In the wake of the Idaho National Laboratory test that blew up an electrical generator with a simulated cyber-attack and revealed the fragility of the nation's electrical infrastructure, a congressional panel on cyber-security is calling for an investigation into how well electric sector owners and operators have implemented security mitigations developed by the U.S. Department of Homeland Security and Department of Energy.
The danger is growing, many say, given the increasing number of touch points between the United States power infrastructure and the wild and dangerous world of the Internet.
“Once largely proprietary closed systems, control systems are becoming increasingly connected to open networks, such as corporate intranets and the Internet. As such, the cyber-risk to these systems is increasing,” said Rep. Jim Langevin, D-R.I., chairman of a House of Representatives cyber-security panel, in an opening statement for an Oct. 17 hearing devoted to the cyber-threat to utility control systems and the stronger regulations that are necessary to secure the electric grid.
According to Langevin, what's at stake is a power system worth more than $1 trillion, comprising more than 200,000 miles of transmission lines and more than 800,000 megawatts of generating capability that serves over 300 million people through the United States and Canada. The effective functioning of this infrastructure is highly dependent on control systems, which are computer-based systems used to monitor and control sensitive processes and physical functions.
“Intentional and unintentional control system failures on the bulk power system could have a significant and potentially devastating impact on the economy, public health and national security of the U.S.,” Langevin said in his opening statement, which is posted here.
“For a society whose every function depends on reliable power, the disruption of electricity to chemical plants, banks, refineries, hospitals, water systems and military installations presents a terrifying scenario. We will not accidentally stumble upon a solution to these problems. Instead, we must dedicate a lot of hard work and resources to secure our systems,” he said.
To that end, the Federal Energy Regulatory Commission has proposed implementing a set of reliability standards developed by the North American Electric Reliability Corp. However, members of the cyber-security committee have found those standards to be woefully inadequate, Langevin said. “The NERC standard focuses on the reliability of the bulk power system as a whole, ignoring the homeland security impact that loss of power in a region can have,” he said.
The House committee faults the standards for a failure to cover a “significant number of assets” that are critical to keeping the nation's electricity flowing—specifically, they neglect any requirements regarding electric sector owners and operators securing generation units, distribution units or telecommunications equipment.
“But we know from countless real-world examples that these units are highly vulnerable to intentional and unintentional cyber-events,” Langevin said. “Knocking any of these units off could affect the power supply to our nation's critical infrastructure.”
The proposed NERC standards would require certain users, owners and operators of the grid to establish plans, protocols and controls to safeguard physical and electronic access to systems, to train personnel on security matters, to report security incidents and to be prepared to recover information.
The Idaho National Lab's formerly classified demonstration of blowing up a generator, revealed by Homeland Security officials in September and subsequently aired in part by CNN, was a dramatic illustration of how control systems can be used to inflict critical damage onto physical structure—specifically, a turbine.
Reality Is More Complicated
That scenario has been tested and known about for some time, according to Amit Yoran, CEO of NetWitness and former director of the DHS National Cyber Security Division. The reality is a bit more complicated, however, than the sensationalistic, smoking-equipment video clip reveals, he told eWEEK in a recent conversation.
“Utilities and equipment that rely on control systems—[i.e.,] computer or electronic equipment attached to mechanical equipment—broadly in the power sector or in other utilities or other critical infrastructure, that's a very complex system or set of systems, and their interaction is very complicated, not only in the case of power if you're talking about generation, or transmission, or distribution, all these things are very complicated in and of themselves, and when you start intertwining them, it gets very complicated.
“[Add to that] regulatory issues, industry standards and best practices, [and] sometimes seemingly competing requirements between availability and redundancy and what we think of as a standard that says you shalt not set a password on this system because if Joe is at home or hit by a bus and power goes down, we don't want people to have to crack a password to get power.”
Thus the systems that control the grid get increasingly interconnected, Yoran said, and the disparate lines that were once more or less stand-alone get put together and deployed in ways that “may be lacking from a security perspective,” he said.
Still, one turbine blowing up in the controlled situation of a lab should not be taken to mean that all control systems are vulnerable to this type of attack, he said.
“Many infrastructures have both electronic as well as physical measures to protect equipment, for public or operator safety. They have spillover valves, auto shut-off valves. Some of those are not electronic; some have mechanical protective measures. I don't think a valid conclusion is because one turbine is destroyed all critical infrastructure is vulnerable to this attack. It's important, it's dramatic, it's a good indicator of a bad-case scenario, but it shouldn't be interpreted as a pervasive and definitive conclusion for all control systems.”
At any rate, getting control systems vendors to comply with a rigid set of standards doesn't fit in well with the reality of the world of control systems, Yoran said. Control systems themselves have complex and long deployment cycles. A control system may be an application with a warranty that the control system vendor put together and offered on a particular operating system where the control system was tested and validated. As vulnerabilities are discovered, those who run control systems run into scenarios wherein they well might void their warranty, such as when a security patch is applied. Thus, in some cases, operators are caught between a rock and a hard place, having to choose between improved security versus the desire for a valid warranty and support services.
“The control system world is a very complex one. We can't say, ‘Charge forward and by next Tuesday patch everything and we'll be protected.’ It takes a lot of detailed study of control systems and interactions with the infrastructure before” the grid overall can be improved vis-à-vis its safety from cyber-attack, he said.
The NERC is well aware of the complexity of the situation. Joseph McClelland, director of the Office of Electric Reliability at the FERC, said at the Oct. 17 hearing that overly prescriptive standards run the risk of becoming a “one-size-fits-all” solution that ignores “significant differences in system architecture, technology and risk profile.”
“A major concern with cyber-security is the prevalence in the industry of legacy equipment which may not be readily adaptable for purposes of cyber-security protection,” he said. “If this equipment is left vulnerable, it could be the focal point of efforts to disrupt the grid.”
Replacing the grid's antiquated equipment or retrofitting it to incorporate cyber-security protection could be costly, McClelland said, “but a successful cyber-attack could damage our bulk-power system and economy in ways that cost far more.”
Homeland Security's cyber-security czar, Greg Garcia, reportedly said on Oct. 17 that his agency will be passing out cyber-security self-assessment guidelines to control systems operators, will offer training to workers in the field, and will be distributing suggestions for mitigations against real-world attacks similar to the one enacted on the Idaho National Lab video.