Sluggish movement on power grid cyber security

'Doesn't go far enough'


One year after the worst blackout in US history drew attention to the fragility of the North American power grid, progress on protecting the grid from computer intrusions has been slow in coming.

This week the North American Electric Reliability Council (NERC) - the not-for-profit industry group responsible for keeping electricity flowing throughout the United States and Canada - released a list of measures taken to shore up electric grid reliability in the year since the 14 August, 2003 northeast blackout, when a sagging high voltage line in Ohio cascaded into a failure that left 50 million people in eight states and a Canadian province without power.

Topping the cyber security portion of NERC's list, the council recently voted to renew for one year a set of rules, called the Urgent Action Cyber Security Standard 1200, that sets minimum cyber security requirements for utility companies in the US and Canada. But that standard - by coincidence enacted the day before the blackout - is relatively small in scope: it applies only to utility control centers, and specifically exempts substations, power plants, and the remotely-operated control systems and relays sprinkled throughout the grid. "It doesn't go far enough," acknowledges Tom Kropp, manager of enterprise information security at the Electric Power Research Institute, an industry think tank. "It is very, very limited in what it applies to."

The reason the standards don't reach further, says NERC cyber security chief Lou Leffler, is a pragmatic one: the industry didn't want to impose requirements on itself that it couldn't meet. "There are some areas where the technology doesn't exist at this point in time to provide all the protection that we'd like," says Leffler.

Concern in Washington

SCADA (Supervisory Control and Data Acquisition) systems, in particular, allow utilities to remotely control and monitor generation equipment and substations over phone lines, radio links and, increasingly, IP networks. That makes them an obvious target for cyber attackers. But some existing SCADA systems can't economically be retrofitted with encryption or authentication technology without introducing unacceptable latency into the link, i.e., slowing down communications, Leffler says, voicing a sentiment heard often in the industry. "The devices to provide that kind of encryption, certification or what-not just do not exist," says Leffler.

In the wake of the northeast blackout, the narrow focus of the industry's cyber security standard even drew the attention of presidential candidate John Kerry, who, in his capacity as US Senator, asked the chairman of the Federal Energy Regulatory Commission to explain the omission of power plants and control systems from the NERC standard, and from a proposed federal standard that was never ratified.

"As you know, the increased integration of generation, transmission and distribution, and control and communications functions, makes the security of the power grid increasingly dependent on the security of its components," Kerry wrote, in a letter dated 8 September, 2003. "I strongly support your efforts to increase the protection of our electric power infrastructure, but I am concerned that the very systems used to control the safe and reliable operation of power generation have been excluded from the rule."

Responding to Kerry, FERC chairman Patrick Wood wrote that the failure of individual power plants is not a threat to the grid as a whole, and echoed NERC's position that control systems, while "clearly vulnerable points," could not be secured with cost-effective off-the-shelf solutions, and were therefore properly omitted from security standards.

Scattered Incidents

If the current rules are limited, observers expect more from the sequel: NERC is working on a new, permanent cyber security standard expected to be in place by the time Urgent Action 1200 expires, one year from now. "What NERC wanted to do with the current one is to set a threshold, give it a try, get the industry comfortable with it and then move on to a more stringent standard," says Kropp. "I think the intent is for [the next standard] to go farther."

"It is my understanding that it will cover the SCADA connectivity, to the extent that there is existing technology to do that," says NERC's Leffler. "I hope that the industry, that the vendors, can develop cost effective security solutions for all of our control systems. I think that is one of the intents."

To that end, there are myriad efforts underway to develop SCADA security solutions. Working with NERC, the Department of Energy has produced written guidelines to help utilities voluntarily tighten their control systems, and the department funds a well-regarded National SCADA Testbed at the Idaho National Engineering and Environmental Laboratory. This year also saw congressional hearings and a GAO report on the issue of control system cyber security, and an announcement from at least one sizable computer security vendor jumping into the SCADA security market. "There's also a funded, focused effort within the Department of Homeland Security to address this," says Joe Weiss, a control system cyber security consultant at KEMA. "That is a big deal."

Reported cases of power grid cyber security incidents are rare, but not unheard of. In the most dramatic incident, early last year the Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours. According to an industry report, the same worm downed a utility's critical SCADA network after penetrating a control center network through a VPN connection, and, separately, disrupted a power company's SCADA traffic by consuming bandwidth on a shared facility.

The northeastern blackout was not caused by cyber attack, but a software bug contributed to its scope. A silent failure of the alarm function in an Ohio utility's computerized Energy Management System (EMS) is listed in the joint US-Canada report on the blackout as one of the direct causes of the outage. In April the makers of the software, GE Energy, told SecurityFocus the failure was caused by a race condition in the EMS software that has since been patched.

In all, utilities have had enough work to do on basic reliability that cyber security has taken a back seat over the last 12 months, says EPRI's Kropp. "What I think people have done is they've taken the reliability aspects and the maintenance aspects more seriously," Kropp says. "I think companies are looking at the tools they have to monitor the grid. They're taking much more seriously the preventive maintenance aspects, like cutting tree branches, and making sure the transmission lines are intact and in good shape... They've been taking a second look at their software to make sure there aren't any problems with it. Those all had to be done before they could start worrying about security."

Copyright © 2004
