title: State of the art is not enough: CCC demands independent evaluation of IT security in the power grid
date: 2014-02-09 19:16:00
updated: 2014-02-12 08:04:48
author: vollkorn
tags: update, pressemitteilung
On Friday, the consultation phase for the proposed IT security catalogue [0] ends. The catalogue, presented by the German Federal Network Agency (FNA, "Bundesnetzagentur"), proposes regulations for electricity grid operators. Its goal is to secure the IT systems needed to operate the power grid against attacks. However, the proposed measures primarily protect the grid operators' purses. The risk assessment is left to the operators themselves, a fatal flaw, since the conflict of interest is obvious. The yardstick for deciding which security measures are necessary should not be the operators' financial interests but the economic damage caused by a blackout. The Chaos Computer Club therefore demands the establishment of an independent body to assess risks and to supervise the security measures.
<!-- TEASER_END -->
Instead, the security catalogue focuses on the grid operators'
interests. For example, it is considered sufficient for legacy systems,
which make up the majority of currently installed systems, to be
covered by a risk analysis and then secured on a "best-effort" basis.
But exempting legacy systems in this way is naive: such improvised
measures only help to fulfil the requirements on paper. End users
constantly have to take care of their own computers' security, so why
shouldn't the same apply to electricity suppliers? If the power grid is
controlled by computers, those computers have to meet higher
requirements: at the end of the day, a single weak spot is enough to
allow attackers to manipulate the power grid.
Communication security is treated with similar simple-mindedness. While
private users are expected to secure their WiFi with current encryption
mechanisms, grid operators are allowed to dodge such basic measures.
Auditing potential threats exclusively on paper is not sufficient.
Regardless of where data is sent, it has to be protected by effective
encryption. In addition, the fact that old control units may still be
operated with weak passwords, or no password at all, testifies to a
lack of awareness of the problem. The grid operators' determination to
put finances first must not be allowed to result in failing traffic
lights, dry taps, or gas stations that can no longer pump fuel.
The CCC not only demands an independent risk assessment, but also calls
for a publicly accessible register in which all security-relevant
incidents in the grid have to be documented. Such a register would
provide a traceable record of which incidents actually occur at grid
operators. Access to this information is vital for assessing the
dangers to the power grid, and it facilitates communication among grid
operators. The register is essential for verifying that the implemented
security measures are effective and for identifying which measures need
to be revised.
The CCC has submitted a statement to the consultation process [1].
References:
- [0] Bundesnetzagentur: "[Konsultation des Entwurfs eines
"IT-Sicherheitskatalog" zu § 11 Absatz 1a
EnWG](https://www.bundesnetzagentur.de/cln_1912/DE/Sachgebiete/ElektrizitaetundGas/Unternehmen_Institutionen/Versorgungssicherheit/IT_Sicherheit/IT_Sicherheit_node.html)"
- [1] [Statement by the CCC for the consultation
process (PDF)](/system/uploads/142/original/BNetzA-Konsultation-ITSicherheit-Stromnetz.pdf)