Power Grid Hack Highlights Where Government Cyber-security Efforts Fall Short

Ozzie Diaz, CEO of wireless security company AirPatrol, said the Obama administration is making the right moves by bringing the seriousness of cyber-security to the forefront.

"The next initiative is to establish a solid and accountable partnership between the public and private sector around innovation and solving the U.S. electric grid issues and those that will come in the future," Diaz said. "Today, bureaucracy inhibits results because the public and private sectors don't communicate as effectively as they should."

There are a few trends that have led to the nation's infrastructure being exploited by an advanced and persistent threat, said Jeff Nigriny, program manager for the TSCP (Transglobal Secure Collaboration Program).

"This increased exposure, for systems often assumed not to be on the Internet, arises from the fact that such critical infrastructure networks are interconnected and interdependent with other networks, e.g. service provider corporate networks, the Internet and 'SCADA'-like networks," Nigriny said. "One common finding of recent network audits [is they] show overly open and unmonitored gateways to be critical penetration and exfiltration points. In this way, an operator opening an e-mail, and they always will … [enables] these networks to be subject to the same attacks we read about every day, whether they are coming from state-sponsored or individual hackers. The U.S., other governments and critical infrastructure providers have been struggling to adapt and improve under increasing demands for higher returns on invested capital."

The cost savings imperative has also led to a related and arguably multiplicative threat vector—the convergence of computing networks and critical infrastructure networks, he added.

Rather than increased regulation, Nigriny advocated more cooperative efforts such as TSCP, which is a partnership between the government and the aerospace and defense industries.

"A single government providing the perfect regulatory environment alone … will not help solve this problem," he said, adding that very few networks exist only in one country. "Governments must be willing to address these weaknesses with some degree of unity, but this is exceedingly rare as national infrastructure protection is seen as a matter of national defense. TSCP … is one of, if not the only, example of a multigovernment and industry consortium working to define a common approach to securing critical resources."

To Dunlap, energy companies need to look at three key areas to improve their overall security. The first involves more sharing of ideas between plant operations and IT or information security. Another is tighter integration between physical security, information security, IT, plant operations and other groups as more technology is pushed down to the meter level. Finally, he said, companies need to do more than merely meet the minimum regulatory requirements that do exist.

"Too often I have heard from people, who have the best intentions, mind you, that they want to know what the minimum amount of effort that can be applied to regulatory mandate is so they can check a box on their list," Dunlap said. "When you are talking about the largest piece of machinery in the world [the electric grid], you should have an equally big picture view of how you are going to protect and manage it. This means taking into consideration the various pieces of the grid that may be beyond your direct sphere of control, but well within your sphere of influence.

"Reach out to your peers in other companies, share ideas. Push your vendors to incorporate security into their control systems; band together for a stronger voice if you can. I have sat in on a lot of conference calls with various utilities and there seems to be a certain air of defensiveness among many of the members. They seem reluctant to share beyond a certain point. We need more collaboration."