Experts have been saying for over a decade that the energy industry needs better infrastructure control and management systems. But change has been slow and now there’s a report that the system has been compromised.
“Electricity Grid in U.S. Penetrated By Spies,” says a report in The Wall Street Journal today. That much is breaking news, but the modernization of the U.S. energy industry has long been slowed by a dilemma that was recognized over a decade ago: the tradeoff between security on one side and reliability and efficiency on the other.
The threat is all too real today, as the Journal reports, “Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.”
The news comes as the smart grid is expected to grow as the government’s stimulus package allocates funds to its expansion. But it’s unlikely that threats to the smart grid will derail its deployment, experts said.
What’s the potential damage? We don’t know. We don’t know whether or not it’s possible to create a “Three Mile Island-type incident,” said Eric Knight, senior compliance engineer at compliance software company LogRhythm. However, he added, any penetration of the U.S. grid was likely detected by the software that monitors utility networks, in much the same way that activity monitors watch over enterprise IT systems.
“Energy and power supply systems do have vulnerabilities,” said Tiffany Jones, Symantec director of public policy and government relations who served as Deputy Chief of Staff of the President’s Critical Infrastructure Protection Board in 2002. “We’ve seen it in tests and red teaming.”
The issue is that many of these control systems were never designed to be connected to the Internet; they were designed for reliability and efficiency. “Adding security onto these systems can slow things down,” she said. “We need more research and development.”
The slow development of standards
The federal government and regulatory agencies have been working for years to address the issue, but progress has been slow.
In 2003, Dr. Arden Bement, director of the National Institute of Standards and Technology, was already able to point to years of warnings about the grid in his keynote speech to the NSF Workshop on critical infrastructure protection for SCADA & IT. He cited the 1997 report Critical Foundations: Protecting America’s Infrastructures, prepared by the President’s Commission on Critical Infrastructure Protection; the 1998 signing of Presidential Decision Directive 63, which called for a national strategy to protect America’s critical infrastructures, particularly its cyber-systems, and created the Critical Infrastructure Assurance Office; and Executive Order 13231 of October 2001 on Critical Infrastructure Protection in the Information Age.
Bement also referred to “that incident in the Spring of 2001 when hackers broke into computer systems of CAL-ISO, California’s primary electric power grid operator and apparently were not discovered for 17 days.”
He called for “new or revised standards to address control system security . . . design guidelines and standards to address the need for interoperability, redundancy, and security . . . control system test beds to validate new approaches to security” and concluded, “We need to be able to retrofit the systems we have to provide the necessary level of security — but without compromising performance and reliability.”
Wired’s Threat Level blog, in a story published almost exactly a year ago, traced the issue back at least as far as June 10, 1999, to an incident in which a computer failure prevented control room workers from releasing pressure in a pipeline to prevent its rupture. The resulting spill ignited a river, killing two ten-year-old boys and an 18-year-old man.
“These are the first fatalities from a control-system cyber-event that I can document, and for a fact say that this really occurred,” said Joe Weiss, managing partner at Applied Control Solutions.
Will the industry respond?
LogRhythm’s Knight said that the industry’s self-regulatory body, the North American Electric Reliability Corporation (NERC), has the authority to levy fines of up to $1 million per day, but added that the NERC standards only require minimum security levels.
NERC said in a statement today that it knows of no reported cyber attack that has directly affected grid reliability, and that the industry takes the issue seriously and is working on it. “Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of.”
The Journal story also cites a warning document that NERC sent to its energy industry member companies.
The warning notes that most security plans for the energy infrastructure assume a natural hazard that takes out a single element of the grid, and do not account for a coordinated cyber attack that hits every element of the grid at once. Furthermore, says the note, many members are not in compliance with NERC standards, and compliance audits will begin on July 1, 2009. NERC has a backlog of about 2,000 violations that it is currently processing.
Given a decade of warnings about the issues, those responsible will be eager to assign blame. “The ‘I-told-you-so’s’ will start coming,” said LogRhythm’s Knight.
There’s already some paranoia in the industry due to “red teaming” exercises, in which authorized teams rehearse the techniques they expect real attackers to use. After one such exercise a year ago, in which a team harvested the names and addresses of key industry professionals from a Web site, a member of a SCADA mailing list recommended that members avoid using their real names on the list.
As for the attack, Knight noted that infiltration is possible with standard malware technology, which is freely available to any tech-savvy government. He added that if any government has unknown technology capable of attacking the energy infrastructure, it will only be used once, because once used, it can be reverse-engineered. He said he talked to a member of the military who noted that some bad guys would love to shut down a military base without any loss of life, but that once you do so, you lose the element of surprise.
Knight added that because attackers can use simple malware, it will be difficult to tell whether a government conducted the attack or whether individuals were responsible.
Indeed, earlier this year, InternetNews.com reported that the Georgian government was never able to identify the relationship between the hackers who attacked it online and the Russian government with which it fought a war.
Inquiries to the U.S. Department of Homeland Security, the DC Embassy of the Russian Federation and the DC Embassy of China were not replied to at press time.