Monday, May 26, 2008

GAO Report Rips TVA at “Implications of Cyber Vulnerabilities on the Resiliency and Security of the Electric Grid” Hearing

Scathing GAO testimony and findings from GAO's assessment of TVA cyber security should be of special interest to many electric utility organizations. TVA issues cited included the lack of a corporate-level cyber security program, significant security posture weaknesses, and unevenness across both operational and corporate network settings. TVA's COO (William R. McCollum, Jr.) reported significant focus and progress on addressing all of these, with a strong commitment to continue improving.

The hearing is available for viewing (~90m) at C-SPAN Video Library: Security of the Electric Grid - May 21, 2008 (updated 1/23/2011)

In my opinion, looking hard at the referenced NIST standards to further address specific cyber security topic areas makes sense for the NERC CIPs, as does looking at broader information security frameworks to help scope and tailor well-governed corporate-level programs based on recognized frameworks, e.g. ISO 17799:2005, COBIT, etc.

Anyone with a stake in cyber securing critical infrastructure will benefit from reviewing the hearing and closely studying the 62-page May 2008 GAO report "Information Security: TVA Needs to Address Weaknesses in Control Systems and Networks".


Sunday, May 18, 2008

Ira Winkler - love him, hate him - he's making headlines...

  • Experts hack power grid in no time - Network World
    Apr 9, 2008 ... "We had to shut down within hours," Winkler says... "

    Press releases around Ira Winkler's assertions about how easy it remains to hack from the Internet into the deepest parts of electric utility critical infrastructure have caught the attention of media, regulators, senior utility management, and security professionals. While Ira's comments go over the top, in my opinion, when it comes to nuclear reactors and are more centered on distributed SCADA, he is a practitioner who doesn't pull punches.

    (1) RSA 2008 - Ira Winkler (ISAG) (7m). Was able to get to nuclear controls that should have no business network connectivity? Also no "off switch for nuclear" (rant: WTH is he talking about... how about the "off" switch provided by independent safety systems and SCRAM functions??).

    Would you hire Ira to do your next organizational penetration testing? Please comment and/or vote.


Given all the excellent podcasts and blogs around information assurance, aka cyber security, you may wonder why yet another security blog? For me, this is a commitment to periodically post my musings and more serious thoughts related to security, with a focus on critical infrastructure topics. Those who are interested in the topics or in sharing related views are welcome and encouraged to contribute in a reasonably civil manner - I'll work to hold myself to a similar standard.