Power Grid Cybersecurity: Who's In Charge?
Dec 16, 2011 5:00 AM PT
Cybersecurity experts have been murmuring for some time that the United States' power supply is open to cyberattacks.
"If someone were to think about attacking another nation, the first thing they'd do is take out the power grid, since it's the hub around which other infrastructure spokes revolve," Patrick Miller, president and CEO of the National Electric Sector Cybersecurity Organization (NESCO), told TechNewsWorld.
A study released recently by MIT seems to be bringing matters to a head.
Among other things, the report calls for the establishment of one organization to head cybersecurity efforts for the U.S. power infrastructure. It states that, essentially, there are far too many organizations overseeing different aspects of power supply cybersecurity.
The report followed news in early November that someone had hacked into a small water utility serving Springfield, Ill., from Russia.
The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has since stated there was no evidence of a cyber intrusion into the utility's SCADA system or, essentially, that anything bad had happened.
What's going on with our power supply?
Too Much Information
Advances in technology, such as utilities' new so-called smart meters, have contributed to the cybersecurity mess dogging America's power supply.
Millions of new communicating electronic devices, from automated meters to synchrophasors, will introduce new options for attack that could result in anything from loss of control over grid devices to loss of communications between utilities or control centers, or even blackouts, the MIT study found.
Over the next 20 years, the growth of data flowing through grid communications networks will far exceed that of electricity flowing through the grid in percentage terms, the study said. In other words, if the amount of electricity grows by x percent, the amount of data would grow by a multiple of x percent.
Many Hands Don't Make Light Work
Another part of the problem is that nobody's in charge.
Both the Obama administration and Congress propose a single agency to oversee cybersecurity for the electric power system. However, the administration seems to want to put Homeland Security in charge, while Congress is opting for the Department of Energy and the Federal Energy Regulatory Commission.
That split is evident lower down in the food chain. FERC has the responsibility for adopting standards under the Energy Independence and Security Act of 2007, but the U.S. Government Accountability Office, according to the study, has found that FERC lacks an approach to monitor industry compliance with the standards it adopts.
The main regulations governing grid cybersecurity are the North American Electric Reliability Corporation (NERC)'s Critical Infrastructure Protection standards.
Although the two sets of standards may not overlap substantially because of their different areas of focus, their very existence might create confusion. The Federal Communications Commission has identified the potential for conflict between the CIP and other standards and said the resulting ambiguity was slowing utilities' decision making and deployment of new technologies.
Responsibility Without Authority
Further, standards-setting organizations such as NIST don't have the muscle to ensure adherence to their recommendations.
"NIST was legislatively given responsibility for coordinating the development of standards but does not have regulatory or operational authority," Jerrold Grochow, a research affiliate with the MIT Energy Initiative, which conducted the study on cybersecurity in the nation's power system, told TechNewsWorld.
There Can Only Be One
"We believe that what is most important is that it be made clear that some agency is in charge across all aspects of the grid: the bulk power system, which is currently regulated by FERC; the investor-owned distribution system, which is currently regulated by individual state PUCs; and cooperative and municipal distribution systems," MIT's Grochow said. [*Correction - Dec. 20, 2011]
Improving cybersecurity will "require a coordinated approach to standards and regulation across all aspects of this increasingly interconnected grid," Grochow cautioned.
The confusion may be exacerbated by internecine disputes.
An audit earlier this year by the DoE inspector-general criticized FERC for approving CIP standards that didn't contain commonly used security practices and adopted a poor approach to implementation, the MIT study asserted.
What About SCADA?
Another important part of the power infrastructure -- supervisory control and data acquisition (SCADA) control systems -- is often ignored in conversations about cybersecurity.
As a rule, SCADA systems tend not to be protected.
"This is just an area of industry that simply had not experienced the level of scrutiny that, say, makers of desktop applications or operating systems had faced, so they had never created a process or internal dedicated teams to deal with the issue," Parveen Jain, CEO of RedSeal Networks, told TechNewsWorld.
"When it came to protecting clients in a number of instances, the advice from vendors was to unplug the SCADA solution from anything connected to the Internet or any public network," Jain added.
Things are changing for the better, partly because of growing pressure from regulators. Still, "it's a big problem where you have old systems, sometimes unresponsive vendors, limited resources and yet [a technology that's] a tremendous source of risk to almost everyone," Jain stated.
Few in the power-generation industry really understand supervisory control and data acquisition (SCADA) control systems, Joseph Weiss, managing partner at Applied Control Solutions, who's an expert on control systems security, told TechNewsWorld.
"We don't have enough people who even know what the problem is," Weiss explained. "How the heck can we have a plan when we don't know what the problem is?"
*ECT News Network editor's note - Dec. 20, 2011: In the originally published version of this article, Jerrold Grochow was misquoted as saying, "We believe that what is most important is that it be made clear that some agency is in charge across all aspects of the grid, including the bulk power system, currently regulated by FERC, and the investor-owned distribution system, which includes cooperative and municipal distribution systems, currently regulated by individual state public utility commissions."
In fact, cooperative and municipal distribution systems are not part of investor-owned distribution systems, and therefore are not regulated by public utility commissions.