An interview with Ralph Masiello
and Sue Scott of ABB
The big, traditional projects in automated meter reading have really stalled, because utilities are no longer assured of a...
industry, the security implemented in utility industry will lag and deployment will be inconsistent," Sample says.
Fortune is not quite so ready to call in the regulators. "I think, now that it's on the radar scope, [industry leaders] are starting to ask the right question, what does it cost to do this, to do that?" At the end of the day, he says, industry needs to develop the technology, including encryption algorithms that allow encryption of real-time operating systems, and intrusion detection technologies.
Fortune also says that the industry needs to redirect some of its thinking against different types of attacks. While often the focus is on physical attacks, a recent exercise conducted by EPRI using Department of Defense techniques to assess likely targets of the electric system revealed that eight out of the top 10 likely targets are subject to cyber attack.
But Fortune is by no means an alarmist. "The electric system is extremely robust, in a way. It handles hurricanes and natural disasters, so I have a large and abiding confidence that what gets thrown at us, we'll be able to develop work-arounds, because that's our history. I don't think any other industry has a 99.99 reliability factor ... so that fact that I tell you that we're vulnerable today-and I mean that-doesn't mean that if we got attacked, we couldn't quickly get back into service." Fortune says he is confident that industry will develop the technologies necessary to protect the system.
Code of Silence
In the wake of Sept. 11, even discussing cyber security issues can be difficult. GTI's Rush says, "[o]ne of the scary things about this is, in some cases people won't let you talk about security. The thing about it is, the people who have the technical capability to launch these attacks, know all about them, they know more about it than I do. But, I can't tell anybody who's a victim." Indeed, during interviews for this story, NERC officials asked that problems with SCADA systems not be discussed-although such problems are mentioned prominently in some of NERC's own documents that are available on the Web. NIPC declined to be interviewed, but its Web site clearly states that SCADA systems and OASIS communications networks present vulnerabilities.
A Google search for "SCADA systems vulnerability" conducted by Fortnightly in early February found 684 hits, many highly relevant and more technically detailed than any of the information presented here. Some might suggest the solution is to remove information from the Web, and indeed the Federal Energy Regulatory Commission (FERC) and NIPC have suggested that the energy industry closely examine what types of materials are available on their Web sites. FERC last October announced that it would limit access to public documents, mostly those detailing specifications of energy facilities licensed or certificated.
As Leffler points out, there's a lot of information out there. The question is, is there too much? In the last three months, he says, NERC has been looking at what data is available on Internet sites, and in other places. Information, he says, "should be made