Joe Weiss had an interesting blog post over on ControlGlobal.com yesterday. He had a brief report about NERC forming a team called Hydra. This would be a network of 200 electric-utility cyber-security subject matter experts (SMEs) that would be used to respond quickly to “fast-moving threats to the bulk power system”. Joe’s response was this comment: “I believe there are currently less than 100 control system cyber security experts world-wide, in all industries.”
I can’t quibble about his number; I just don’t have enough contacts in that part of the industry to judge. Joe writes about cyber security issues for ControlGlobal.com, so I would suspect that he knows what he is talking about. In any case, unless he is off by at least an order of magnitude, this calls into question how much NERC really understands about cyber security.
One of Joe’s readers, Ralph Langner, raises another interesting question: how does one identify a control-system cyber-security expert? There are no degree programs offered in this field; I suspect there are as yet few courses even taught in this area. I know of no certification program conducted by the ‘cyber security industry’.
This is a major problem for the electric utilities. They are in the process of trying to get their SCADA security systems in place so they can be certified as having met the Federal Energy Regulatory Commission (FERC) Critical Infrastructure Protection (CIP) standards issued last year. The utilities have no in-house SMEs, so they have to turn to consultants; but which consultants (if any) have any real experts on hand?
In the coming weeks a bunch of high-risk chemical facilities are going to start looking at the same problem when they try to address their control-system security issues for their site security plans.
I hate to raise problems in this blog without providing solutions, but I just don’t have one for this problem. Time will ease the problem, but DHS is not going to give the facilities that time.
One thing is almost certain to be true. The cyber security plans in the first go-round of the site security plans will be looked back upon with derision in the coming years. The only good thing, from the facility point of view, is that DHS has no more expertise in this area than does the industry. Hopefully, the same will also be true for the terrorists attempting cyber attacks on the control systems at those facilities.