Slashdot Mirror


Lack of US Cybersecurity Across the Electric Grid

Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."

12 of 95 comments

  1. Low hanging fruit by AK Marc · Score: 4, Interesting

    I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.

    1. Re:Low hanging fruit by AK Marc · Score: 2

      A guy did about a million dollars of damage with a gun on the Alaska pipeline (the smaller leak set off detectors, but wasn't as identifiable as larger leaks, and was in a remote area for complicated cleanup). But I've seen a few hundred thousand dollars of substation taken out by a snake. Throwing a watermelon over the fence with exceptional aim would have a similar effect.

      The benefit of the cyber attacks is untouchability. Perform the attack from a place with no extradition, and you'll be fine. Also, you can hit multiple places at once, something that would take a small army to do in person.

      But for "effort for damage" buying a watermelon and throwing it over the substation fence onto a transformer probably has cyber beat.

  2. Windows and SCADA by symbolset · Score: 2

    OK, that's enough nightmare fuel for one day.

    --
    Help stamp out iliturcy.
  3. Profit! by eyepeepackets · Score: 2

    But, but...what about the poor baby profits?

    Seriously, you won't see these corporations do anything like this until they are forced to do so with heavy regulations, potential heavy fines and the real possibility of criminal prosecution upon proof of criminal negligence by a prosecuting attorney.

    MBA school teaches them this: costs equal profits taken out of your pocket, so anything you can do to put the costs anywhere else is the profit in your pocket. This is how they think and how they operate. This is why you don't want business running and maintaining your infrastructure.

    --
    Everything in the Universe sucks: It's the law!
  4. Core competency by PPH · Score: 3, Funny

    Companies want to concentrate on their core competencies. To an electric utility, IT isn't a core competency.

    My power company can't be bothered to trim trees and replace rotten poles. That's all contracted out. Their core competency is collecting bills. Heck, they don't even read their own meters. That's contracted out.

    So good luck with the whole 'secure the system' idea. Outages are all classified as 'Acts of God'. Maybe. I guess God has it in for corporate morons.

    --
    Have gnu, will travel.
    1. Re:Core competency by delcielo · Score: 4, Interesting

      Electric utility companies do have some interesting dynamics. Staff tend to have long tenures, so many of the plant operations folks remember days before they had to deal with IT folks to do their business. But, everybody (and I mean everybody) at this point understands the necessity and value of a strong IT staff. They may resent it, but they get it.

      And, you can bet that the IT departments at electric utilities are as professional as any. Your assumption that they don't want to be good at it is utterly and shamefully false. Even if it were true, they have no choice. There's a lot going on at utility companies that these types of scare-mongering authors never talk about. She very briefly mentions the NERC-CIP regulations (glossed them over, really) without also mentioning the IT components of reliability audits, internal audits, internal exercises, external pen tests, coordinated exercises with regional entities, law enforcement, FERC, etc. Industry peer groups play a big role as well. Protecting the power grid is vitally important to us. Why on earth would it not be? We run a metered business. We can't bill if we aren't creating, transmitting and distributing power.

      Is it vulnerable? Of course, as is the highway system, water, food distribution, agriculture, shipping, etc.

      Now, I totally agree that NERC-CIP should be more assistive and less about pure compliance with standards; but "continuous improvement" is a concept that is constantly harped on by both staff and regulators. It's already there.

      --
      Hot Damn! It's the Soggy Bottom Boys!
  5. I remember Y2K, do you? by bobbied · Score: 2

    So here we go again... Some uncontrollable thing is going to disrupt our electric grid and technological infrastructure!

    Just over a decade ago it was Y2K. Folks were stockpiling food, water and fuel for generators in fear that the electric grid was obviously going down at 12:00 AM January 1, 2000 when all their 2-digit year clocks rolled over.

    Since then, I've heard stories about people who fear an EMP that will take out the grid and are out stocking up on food, water, fuel getting ready to live without power for years.

    Last week, here on slashdot, we had a story on a huge solar storm powerful enough to bring down the grid... Folks were encouraged to stock up, buy food, water, fuel and prepare for weeks without power.

    So, here we are today discussing a cyber attack on the power grid that could bring the grid down.... Need I type the rest?

    Really? Look, it would *really* suck if the power grid in North America went down. Yes people would die and it would be a huge mess to fix with disruptions in food supplies and fuel. Of all the ways the grid could be disabled, cyber attack is the least likely and the one easiest to fix. It's unlikely to take the whole grid down unless the saboteurs were extremely crafty and organized. They would have to first find enough infrastructure to access, manage to break in, understand how all the stuff they could control was interconnected and what failures they could induce and THEN coordinate all the individual attacks well enough to actually do something more than just local damage before they cut power to enough infrastructure they needed to continue the attack. How all the infrastructure is connected and how it interrelates are not easy problems to solve.

    We have bigger fish to fry than fearing some mythical cyber attack on infrastructure like the power grid. I won't say it will NEVER happen, but you are talking about something that is bordering on impossible. This is like Y2K. A bunch of Chicken Littles that don't have a clue about how things *really* work or how resilient things really are overall, stoking up panic over small things. So, go stock up on food, water and fuel, just don't do it because you fear some cyber attack on the power grid.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Energy Control Systems Online? by BoRegardless · Score: 2

    After 10 years of HEAVY security articles & discussion, remind me again why ANY critical infrastructure SCADA system should be allowed to be online?

    Come on now. Why? Are we talking total incompetence at the top of these orgs and their watchdogs?

    1. Re:Energy Control Systems Online? by mlts · Score: 2

      I wonder what ever happened to the concept of the data diode. That way, stuff can be monitored... but it would take someone physically there for action [1]. I've done this on a low bandwidth basis by using two machines on physically separate networks, a serial cable that has one line cut (so it could only send signal one direction), syslog on one side, and a redirect from the serial port to a file on the other side.

      [1]: Of course, this isn't 100%, someone can pretend to be a manager or upper muckety muck, but it is a step up from a remote attacker just typing in blkdiscard /dev/sda on an embedded machine that got exploited.
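      The one-way serial syslog relay mlts describes has no return path, so the receiving side can never ask for a resend. The example below is added here and is not the poster's setup: it models the sender and the read-only receiver, with a constructed frame format (sequence number, payload length, syslog line) so that dropped or clipped frames are at least detected and counted for alerting.

```python
import io
import re

# Constructed framing for this example: "<seq> <payload-length> <syslog line>".
FRAME_RE = re.compile(r"^(\d+) (\d+) (.*)$")


def frame(seq: int, msg: str) -> str:
    """Sender side: wrap one syslog line so the read-only side can spot loss/truncation."""
    payload = msg.rstrip("\r\n")
    return f"{seq} {len(payload)} {payload}\n"


def receive(stream, sink) -> tuple:
    """Receiver side: consume frames from the one-way link and append intact
    payloads to sink. No back channel exists, so nothing is re-requested; the
    function returns (accepted, lost, corrupted) counts for monitoring."""
    expected = None
    accepted = lost = corrupted = 0
    for line in stream:
        m = FRAME_RE.match(line.rstrip("\r\n"))
        if not m:                      # line noise with no usable sequence number
            corrupted += 1
            continue
        seq, length, payload = int(m.group(1)), int(m.group(2)), m.group(3)
        if expected is not None and seq < expected:
            continue                   # duplicate or replayed frame, drop it
        if expected is not None and seq > expected:
            lost += seq - expected     # frames that never arrived on the wire
        if len(payload) != length:     # clipped frame: count it, do not store it
            corrupted += 1
        else:
            sink.write(payload + "\n")
            accepted += 1
        expected = seq + 1
    return accepted, lost, corrupted


def demo() -> tuple:
    """Constructed run: five frames sent, frame 3 dropped, frame 4 clipped."""
    sent = [frame(i, f"<34>Oct 11 22:14:{i:02d} rtu01 sshd[42]: session opened")
            for i in range(1, 6)]
    del sent[2]                                   # frame 3 lost in transit
    sent[2] = sent[2][:-12] + "\n"                # frame 4 truncated by line noise
    sink = io.StringIO()
    counts = receive(io.StringIO("".join(sent)), sink)
    return counts, sink.getvalue().count("\n")
```

      On a real link the sender's stream would be the serial device written by syslog and the receiver's sink the file on the isolated side; the counters are what you would wire into alerting, since a silent gap is the only failure mode a one-way link can have.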

  7. Re:Why not a separate WAN? by bobbied · Score: 3, Interesting

    Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.

    Now you are just pandering fear. You rightly observe that it would be an extremely complex problem to try and disrupt the power infrastructure in this country using what is connected to the internet. There are a multitude of systems, control types and locations, all of which are constantly changing over time. This makes trying to figure out how you could use these contact points to actually do something significant to the power grid using the internet a problem complex enough to be worthy of a supercomputer, and a long time to research and catalog what was accessible would be required to feed such a computer.

    But there is one thing you forget (or just don't know). MOST of the critical infrastructure, the really important stuff, is NOT unprotected. It is very much behind firewalls with encrypted VPN links. You might find access to some backup generator on the web, but a major power plant will be secured pretty well. They are not going to let some yahoo hacker mess with millions of dollars of equipment, but they might let the building manager monitor his emergency backup generator from home or something. The really critical stuff is protected. What's not, is the far flung stuff, the really remote substation, and how much damage are you going to do from there? Not much, certainly nothing of national significance or more than say an Ice Storm.

    Cyber attacks are not that big of a risk... How do I know? Has it happened yet? Even on a small scale? Why? Because nobody thought of or tried it? No, because it's way too hard of a problem for just anybody to mount an effective attack, and if they HAVE done it, there was so little disruption in things as to be insignificant compared to other events which happen more often.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  8. Article and Associated Reports Misunderstand by jofny · Score: 2

    That article and the sources it references fatally misunderstand both the nature of cybersecurity as a large scale problem space and the paths to improve the situation.

    First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase unless the overall business - not just the dedicated cybersecurity functions & capabilities - is improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.

    Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.

    Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)

    Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.

    Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.

  9. Re:Why is this crap on the internet by Em Adespoton · Score: 2

    Ah; but the guy down at the station babysitting the PLC probably wants to get his Facebook fix too -- so he hooks up a wireless USB stick and presto! The entire national WAN is now online....

    And the next day, he finds a pink slip waiting for him.

    You have much faith in his local IT managers and their managers... I've seen places run for months with such a setup with nobody noticing... and then when something happens as a direct result of the rogue router, it still takes significant time to isolate it and take appropriate steps. Sometimes, the guy who set up a system like this doesn't even work for the company by the time they realize what is wrong. This despite the fact that on paper, it should be as you say -- something logged and flagged up, resulting in a pink slip less than 24 hours later.