Power Grid Hack Highlights Where Government Cyber-security Efforts Fall Short
Reports that the
U.S. electric grid was penetrated by foreign spies may on the surface seem
shocking. But as Brightfly Managing Director of Research Brandon
Dunlap knows, attempts at cracking the networks of U.S. utilities are not new. Brightfly is a consulting
company specializing in advising on security and governance, risk and
compliance.
"While I was running the information protection program at
Constellation Energy, we expanded our sensor network dramatically, on the order
of 800 percent, allowing us to get very granular and expansive information
about malicious activity," Dunlap recalled. "What struck us almost
immediately was the sheer volume of activity originating from well beyond our
national borders. Many of these events were coming from foreign universities
and large corporations."
As lawmakers
decide how best to improve U.S. cyber-security, Dunlap noted cultural
issues at play within the utilities industry that affect its security posture and
extend beyond the reach of government regulation.
"Over the past few years, I have had the privilege to speak with
numerous utilities across the U.S.
and I have found that most NERC [North American Electric Reliability
Corporation] CIP [Critical Infrastructure Protection] efforts seem to be driven
from the plants and wires sides of their businesses," Dunlap explained.
"This is a holdover from the days when the utilities kept plant systems
segregated from corporate IT resources and when information security operations
were relegated to dealing only with corporate-level systems and functions. As
the industry has moved to more and more off-the-shelf hardware to run plant
controls systems, as well as the trend in increased data sharing, this
functional line has blurred.
"While the network borders have become more porous between plant and
corporate systems, the old lines of operational activity [have] largely
remained as they were years ago," he continued. "This has resulted in
less information sharing between plant operations and information security,
which I think is a tragedy since both sides have a lot of knowledge that can be
shared. In my opinion, this is a cultural phenomenon and one that cannot be
addressed by government intervention. It has to start from within the utility
companies themselves."
Just how wide the scope of regulations aimed at securing the nation's
infrastructure should be is the subject of debate on Capitol Hill. News of
the electric grid hack comes as lawmakers consider the Cybersecurity Act of
2009, which calls for, among other things, a threat and vulnerability
assessment of government systems and of
the corporations that own the nation's utilities, energy and
transportation infrastructure.
Security researchers from IOActive briefed the Department of Homeland
Security in March on vulnerabilities in "Smart Grid" infrastructure.
According to IOActive, Smart Grid technology is vulnerable to well-known issues
such as protocol tampering, buffer overflows and rootkits. Still, the nation's
utilities have largely signed on to the concept of the Smart Grid and are already
installing millions of automated home meters across the country, the first
phase of Smart Grid deployment.