Communications & Security

Remote attacks on systems that control power production and distribution are no longer hypothetical events. At least four utilities have been subjected to extortion demands by criminals who used the Internet to infect the utilities' computers and caused or threatened power outages. Cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. These are criminal acts, but nation-states are actively targeting utility computers, as well, so that in time of war they can turn off their adversary's power.

While all this is happening, most executives in the power industry are in a state of denial. They are not informed by their security staffs that these attacks are happening or that they are vulnerable to such attacks. As a result, they discount the problem and overstate their security readiness. At least one industry leader did just that, lying, under oath, to a Congressional subcommittee looking into the problem, and got caught.

In recent months, some utility industry executives have begun discovering just how bad the problem actually is. The head of MI-5, the Security Service in the United Kingdom, personally invited the top executives of key power companies to a classified briefing on the current wave of attacks and what is likely to come next. Although the U.S. government has not been as forthcoming, preferring not to admit the failure of its programs to protect the critical infrastructure, a few U.S. executives are also learning about the problem through personal relationships with people who have access to the relevant data. Whenever top executives are awakened to the actual threat, they almost invariably ask three questions: What do we need to do? How much is enough? Whom can I trust to give me those answers?

The U.S. government has done a good job of providing answers to these three questions -- good enough so they are being used by utilities in Europe and other countries around the world. The U.S. Department of Energy and the U.S. Department of Homeland Security have spent tens of millions of dollars on programs that identify the vulnerabilities in common control systems, determine how they can be exploited, and define the actions that the vendors and buyers of these control systems can take to mitigate the risks. Best of all, they have put the answers in forms that utilities can put to work immediately and effectively.

One program is called the National SCADA Test Bed (NSTB), operated primarily by the Idaho National Laboratory outside Idaho Falls, and funded by DOE. NSTB's goal is to improve the resilience of control systems associated with energy sector critical infrastructure. It conducts detailed laboratory assessments of Supervisory Control and Data Acquisition/Energy Management System control systems, communications protocols, and third-party security products used in U.S. energy sector installations in order to understand vulnerabilities and develop recommended mitigation strategies for system vendors. The assessments are very deep; each of the 10 control system assessments employed more than 800 hours of cyber research effort. The control systems they studies are from vendors that supply more than 80 percent of the control systems used in the U.S. power industry. Idaho National Laboratory also conducted seven on-site assessments at electricity transmission, generation, and oil and natural gas facilities to better understand real-world installations of the systems and provide mitigation strategies to vendors and asset owners. The team of cyber researchers, control systems engineers and network engineers at the lab is widely recognized as the world's most knowledgeable and effective center of excellence in cyber security of control systems.

The result of all these assessment programs is an unparalleled body of knowledge about vulnerabilities in control systems. To put that knowledge to work to protect the critical infrastructure, INL experts working at the Control Systems Security Analysis Center funded by DHS developed education courses that each asset owners and operators how to secure these systems. They recently completed a very effective new program called the control system cyber red and blue team advanced training course giving students hands-on understanding of how the vulnerabilities are exploited, what attackers can do, and how users may be able to mitigate the risk.

Even more valuable than the training is the Idaho National Laboratory's innovative "Cyber Security Procurement Language for Control Systems document," available at www.msisac.org. Again with funding from DHS, the lab and New York State Office of Cyber Security worked together to translate the findings from assessment projects into very specific contract clauses that asset owners can employ to require the vendors of these systems to bake security into new control systems they are delivering.

We have a long way to go to even begin to protect our control systems effectively. Attacks are accelerating from both criminal organizations and malicious nation-states. But the work of the Idaho National Laboratory, supported by the Department of Energy and the Department of Homeland Security, provides the outlines of a road map to real progress in reducing the risk.

Subscribe to EnergyBiz magazine today.
EnergyBiz magazine is the thought-leading, award-winning publication of the emerging power industry. This article originally appeared in the November/December 2008 issue.