(December 2011) Lafayette Utilities System selects Elster’s EnergyAxis as its AMI system; ABB wins contract from Hydro-Quebec; Sapphire Power Holdings acquires...
Digital Terrorism: Holes in the Firewall?
Plugging cyber security holes isn't as easy as everyone wants to think.
It's the elephant in the room in this post-Sept. 11 era. When asked, many in the know claim the energy industry's cyber security is fine, mostly, and the industry is working diligently to fix the few problems that remain. But some who say that the energy industry can no longer practice security by obscurity also caution against revealing even the most basic outlines of problems that confront the industry.
Research scientists at EPRI, Gas Technology Institute and Schweitzer Engineering Laboratories were willing to talk extensively to about the state of cyber security and energy infrastructure. The fact is, they say, there are significant vulnerabilities to the cyber infrastructure in the energy industry that, if left unaddressed, will continue to expose the grid to attacks. Some of the vulnerabilities cannot be fixed with any currently available technology-hardly a comforting thought. The good news is that much of what can currently be done to defend against attacks-in cyberspeak, to "harden" systems and networks-is either in place, or available at a fairly modest cost. And the technology that can plug the remaining gaps in energy industry cyber security may be on the market within a year or two.
Old Vulnerabilities and New Levels of Malevolence
Well before Sept. 11, there was concern in both government and industry about the vulnerability of the energy infrastructure to cyber attack. In 1997, President Clinton issued Presidential Decision Directive 63 (PDD-63), which named the energy industry as a key critical infrastructure component. PDD-63 also established the National Infrastructure Protection Center (NIPC), a federal agency housed within the FBI to provide warnings of threats to the nation's critical infrastructure. NIPC in particular works with the North American Electric Reliability Council (NERC), which was designated the lead agency for electricity by then-Energy Secretary Bill Richardson.
Part of the concern about critical infrastructure, in the energy industry as well as in other sectors, grew out of the need to address the problem of Y2K. And though Y2K was a hugely expensive headache for the energy industry, it appears that it will offer a silver lining two years later. "Y2K exposed a lot of infrastructure problems that companies might have had," says Jayne Brady, spokeswoman for Edison Electric Institute.
According to Jim Fortune, area manager for enterprise infrastructure security at EPRI, the industry learned a lot about its systems during Y2K remediation. "We also developed mitigation strategies, in case something did happen, such things as alternate forms of communication," he says. Preparations, like having alternative forms of communication and contingency plans in place, and making plans for which personnel to bring in to diagnose problems, he says, are directly applicable to a terrorist cyber attack. "Much of Y2K will pay dividends for this type of activity we're engaged in now," Fortune says.
Yet cyber security and infrastructure problems were being addressed at a far less urgent pace than Y2K had been. Fortune notes that "September 11 really did start to get the sensitivity at the senior level among utilities" on cyber