On the Road to Cyber Security
Hank Kenchington: The importance of adequately securing control systems has been known for some time. In 1998, the President’s Commission on Critical Infrastructure Protection highlighted the criticality of control systems and the increasing risk of energy disruptions due to cyber attack. In 2003, the Bush Administration elevated the issue, stating in its “National Strategy to Secure Cyberspace” that “securing SCADA/DCS is a national priority” (in reference to supervisory control and data acquisition/distributed control systems).
The Department of Energy’s (DOE’s) Office of Electricity Delivery and Energy Reliability (OE) has been working with the private sector to enhance critical infrastructure protection since the 1990s. In 2003, the Bush Administration, through the DOE, initiated the development of the Roadmap, working in partnership with the oil, gas, and electricity industries. At that time, a number of activities designed to help secure control systems were underway. However, there was no clear vision or strategic framework for coordinating these diverse activities. Moreover, while a number of reports recognized the threat and potential consequences of a cyber attack on control systems, the control system security needs of private sector asset owners and operators were not being addressed. The private sector – which collectively owns and operates approximately 80% of U.S. energy sector assets – lacked a compelling business case to support investment in cyber security. Coupled with the scope and complexity of the problem, these issues underscored a significant need for increased public-private partnership to maximize limited resources and effectively enhance control system security. Private- and public-sector energy stakeholders alike recognized that securing energy sector control systems was a shared responsibility.
To develop the Roadmap, DOE collaborated with the U.S. Department of Homeland Security (DHS) and Natural Resources Canada to facilitate a two-day workshop in 2005. We worked closely with industry leaders through a 17-member Roadmap Steering Group to design and conduct the workshop and synthesize the results, careful to ensure that the resulting Roadmap was an industry-driven plan. Accordingly, the majority of the workshop’s 55 participants were electricity, oil, and natural gas asset owners and operators, while the remainder consisted primarily of control systems vendors, national laboratories, and academia. The final Roadmap was published in January of 2006.
In 2003, Homeland Security Presidential Directive-7 (HSPD-7) designated DOE as the Sector-Specific Agency responsible for coordinating activities with the energy sector to enhance protection of Critical Infrastructure and Key Resources (CI/KR). These activities are carried out within the framework of the DHS National Infrastructure Protection Plan (NIPP). As noted in the Energy Sector-Specific Plan of the NIPP, the Roadmap established the key cyber security goals addressing the “full spectrum of cyber security priorities in the energy sector.”
AW: The overriding vision stated in the Roadmap is that in 10 years, control systems for critical applications will be designed, installed, operated and maintained to survive an intentional cyber assault with no loss of critical function. At just beyond two years into that 10-year period, how would you assess the early progress toward that goal?
Kenchington: I think we are making progress along several fronts. From a technology perspective, 85 projects from nearly 20 public and private ...








