NERC CIPRegulatory Compliance

U.S. Dam Data Breach and NERC CIP Standards

United States intelligence agencies have uncovered a data breach that targeted and compromised the  U.S. Army Corps of Engineers’ National Inventory of Dams (NID) starting back in January.

The database itself contains classified information on vulnerabilities on 8,100 dams across the United States, including rankings of hazard levels for each dam. It has been mentioned in the media that U.S. officials have made claims tracing the attack to the Chinese government, but no additional information has been provided regarding these statements.

The information from the National Inventory of Dams in the wrong hands could provide a road map for cyber attacks from a hostile state, or terrorist group to target dams, as well as disrupt the power grid.

National Inventory of Dams Map

The National Inventory of Dams data could provide attackers with information on what NERC (North America Electric Reliability Corporation) the entity for enforcing reliability, security and compliance for the bulk power system, would classify as Critical Assets (CA) and the Critical Cyber Assets (CCA)  that control them.

National Inventory of Dams Vulnerability Data

NERC’s Critical Infrastructure Protection (CIP) provides standards for cyber security that the power industry must follow to keep these assets secure ranging from continuous monitoring, security configuration management, incident detection amongst other topics. But one wonders how secure NERC CIP, or any standards hold up in real-world attacks where the adversary has a mapping of critical infrastructure and potential vulnerabilities.

Tripwire will be providing more information regarding NERC CIP in the coming months. Tripwire has a long history working with hundreds of entities not only helping with NERC audits, but also ensuring security of the electronic perimeter, and providing management of critical systems.

Here is a list of some additional educational resources regarding NERC and securing the nation’s power grid:

Previous post

LivingSocial Hacked - 50 Million Records Compromised

Next post

Game of Pwns: Syrian Electronic Army and Information Warfare

Ken Westin

Ken Westin

Your Pundit of Paranoia