State of the art is not enough: CCC demands independent evaluation of IT-securiy in the power grid

2014-02-09 19:16:00, vollkorn

On Friday, the consultation phase for the proposed IT security catalogue [0] ends. The catalogue, presented by the German Federal Network Agency (FNA, "Bundesnetzagentur"), proposes regulations for electrical grid operators. Its goal is to secure the IT systems necessary for operating the power grid against attacks. However, the proposed measures primarily protect the grid operators' purses. The risk assessment is left to be done by the operators themselves - a fatal flaw, since conflicting interests are obvious. Instead of the operators' financial interests, the measure for the necessity for security measures should be the economical damage of a blackout. Therefore, the Chaos Computer Club demands the establishment of an independent organization to assess risks and to supervise the security measures.

Instead, the security catalogue focuses on the grid operators' interests. For example, it is sufficient for legacy systems - the majority of currently installed systems - to be analyzed during a risk analysis and to be secured on a "best-effort" basis. But excluding legacy systems is naive: Those improvised measures only help to fulfill the requirements on paper. End users constantly have to take care of their computers' security - why shouldn't this apply to electricity suppliers? If the power grid is controlled by computers, they have to meet higher requirements: At the end of the day, one weak spot is enough to allow attackers to manipulate the power grid.

Communication security is treated with similar simple-mindedness. While private users have to secure their WiFi witch current encryption mechanisms, grid operators can dodge such basic security measures. Auditing potential threats exclusively on paper is not sufficient. Regardless of where data is sent, it has to be protected by effective ciphering methods. In addition, the possibility to operate old control units with weak passwords or no password whatsoever testifies the lack of awareness of the problem. The power grid operators' determination to focus on finances must not cause traffic lights to malfunction, lack of access to tap water, or gas stations to no longer sell gas.

The CCC not only demands an independent risk assessment, but also asks for a publicly accessible index in which all grid accidents affecting security have to be documented. This index will provide traceable evidence which accidents happen to the grid providers. Access to this information is vital to assess dangers to the power grid, and it facilitates communication among grid operators. The index is essential to be able to guarantee effectiveness of implemented security measures and to evaluate which measures have to be revised.

The CCC contributes a statement to the consultation process [1].