Lack of US Cybersecurity Across the Electric Grid
Lasrick writes: "Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center's Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector. Cyber attacks could come from a variety of sources, and 'a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.' ECGI is recommending the creation of a new, industry-supported model that would create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. The vulnerability of the grid has been much discussed this last week; McGuinness's recommendations are a good place to start."
I could take out a substation with parts found in any store and wouldn't trigger any alerts buying them. Heck, damage things with a bow and arrow and thick metal wire. There are cheaper/easier ways to take down power. Back a pickup truck into a tower. The "cyber" complaint is FUD. It may be true, but is still FUD because it's easier to attack the infrastructure in other ways.
Learn to love Alaska
Companies want to concentrate on their core competencies. To an electric utility, IT isn't a core competency.
My power company can't be bothered to trim trees and replace rotten poles. That's all contracted out. Their core competency is collecting bills. Heck, they don't even read their own meters. That's contracted out.
So good luck with the whole 'secure the system' idea. Outages are all classified as 'Acts of God'. Maybe. I guess God has it in for corporate morons.
Have gnu, will travel.
Add to that how dumb some of the components of the energy grid are, and you have a situation where you really do have to prepare yourself for the worst. I think the overall chaos and complexity is likely the only thing that has protected it to date.
Now you are just pandering fear. You rightly observe that it would be an extremely complex problem to try and disrupt the power infrastructure in this country using what is connected to the internet. There are a multitude of systems, control types and locations, all of which are constantly changing over time. This makes trying to figure out how you could use these contact points to actually do something significant to the power grid using the internet a problem complex enough to be worthy of a supercomputer, and a long time to research and catalog what was accessible would be required to feed such a computer.
But there is one thing you forget (or just don't know). MOST of the critical infrastructure, the really important stuff, is NOT unprotected. It is very much behind firewalls with encrypted VPN links. You might find access to some backup generator on the web, but a major power plant will be secured pretty well. They are not going to let some yahoo hacker mess with millions of dollars of equipment, but they might let the building manager monitor his emergency backup generator from home or something. The really critical stuff is protected. What's not is the far-flung stuff, the really remote substation, and how much damage are you going to do from there? Not much, certainly nothing of national significance or more than, say, an ice storm.
Cyber attacks are not that big of a risk... How do I know? Has it happened yet? Even on a small scale? Why? Because nobody thought of or tried it? No, because it's way too hard of a problem for just anybody to mount an effective attack, and if they HAVE done it, there was so little disruption in things as to be insignificant compared to other events which happen more often.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101