When a federal court ordered the DOE to develop more than 20 energy-efficiency rules, the first rule DOE created was a commercial rule for energy transformer distribution equipment. The new DOE...
Digital Terrorism: Holes in the Firewall?
of the bottom line."
The industry imposes very tight requirements on SCADA speed, around a 4 millisecond message rate. It's the very speed of the SCADA systems that makes the problem of securing SCADA systems difficult. "What works on IT systems-that don't have that speed requirement-wouldn't work on our systems," Fortune says. Packet-type encryption will simply not work on SCADA systems because it is simply not fast enough, according to Fortune. For many of the systems, hardware already operates at such slow speeds, e.g. using 286 processors, that if security protections were added on top, the processing time would be unacceptably delayed.
In the past, Fortune points out, SCADA systems have been relatively secure, because they had "security by obscurity." They were developed by vendors using proprietary protocols, software, and hardware, he explains. SCADAs were fairly isolated, and ran the system. Anyone who did try to penetrate a SCADA system "would have had a great deal of difficulty getting in, and if you did, understanding what was going on, because it was all proprietary. That is not the case today," Fortune says. With the deregulation of the utilities, grid operators and power marketers need marketing information that resides in such systems, such as what plants are running, whether they are running at full power, and whether they have been taken offline, among other things. So now, Fortune explains, there is a movement to tie what had once been isolated systems into corporate business systems. These corporate business systems are also Internet connected. "Now your threat has just escalated exponentially. The minute you tie into the Internet, there are over 200 million users, estimated, and you sort of have to assume there might be one or two out there that might have some malicious intent, right?" Fortune asks.
As Oman puts it, "if you have remote access, for example networks and telephone lines, you have vulnerability. Any time you have access, there is a threat of electronic intrusion."
No Quick and Easy Fix
Oman says that there is a lot of technology available on the market that can be used to harden systems to cyber attack. But many of these security methods and technology must be adapted and improved from commercial grade to industrial grade, he says. Most modems and virtual private networks (VPNs-a device that encrypts communications between set points) are commercial grade, not industrial. Industrial grade equipment requires a -40° C to 80° C temperature range, and shock resistance to withstand earthquakes, he explains.
Security varies across industry on SCADA systems, Oman says. Most of industry before Sept. 11 had some level of password access, he says, though maybe only 1 level. Many were catching up to 2-level password standard. Some of the newest devices, including Schweitzer's, have 4-level password security, with more authentication and security built in.
But password protection is simply not enough to protect SCADA systems. What is really needed is encryption and intrusion detection systems that operate at the same speeds as SCADAs. While there are many encryption algorithms available that suit IT and corporate enterprise system