EnergyPulse - Insight Analysis and Commentary on the Global Power Industry


	Webcasts Conferences/Shows Training Communicating Smart Meter Value Sep 9 2010 - 2010-01-01 12:00:00 - Your City If you are involved in Management or Customer Service and are responsible for communicating the value of smart meters to your utility customers, you don’t want to miss this online discussion - Communicating Smart Meter Value. more... Social Media: The new frontier in recruiting, communications and marketing Sep 13 2010 - 2010-01-01 12:00:00 - Your City Join social media mavens Matthew Burks and Amanda Shewmake as they provide an insider's perspective on how HR, communications and marketing professionals in energy companies can harness the power of social media to be more effective and productive. more... Eliminating Obstacles and Delivering the Benefits of the Smart Grid - IBM's Optimized Energy Value Chain (OEVC) Sep 14 2010 - 2010-01-01 12:00:00 - Your City The convergence of power and information technologies in the smart grid has created opportunities for finer grained and broader controls of energy flows. These opportunities can improve electric service in multiple dimensions: lower cost, greater reliability, greater customer satisfaction, and more... Achieving Operational Excellence - What to Consider Before Implementing or Upgrading Your Distribution Management Solutions Sep 16 2010 - 2010-01-01 12:00:00 - Your City Significant cost over runs. Changing business requirements. A well thought out plan is essential. Attend this free webcast discussion to hear inside hear three experts in utility operations discuss what utilities need to evaluate when they are considering upgrading or more... Outsmarting the Smart Grid: IT, Security and Communication Infrastructure Challenges & Opportunities for Utilities Sep 21 2010 - 2010-01-01 12:00:00 - Your City The smart grid is shifting the playing field for utilities. And when the game changes, it pays to be prepared. A nimble solutions partner can help you design the solutions that keep operations on track, even as new challenges come more... All Webcasts » 1st CSP Today Concentrated Solar Thermal Power Summit India Sep 7 2010 - Sep 8 2010 - New Delhi India Deliver a profitable, productive and commercially successful large scale CSP business in India. Building on the success of past events in USA, Europe & MENA, CSP Today brings to New Delhi the most relevant international experience for the concentrated solar more... Offshore Wind Energy in North America's Great Lakes Conference Sep 9 2010 - Sep 10 2010 - Toronto Two day conference that tackles the most important challenges. A blend of European knowledge from the companies who have been installing offshore wind turbines for the last decade alongside local state governing bodies and leading project developers. Permitting, securing long more... Autovation 2010 Sep 12 2010 - Sep 15 2010 - Austin, TX - USA Autovation 2010 is a not-to-miss educational forum that will attract utility executives from around the world looking for new ways to optimize their operations through automation technologies. more... Global Sustainable Bioenergy North American Convention Sep 14 2010 - Sep 16 2010 - Minneapolis, MN - USA The North American convention provides a remarkable opportunity to play a part in guiding renewable energy policy for the 21st century. Attendees will create a resolution that, along with similar resolutions already drafted on four other continents, will help set more... GridWise Global Forum Sep 21 2010 - Sep 23 2010 - Washington, DC - USA Hosted by the GridWise(R) Alliance and the U.S. Department of Energy, the GridWise Global Forum will convene thought leaders from the highest levels of government, business, NGOS, and academia from around the world to discuss the ultimate enabling potential of more... All Conferences / Shows » 1. Intro to Nat Gas Trading & Hedging 2. Option Applications in Energy Sep 20 2010 - Sep 23 2010 - Houston, TX - USA Introduction to Natural Gas Trading & Hedging - This program provides a comprehensive understanding of the structures that underlie Natural Gas trading. Beyond Essentials: Option Applications in Energy - This course provides a solid practical and conceptual (non-quantitative) understanding of more... Electric Business Understanding Seminar Sep 20 2010 - Sep 21 2010 - Houston, TX - USA Electric Business Understanding provides a comprehensive overview of the electric industry. Position yourself for career advancement by gaining a solid understanding of how the electric business works including key physical, market, and regulatory aspects and how market participants navigate this more... Electric Market Dynamics Seminar Sep 22 2010 - Sep 23 2010 - Houston, TX - USA Electric Market Dynamics offers participants an in-depth understanding of North American electric markets and how they function. Enhance your career by furthering your knowledge of market structures, pricing mechanisms, services offered in markets, and how various participants use the markets more... Gas and Electric Business Understanding Seminar Oct 5 2010 - Oct 6 2010 - Los Angeles, CA - USA Gas and Electric Business Understanding provides a comprehensive overview of the natural gas and electric industries. Position yourself for career success by gaining a solid understanding of how each business works, including key physical, market and regulatory aspects, as well more... All Training » View All Events »

Communications & Security

We know you have something to say!
There is an immediate need for articles on the hot topics in the Power Industry! EnergyPulse, like no other publication, also provides a means for our readers to immediately interact with experts like you.

