Cybersecurity Issues in Power Systems
Securing Legacy Systems to Meet NERC CIP and NISTIR Requirements
By Erfan Ibrahim, Founder & CEO, The Bit Bazaar LLC – A Marketplace for Digital Ideas
Problem Definition
• Legacy systems in the electric grid have limited memory, processing capability and networking features
• NISTIR 7628 and NERC CIP requirements for interface and overall systems cybersecurity are often too stringent for legacy systems to meet
• Technical Feasibility Exceptions (TFE) from NERC CIP requirements bring legacy systems into regulatory compliance but don’t secure them
• “Forklift upgrades” from legacy systems to modern systems in the electric grid to meet stringent cybersecurity requirements are not economically viable
Possible Mitigations
• “Bump in the wire” type security technologies
• Integrating GumStix Technologies with legacy systems to introduce modern cybersecurity technologies into legacy systems communications
• Re-architecting power systems to create more redundancy and resiliency, reducing the interface cybersecurity requirements that legacy systems must meet
Critical Issues to Consider
• Availability is more critical than confidentiality in power systems
• Compliance does not assure security
• Interface level security does not provide system level security
• Cybersecurity requirements coming from use case analysis don’t take into account asymmetric attacks by smart hackers
• Cybersecurity technologies are only part of the solution. Network architecture, data management, personnel training and proper enforcement of security policy are necessary for power system protection