results. Interested vendors work with DOE through a Cooperative Research and Development Agreement (CRADA). Vendors provide approximately 50 percent in cost-sharing to perform the tests. The vendor and DOE develop a test plan with specific targets of evaluation and goals for the assessment. Researchers then install the system in the test bed and assess it using the most up-to-date security exploits and provide a report to the vendor identifying the identified vulnerabilities along with recommendations to mitigate the vulnerability. Thirteen system assessments have been completed so far, and another four are underway. NSTB has conducted system vulnerability assessments in partnership with vendors including ABB, Areva, GE, OSI, Siemens, Telvent, PacifiCorp, and Teltone.

Vendor and asset owner interest in NSTB assessments continues to grow. Twelve utilities from the U.S. and Australia have formed a consortium with ABB, a SCADA system vendor, to privately fund advanced research and testing through the NSTB. The newly formed consortium will fund testing of the latest assessment targets for ABB’s SCADA/EMS product, NMR3, and ensure that all previously discovered vulnerabilities have been mitigated. The assessment will be completed this year. Utilities making up the consortium include: Austin Energy, Detroit Edison, Indianapolis Power & Light Company, ITC Transmission, Kansas City Power & Light (KCP&L), LCRA, the New York Independent System Operator (NYISO), Snowy Hydro Ltd., and Tri-State G&T Association.

The NSTB program has also been recognized by other organizations. In December of 2007, the SANS Institute released a report highlighting the NSTB as one of six federal projects that have had the most success in increasing the nation’s capacity to secure cyberspace. The report noted that the test bed has “already substantially and measurably improved the security of systems that control much of the nation’s most critical infrastructures.”

AW: To what degree, to your knowledge, have controls system and SCADA vendors taken steps to “harden” their products, based on NSTB test results?

Kenchington: Eleven control system vulnerability assessments have been completed to date, and another four are currently in process. Vendors have shared details of the assessments with their users, and some have shared the assessment reports directly. Vendors have also rapidly acted to create system fixes and alert operators of security threats, and six vendors have developed next-generation hardened systems. One vendor who is working with NSTB to improve system security has now sold its improved systems to 21 customers who collectively control more than 235,000 MW of electrical power—about 5.8 percent of net U.S. generation in 2005. Another vendor reported that 82 of its utility customers have downloaded its vendor-specific security patch developed using mitigations recommended by NSTB. The remaining vendors have implemented or are in the process of implementing the recommended mitigations on their systems

12) Where can interested parties find out more about the Roadmap and other topics discussed in this interview?

Hank Kenchington
Program Manager, National SCADA Test Bed
U.S. Department of Energy
Office of Electricity Delivery and Energy Reliability
1000 Independence Ave., SW
Washington, DC 20585
202-586-1878
henry.kenchington@hq.doe.gov

National Laboratory Contacts:
Jeff Dagle
Pacific Northwest National Laboratory
jeff.dagle@pnl.gov
509-375-3629 Wayne Manges
Oak Ridge National Laboratory
mangesww@ornl.gov
865-574-8529 Shabbir Shamsuddin
Argonne National Laboratory
shamsuddin@anl.gov
630-252-6273
Dave Kuipers
Idaho National Laboratory
david.kuipers@inl.gov
208-526-4038 Bob Pollock
Sandia National Laboratories
rdpollo@sandia.gov
505-844-4442

Useful Links:
• DOE Control Systems Security ( www.oe.energy.gov/controlsecurity.htm)
• Roadmap to Secure Control Systems in the Energy Sector ( www.controlsystemsroadmap.net)
• Interactive Control Systems Roadmap (ieRoadmap) ( www.pcsforum.org/roadmap)
• Argonne National Laboratory ( www.iac.anl.gov)
• Idaho National Laboratory ( www.inl.gov/scada)
• Oak Ridge National Laboratory ( http://www.ioc.ornl.gov/welcome.shtml)
• Pacific Northwest National Laboratory ( homeland-security.pnl.gov/cip.stm)
• Sandia National Laboratories ( www.sandia.gov/scada)
• DHS National Cyber Security Division ( http://www.dhs.gov/xabout/structure/editorial_0839.shtm)
• Process Control Systems Forum ( www.pcsforum.org)
• U.S. Computer Emergency Readiness Team (U.S.-CERT) ( www.us-cert.gov)