Critical infrastructure, including power plants and utilities, has become an increasingly frequent target of cyber attacks over the past five years or so. In fact, the CIA has linked at least one widespread power outage affecting multiple cities outside of the United States to a cyber attack.
While attacks by criminals and terrorists are most alarming, threats can also come from other groups such as disgruntled employees or competitors. Cyber incidents can also occur by accident without the involvement of third parties. For example, last summer, a botched software update on a single computer caused a power plant in Georgia to shut down for two days, underscoring the need for airtight security policies and employee training for all utilities.
At the same time that criminals and terrorists begin to home in on utilities as targets of sophisticated cyber attacks, utility networks are becoming more open and connected to the Internet to achieve self-healing smart grids. A smart grid can be defined as an intelligent system of automated devices and advanced sensors that creates a self-healing network and allows for the incorporation of alternative energy sources into the grid to provide more sustainable energy for the future. A large component of the smart grid is the use of Supervisory Control and Data Acquisition (SCADA) technology, which allows for the remote control of systems via the Internet. While most systems in the IT world are now more secure and prepared to handle the evolving threat landscape, control systems were not built with these types of sophisticated attacks in mind and therefore do not contain the same safeguards as other systems. Connecting them to open business systems makes them very vulnerable to intrusions. In other words, the smart grid is unfortunately not yet smart enough to resist cyber attacks.
Two additional factors contribute to the severe danger of cyber incidents on utilities. First, cyber attacks are often not easily recognized, and can therefore be difficult to identify and remediate. Second, utilities like water and electricity are vital to our daily lives, and their disruption can cause significant equipment and environmental impacts, and even death.
In addition to dealing with evolving threats, utilities are now forced to take a closer look at cyber security due to impending legislation that will make it a requirement. Government agencies such as the Federal Energy Regulatory Commission (FERC), self-regulatory organizations like the North American Electric Reliability Corporation (NERC), and state public utility and service commissions currently regulate and enforce reliability standards and policies for electricity generation and transmission. All of these organizations are in the process of investigating and developing more advanced cyber security and critical infrastructure protection (CIP) policies, as well as potentially moving into the regulation of electricity distribution.
All of these factors, combined with the Obama administration's heightened focus on critical infrastructure protection, in which cyber security will play a major role, are creating a perfect storm for utilities operators in terms of cyber security. It is simply a facet of doing business for utilities that can no longer be ignored or downplayed.
Key steps in developing security plans include:
- identifying critical assets and assessing the risk of each asset to attack;
- developing security management controls such as proactive risk mitigation, enforcement of security policies, change management, centralized control of the security infrastructure, access management, Intrusion Prevention Systems (IPS), Network Access Controls (NAC), Network Access Protection (NAP), application whitelisting, etc.;
- conducting vulnerability tests and remediating weaknesses with tools such as firewall and intrusion prevention technology;
- incorporating security into the product development cycle;
- developing plans, policies, processes and procedures for continued protection;
- developing and executing recurring cyber security awareness and training programs;
- implementing physical security plans for the protection of critical cyber assets;
- developing a standard plan for recording and responding to incidents.
A comprehensive, multi-pronged security approach not only provides utilities with robust protection against attacks and other incidents, but also enables organizations to achieve compliance with necessary government and industry mandates. It is expected that such cyber security mandates and requirements will continue to expand in the coming years, making the development of a comprehensive security plan at the present time even more crucial for all utilities.
Overall, the main message to utilities is that the time to develop, revamp or re-evaluate your cyber security plan is now. As both cyber attackers and utility grids become smarter, security is emerging as a crucial piece of the puzzle. Without a comprehensive security plan, the resiliency and self-healing aspects of the smart grid become obsolete, leaving us with a grid that is not only very porous and unintelligent, but also quite dangerous.