Digital Terrorism: Holes in the Firewall?
"Before Sept. 11, the industry didn't realize the malevolence of potential attackers," says Paul Oman, senior engineer, research, with Schweitzer Engineering Laboratories. "Now," he says, "we recognize that things are different. Terrorist attacks come on multiple forms. We must ask ourselves how hardened are our critical targets, and how can existing technology be adapted to make them less vulnerable?"
In response the question of whether cyber security has improved since Sept. 11, Fortune says there has been "no change." But, he says, it's a complex answer to a simple question. Cyber security in the energy industry "is unfortunately certainly less than desirable, but honestly the complexities of improving in that kind of time frame were simply-well, you couldn't do it," he says. "Since September 11 it would not even have been possible to start putting security into all these systems" that experts in the industry have known were vulnerable for some time.
Security by Obscurity No More
The biggest cyber vulnerability to the energy industry arises in many ways from the same cause as Y2K: systems not designed for the 21st century. The Achilles' heel of all utility systems, including electricity, gas, and water, are SCADA (supervising control and data acquisition) systems. SCADAs control supply and delivery systems, making decisions in about 4 milliseconds, rather than in the seconds or minutes that human decision-making used to take. And SCADAs are integral to utilities' ability to cut costs and be more competitive, according to William F. Rush, assistant institute physicist at the Gas Technology Institute. For example, on the gas side, city gate stations used to be staffed with operators. Now, he says, "with the combination of available and relatively low-cost telecommunications technology, those stations now are often unmanned. As time is going on, there is a heavier and heavier dependence on that telecommunication function. It's driven by competition."
The same is true for electricity. As the North American Electric Reliability Council says in its publication, , "[a]s deregulation and competition drive utilities to reduce costs and provide a higher quality of service, many utilities are automating substation operations-employing intelligent electronic devices-so equipment can be remotely accessed."
The problem, according to Rush, is that automation systems were built starting 100 years ago, and they were all designed to function fairly automatically, but with no communications. "Basically in gas, water, and electric, you're looking at a mid-20th century system that has a late 20th century communication overlay on it," he says.
And the vulnerability to the infrastructure is that communications overlay.
"All of these systems, when they were developed, were developed for their functionality," Fortune says. Functionality can be defined, in simplistic way, as speed and accuracy. "Since these systems were developed for functionality, there was no real consideration given to security," he says. "The assumption was that if you were using that system, you were supposed to be there. And that has persisted to today. We have these systems running with little, if any, real security on them. So in a sense, they are vulnerable to cyber attack. And that's sort