Public Utilities Reports

PUR Guide 2012 Fully Updated Version

Available NOW!
PUR Guide

This comprehensive self-study certification course is designed to teach the novice or pro everything they need to understand and succeed in every phase of the public utilities business.

Order Now

Cyber Security: A "Virtual" Reality

Two years after 9/11, the industry remains vulnerable.
Fortnightly Magazine - September 15 2003

damage they would want to cause," he says. For such an attack to occur, terrorists would need to learn the SCADA and EMS systems for 35 to 40 companies, he points out. "There's a much simpler, straightforward approach," he says. Placing bombs near substations, for example, "is much more of a terrorist mindset than [seizing] control of different systems," he maintains.

But isn't ruling out a well-coordinated, ambitious attack on the grid and gas distribution systems similar to pre-9/11 thinking? Tyler says no. "Unlike 9/11, with only a few planes, they didn't have to get into 35 or 40 different companies' SCADA and EMS," he argues. It goes back to intent, he says. "They probably want as much physical damage as possible, because it takes longer to recover from physical damage than from a normal black out." If a number of transmission towers or pipelines are blown up, Tyler points out, it could be days or even weeks before utilities get to black-start status.

Rush disagrees that a cyber attack is too bold or too difficult for terrorists to carry out. After all, his intern developed an attack protocol inside of two months. While it's possible for a terrorist group to target numerous critical points in the utility infrastructure with dynamite or bomb hits, he says, to carry out such an attack would require a large number of people on the ground. But with more people involved comes an increasingly higher risk that the conspiracy will be discovered by the FBI or other authorities.

A cyber attack is fundamentally different, Rush maintains. The entire attack can be pieced together over a period of months, he says. And much of the research and planning can be done via the Internet, outside the United States, with only a handful of people, Rush says.

"A highly detailed understanding of the gas system is not hard to get," Rush claims. In addition to information on the Web on SCADA systems and pipelines, almost every country has a core group that knows how such systems work. And, failing that, it wouldn't be too difficult to find those with knowledge of American utility systems, according to Rush. It would simply take an ad seeking a highly skilled gas system or transmission operator.

Such an ad wouldn't say that the person sought would be working for al-Qaida, Rush says. Instead, the operative might say that he is forming a consulting company and wants help writing a proposal. Certainly, the industry is currently awash with laid off employees seeking new jobs.

And it likely wouldn't be difficult to find a disgruntled former utility employee or current employee who could be blackmailed, as well. Like any other company in America, utilities have unknowingly hired employees who have serious financial difficulties, marital problems, gambling problems, drug habits, or compromising pictures floating around.

Too Much Information?

So what's the solution? Take anything that might be used to attack utilities and the rest of the infrastructure off the Internet?

You could do that, Rush says. "But I think we already did say that, and