From d17bf7ca3ac21b04445a0d0263eff2ac7c246113 Mon Sep 17 00:00:00 2001 From: vollkorn Date: Wed, 12 Feb 2014 07:54:00 +0000 Subject: committing page revision 1 --- updates/2014/BNetzA.en.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 updates/2014/BNetzA.en.md (limited to 'updates') diff --git a/updates/2014/BNetzA.en.md b/updates/2014/BNetzA.en.md new file mode 100644 index 00000000..4ef19b80 --- /dev/null +++ b/updates/2014/BNetzA.en.md 
@@ -0,0 +1,52 @@ +title: State of the art is not enough: CCC demands independent evaluation of IT-securiy in the power grid +date: 2014-02-09 19:16:00 +updated: 2014-02-12 07:54:00 +author: vollkorn +tags: update, pressemitteilung + +On Friday, the consultation phase for the proposed IT security catalogue [0] ends. The catalogue, presented by the German Federal Network Agency (FNA, "Bundesnetzagentur"), proposes regulations for electrical grid operators. Its goal is to secure the IT systems necessary for operating the power grid against attacks. However, the proposed measures primarily protect the grid operators' purses. The risk assessment is left to be done by the operators themselves - a fatal flaw, since conflicting interests are obvious. Instead of the operators' financial interests, the measure for the necessity for security measures should be the economical damage of a blackout. Therefore, the Chaos Computer Club demands the establishment of an independent organization to assess risks and to supervise the security measures. + + + +Instead, the security catalogue focuses on the grid operators' +interests. For example, it is sufficient for legacy systems - the +majority of currently installed systems - to be analyzed during a risk +analysis and to be secured on a "best-effort" basis. But excluding +legacy systems is naive: Those improvised measures only help to fulfill +the requirements on paper. End users constantly have to take care of +their computers' security - why shouldn't this apply to electricity +suppliers? If the power grid is controlled by computers, they have to +meet higher requirements: At the end of the day, one weak spot is enough +to allow attackers to manipulate the power grid. + +Communication security is treated with similar simple-mindedness. While +private users have to secure their WiFi witch current encryption +mechanisms, grid operators can dodge such basic security measures. 
+Auditing potential threats exclusively on paper is not sufficient. +Regardless of where data is sent, it has to be protected by effective +ciphering methods. In addition, the possibility to operate old control +units with weak passwords or no password whatsoever testifies the lack +of awareness of the problem. The power grid operators' determination to +focus on finances must not cause traffic lights to malfunction, lack of +access to tap water, or gas stations to no longer sell gas. + +The CCC not only demands an independent risk assessment, but also asks +for a publicly accessible index in which all grid accidents affecting +security have to be documented. This index will provide traceable +evidence which accidents happen to the grid providers. Access to this +information is vital to assess dangers to the power grid, and it +facilitates communication among grid operators. The index is essential +to be able to guarantee effectiveness of implemented security measures +and to evaluate which measures have to be revised. + +The CCC contributes a statement to the consultation process \[1\]. + +Referenzen: + +- \[0\] Bundesnetzagentur: "[Kon­sul­ta­ti­on des Ent­wurfs ei­nes + "IT-Si­cher­heits­ka­ta­log" zu § 11 Ab­satz 1a + En­WG](https://www.bundesnetzagentur.de/cln_1912/DE/Sachgebiete/ElektrizitaetundGas/Unternehmen_Institutionen/Versorgungssicherheit/IT_Sicherheit/IT_Sicherheit_node.html)" +- \[1\] + [Statement](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf) + [by the CCC for the consultation + process](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf) -- cgit v1.2.3
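Review bot: The page text added in this hunk carries several spelling and wording slips that should be fixed before publishing the English revision: the `title:` line has "IT-securiy" (should be "IT-security"), the communication-security paragraph has "secure their WiFi witch current encryption mechanisms" (should be "with"), "testifies the lack of awareness" should read "testifies to the lack of awareness", and "economical damage of a blackout" is better as "economic damage of a blackout". In the reference list, the heading "Referenzen:" is German on an `.en.md` page and should be "References:", and entry `[1]` is split into two separate links ("[Statement](...)" and "[by the CCC for the consultation process](...)") that point at the same PDF; merging them into a single link text would be cleaner, e.g. `- [1] [Statement by the CCC for the consultation process](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf)`.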