Liquidmatrix Security Digest

Toronto Hydro Selects N-Dimension For Cyber Security

You know, I have been working in the security space now for 10+ years and I like to think that I have encountered quite a few security vendors. One of the amusing aspects of my job is the vendor spin that has been liberally applied with respect to NERC standards, namely the Critical Infrastructure Protection (CIP) standards. It is amazing to hear vendors tell me how their product will help ensure NERC compliance and, upon a follow-up question or two, they admit that they are unaware of what exactly the NERC CIP standards actually say.

These standards are an attempt by NERC (and soon enough FERC) to drag the electricity industry kicking and screaming into a secure posture. There has been a general apathy in the industry with regard to security as a whole. SCADA systems are historically designed for reliability with little focus on security.

Security is a growing concern in SCADA circles. I guess one could say that it’s better late than never. Recently the folks at Digital Bond created waves when they submitted a security vulnerability to CVE. For SCADA providers this is a new phenomenon. They had been used to flying below the radar but, with SCADA systems attaching to the internet more often (with negative consequences), security is on the front burner now.

I stumbled across this release today. Toronto Hydro announced that they have selected a firm (which I have never heard of) to help them meet their obligations for NERC CIP.

N-Dimension is working with Toronto Hydro-Electric System’s various departments to conduct an operational risk assessment that includes a review of elements related to physical security (access to facilities), human factors (training, adherence to policies), and information technology factors (cyber security). The cyber security review will comprise eight elements: access control, vulnerability management, perimeter control, layered approach, encryption, monitoring, back-up and recovery, as well as audits and logs.

N-Dimension Solutions Inc. may be very qualified but, with the looming deadlines in 2008 for NERC compliance, I’m worried. Why? I’m worried that fly-by-night operations will spring up to cash in on the overworked SCADA folks that might not be aware of which firms are qualified. I hope that operations like Digital Bond and Plantdata can educate/help folks out in short order.
