Silicon Crisis? How Info Tech Poses Risk for Electric Restructuring
in a deregulated market. Similar considerations apply to many of the computer system specialists.
If the confluence of the Year 2000 problem and the schedules for restructuring were not enough, there is at least one other potential computer-related issue that will need to be addressed. The restructuring is creating financial incentives for malicious intrusion into electric power industry computer and communications systems. This issue was essentially "out of scope" in the efforts of the President's Commission on Critical Infrastructure Protection (PCCIP), which focused on the potential for hobbyists, terrorists, and others to cause massive power blackouts in a quest for bragging rights, political goals, or strategic advantage.
The restructuring is giving competitive value to information that previously had no value to anyone but its owner. The potential intruders would be working for interests such as rogue traders in the power market or unscrupulous speculators in the futures market. Traders and speculators can profit from early knowledge of when the price of electricity will increase. There are two ways to acquire that knowledge by computer intrusion. One is to eavesdrop on communications or penetrate computer systems to gain superior inside information. The other is to damage equipment so as to cause the price to increase.
There must be a relationship between the duration of the price increase and the profit-making transaction. For example, for a sponsoring speculator to profit in the futures market, the intruder must cause damage that will begin prior to the delivery month and be perceived by the market as lasting through the delivery month. The potential profits from computer intrusion are of sufficient magnitude to justify investment of millions of dollars in sophisticated intrusion technology, such as codebreaking equipment. This potential investment in attack technology must be matched by protective measures on the part of the electric power industry.
The electric power industry is unaccustomed to providing serious information security protection for its facilities, beyond the customary protection afforded business data processing systems. Also, some of the potential vulnerabilities and methods of attack that can produce profits for traders and speculators are of little use in producing blackouts; blackouts would in fact be avoided in all such attacks, because they are unprofitable. The needed protections will include much closer coordination between the information security authorities and the regulatory agencies that conduct market surveillance. The first indication of a computer intrusion could come either from detection of the intrusion itself or from identification of unusual profits being made in the market. Investigation of power system disturbances should therefore routinely include both a review of the relevant information security records and a review of any unusual profits that may have resulted.
The Antidote: A Moratorium?
It is abundantly clear from all of these considerations that legislators and regulators must greatly increase their awareness of the implications of their activities on electric power industry computer systems. They should carefully take into account the changes that their decisions will require and the effort needed to implement these changes. They should build these factors into the implementation schedules they mandate. It may also be prudent to seriously consider a moratorium on