The much anticipated white paper entitled "Critical Infrastructure: Attacks, Actors, and Emerging Threats" by the Project Grey Goose team has just been released, and I wanted to spend a moment to discuss some of its content in the context of much of what has been published on the topic over the past year. This is a topic that is near and dear to me due to my daily dealings with many users of industrial control systems; and it was with great hope that the Grey Goose white paper would set the record straight regarding many of the false innuendos that exist in this domain.
To begin, the title of the white-paper (Critical Infrastructure: Attacks, Actors, and Emerging Threats), suggests an exhaustive analysis of the threats posed to the many components which constitute national critical infrastructure. Generally, these include financial infrastructure, the military, transportation, and of course energy. The media (and often even security industry) tend to miss-use the term Critical Infrastructure to refer to what is often a very small component of the nations over all CI. The fact that the authors of the white paper made the very same mistake raises a big red flag, as it demonstrates a lack of understanding on the topic.
Moving past this without prejudice, the introduction posits "whether there has been any successful hacker attacks against the power grid, both domestically and internationally". The answer to this question is possibly one of the most debated, and often heated discussions within the automation security community, and so it is with great interest that many will read this document in the hopes of finding concrete evidence in support of one side or the other.
Unfortunately, the white paper falls far from short on answering this question, and sights mostly existing media references which are widely disputed in regards to their accuracy. The PGG white paper then concludes in its key findings that many nation states (the usual suspects, PRC, RF, Turkey etc) are "almost certainly" targeting and penetrating critical infrastructures (remember, this means a lot of industries, not just power). Further it states that attacks against the bulk power grid will "almost certainly" escalate over the next year.
The remainder of the white-paper sights a number of existing publications regarding power grid security, the so-called 'smart-grid' and the water utility security. It also contains incorrect statements, such as stating that the power industry does not have to comply with NERC/FERC regulations. This is untrue, and anyone working in the IT security space within transmission or generation providers will tell you that their last twelve months have revolved almost entirely around CIP compliance efforts (and associated compliance deadlines/audit activities).
In summary, there is nothing new here, and the document does not answer any of the questions that it asks in the introduction. At best, it is a collection of existing materials and thoughts. Statements such as "almost certainly" in my opinion are a cop-out, and indicate a lack of certainty amongst the authors concerning the conclusions they might otherwise like to draw. This is a great shame, as a concise report backed up by new, and corroborated evidence on the real threats to energy generation and transmission would be a great guide to the many, in and outside of Washington, DC who are trying to figure out where best to spend their security dollars in 2010.