Securing the Grid




Location: New York
Author: Ken Silverstein, EnergyBiz Insider, Editor-in-Chief
Date: Friday, September 5, 2008

The public may be aware of increased efforts to beef up grid reliability, but it isn't focused on the work being done to secure the bulk power system from cyber attacks.

According to the General Accountability Office, the nation's wires infrastructure comprises $1 trillion in assets, including 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. While this system was once proprietary and closed to others, it has become increasingly connected to the outside world through the Internet and corporate intranets. This leaves it vulnerable to intrusions that can cause major disruptions.

The spotlight is on control systems, which are used to manage and run the generation, transmission, and distribution of electric power. Basically, that hardware and software collect operational data from the field before processing and displaying it. The information is then relayed to local or remote equipment.

Consider the Browns Ferry nuclear plant in Alabama: In August 2006, two recirculation pumps at Unit 3 tripped and forced the unit to be manually shut down. The loss of the pumps was then traced to excessive traffic on the control systems, possibly caused by the failure of another device. The incident illustrates regulators' concern: networks are more susceptible to attack -- whether intentional or not -- as they become increasingly interwoven through the Internet.

"Cyber security is a critical component of grid reliability, but is, by its nature, fundamentally different from any other reliability concern we currently address through our standards, analysis, or enforcement programs," says Rick Sergel, chief executive of the North American Electric Reliability Corp. (NERC). "It therefore requires a different approach; one that allows for more expedient treatment of critical information, urgent action on standards, and more thorough threat analysis and risk assessment."

The U.S. Department of Energy has designated NERC as the electricity sector coordinator for critical infrastructure protection. It now works closely with homeland security and the Public Safety and Emergency Preparedness of Canada to ensure the integrity of every power plant and transmission line.

In 2006 the reliability group adopted its cyber security standards, which have been incorporated into the nation's electric reliability standards. It has recently enhanced those safety standards. Among the many requirements listed, each utility should prioritize its facilities and assets as well as characterize potential risks based on historical accounts. Furthermore, emergency plans should be prepared and practiced.

More Vigilance

Small-scale intrusions cannot be ignored. While the disruptions may be minimal, they clearly demonstrate that vital information and control systems can be violated. Indeed, malicious acts are a real threat. According to the FBI, the possible invaders include foreign nations, domestic criminals, hackers and disgruntled employees. Government studies show that a cyber attack whose ramifications lasted three months would have an economic cost of $700 billion.

"For a society that runs on power, the short-term or long-term disruption of electricity to chemical plants, banks, refineries, hospitals, water systems and military installations presents a terrifying scenario," write Rep. Bennie Thompson, D-Miss., chair of the Committee on Homeland Security, and Rep. James Langevin, D-RI, chair of the Subcommittee on Cyber Security.

Right now most of the standards are voluntary rather than mandatory. But given the essential nature of the grid, the two congressional chairmen go on to say that federal law must be revised: The Federal Energy Regulatory Commission needs the authority to enact cyber security measures during emergency situations so as to protect the bulk power system.

Utilities, meanwhile, are trying to adapt to this changing world. The evidence suggests that while no company has ignored earlier advisories, those entities have varied understandings of what is required of them. In fact, all of the utilities interviewed by government regulators have requested more information on how they could be attacked and what mitigation efforts are available to stop such breaches.

Power companies, of course, are different. Some are wires companies while others are focused on generation. Each year, though, they are supposed to certify with FERC that they have developed robust systems that can continue to generate and deliver power if attacked. A failure to meet that target could result in being denied the privilege of participating in the wholesale market, or the right to buy and sell power as well as interface with systems that do transact commerce.

"From our exposure to the leadership in the utility industry, there is widespread agreement among risk, security and information technology executives that the new standards do not -- and perhaps cannot -- cover the whole waterfront of vulnerability," says Neal Westermeyer, chief operating officer for Aegis Technologies. "At the same time, Wall Street analysts who cover the utility industry will tell you privately they are concerned about investor-owned utilities not going far enough to protect themselves from threats that range from cyber-mischief to cyber-mayhem."

Regulators are now working closely with the power industry to avert potential disruptions of the bulk power system. It's a huge order and one that is now overwhelming many companies. Much remains to be done, but increased vigilance, communication and coordination are the keys to staying one step ahead.

Energy Central
