Cybersecurity Issues in Power Systems

Securing Legacy Systems to Meet NERC CIP and NISTIR Requirements

By Erfan Ibrahim, Founder & CEO, The Bit Bazaar LLC – A Marketplace for Digital Ideas


Post on 31-Dec-2015



Problem Definition

• Legacy Systems in the electric grid have limited memory, processing capability and networking features

• NISTIR 7628 and NERC CIP requirements for interface and overall systems cybersecurity are often too stringent for legacy systems to meet

• Technical Feasibility Exceptions (TFE) from NERC CIP requirements bring legacy systems into regulatory compliance but don’t secure them

• “Forklift upgrades” from legacy systems to modern systems in the electric grid to meet stringent cybersecurity requirements are not economically viable


Possible Mitigations

• “Bump in the wire” type security technologies

• Integrating GumStix Technologies with Legacy Systems to introduce modern cybersecurity technologies in legacy systems communications

• Re-architecting power systems to create more redundancy and resiliency, reducing the interface cybersecurity requirements that legacy systems have to meet
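
A sketch of what a "bump in the wire" pair does, added here as an illustration and not taken from the presentation: each inline device wraps the unmodified legacy frame with a sequence number and a keyed MAC, and the peer device drops anything forged or replayed before it reaches the legacy equipment. The class name, wire layout, tag length, key and sample frame are all assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag in bytes (assumed policy)
SEQ_LEN = 8   # big-endian 64-bit sequence number

class BumpInTheWire:
    """One end of a hypothetical inline authenticator for a legacy link."""

    def __init__(self, key: bytes):
        self.key = key
        self.tx_seq = 0    # next sequence number to send
        self.rx_seq = -1   # highest sequence number accepted so far

    def _tag(self, seq: bytes, frame: bytes) -> bytes:
        return hmac.new(self.key, seq + frame, hashlib.sha256).digest()[:TAG_LEN]

    def wrap(self, frame: bytes) -> bytes:
        # The legacy frame travels unchanged and unencrypted: the wrapper adds
        # integrity and freshness only, so the end devices need no changes.
        seq = struct.pack(">Q", self.tx_seq)
        self.tx_seq += 1
        return seq + frame + self._tag(seq, frame)

    def unwrap(self, wire: bytes):
        """Return the legacy frame if authentic and fresh, otherwise None."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return None
        seq, frame, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, frame)):
            return None    # forged or modified in transit
        n = struct.unpack(">Q", seq)[0]
        if n <= self.rx_seq:
            return None    # replay of an earlier frame
        self.rx_seq = n    # gaps are tolerated, so a lost frame does not stall the link
        return frame

def demo():
    key = bytes(range(32))                # constructed key, not a real secret
    cmd = bytes.fromhex("0105000aff00")   # constructed legacy command frame
    master, field = BumpInTheWire(key), BumpInTheWire(key)
    wire = master.wrap(cmd)
    tampered = bytearray(master.wrap(cmd))
    tampered[SEQ_LEN + 2] ^= 0x01         # flip one bit inside the legacy frame
    return {
        "genuine": field.unwrap(wire),
        "replayed": field.unwrap(wire),
        "tampered": field.unwrap(bytes(tampered)),
        "next": field.unwrap(master.wrap(cmd)),
    }
```
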


Critical Issues to Consider

• Availability is more critical than confidentiality in power systems

• Compliance does not assure security

• Interface level security does not provide system level security

• Cybersecurity requirements coming from use case analysis don’t take into account asymmetric attacks by smart hackers

• Cybersecurity technologies are only part of the solution. Network architecture, data management, personnel training and proper enforcement of security policy are necessary for power system protection