very small strides toward its goal of improving the power industry’s cyber security position through regulation. NERC is in the process of revising the CIP standards to substantially increase the number of power companies who are required to comply, with the intention that in the future every power company in North America will be required to implement a minimum level of security controls.

At the end of the day, regulation or not, critical infrastructure needs to be protected. Organizations must assess their own risks and implement security controls to reduce or mitigate their risk. If this has to be enforced through regulation, we should approach the development of regulatory standards using our lessons learned from the NERC CIP standards. Regulation should not be viewed as just another “checkbox,” nor should it be viewed as a silver bullet in protecting critical infrastructure. Cyber security has to become ingrained in our workplace culture, and to do this, regulation (if approached properly) may be a significant step in the right direction toward cultivating this culture.

Let me know your opinion on regulation: do you think it is necessary or unnecessary?
