Ken Silverstein
EnergyBiz Insider
Editor-in-Chief
Read Ken's Blog

Federal and industry experts say that the technology that allows utilities to run their operations is more vulnerable now than ever before. Because those networks are becoming increasingly standardized and linked to other centralized systems, they can be more easily breached and the resulting disturbances can be enormous.

The spotlight is on control systems, which can be used to manage and run the generation, transmission, and distribution of electric power. Basically, that hardware and software collects operational data from the field before processing and displaying it. That information is then relayed to local or remote equipment.

"Over the past few years, federal agencies have initiated efforts to improve the security of critical infrastructure control systems," says Greg Wilshusen, director of information systems for the Government Accountability Office. "However, there is as yet no overall strategy to coordinate the various activities across federal agencies and the private sector. Further, the Department of Homeland Security (DHS) lacks processes needed to address specific weaknesses in sharing information on control system vulnerabilities."

Consider the Browns Ferry nuclear plant in Alabama: In August 2006, two recirculation pumps at Unit 3 tripped and forced the unit to be manually shut down. The loss of the pumps was then traced to excessive traffic on the control systems, possibly caused by the failure of another device. Therein illustrates the agency's point, which is networks are more susceptible to attack - whether intentional or not - as they become increasingly interwoven through the Internet.

In 2003, the National Strategy to Secure Cyberspace reported that the disruption of control systems could have significant consequences for public health and safety and made securing these systems a national priority. It then directed homeland security and the Department of Energy to work with industry to increase awareness and to recommend steps to safeguard the nation's computer networks.

Toward that end, Congress had asked accountability office to make further suggestions. At a congressional hearing recently held, it suggested that the DHS develop performance measures and overall goals. It also said DHS should establish a rapid and secure process for sharing sensitive control system information with vendors, owners and operators.

For its part, the electricity industry has recently implemented standards for cyber security while a gas trade association is preparing guidance for members to use encryption to secure control systems.

Guard Up

It's widely acknowledged that the transmission system has vulnerabilities ranging from overt terrorist activity to random computer hackers. Regulators now have their guard up. The National Association of Regulatory Utility Commissioners, for instance, has formed a permanent committee to educate members through workshops and conferences as well as to develop tools to coordinate planning, prevention and response protocols among all relevant federal, state and local entities.

"Our mission has evolved beyond emergency planning and responsiveness, such as terrorism and hurricanes," says Sandra Hochstetter, former chair of Arkansas Public Service Commission, chair of the commissioners' committee. "This committee will be proactive in terms of identifying needed improvements to our nation's utility infrastructure and making it more resilient and less vulnerable."

Because electric transmission grids are interconnected, a failure at one critical point could trigger a partial collapse of the system. The 2003 Blackout, for example, proved that a non-malicious failure of a transmission line could cause 50 million people to go without power. Similarly, the wholesale market-a network of transactions and interdependencies-depends upon a reliable transmission grid and all the hardware and software that make it run efficiently.

In a simulated attack, folks at the Energy Department's Idaho National Laboratory were able to maneuver their way into a power plant control system and subsequently cause the destruction of those operations. The threat, however, is more than theoretical. In October 2006, a foreign hacker penetrated security at a water filtering plant in Harrisburg, Pa. The intruder planted malevolent software that infected the water treatment program there.

The Energy Department has designated the North American Electric Reliability Council as the electricity sector coordinator for critical infrastructure protection. It now works closely with homeland security and the Public Safety and Emergency Preparedness of Canada to ensure integrity of every power plant and transmission line.

The council adopted its cyber security standards in 2006, which have been incorporated into the nation's electric reliability standards. Among the many requirements listed, each utility should prioritize its facilities and assets as well as characterize potential risks based on historical accounts. Furthermore, emergency plans should be prepared and practiced. A failure to meet the council's benchmarks could result in being denied the privilege of participating in the wholesale market, or the right to buy and sell power as well as interface with systems that do transact commerce.

"It's not easy to hack your way in but with the linkage of more and more networks to the Internet, companies' risks are increasing," says Kevin Perry, former chairman of the NERC Critical Infrastructure Protection Advisory Group, in a prior talk with this writer.

Much has been done. And more is necessary. But, now, federal and state policymakers are beginning to get in synch with industry to create protocols to deter the disruption of critical infrastructure. According to the experts, vigilance, communication and coordination are the keys to staying one-step ahead.



 

Copyright © 1996-2006 by CyberTech, Inc. All rights reserved.