News & Analysis
New cybersecurity specs target power grid
Sheila Riley
1/25/2008 4:36 PM EST
The new standards will require energy companies to identify and document risks and vulnerabilities, and establish controls to secure critical assets from sabotage.
They also mandate that energy companies report "security incidents" and set up emergency recovery plans, according to the North American Electric Reliability Corp. NERC, which ensures reliability of the bulk power system, proposed the standards.
Energy industry watchers approved the move.
"They're the most comprehensive operations technology governance for the industry that's available," said Bradley Williams, an analyst with IT researcher Gartner.
NERC and FERC have told utilities that they must improve cybersecurity, he said. "This is good for the industry. We have seen that the operations technologies have not kept up with the governance required around these complex IT systems," Williams said.
Utilities will have to come up with plenty of cash to do what NERC asks. "It's a major investment required for many of the large utilities to comply," Williams said. Funds will go to backup recovery systems, test environments, monitoring and compliance, he said.
Enhanced security measures are necessary because the cyber terrorism threat is real, said Central Intelligence Agency analyst Tom Donohue, who spoke at a security conference on Jan. 16 in New Orleans. Attacks on utilities outside the U.S. have already occurred, he said in his remarks to the security summit.
"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," Donohue said.
Attacks were most likely executed with inside help. In one instance, attackers successfully targeted more than one city.
"We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. In at least one case, the disruption caused a power outage affecting multiple cities," Donohue said.
The attackers, who remain unknown, worked through the Internet. "We do not know who executed these attacks or why, but all involved intrusions through the Internet," he said.
The new standards, which require compliance by 2010, will become mandatory in March. They require policies, plans, and procedures in eight areas:
TECSys provides software used mainly by energy sector system operators to secure the U.S. cyber infrastructure. Other industries already have taken similar steps, he pointed out. "Nuclear facilities did all this years ago," Johnson said. "Being responsible is what it boils down to."
The 1995 bombing in Oklahoma City and Sept. 11 opened the eyes of government officials to infrastructure vulnerabilities, Johnson said. Natural disasters such as the 2003 northeastern states blackout further confirmed them, he added.
Cyber intrusion protection systems are built to work when a network or operating system is operational. But operating systems or networks are often down, or a computer is taken off the network, for benign reasons: perhaps a vendor is applying fixes, or a server is being repaired or moved within a data center.
When networks or operating systems are shut down for maintenance, for example, the protection systems can't collect forensic data. That means Scada (Supervisory Control and Data Acquisition) devices, which connect to service processors and are used to measure physical activity such as oil flow through a pipeline, are at risk.
"What's happening in the nation's infrastructure is that people are trying these exploits, and they're getting into machines that run these Scada systems," Johnson said.
TECSys' software blocks access to serial ports, which can offer access to Scada devices.
The Department of Homeland Security has funded testing of Scada vulnerability by the Idaho National Laboratories. "Tests have shown Scada hacking can work," Johnson said.
"Our government, the CIA, believes that one of our biggest threats is state-funded agencies or hackers working toward getting access to our nation's critical infrastructure," Johnson added.
The energy industry, which has been slow to adopt new technologies, has a complex job ahead and little time to accomplish it, he said. Managers "can't just take new technology and drop it into their world without all kinds of testing, verification, documentation and everything else before they even think about production," Johnson said.
Huge benefits could follow adoption of the new standards, according to one industry voice. "The NERC regulations might well trigger a golden age of security in the energy industry," said Anton Chuvakin, "chief logging evangelist" with LogLogic (San Jose, Calif.).
"The rules are mandatory, they are specific--more than a lot of other regulatory security guidance--and there is an enforcement body that can make life miserable for those not complying," Chuvakin said.
"Security engineers at energy companies know what they need to do," he added. "But their bosses' bosses may need extra motivation in the form of the NERC rules."



