Sparks over US power grid cybersecurity

Security? What Security!


A new measure aims to protect the networks that control electric power distribution throughout North America. But not everyone is juiced over plans to hold utilities accountable to tight security practices, says Kevin Poulsen, of SecurityFocus.

The organization responsible for keeping electricity flowing throughout the United States and Canada took its first serious step this week toward shoring up cybersecurity on the Byzantine computer networks that control electric power distribution.

That portions of the power grid are vulnerable to hack attack has been known since at least 1997, when a six-month vulnerability assessment by the White House's National Security Telecommunications Advisory Committee found basic security flaws in the computerized systems that control generators, switching stations and electrical substations.

Among other things, the committee reported that operational networks controlling critical portions of the grid were accessible through electric companies' corporate LANs; some digital circuit breakers could be remotely tripped by anyone with the right phone number; and fixed passwords for remote vendor access went unchanged for years.

Despite the vulnerabilities, the report noted that physical attacks against utilities pose a greater threat than cyber attacks, and years later there are still no known cases of hackers causing service outages. But closing the cybersecurity holes in "critical infrastructures" took on new urgency after September 11, and the Federal Energy Regulatory Committee (FERC), which regulates the electric industry in the U.S., began talking about imposing security requirements on power companies.

Not surprisingly, the power companies prefer to regulate themselves. On Wednesday, the North American Electrical Reliability Council (NERC) unveiled a proposed mandatory security standard for the electric industry. A not-for-profit group that umbrellas electric utilities in the U.S. and Canada, NERC formed in the wake of the catastrophic 1965 blackout that knocked out power to 30 million people in the northeastern United States. Its mission is to keep the lights on.

Based on the same broad standards that the government was contemplating, the NERC security rules -- which will face a vote in May -- aren't exactly revolutionary: companies would have to launch cyber security training programs, write security policies, identify their critical "cyber assets," etc. But electric workers say that making the rules an official standard changes everything for the 100-year-old industry. "That's a big deal -- to be the NERC standard," says David Norton, a cyber security consultant to the industry. "They've added requirements for compliance monitoring, with sanctions for noncompliance."

That worries Kenneth Hooper, a protection engineer at NB Power, an electric company serving the Canadian province of New Brunswick. He says mandatory continent-wide security measures are too blunt an instrument for the job. "We feel that security is an issue, but each area should be allowed to address it as they see fit," says Hooper. "Our security issues are not nearly as great as Boston or New York, or one of the major load centers like that."

Risk Management

Hooper isn't worried about the language of the new standard so much as what will replace it. Under NERC's bylaws, the emergency measure setting the rules will expire two years after passage, and the group has promised regulators that a more specific security standard will be in place before then. No one knows what that will be, but a parallel NERC effort has drafted a new official, but non-binding, cybersecurity "guideline" that Hooper says is a likely candidate to become the next standard.

The draft guideline offers a much more detailed prescription for curing the power grid's security ills: "Set dial-out modems to not auto-answer," reads one pointer. "Automatically lock accounts or access paths after a preset number of consecutive invalid password attempts," suggests another.

"All of the new products that we use these days are microprocessor controlled and they have serial ports on them, so they can be accessed remotely by modem, and also by an intranet connection over Ethernet," says Hooper. "So some of these things would impact us, like rotating passwords, and some of the things mentioned in the guide... Who wants to have their company's name being published all over the world as being noncompliant with a NERC standard?"

Shouldn't equipment that controls the flow of electricity at least have its passwords changed periodically, as suggested by the guideline? Hooper says it's a matter of risk management -- even if a malicious hacker gained access to his company's systems, the attacker wouldn't be able to cause any problems that the utility isn't prepared for anyway. "Say that someone hacks into some of my protecting relays, and makes it so it could trip when it shouldn't trip," says Hooper. "We already live with that risk of happening every day, so we have things in place that mitigate the impact."

Norton agrees that there are downsides to the measure -- for one, he says some power companies will have trouble paying for the cyber security enhancements. "They'll need to go to some government agency and build a case for why consumer rates need to go up." For that reason, he believes that rural and municipal utilities should be given extra time to implement the security standard, and its eventual sequel, before facing sanctions.

But Norton also describes the power grid's fractal network of interdependent systems. "There's incredible variety of equipment, generationally, vendor-wise, because it's kind of been cobbled together as neighborhoods get bigger," he says. "You've got increasingly sophisticated control centers and increasingly sophisticated microprocessor-controlled equipment, and linking them are unencrypted 1200-baud lines."

An industry drive to make that tangled web more secure is long overdue, he says. "The alternative is to have the NSA and NIST, or somebody who manages rates, FERC, basically coming in without really understanding what the electric power business is all about."

© SecurityFocus
