The Bulk Power System of the United States must comply with NERC standards CIP-002 through CIP-009.
The standards are set up so that CIP-002 has a significant influence over the need for standards CIP-003 through CIP-009. CIP-002 requires a regulated entity to use a risk-based assessment methodology (RBAM) to identify critical assets. In other words, an RBAM is meant to set how much of an environment is within scope of review.
This is not a unique approach. If you are familiar with PCI, this is like saying a regulated entity has to determine the systems that process, transmit or store cardholder data in order to set the scope.
As a result of audits conducted over the past couple of years through the CIP compliance monitoring program, NERC has found instances where entity methodologies are not sufficiently comprehensive to produce a complete and accurate list of critical assets. This suggests greater clarity is needed in either NERC standards or industry guidelines to provide a more accurate identification of entity critical assets. While in many cases, functional entities had similar methodologies, substantial differences were evident even amongst entities within the same registered function. In certain cases, this has led to audit findings of non-compliance.
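The audit finding above is that a methodology can be internally consistent yet still produce an incomplete critical asset list, which in turn shrinks the scope of CIP-003 through CIP-009. The following Python is an added illustration of that point, not code from the page or from NERC: it models an RBAM as a set of impact criteria applied to an asset inventory, derives the cyber assets that fall into scope from the resulting critical asset list, and shows how a narrow methodology silently drops assets that a more comprehensive one catches. The inventory, the thresholds (1500 MW, 345 kV) and the criteria themselves are constructed for the example and are not the standard's actual criteria.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Set

@dataclass
class Asset:
    """One entry in the entity's asset inventory (constructed example schema)."""
    name: str
    kind: str                 # "generation", "transmission" or "control_center"
    capacity_mw: float = 0.0  # generation only
    voltage_kv: float = 0.0   # transmission only
    blackstart: bool = False  # can restart the grid without external power
    cyber_assets: List[str] = field(default_factory=list)  # systems essential to the asset

# Constructed inventory; names and figures are illustrative only.
INVENTORY = [
    Asset("Big Coal Plant", "generation", capacity_mw=2000, cyber_assets=["DCS-coal"]),
    Asset("Peaker Unit", "generation", capacity_mw=80, blackstart=True, cyber_assets=["PLC-peaker"]),
    Asset("Small Hydro", "generation", capacity_mw=30, cyber_assets=["PLC-hydro"]),
    Asset("Substation A", "transmission", voltage_kv=500, cyber_assets=["RTU-A"]),
    Asset("Substation B", "transmission", voltage_kv=138, cyber_assets=["RTU-B"]),
    Asset("Primary Control Center", "control_center", cyber_assets=["EMS-1", "EMS-2"]),
]

# A criterion is a predicate over an asset; an RBAM is a list of criteria.
Criterion = Callable[[Asset], bool]

def generation_at_least(threshold_mw: float) -> Criterion:
    return lambda a: a.kind == "generation" and a.capacity_mw >= threshold_mw

def transmission_at_least(threshold_kv: float) -> Criterion:
    return lambda a: a.kind == "transmission" and a.voltage_kv >= threshold_kv

def blackstart_capable(a: Asset) -> bool:
    return a.blackstart

def is_control_center(a: Asset) -> bool:
    return a.kind == "control_center"

# A methodology that only looks at nameplate generation capacity (constructed).
NARROW_RBAM: List[Criterion] = [generation_at_least(1500)]

# A methodology that also considers transmission, blackstart and control functions (constructed).
COMPREHENSIVE_RBAM: List[Criterion] = [
    generation_at_least(1500),
    transmission_at_least(345),
    blackstart_capable,
    is_control_center,
]

def identify_critical_assets(inventory: Iterable[Asset], rbam: List[Criterion]) -> List[str]:
    """Return the sorted names of assets that meet at least one criterion of the RBAM."""
    return sorted(a.name for a in inventory if any(crit(a) for crit in rbam))

def cip_scope(inventory: Iterable[Asset], rbam: List[Criterion]) -> Set[str]:
    """Cyber assets essential to a critical asset: the population the later standards apply to."""
    critical = set(identify_critical_assets(inventory, rbam))
    return {c for a in inventory if a.name in critical for c in a.cyber_assets}

def methodology_gaps(inventory: Iterable[Asset], narrow: List[Criterion],
                     comprehensive: List[Criterion]) -> List[str]:
    """Critical assets the narrow methodology fails to list; a non-empty result is an audit finding."""
    found = set(identify_critical_assets(inventory, narrow))
    return [n for n in identify_critical_assets(inventory, comprehensive) if n not in found]

if __name__ == "__main__":
    for label, rbam in (("narrow", NARROW_RBAM), ("comprehensive", COMPREHENSIVE_RBAM)):
        print(f"{label}: critical={identify_critical_assets(INVENTORY, rbam)} "
              f"scope={sorted(cip_scope(INVENTORY, rbam))}")
    print("missed by narrow RBAM:", methodology_gaps(INVENTORY, NARROW_RBAM, COMPREHENSIVE_RBAM))
```

The narrow methodology lists a single critical asset and therefore a single cyber asset in scope; the comprehensive one lists four and brings the control center's EMS and the blackstart unit's PLC into scope. Running the gap check between an entity's own criteria and a fuller reference set is a cheap way to spot the kind of incompleteness the audits describe before an auditor does.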
Stuxnet has shown up in CSO magazine with a fingers-scratching-on-chalkboard title:
If Stuxnet was cyberwar, is U.S. ready for a response?
Interesting question. Why should we consider Stuxnet cyberwar? No analysis provided in the article. In the same vein we might as well ask if Stuxnet was water soluble, is the US ready to drink it? If Stuxnet was mixed into oatmeal, is the US ready to taste it?
Then comes the CSO article teaser:
The complex Stuxnet worm proved attacks on SCADA and other industrial control systems were possible. Are we ready if one comes our way?
First, I would not call Stuxnet complex, as I have written and presented many times. The attack was arguably complex, but Stuxnet not so much. I suppose we also could debate the meaning of the word complex but even Langner (who first discovered it) says Stuxnet was a simple and not well-written exploit.
Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well.
Second, it did not prove attacks on SCADA and other control systems are possible. It was well-known in the late 90s, as demonstrated by US Executive Order 13231 of October 16, 2001 “Critical Infrastructure Protection in the Information Age”, as well as Executive Order 13284 on January 23, 2003. In my BSidesSF presentation I explained the controversy Mudge started in 1999 when he told the press he could shut down 30 grids. So, from the “sophisticated” Maroochy Shire attack in 2000 to the “sophisticated” Aurora attack in 2007…there have been many proofs before Stuxnet.
Third, we know of reliability issues and failures already in control systems. I pointed out in my BSidesSF presentation three shutdowns of major nuclear stations in the US Northeast in early 2011. The question “are we ready” can be answered in the present tense for threats instead of a hypothetical. We know, for example, why more than 50 power plants were knocked offline in Texas recently. They were unprepared for threat conditions to their availability, despite forecasts. Moreover, the Governor of that state showed exceptionally poor judgment and a lack of situational awareness in his response.
Speaking of “ifs”, I am reminded of a Will Rogers quote:
If stupidity got us into this mess, then why can’t it get us out?
The CSO article would be far better if it tried to explain why, after more than ten years of warnings, critical infrastructure in America is still so susceptible to failure. Proverbs about chickens come to mind. Why is Stuxnet being phrased with terms of (sky-is-falling) cyberwar? Is that the most appropriate way to get a response from management?
Here is how I would have put the question: if we called Stuxnet the same kind of threat that we have been tracking and known about for years, albeit executed more carefully, would US critical infrastructure be any better prepared than it has been for the lesser threats that seem to knock it offline?
Provocative title? Although I am originally from Kansas, I spent several years working and living in Wisconsin, so I know the area fairly well. Remember the book “What’s the Matter with Kansas” by Thomas Frank? It seems he might want to publish a new edition that takes a look at the roots of the current crisis in Madison.
…the rules were developed after years of research and public input, including extensive stakeholder input from farmers, municipal water treatment systems, manufacturers, food processors, local governments and environmental groups. Organizations that supported passage of the rules included the Wisconsin Farm Bureau, the Dairy Business Association, the Potato and Vegetable Growers Association, the Wisconsin State Cranberry Growers Association, the Wisconsin Corn Growers Association, the Wisconsin Pork Association, the Wisconsin Cattlemen’s Association, the Municipal Environmental Group (representing local wastewater systems), Clean Wisconsin, Midwest Environmental Associates, the Wisconsin Association of Lakes, the Wisconsin River Alliance, Wisconsin Environment, and the Sierra Club.
[DNR Secretary Matt] Frank added, “We are currently working with all stakeholders on implementation guidelines as well as the design of a pollutant trading system that will lower the cost of compliance even further.”
Wow, that’s a broad base of industry and organizations who have taken a careful and long-term approach to managing risk. Frank offers this explanation for the popular support.
“Wisconsin’s lakes and rivers are the foundation for our economy, our environment and our quality of life. Stakeholder groups came together to preserve that foundation by addressing phosphorus pollution comprehensively. Under this rule, Wisconsin can look forward to cleaner beaches, more swimmable lakes, improved public health, healthier fisheries and wildlife habitat.
Cleaning up waters polluted by excessive phosphorus is crucial to protecting our $12 billion tourism economy and our $2.75 billion fishing industry. Reducing phosphorus will protect private property values and local tax base, as shown by state and national research linking higher property values with water clarity.
OK, the quality (safety) of water is essential to the state economy. This is not just based on conjecture and theory. Milwaukee has had a host of water contamination issues, from heavy metals to the catastrophic water crisis of 1993.
The massive outbreak of waterborne cryptosporidiosis in Milwaukee, Wisconsin in 1993 is an example of how contaminated water distributed through a municipal water system can lead to a major public health crisis. As a result of the Cryptosporidium contamination, an estimated 403,000 Milwaukee residents developed diarrhea reflecting an attack rate of 52% of the population with more than 4,000 requiring hospitalization. Cryptosporidiosis was listed as the underlying or contributory cause of death in 54 residents following the outbreak, severely impacting susceptible populations most at risk. An estimated 725,000 productive days were lost as a result of the water contamination event and more than $54 million in lost work time and additional expenses to residents and local government resulted from the waterborne disease outbreak.
So Wisconsin has some very real and local data on the harm from a failure to protect its water supplies, including death and economic disaster. The 2010 Water Quality Report shows warnings for mercury and industrial contaminants for most of the state and shows how regulations have helped document, assess and reduce risk.
It all makes sense so far. Here’s the problem: Republicans in both the House and Senate of Wisconsin recently have tried to kill a bill that regulates phosphorus pollution in their water — a bill wanted by industries to protect and preserve water quality.
Believe it or not, despite the data and analysis I quote above, the Republicans argue that protecting water is too expensive a burden on the economy. They think municipal governments cannot afford the security.
But their analysis fails on two very obvious and simple points:
1. It is far more expensive and disruptive to clean up pollution in the environment than to prevent it.
2. The state has developed its own localized approach after careful study and time for comment and feedback. A failure to follow through will set the state up for a hasty and less palatable reaction to a disaster (e.g. 1993). A federal approach may also become necessary. An unwillingness to solve obvious health risks at the state level will not make solutions any easier or less expensive.
Perhaps the real reason they are intent on stopping state regulation is that they do not fear #2. They believe there will not be any federal investigation or regulation to prevent the next water quality crisis because of recent legal decisions, such as Rapanos v. United States in 2006, that block the government from testing for contamination in “non-navigable” water.
New York’s Assistant Commissioner for Water Resources James M. Tierney told The New York Times that the court decision creates a big problem. “There are whole watersheds that feed into New York’s drinking water supply that are, as of now, unprotected.” The EPA says that over 100 million Americans are drinking water that comes from unguarded sources.
Gov. Scott Walker has proposed exempting a parcel of Brown County wetlands owned by a Republican campaign donor from water quality standards.
The donor is said to seek the Governor’s assistance with relaxation of state security standards because he intends to fill in 2 acres of wetlands and build…a Bass Pro Shops store to sell fishing supplies. Really.
WTF is wrong with Wisconsin?
The Governor seems to think that ruining the security and economic base of the state by ignoring long-term damage from the contamination and destruction of resources is a good business plan. That’s like lighting your store on fire and then charging admission to watch it burn down. Not the best business strategy. You might end the day with a few more dollars in your pocket, but then what?
Applying just a tiny bit of common sense would make fishing store developers want to preserve and protect natural resources. I mean perhaps the Governor could use the same emphasis he has put into halting wind energy innovation (supposedly based on concern for the purity of the environment) and just apply it to water?
The V60 PHEV has three main modes of operation: hybrid, all-electric, and power. The modes are selected by pressing the respective selection button on the car’s center console. A fourth mode, which can be entered at any time and is only used when the car’s traction control system needs it, enables an all wheel drive (AWD) system to give the V60 PHEV sure-footed manners in poor road conditions.
The diesel and electric engines together give 285 horsepower and 472 pound-feet of torque; 0-60 mph in under 7 seconds. Ford should have been the one to announce this amazing vehicle, back when they made the stunning Jaguar diesel, but oh well. It could have been a Cadillac, but oh well. It even could have been a group of talented high-school students…but instead here is the new V60:
The diesel hybrid has many important advantages over electric or gasoline hybrid vehicles, as I have written before.
First, diesel fuel can be produced by anyone practically anywhere so there is no dependency on a grid, processor, exploration or infrastructure.
Second, it runs on fuel already widely available so there is no range limitation. The opposite, actually, as fuel stations today serve vehicles that can travel less than 400 miles on a tank. With nearly double the range this car can skip a lot of time wasted on recharge and refueling stops. Imagine filling up once a month instead of once a week (gaining at least 0.5 hours a week).
Third, even small diesel engines have the power to handle the weight of a family on vacation. Volvo says it is designed to pull up to 2 tons with a hitch, carry five passengers as well as 11 cubic feet of luggage, all while staying within the designed gross vehicle weight.
…will U.S. buyers want a plug-in Diesel hybrid? Diesels have gained more acceptance of late, but we feel Diesels still have a long way to go before the V60 PHEV is received by the U.S. general public with open arms.
Are they f#$%^@@#^ng kidding me?!
I could buy ten of these at sticker price today and sell them in the US for a profit two years from now, guaranteed. When I bought my diesel wagon in 2004 it was less expensive than the gasoline engine. I found four years later I still could have sold it for far more than I paid; it actually appreciated in value while the gasoline model resale price dropped. Craigslist ads have been filled with “TDI wanted”. Mechanics told me year after year they had a line of people asking them where they could buy a new diesel, and they offered me cash. On top of all my anecdotal evidence, when Audi and VW diesels were finally reintroduced they (as predicted) crushed the gasoline sales numbers and boosted Audi’s bottom line. The data and the trend are obvious. Americans love the new diesel cars.
Yet some still ask whether America is ready for diesel. Please.
The US is more ready than Europe for this technology. Just think about it. The US has wide open roads and long distances, trailers and heavy passengers, tough and rapidly changing driving conditions…a diesel hybrid all wheel drive wagon is the ideal car for America. Imagine commercial fleets that replace their pickups and vans with the efficient and roomy yet powerful design of hybrid diesel wagons and recoup the cost in under three years.
Yes, yes, yes, more than ready. I can think of more than a dozen Americans willing and able to buy one today.
I took a few liberties with their advertising campaign, but I think this might work. It’s goodbye bio-hippies who want to do the right thing; hello cyberpunks who desire innovation in highly-efficient power.
“There’s more to life, that’s why”
a blog about the poetry of information security, since 1995