NERC's Latest Security Blunder And How To Fix It

It is important to note that NERC and the electric industry can only develop risk based security policies that deal with the risks they are aware of. 
-  Gerry Cauley, President and Chief Executive Officer North American Electric Reliability Corporation (NERC)

On February 11, 2011, Gerry Cauley, the new President and CEO of NERC, testified before the House Armed Services Committee's Subcommittee on Emerging Threats and Capabilities. You can read the transcript here. I liked a lot of what Mr. Cauley had to say until I got to the section entitled "Information Exchange Is Critical" and read that NERC's security policy relies on known risks. Frankly, I'm stunned by the implications of that statement. Imagine what would happen if other organizations tasked with security adopted that posture:
  • US Secret Service: "Mrs. Obama, we understand that you're upset; however, the Service cannot be held responsible for protecting the President against threats that we don't already know about."
  • TSA: "Don't blame us. No one had ever hidden a bomb in their underwear before."
Actually, the TSA used to be as clueless as NERC about how to manage security until John Pistole took over in July 2010. When your entire security posture is built on the assumption that an adversary will repeat a past attack strategy, one he has already used and that you are already prepared to detect and defend against, you will always be blindsided by a novel attack.

In his testimony, Cauley goes on to stress the importance of increased information exchange with the federal government; that without "actionable intelligence", the companies that compose the Bulk Power Grid will always be "a step behind when it comes to protecting against potential threats and unknown vulnerabilities." On its face, this seems perfectly reasonable. However, if Cauley is expecting any federal agency to act like a cyber version of NORAD and alert NERC when a "cyber missile" is on its way to attack an energy provider in the Western Interconnect of the Grid, I'd like to have some of whatever he's smoking, because that's never going to happen.

NERC has so much that it must do to clean up its own house, and to redress its members' lengthy history of avoiding spending money on security by inventing ludicrous loopholes like "assumption of risk" and "reasonable business judgment", that Cauley's comments about increased information exchange are premature at best. A better approach might be a public commitment by CEO Cauley that NERC's entire membership will dedicate itself to implementing the SANS 20 Critical Security Controls, regardless of the cost. There's no point in discussing how to anticipate future attacks when some Independent System Operators still don't have immutable audit logs, or are afraid to apply patches for fear of breaking their antiquated networks. When the time comes that NERC and its membership are actually prepared to benefit from a forward-looking threat intelligence capability, the first thing they should know is that the definition of security is managing risk from both known and unknown threat entities.