An expert on electric power infrastructure and cyber-security says we lack the regulatory authority, political muscle and requisite skill sets to do much of anything about a U.S. power grid thats ripe for attack or failure.
A video from the Department of Energys Idaho National Labs—released to the Department of Homeland Security and subsequently shown in part on CNN in September—showed shocking footage of a simulated cyber-attack managing to subvert physical controls and blow up a turbine.
Shocking, yes, but not as shocking as the fact that experts have known about the security problems of system controls in the U.S. electric power infrastructure for years.
Read more here about the claim that the power grid defense is weak.
Why hasnt anything been done about those problems? According to Joe Weiss, an expert on control system cyber-security whos testified before Congress about the multiple threats the nations electric power infrastructure faces, one of the biggest hurdles is that weve got a federal regulatory agency—the Federal Energy Regulatory Commission, or FERC—with absolutely no power to mandate change in the industry.
We also have an industry that doesnt want to spend the money to change, Weiss told eWEEK in a recent interview. To make matters worse, this country is suffering an acute dearth of the skill sets needed to deal with these antiquated systems, and no amount of security knowledge regarding Windows, Unix or Linux is going to help.
Heres what it boils down to: When it comes to security, Weiss said, the system control industry is 20 years behind the IT industry, and Congress lacks the muscle to push the industry toward the future—and toward a safe, reliable power infrastructure. Heres what else he had to say on the matter.
How realistic is the scenario of doom and gloom painted by the Idaho video?
That video was completely reflective of whats out there. Thats why people are concerned.
[The vulnerability demonstrated in the tape] is an important vulnerability. This is not the only important vulnerability. This just happens to be one. The issue is that this is very, very much representative of whats out there.
The labs have been demonstrating vulnerabilities for years. They just havent made a tape showing how they could blow up a machine. Because it was released to CNN, thats why everybody is going ape.
What makes the systems that control electric power so prone to cyber-security risk?
There are numerous alarms and interlocks to make it obvious to the operator if something is going wrong. What weve normally done is weve focused on physical things. Is the temperature going up? Is the pressure going up? Is the fluid level going down? … What weve never tried to do is ask ourselves, Did anybody try to do that?
Weve never looked at communication. We focus on physical things: pressure, temperature, levels, flows. Not somebody sending something to try to create that. Thats what makes this different and difficult. This isnt trivial.
These systems were designed and developed years ago, before there was ever any reason to think about security. They were developed to be reliable and available and efficient. Whats worse, security will drive them in the wrong direction. We need to have systems talking to each other. These things have to be responsive immediately. The more you secure things, the less they can talk and the more time it takes. It goes in the opposite direction.