-rw-r--r-- updates/2014/BNetzA.en.md 52
1 files changed, 52 insertions, 0 deletions
diff --git a/updates/2014/BNetzA.en.md b/updates/2014/BNetzA.en.md
new file mode 100644
index 00000000..4ef19b80
--- /dev/null
+++ b/updates/2014/BNetzA.en.md
@@ -0,0 +1,52 @@
1title: State of the art is not enough: CCC demands independent evaluation of IT-securiy in the power grid
2date: 2014-02-09 19:16:00
3updated: 2014-02-12 07:54:00
4author: vollkorn
5tags: update, pressemitteilung
6
7On Friday, the consultation phase for the proposed IT security catalogue [0] ends. The catalogue, presented by the German Federal Network Agency (FNA, "Bundesnetzagentur"), proposes regulations for electrical grid operators. Its goal is to secure the IT systems necessary for operating the power grid against attacks. However, the proposed measures primarily protect the grid operators' purses. The risk assessment is left to be done by the operators themselves - a fatal flaw, since conflicting interests are obvious. Instead of the operators' financial interests, the measure for the necessity for security measures should be the economical damage of a blackout. Therefore, the Chaos Computer Club demands the establishment of an independent organization to assess risks and to supervise the security measures.
8
9<!-- TEASER_END -->
10
11Instead, the security catalogue focuses on the grid operators'
12interests. For example, it is sufficient for legacy systems - the
13majority of currently installed systems - to be analyzed during a risk
14analysis and to be secured on a "best-effort" basis. But excluding
15legacy systems is naive: Those improvised measures only help to fulfill
16the requirements on paper. End users constantly have to take care of
17their computers' security - why shouldn't this apply to electricity
18suppliers? If the power grid is controlled by computers, they have to
19meet higher requirements: At the end of the day, one weak spot is enough
20to allow attackers to manipulate the power grid.
21
22Communication security is treated with similar simple-mindedness. While
23private users have to secure their WiFi witch current encryption
24mechanisms, grid operators can dodge such basic security measures.
25Auditing potential threats exclusively on paper is not sufficient.
26Regardless of where data is sent, it has to be protected by effective
27ciphering methods. In addition, the possibility to operate old control
28units with weak passwords or no password whatsoever testifies the lack
29of awareness of the problem. The power grid operators' determination to
30focus on finances must not cause traffic lights to malfunction, lack of
31access to tap water, or gas stations to no longer sell gas.
32
33The CCC not only demands an independent risk assessment, but also asks
34for a publicly accessible index in which all grid accidents affecting
35security have to be documented. This index will provide traceable
36evidence which accidents happen to the grid providers. Access to this
37information is vital to assess dangers to the power grid, and it
38facilitates communication among grid operators. The index is essential
39to be able to guarantee effectiveness of implemented security measures
40and to evaluate which measures have to be revised.
41
42The CCC contributes a statement to the consultation process \[1\].
43
44Referenzen:
45
46- \[0\] Bundesnetzagentur: "[Kon­sul­ta­ti­on des Ent­wurfs ei­nes
47 "IT-Si­cher­heits­ka­ta­log" zu § 11 Ab­satz 1a
48 En­WG](https://www.bundesnetzagentur.de/cln_1912/DE/Sachgebiete/ElektrizitaetundGas/Unternehmen_Institutionen/Versorgungssicherheit/IT_Sicherheit/IT_Sicherheit_node.html)"
49- \[1\]
50 [Statement](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf)
51 [by the CCC for the consultation
52 process](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf)
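Review bot: the title on line 1 of the new file misspells "IT-securiy"; it should read "IT-security", and line 23 has "secure their WiFi witch current encryption mechanisms" where "witch" should be "with". Two smaller wording points in the same hunk: line 28 reads "testifies the lack of awareness", which in English needs "testifies to the lack of awareness", and since this is the English version of the release, the heading "Referenzen:" on line 44 should be "References:" (the tag "pressemitteilung" on line 5 is presumably shared with the German version and can stay). The link text for reference [0] on lines 46-48 ("Kon­sul­ta­ti­on des Ent­wurfs ei­nes "IT-Si­cher­heits­ka­ta­log"") carries soft-hyphen characters copied from the Bundesnetzagentur page; they will render as stray hyphens in some viewers and should be stripped. Finally, reference [1] on lines 49-52 splits one target into two adjacent links ("[Statement](…)" followed by "[by the CCC for the consultation process](…)" pointing at the same PDF); a single link with the full text is cleaner.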