Contribute Today!
Please view our Author Guidelines and send submissions to the editor.

Click For More Articles on Communications & Security

Strengthening Cyber Security: Center Advises Utilities

2.17.09

Alan Paller, Director of Research, The SANS Institute

Article Viewed 3705 Times
0 Comments

Remote attacks on systems that control power production and distribution are no longer hypothetical events. At least four utilities have been subjected to extortion demands by criminals who used the Internet to infect the utilities' computers and caused or threatened power outages. Cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. These are criminal acts, but nation-states are actively targeting utility computers, as well, so that in time of war they can turn off their adversary's power.

While all this is happening, most executives in the power industry are in a state of denial. They are not informed by their security staffs that these attacks are happening or that they are vulnerable to such attacks. As a result, they discount the problem and overstate their security readiness. At least one industry leader did just that, lying, under oath, to a Congressional subcommittee looking into the problem, and got caught.

In recent months, some utility industry executives have begun discovering just how bad the problem actually is. The head of MI-5, the Security Service in the United Kingdom, personally invited the top executives of key power companies to a classified briefing on the current wave of attacks and what is likely to come next. Although the U.S. government has not been as forthcoming, preferring not to admit the failure of its programs to protect the critical infrastructure, a few U.S. executives are also learning about the problem through personal relationships with people who have access to the relevant data. Whenever top executives are awakened to the actual threat, they almost invariably ask three questions: What do we need to do? How much is enough? Whom can I trust to give me those answers?

The U.S. government has done a good job of providing answers to these three questions -- good enough so they are being used by utilities in Europe and other countries around the world. The U.S. Department of Energy and the U.S. Department of Homeland Security have spent tens of millions of dollars on programs that identify the vulnerabilities in common control systems, determine how they can be exploited, and define the actions that the vendors and buyers of these control systems can take to mitigate the risks. Best of all, they have put the answers in forms that utilities can put to work immediately and effectively.

One program is called the National SCADA Test Bed (NSTB), operated primarily by the Idaho National Laboratory outside Idaho Falls, and funded by DOE. NSTB's goal is to improve the resilience of control systems associated with energy sector critical infrastructure. It conducts detailed laboratory assessments of Supervisory Control and Data Acquisition/Energy Management System control systems, communications protocols, and third-party security products used in U.S. energy sector installations in order to understand vulnerabilities and develop recommended mitigation strategies for system vendors. The assessments are very deep; each of the 10 control system assessments employed more than 800 hours of cyber research effort. The control systems they studies are from vendors that supply more than 80 percent of the control systems used in the U.S. power industry. Idaho National Laboratory also conducted seven on-site assessments at electricity transmission, generation, and oil and natural gas facilities to better understand real-world installations of the systems and provide mitigation strategies to vendors and asset owners. The team of cyber researchers, control systems engineers and network engineers at the lab is widely recognized as the world's most knowledgeable and effective center of excellence in cyber security of control systems.

The result of all these assessment programs is an unparalleled body of knowledge about vulnerabilities in control systems. To put that knowledge to work to protect the critical infrastructure, INL experts working at the Control Systems Security Analysis Center funded by DHS developed education courses that each asset owners and operators how to secure these systems. They recently completed a very effective new program called the control system cyber red and blue team advanced training course giving students hands-on understanding of how the vulnerabilities are exploited, what attackers can do, and how users may be able to mitigate the risk.

Even more valuable than the training is the Idaho National Laboratory's innovative "Cyber Security Procurement Language for Control Systems document," available at www.msisac.org. Again with funding from DHS, the lab and New York State Office of Cyber Security worked together to translate the findings from assessment projects into very specific contract clauses that asset owners can employ to require the vendors of these systems to bake security into new control systems they are delivering.

We have a long way to go to even begin to protect our control systems effectively. Attacks are accelerating from both criminal organizations and malicious nation-states. But the work of the Idaho National Laboratory, supported by the Department of Energy and the Department of Homeland Security, provides the outlines of a road map to real progress in reducing the risk.

Subscribe to EnergyBiz magazine today.
EnergyBiz magazine is the thought-leading, award-winning publication of the emerging power industry. This article originally appeared in the November/December 2008 issue.

Do you agree or disagree with this article? Send in your own article.