funsec mailing list archives

Re: Congress Alarmed At Cyber-Vulnerability Of Power Grid


From: "Kurt Grutzmacher" <grutz () jingojango net>
Date: Thu, 5 Jun 2008 08:09:13 -0700

To be fair, the TVA report came from the GAO and I've yet to read a GAO
report on "cyber security" that wasn't bad news for the organization being
audited. If they were to go to any other utility company in the world I'm
sure they'd find similar issues as their standards are (rightfully so) very
high.

That's not to say there aren't problems at TVA as I'm sure there are. NERC
is more concerned with keeping the power running which includes things like
life and health safety, flowing electricity between long distances and
different companies, making sure generation is there, etc. Cyber security is
on the list and if companies don't follow their CIP standard they face huge
fines (up to $1m a day of non-compliance).

Suffice to say power companies are an old lot here in the US and as such
have an air of self-importance which leads to the "we know what's best"
syndrome. After all, they have to keep the lights on and the hospitals
running.



On Sun, Jun 1, 2008 at 9:58 PM, Juha-Matti Laurio <juha-matti.laurio () netti fi> wrote:

From Forbes.com:

".....
I think we could search far and wide and not find a more disorganized
response to a national security issue of this import," said Rep. James
Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats,
Cybersecurity and Science and Technology.
He pointed a finger to several groups: the DHS for giving scanty details of
its video-taped simulation; the power industry for working too slowly to
mitigate the threat; and the North American Electric Reliability
Corporation, an industry group, for failing in its role as the
self-regulatory body assigned to ensure a consistent national power supply.
"Everything about the way this vulnerability was handled … leaves me with
little confidence that we're ready or willing to deal with the cyber
security threat," he said.

The House's criticisms focused primarily on the electric utility industry
group, NERC. They argued that the advisories issued by NERC are ineffective
and that it has repeatedly misled the House in its investigation of the
Aurora vulnerability."
--clip--

More at

http://www.forbes.com/technology/2008/05/22/cyberwar-breach-government-tech-security_cx_ag_0521cyber.html

And CNN's Study finds TVA vulnerable to hacking:
http://www.cnn.com/2008/US/05/21/cyber.attack/

"The Tennessee Valley Authority, which supplies power to almost 9 million
Americans, "has not fully implemented appropriate security practices to
protect the control systems used to operate its critical infrastructures,"
leaving them "vulnerable to disruption," the Government Accountability
Office found."
--clip--

There are many readers (including me) happy now about living outside of
the US...

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
