Energy Central EnergyPulse Home
Home Subscribe Login Contribute to Energy Pulse Advertise on Energy Pulse About Energy Pulse Feedback to Energy Pulse
Search Articles:   
  You are here: Home > Communications & Security > Article Display


Free Newsletter
Sign up today for your free subscription to the EnergyPulse Weekly Update - delivered directly to your e-mail box.
e-mail:


 

Biofuels: The Promise of the Next Generations

Feb 10 2010 - 1:00 PM Eastern - Your location

The second wave of biofuels such as cellulosic ethanol, algae and others bypass the food vs. fuel controversy and are on the cusp of commercialization. This webinar will review the latest developments in the advanced biofuel space with leading companies more...

Conducting a distributed chorus

Feb 17 2010 - 12:00 Eastern - Your City

Join Intelligent Utility managing editor Kate Rowland, along with a panel from PHI including Rob Stewart, manager of technology evaluation and implementation, and Todd McGregor, AMI director, for an interactive discussion about this company's work to build a more intelligent more...

21st Century T&D: Building the Transmission Piece of Smart Grid

Feb 18 2010 - 12:00 Eastern - Your City

Join industry leaders and Marty Rosenberg, Editor-in-Chief of EnergyBiz magazine, for an interactive discussion about the critical relationship between transmission and distribution (T&D) investment and smart grid success. As the energy enterprise gets smarter toward the consumer end with smart more...

Transforming the Electrical Grid: Addressing Transformation Strategies to Implementing A Smart Grid

Feb 25 2010 - 3:00-4:00pm Eastern - Your City

This webcast should be attended by those individuals that are responsible for identifying, planning and evaluating Smart Grid solutions, including those that empower and engage consumers and are easily assimilated with existing or new technology and business processes. more...

Smart Grid Revolution

Feb 18 2010 - Feb 19 2010 - AUSTIN, TX - USA

ACI's Smart Grid Revolution February 18-19, 2010 A two day strategic event bringing together utility professionals, government & state officials & consultants involved in deployment of the smart grid. To learn strategies which will improve energy efficiency programs & operations, more...

EnergyBiz Leadership Forum 2010: Energy's Emerging Architecture

Feb 28 2010 - Mar 2 2010 - Washington, DC

In 2009, a global economic meltdown collided with an energy crisis to turn the world on its ear. In the United States we've witnessed an unprecedented spending on energy resource development and infrastructure. As a result, a new energy architecture more...

CERAWeek 2010

Mar 8 2010 - Mar 12 2010 - Houston, TX - USA

CERAWeek, IHS CERA's 29th Executive Conference, is recognized as a leading forum offering insight into the energy future. Each year senior policymakers, energy and power executives, and financial and technology leaders from over 55 countries engage with CERA experts in more...

2nd Annual Thin Film Solar Summit Europe

Mar 17 2010 - Mar 18 2010 - Berlin Germany

The conference will provide a comprehensive analysis of the thin film industry and its key challenges in an interactive manner. Leading companies will share their experiences through panel debates and high-level presentations. A great opportunity to network with the whole more...

Gas and Electric Business Understanding Seminar

Feb 24 2010 - Feb 25 2010 - New York, NY - USA

Gas and Electric Business Understanding provides a comprehensive overview of the natural gas and electric industries. Position yourself for career success by gaining a solid understanding of how each business works, including key physical, market and regulatory aspects, as well more...

Gas Business Understanding Seminar

Mar 1 2010 - Mar 2 2010 - Houston, TX - USA

Gas Business Understanding provides a comprehensive overview of the natural gas industry. Position yourself for career advancement by gaining a solid understanding of how the gas business works including key physical, market, and regulatory aspects and how market participants navigate more...

Electric Business Understanding Seminar

Mar 3 2010 - Mar 4 2010 - Houston, TX - USA

Electric Business Understanding provides a comprehensive overview of the electric industry. Position yourself for career advancement by gaining a solid understanding of how the electric business works including key physical, market, and regulatory aspects and how market participants navigate this more...

Gas Market Dynamics Seminar

Mar 3 2010 - Mar 4 2010 - Houston, TX - USA

Gas Market Dynamics offers participants an in-depth understanding of North American natural gas markets and how they function. Enhance your career by furthering your knowledge of market structure, supply and demand, services offered in gas markets, and how various participants more...

Energy Central
Power Network




Communications & Security


We know you have something to say!
There is an immediate need for articles on the hot topics in the Power Industry! EnergyPulse, like no other publication, also provides a means for our readers to immediately interact with experts like you.
 
Contribute Today!
Please view our Author Guidelines and send submissions to the editor.

