An expert on electric power infrastructure and cyber-security says we lack the regulatory authority, political muscle and requisite skill sets to do much of anything about a U.S. power grid that's ripe for attack or failure.
A video from the Department of Energy's Idaho National Labs—released to the Department of Homeland Security and subsequently shown in part on CNN in September—showed shocking footage of a simulated cyber-attack managing to subvert physical controls and blow up a turbine.
Shocking, yes, but not as shocking as the fact that experts have known about the security problems of system controls in the U.S. electric power infrastructure for years.
Why hasn't anything been done about those problems? According to Joe Weiss, an expert on control system cyber-security who's testified before Congress about the multiple threats the nation's electric power infrastructure faces, one of the biggest hurdles is that we've got a federal regulatory agency—the Federal Energy Regulatory Commission, or FERC—with absolutely no power to mandate change in the industry.
We also have an industry that doesn't want to spend the money to change, Weiss told eWEEK in a recent interview. To make matters worse, this country is suffering an acute dearth of the skill sets needed to deal with these antiquated systems, and no amount of security knowledge regarding Windows, Unix or Linux is going to help.
Here's what it boils down to: When it comes to security, Weiss said, the system control industry is 20 years behind the IT industry, and Congress lacks the muscle to push the industry toward the future—and toward a safe, reliable power infrastructure. Here's what else he had to say on the matter.
How realistic is the scenario of doom and gloom painted by the Idaho video?
That video was completely reflective of what's out there. That's why people are concerned.
[The vulnerability demonstrated in the tape] is an important vulnerability. This is not the only important vulnerability. This just happens to be one. The issue is that this is very, very much representative of what's out there.
The labs have been demonstrating vulnerabilities for years. They just haven't made a tape showing how they could blow up a machine. Because it was released to CNN, that's why everybody is going ape.
What makes the systems that control electric power so prone to cyber-security risk?
There are numerous alarms and interlocks to make it obvious to the operator if something is going wrong. What we've normally done is we've focused on physical things. Is the temperature going up? Is the pressure going up? Is the fluid level going down? … What we've never tried to do is ask ourselves, "Did anybody try to do that?"
We've never looked at communication. We focus on physical things: pressure, temperature, levels, flows. Not somebody sending something to try to create that. That's what makes this different and difficult. This isn't trivial.
These systems were designed and developed years ago, before there was ever any reason to think about security. They were developed to be reliable and available and efficient. What's worse, security will drive them in the wrong direction. We need to have systems talking to each other. These things have to be responsive immediately. The more you secure things, the less they can talk and the more time it takes. It goes in the opposite direction.
What are we doing wrong when it comes to securing these systems?
The operator interfaces—where you see pictures of control rooms and whatever—the screens, that's Windows. Or Unix. Or Linux. You can secure that the way you're used to having systems secured. The devices that basically feed those interfaces—the actual controllers, the sensors, the things in the field—are not Windows. They don't have secure operating systems. They are very computer-resource-limited. You can't do or apply the type of things you would to secure Windows.
What people have done is they've taken the normal approach, the old CIA approach with confidentiality, [etc.], and in the traditional computer world, [where] the thing you're most concerned about is confidentiality.
You spend your time trying to develop encryption. If you want confidentiality, you don't want people to be able to read things. Doesn't matter how many times you send things, as long as when it finally gets there, nobody could figure out what your credit card number was.
In a control system, this thing has to operate within milliseconds. If you send something and it doesn't get there or it gets misinterpreted, bad things happen. Either things malfunction or it shuts down.
So rather than keeping these control systems from revealing data, as is the concern in data security, we should be more worried about being able to determine if commands coming in are legitimate?
We're concerned that wherever this data is coming from is where it said it came from. We care if output is 60 percent and not 6 percent. That's what we care about.
All this work on encryption is good, but it's not all that relevant. Where's the work on authentication and integrity? There's very little [of that work being done].
So what you're saying is that security just doesn't translate well from the PC world into the system controls world?
[Right.] Another thing is that we use different protocols. We're not just IP. You don't have all day to do a stateful inspection and try to figure out what's in there. It's very different. The technologies we need are specific to these systems. And we don't have that many people who know these systems.
We have people developing Windows firewalls for control systems. How many of those do we need?
Not many, I'd think.
We're not getting the things developed that we need developed.
First and foremost, these systems need to be treated with at least as much security as you treat your mainstream IT systems. And that's what they've refused to do.
The industry?
Neither NERC [North American Electric Reliability Corp.] nor the utilities are. They have refused to address [these issues]. We're trying to force the issue, myself, NIST [National Institute of Standards and Technology] and some others. NERC and the industry have made clear they don't want it at all. This whole thing is forcing what they didn't want to have happen.
Some of it isn't even programming. A lot of it is getting the people who run these systems to work with people who know security but not control systems and come up with teams to do this.
The bottom line is that the utilities simply don't want to do very much, and, consequently, what they've done is written a standard that provides all sorts of exemptions and exceptions and ambiguousness so they can do as little of what they consider necessary and not have to do anything.
How is the industry getting away with doing nothing?
NERC's [standards], the industry voted on them. They created them themselves.
The NERC standards are set up in such a way that … the first is the scoping document. If you determine that a piece of equipment is to be considered a critical cyber-asset, you have to go through and do the security program for it. If, on the other hand, you say it's not a critical cyber-asset, you don't do anything more. Period. You're done. You don't have to look at it anymore.
So what utilities are doing, and NERC has given them the ability to do, is basically to say, "I don't have" or "I have very, very few" critical cyber-assets. Then they don't have much to do besides a paper exercise.
[NIST's proposed standard] says you don't have exclusions or exceptions. You have to assess these things. Same as for mainstream IT systems. [Industry wants] to exclude even looking.
Could you please explain what's going on in Washington?
Congress is going back and working with FERC. The reason is that, in the energy policy act, … [there's] effectively a poison pill to prevent FERC from being able to act like a regulator. It's prevented them from writing standards or rules. All it said was they can approve them.
So the industry submitted NERC [rules] to FERC. FERC has a problem with them. FERC is going to send them back to NERC and say this is unacceptable, and then NERC has to put it back out for ballot. If they put out for ballot what FERC has told them to put in, it will be rejected. The only thing they'll approve is something watered down with minimal value.
[I predict that] what you'll see is an endless "do loop" [in Congress] and the grid being vulnerable for I don't know how long. Congress is working with FERC to determine how they can essentially be in the position to do their job and regulate and mandate.
[But] to amend the energy act, that will probably take years. To get the energy act through in the first place took years. People are trying to [figure out], "How do you get this fixed now, not 5 years or 10 years from now?"
And that's what's going on in Washington.