Analyzing Energy Sector Security Preparedness


11.20.07 Ken Miller, Senior Consultant, Ensuren Corporation

In terms of the U.S. energy sector's readiness to block attacks by cyber terrorists and domestic hackers, there is some good news. Overall, most of the nation's oil and gas refineries are moving quickly to repel attempts to disrupt their operations. While this doesn’t mean that refineries are operating at a “best practices” level with respect to physical and cyber security, they are taking online threats seriously.

Conversely, based on observations at numerous facilities and investigations by the North American Electric Reliability Corp. (NERC), the U.S. power industry is behind in implementing security programs to keep cyber terrorists and recreational hackers from disrupting its operations. The Department of Homeland Security’s recent successful cyber attack on a scale-model power generator, after which the generator failed, is a prime example of how power generation can be interrupted, and why cyber security is so important.

NERC has stated it is widely known in the power industry that small-scale online intrusions have been successful in breaching security. These types of intrusions result in minimal disruption to the infrastructure mainly because they can be attributed to recreational hackers who probably were unaware they had compromised a controls system rather than a business system. Again, NERC states, “However, these episodes clearly illustrate that electronic pathways do exist that lead to the control systems of our most critical infrastructures.”

Disruption From Within

In terms of cyber attacks on critical infrastructure, all critical controls environments must be vigilant against intrusion by malicious software, known as Malware. There is a high propensity for Malware to propagate through control networks, either intentionally or unintentionally, and that propagation can bring down view and control of critical processes.

It is not uncommon during security examinations to be able to directly access Programmable Logic Controllers (PLCs), which manipulate valves, switches and gauges that control fluids, fuels, steam and other hazardous elements. These low-level controls are some of the most critical components that affect daily production. These types of controls often are Ethernet-based and directly connected to core controls environments, allowing for further propagation of Malware.

When you lose view and control of critical controls such as PLCs, catastrophic events can happen very quickly. The most likely security threat to a controls environment is from an unintentional release of Malware that causes a widespread Denial of Service (DoS). A DoS quickly leads to loss of view and control. One technique that helps contain Malware propagation is “compartmentalization.” Compartmentalizing controls networks (much like bulk-heading in a ship) greatly reduces the opportunity for Malware propagation across interconnecting networks.

Why the Variation in Security Preparedness?

Even with increased pressure from NERC, the power industry appears to be moving at a much slower pace than the refining industry with respect to implementing comprehensive security programs.

Why the difference in security preparedness between the refining and power industries? One answer could be that large conglomerates that own most of America’s refining capacity have the resources, knowledge, and sophistication to implement comprehensive security programs. In the mid-tier and smaller refineries, this effort is moving at a slower pace; however, they still have progressed further in security than the power industry. There tends to be a heightened awareness for security in refining because loss of view and control in this industry can lead to greater loss of life and property.

Overall, it would require a relatively small investment on the part of the power industry to reach the level of security common in refining. While controls technology in refining is similar to that in the power industry, there are some important differences that may explain the variation in security preparedness:

  • In a refinery, there is more sophistication and discipline with respect to security and network architecture, and more effort put into system hardening.
  • In the power industry, you are more likely to find controls environments in unsecured areas, easily available to anyone who has access to the plant.
  • You may find more technicians working on controls systems in the power industry, while you tend to find more engineers working on controls systems in refining.

All of these differences can be reconciled once the power industry moves to proactive security.

What Needs to be Done?

NERC is proposing fines of up to $1 million per day for failure to comply with new reliability regulations. The power industry needs to focus more attention on securing all layers of the controls environment – facilities, personnel, networks, and systems. At some locations, as soon as you enter the property, you realize that physical security is so weak that cyber security almost becomes moot. The problem is that many of the “at-risk” facilities are feeding directly into regional power grids, which can result in a cascading effect on both the availability and stability of the nation’s power grid.

The power industry’s fundamental approach to security must become more proactive. The attitude that securing access to controls facilities, networks, and systems is moot when there are so many other ways to bring down a power plant is unacceptable in an industry where uninterruptible production is required.

Cost of Compliance vs. Security Events

Because refineries can maintain some short-term inventories, taking a refinery offline may not necessarily cause immediate shortages. Of course, having a refinery offline can cost several million dollars a day in lost production, which can devalue the company. On the other hand, the power industry can’t store electricity, so the impact of losing generation capacity is an immediate and potentially cascading event. In the power industry, lost production is more catastrophic because of the cascading effect on both local and regional grids. Losing a 2,200 megawatt generation facility that feeds a major backbone may indirectly cause a cascading event that affects the entire U.S. power grid.

The expense of inadequate security in the power industry can be in the millions or tens of millions of dollars per day if a plant experiences an outage. Also, there can be legal issues for the power company due to the inability to deliver its contracted demand load. There can be regulatory scrutiny, and worse yet, loss of faith by customers and stockholders in the company’s financial stability. In the end, cyber terrorism may be more about financial than operational disruption. By contrast, installing “best practices” layered security can cost in the hundreds of thousands of dollars, versus the tens of millions of dollars in losses from a security event; the choice seems to be quite simple.
