The following text is copyright 2009 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Third annual scare story about the national power system
By: Scott Bradner
As far as the headline writers at the Wall Street Journal were concerned the battle was over and the US electricity grid is under control by the enemy -- "Electricity Grid in U.S. Penetrated by Spies." There has been a bunch of speculation in the blogisphere over just why this story came out when it did - this sort of thing is a fertile area for conspiracy theorists. But I'm more interested in the underlying issue and why its not actually getting the attention it should.
The underlying issue is the security of the US utility infrastructure -- electricity, water, gas, sewer, etc. Observers have been warning for a number of years that US utility companies seem to have a negative understanding of security when it comes to protecting their systems from non-physical threats. Yet stories like the one in the Wall Street Journal keep showing up. A quick look shows such a story each of the last three years. In June 2007 the US Department of Homeland Security leaked a video of the results of a cyber attack on a power generator. A year later a Forbes story headlined "Congress Alarmed At Cyber-Vulnerability of Power Grid." (http://www.forbes.com/2008/05/22/cyberwar-breach-government-tech-security_cx_ag_0521cyber.html) Now we get the WSJ article.
It looks like the utility folk have not been paying attention to the real world or are operating in utility-time rather than Internet time. Why else would you only be at the requirements stage of protecting utility infrastructure. (see "Smart grid, other environmental control systems not smart about security" http://www.networkworld.com/columnists/2009/033009bradner.html) And why else would you get Michael Assante, the chief security officer of the electric industry's North American Electric Reliability Corporation (NERC) (http://www.nerc.com/), say the day before the WSJ article, either as a coincidence or as a part of the conspiracy, that new thinking about security was needed from the utility companies. (http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf) Assante said that NERC was requesting that utilities "take a fresh, comprehensive look at their risk-based methodology" to evaluate the potential misuse of utility systems by "intelligent threat actors."
Why is it so hard to get these people's attention? I assume it is not that they just don't care. Maybe it's that the technology of data networks is so different than that of power generators that the comprehension is just not there. I can sympathize -- to some degree, I do not have the faintest idea on how to design an overload protector for a 133 megawatt generator (the size of the generators in Hoover Dam), but I do have an idea that such a device is needed. The utility managers seem to not have any idea that data security is needed.
I heard from Advanced Metering Infrastructure Security Task Force after my last column. I was invited to come talk to their next meeting about the need to develop real-world security requirements and technology. From the letter I received, it sounds like they do understand that the first set of requirements were not implemental enough. That is good news but the utilities are already in trouble, they are already deploying security-free (or at least security-challenged) systems. That needs to be fixed now, whether or not they are already controlled by Russian spies.
disclaimer: Whatever some politicians have said in the past I have seen no evidence that Harvard is controlled by Russian spies nor have I seen any opinion from the university on the (non)quality of utility security so the above rant must be mine.