Page 2 of 4
These factors make it difficult to install existing security technologies without seriously degrading the performance of the control system. Complex passwords and other strong password practices are not always used to prevent unauthorized access to control systems, in part because their use could hinder a rapid response to safety procedures during an emergency. As a result, weak passwords that are easy to guess, shared or infrequently changed are reportedly common in control systems.
Sometimes a default password, or even no password at all, is used.
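The weak-password practices described above (default, empty, shared, username-equals-password and rarely changed credentials) are easy to audit against an account inventory before an assessor finds them. The script below is an added example written for this page, not code from the article or from NERC; the account records, the audit date and the vendor-default list are all constructed placeholders, and SHA-256 stands in for whatever hash a real controller stores.

```python
"""Credential-hygiene audit for control-system accounts (added example).

All account records below are constructed for illustration. KNOWN_DEFAULTS is a
placeholder a site would replace with the defaults listed in its own vendor
documentation.
"""
import hashlib
from collections import defaultdict
from datetime import date

KNOWN_DEFAULTS = ["admin", "password", "1234"]   # placeholder, not a real vendor list
MAX_PASSWORD_AGE_DAYS = 90                        # site policy, assumed for the example


def pw_hash(secret):
    """Stand-in for the device's stored hash; unsalted SHA-256 keeps the example runnable.

    Because it is unsalted, identical passwords produce identical hashes, which is
    what lets the 'shared' check below work on hashes alone.
    """
    return hashlib.sha256(secret.encode()).hexdigest()


def audit_accounts(accounts, today):
    """Return {account_name: [finding, ...]} for every account with a weak practice.

    accounts: list of dicts with keys 'name', 'hash' and 'last_changed' (date or None).
    Findings: 'empty', 'default', 'matches_username', 'never_changed', 'stale', 'shared'.
    """
    findings = defaultdict(list)
    by_hash = defaultdict(list)
    default_hashes = {pw_hash(d) for d in KNOWN_DEFAULTS}
    empty_hash = pw_hash("")

    for acct in accounts:
        name, h = acct["name"], acct["hash"]
        by_hash[h].append(name)
        if h == empty_hash:
            findings[name].append("empty")
        elif h in default_hashes:
            findings[name].append("default")
        if h == pw_hash(name):
            findings[name].append("matches_username")
        changed = acct.get("last_changed")
        if changed is None:
            findings[name].append("never_changed")
        elif (today - changed).days > MAX_PASSWORD_AGE_DAYS:
            findings[name].append("stale")

    # Any hash held by more than one account means the password is shared.
    for h, names in by_hash.items():
        if len(names) > 1:
            for n in names:
                findings[n].append("shared")
    return dict(findings)


# Constructed inventory: one sound account and three with the problems the text names.
SAMPLE_ACCOUNTS = [
    {"name": "operator", "hash": pw_hash("operator"), "last_changed": date(2024, 1, 10)},
    {"name": "hmi1", "hash": pw_hash("admin"), "last_changed": None},
    {"name": "hmi2", "hash": pw_hash("admin"), "last_changed": None},
    {"name": "eng_jane", "hash": pw_hash("C0rrect-Horse-9!"), "last_changed": date(2024, 5, 1)},
]
AUDIT_DATE = date(2024, 6, 1)   # constructed "today" so the age check is deterministic


def run_sample():
    """Audit the constructed inventory; eng_jane should produce no findings."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, issues in sorted(run_sample().items()):
        print(f"{name}: {', '.join(issues)}")
```

On a real system the stored hashes are usually salted, so the shared-password check cannot compare hashes directly and has to be done by testing each candidate against each account's salt; the age and never-changed checks work unchanged from the account metadata.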
In addition, although modern control systems are based on standard operating systems, they are typically customized to support control system applications. Consequently, vendor-provided software patches are generally either incompatible or cannot be implemented without compromising service by shutting down “always-on” systems or affecting interdependent operations. Although technologies such as robust firewalls and strong authentication can be employed to better segment control systems from enterprise networks,
The National Electric Reliability Council (NERC) was formed in 1968 and operates as a voluntary industry organization charged with ensuring that the bulk electric system in North America is reliable, adequate and secure. NERC also operates the Electricity Sector ISAC (ES-ISAC), which works with the Department of Homeland Security (DHS), DOE and other entities to help protect the North American electric system from cyber and physical attacks. It is the responsibility of NERC to gather, disseminate and interpret security-related information, operating between industry and the government and among all the sector entities. In addition, the ISAC posts advisories, alerts, warnings and the current threat alert levels for the DHS Advisory System, the DOE and the electricity sector.
Wireless plant security, especially when interfacing with the DCS, has become a regulatory issue with the advent of the NERC Cyber Security Standards. Since a wireless infrastructure usually requires an interface between the corporate local area network and the DCS network, system security and data protection become critical. Finally, the requirement for management of the wireless network (maintenance, intrusion detection, software and firmware upgrades, real-time system health reporting) and for competent technical expertise in this technology becomes critical to the success of a new technological installation.
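The two passages above (firewalls and strong authentication segmenting control systems from enterprise networks, and the corporate-LAN/wireless interface to the DCS) both come down to one question a plant can check continuously: is the firewall accepting any flow into the DCS zone that the segmentation policy does not permit? The script below is an added example written for this page, not code from the article or any vendor; the zone address ranges, the allowed-flow table, the log format and the log lines are all constructed for illustration.

```python
"""Segmentation-policy check over firewall accept/drop logs (added example).

Zones, the allowed-flow table and the log lines are constructed for this example;
a real deployment would load them from its own firewall and network documentation.
"""
import ipaddress
import re

# Hypothetical zone layout: enterprise LAN and plant wireless reach the DCS only
# through a DMZ host (e.g. a historian), never directly.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "wireless": ipaddress.ip_network("10.3.0.0/24"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "dcs": ipaddress.ip_network("192.168.100.0/24"),
}

# (src_zone, dst_zone, proto, dport) -> set of permitted source hosts, or None for any host.
# Anything not listed is a violation; the policy is deny-by-default.
ALLOWED = {
    ("corporate", "dmz", "TCP", 443): None,
    ("wireless", "dmz", "TCP", 443): None,
    ("dmz", "dcs", "TCP", 502): {"10.2.0.10"},   # only the historian may poll Modbus/TCP
}

# Constructed syslog-style format for this example, not a real firewall's output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_permitted(rec):
    """True if the flow is inside one zone or matches an entry in ALLOWED."""
    src_zone, dst_zone = zone_of(rec["src"]), zone_of(rec["dst"])
    if src_zone == dst_zone:
        return True   # intra-zone traffic is not policed by this boundary check
    hosts = ALLOWED.get((src_zone, dst_zone, rec["proto"].upper(), rec["dport"]))
    if (src_zone, dst_zone, rec["proto"].upper(), rec["dport"]) not in ALLOWED:
        return False
    return hosts is None or rec["src"] in hosts


def find_violations(lines):
    """Return ACCEPTed records the policy does not permit.

    A DROP of a disallowed flow is the firewall doing its job; an ACCEPT of one
    means the rule set has drifted from the segmentation policy.
    """
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "ACCEPT" and not is_permitted(rec):
            rec["src_zone"], rec["dst_zone"] = zone_of(rec["src"]), zone_of(rec["dst"])
            violations.append(rec)
    return violations


# Constructed log lines: two permitted accepts, one drop, three accepts that violate policy.
SAMPLE_LOG = [
    "2024-06-01T08:15:02 fw1 ACCEPT proto=TCP src=10.1.5.23 dst=10.2.0.10 dport=443",
    "2024-06-01T08:15:09 fw1 ACCEPT proto=TCP src=10.2.0.10 dst=192.168.100.12 dport=502",
    "2024-06-01T08:16:30 fw1 ACCEPT proto=TCP src=10.1.5.23 dst=192.168.100.12 dport=502",
    "2024-06-01T08:17:01 fw1 DROP proto=TCP src=10.3.0.44 dst=192.168.100.5 dport=22",
    "2024-06-01T08:17:45 fw1 ACCEPT proto=TCP src=10.3.0.44 dst=192.168.100.5 dport=22",
    "2024-06-01T08:18:10 fw1 ACCEPT proto=TCP src=10.2.0.15 dst=192.168.100.12 dport=502",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['src_zone']}->{v['dst_zone']} {v['src']} -> {v['dst']}:{v['dport']}")
```

The allowed-flow table is the written segmentation policy; running the check against accept logs catches the case the text warns about, where a maintenance or wireless path is added to the firewall without the policy being updated, and the DCS becomes reachable from the corporate side.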
Critical power plant physical and cyber assets
NERC, with its focus on reliability of the bulk power system, is responsible for establishing and enforcing cyber security requirements and inspecting those digital assets that can affect the continuity of electric power generation. Figure 4 shows the overall relationship between critical assets, cyber assets and the bulk electric system as they relate to the NERC Cyber Security Standards.