Cyber Security: A "Virtual" Reality
Two years after 9/11, the industry remains vulnerable.
Two years ago the utility industry, like everyone else in America, was blindsided by the terrorist attacks of 9/11. In the aftermath, the rush to secure the grid was on, and the caps on security spending came off, at least for a little while.
Two years later, where are we? Is the grid better protected from attack?
It is, but not by much, according to the experts Fortnightly consulted.
"There have been definite improvements," says Paula Scalingi, president of The Scalingi Group, and the former director of the Department of Energy's Office of Critical Infrastructure Protection. "The level of awareness is significantly higher than before 9/11 in many, many respects." But "does that translate into increased security?" she asks. "The answer is no, not really."
In any kind of conspiracy investigation, the focus is on who, what, where, when, why, and how. Since 9/11, those questions are even harder to answer. Beyond the general labels of "terrorists" or "al-Qaida," the industry doesn't know who, specifically, to look out for. What, where, and when are even murkier: no one knows exactly what kind of damage terrorists are looking to inflict, let alone the location or time. Americans still largely don't understand the "why," and "how" remains the biggest mystery of all. Yet the answer matters a great deal to the industry, and to the infrastructure dependent on electricity and gas to function.
If the "how" is a physical attack on a few facilities, the industry is probably ready. Thunderstorms, tornadoes, and hurricanes regularly take down parts of the grid, and utilities know how to deal with that, the recent Northeast blackout notwithstanding. Utilities have placed considerable focus on physical protection of facilities, monitoring has increased, more security officers have been trained in counter-terrorism, and facility perimeters have greater protection.
But if the "how" is a coordinated cyber attack, then the risk of success right now appears substantial. No standards exist industrywide for assessing cyber risk. Nor have utilities reached a general consensus on how much security is enough. Not one expert consulted by Fortnightly would say that the SCADA [supervisory control and data acquisition] systems and EMS [energy management systems] used by the industry have been fortified appreciably since 9/11.
Moreover, the industry seems wedded to the idea of security by obscurity. It has devoted a good deal of energy to removing maps and similar data from the public view. But this past summer, a graduate student at George Mason University and an intern for the Gas Technology Institute independently showed that information on key utility facility locations and interconnections in the critical infrastructure remains accessible on the Internet, albeit through a sometimes circuitous route.
Fortifying the Fences
"There's a great deal of focus on physical protection. A lot of that is due to 9/11, a knee-jerk reaction that somehow you need to protect everything. Clearly, there is no way to do that," Scalingi observes. The industry is confronted, she says, with an unknown adversary who wants to do harm, but the where, what, and way