Reports that the U.S. electric grid was penetrated by foreign spies may on the surface seem shocking. But as Brightfly Managing Director of Research Brandon Dunlap knows, attempts at cracking the networks of U.S. utilities are not new. Brightfly is a consulting company that advises on security and on governance, risk and compliance.
"While I was running the information protection program at Constellation Energy, we expanded our sensor network dramatically, on the order of 800 percent, allowing us to get very granular and expansive information about malicious activity," Dunlap recalled. "What struck us almost immediately was the sheer volume of activity originating from well beyond our national borders. Many of these events were coming from foreign universities and large corporations."
As lawmakers decide how best to improve U.S. cyber-security, Dunlap noted cultural issues at play within the utilities industry that affect its security posture and extend beyond the reach of government regulation.
"Over the past few years, I have had the privilege to speak with numerous utilities across the U.S. and I have found that most NERC [North American Electric Reliability Corporation] CIP [Critical Infrastructure Protection] efforts seem to be driven from the plants and wires sides of their businesses," Dunlap explained.
"This is a holdover from the days when the utilities kept plant systems segregated from corporate IT resources and when information security operations were relegated to dealing only with corporate-level systems and functions. As the industry has moved to more and more off-the-shelf hardware to run plant controls systems, as well as the trend in increased data sharing, this functional line has blurred.
"While the network borders have become more porous between plant and corporate systems, the old lines of operational activity [have] largely remained as they were years ago," he continued. "This has resulted in less information sharing between plant operations and information security, which I think is a tragedy since both sides have a lot of knowledge that can be shared. In my opinion, this is a cultural phenomenon and one that cannot be addressed by government intervention. It has to start from within the utility companies themselves."
Just how wide the scope of regulations aimed at securing the nation's infrastructure should be is the subject of debate on Capitol Hill. News of the electric grid hack comes as lawmakers consider the Cybersecurity Act of 2009, which calls for, among other things, a threat and vulnerability assessment of government systems and of the corporations that own the nation's utilities, energy and transportation infrastructure.
Security researchers from IOActive briefed the Department of Homeland Security in March on vulnerabilities in "Smart Grid" infrastructure. According to IOActive, Smart Grid technology is vulnerable to well-known issues such as protocol tampering, buffer overflows and rootkits. Still, the nation's utilities have largely signed on to the concept of the Smart Grid and are already installing millions of automated home meters across the country, the first phase of Smart Grid deployment.