Click For More Articles on Communications & Security
 
Strengthening Cyber Security: Center Advises Utilities
2.17.09   Alan Paller, Director of Research, The SANS Institute

Article Viewed 2494 Times
0 Comments
E-mail Article Printer Friendly
 
Remote attacks on systems that control power production and distribution are no longer hypothetical events. At least four utilities have been subjected to extortion demands by criminals who used the Internet to infect the utilities' computers and caused or threatened power outages. Cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. These are criminal acts, but nation-states are actively targeting utility computers, as well, so that in time of war they can turn off their adversary's power.

While all this is happening, most executives in the power industry are in a state of denial. They are not informed by their security staffs that these attacks are happening or that they are vulnerable to such attacks. As a result, they discount the problem and overstate their security readiness. At least one industry leader did just that, lying, under oath, to a Congressional subcommittee looking into the problem, and got caught.

In recent months, some utility industry executives have begun discovering just how bad the problem actually is. The head of MI-5, the Security Service in the United Kingdom, personally invited the top executives of key power companies to a classified briefing on the current wave of attacks and what is likely to come next. Although the U.S. government has not been as forthcoming, preferring not to admit the failure of its programs to protect the critical infrastructure, a few U.S. executives are also learning about the problem through personal relationships with people who have access to the relevant data. Whenever top executives are awakened to the actual threat, they almost invariably ask three questions: What do we need to do? How much is enough? Whom can I trust to give me those answers?

The U.S. government has done a good job of providing answers to these three questions -- good enough so they are being used by utilities in Europe and other countries around the world. The U.S. Department of Energy and the U.S. Department of Homeland Security have spent tens of millions of dollars on programs that identify the vulnerabilities in common control systems, determine how they can be exploited, and define the actions that the vendors and buyers of these control systems can take to mitigate the risks. Best of all, they have put the answers in forms that utilities can put to work immediately and effectively.

One program is called the National SCADA Test Bed (NSTB), operated primarily by the Idaho National Laboratory outside Idaho Falls, and funded by DOE. NSTB's goal is to improve the resilience of control systems associated with energy sector critical infrastructure. It conducts detailed laboratory assessments of Supervisory Control and Data Acquisition/Energy Management System control systems, communications protocols, and third-party security products used in U.S. energy sector installations in order to understand vulnerabilities and develop recommended mitigation strategies for system vendors. The assessments are very deep; each of the 10 control system assessments employed more than 800 hours of cyber research effort. The control systems they studies are from vendors that supply more than 80 percent of the control systems used in the U.S. power industry. Idaho National Laboratory also conducted seven on-site assessments at electricity transmission, generation, and oil and natural gas facilities to better understand real-world installations of the systems and provide mitigation strategies to vendors and asset owners. The team of cyber researchers, control systems engineers and network engineers at the lab is widely recognized as the world's most knowledgeable and effective center of excellence in cyber security of control systems.

The result of all these assessment programs is an unparalleled body of knowledge about vulnerabilities in control systems. To put that knowledge to work to protect the critical infrastructure, INL experts working at the Control Systems Security Analysis Center funded by DHS developed education courses that each asset owners and operators how to secure these systems. They recently completed a very effective new program called the control system cyber red and blue team advanced training course giving students hands-on understanding of how the vulnerabilities are exploited, what attackers can do, and how users may be able to mitigate the risk.

Even more valuable than the training is the Idaho National Laboratory's innovative "Cyber Security Procurement Language for Control Systems document," available at www.msisac.org. Again with funding from DHS, the lab and New York State Office of Cyber Security worked together to translate the findings from assessment projects into very specific contract clauses that asset owners can employ to require the vendors of these systems to bake security into new control systems they are delivering.

We have a long way to go to even begin to protect our control systems effectively. Attacks are accelerating from both criminal organizations and malicious nation-states. But the work of the Idaho National Laboratory, supported by the Department of Energy and the Department of Homeland Security, provides the outlines of a road map to real progress in reducing the risk.

Subscribe to EnergyBiz magazine today.
EnergyBiz magazine is the thought-leading, award-winning publication of the emerging power industry. This article originally appeared in the November/December 2008 issue.

For information on purchasing reprints of this article, contact Tim Tobeck ttobeck@energycentral.com.
Copyright 2010 CyberTech, Inc.
 
Contact The Author
Email the author
E-mail Article Printer Friendly
 
  • Click Here For More Articles on Grid Security


  • Click Here For More Articles By Alan Paller
  • Do you agree or disagree with this article? Send in your own article.

     

    Add your comments:
    Please log in to leave a comment!

    Top

        Home | Register | Subscribe | Contribute | Advertise | About Us | Feedback
       Copyright © 2002-2010, CyberTech, Inc. - All rights reserved. Read our Terms of Service.