Step 1. Issue press release.
Step 2. Insert buzzwords liberally (ex. China, Russia).
Step 3. Gauge public reaction. NB. Cracking open skulls and feasting on brains == Win!
From The Wall Street Journal:
Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.
The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”
Run screaming.
The FUD approach is an unfortunate one. Let’s be honest and call this what it is. It’s an attempt to raise support for the Senate Bill S.773. The bill can be found by searching the THOMAS search engine from the Library of Congress. At this point the full text has (still) not been uploaded. Draft copies have been seen in the wild. I’m unclear as to the legality of posting the drafts, so you won’t find them here.
Here is the description from the THOMAS site:
A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.
So, a crew of contractors to build a DeathStar? Heh.
The best part is that amidst this cloud of FUD, a breather. The CSO for NERC, Michael Assante, released a letter to NERC entities. The long and the short of it is that the “come to $deity time” is upon them and they are gonna have to belly up to the bar with respect to their compliance reporting. For the ones that stuck their heads in the sand, they will soon have a boot in their ass.
From Digital Bond:
NERC entities declaring no critical assets may want to take another look at their risk based assessment methodologies. Michael Assante, NERC CSO, issued a letter to industry today that challenges self certification survey results that show only 31 percent of all entities declared at least one critical asset. Only 23 percent reported having at least one critical cyber asset. I don’t think there is anyone who can justify numbers that low. (Although I would be interested to hear it!)
And that’s the rub. Some entities will cook up some wild-ass logic to avoid (in their minds) having to comply with NERC CIP.
They will fail.