Operations personnel at many energy companies feel the pressure of achieving compliance with the NERC CIP standards. Some worry that they are not aware of the problems and security incidents that...
Cyber and Physical Security:
Although NERC and other agencies are helping out, utilities still face internal obstacles.
With the terrorism threat level elevated ahead of the 2004 elections, utilities find themselves in an increasingly familiar position. The industry-targeted by Kalid Sheik Mohammad during the early planning of the attacks of Sept. 11, 2001, and which fell victim to a blackout caused by its own deficiencies last August-has refocused its efforts on physical and cyber security.
This new focus has revealed that despite improved levels of cooperation with the government and other private industries, coordination issues continue to dog efforts at improving utility cyber and physical security.
The challenge of meeting threats from outside the utility is complicated by each utility's own internal culture, and the sometimes adversarial relationship between the information technology (IT) staff and the operations staff.
"The IT organization owns cyber-security," explains Joe Weiss, executive consultant at KEMA. "They have the expertise about cyber. They have the funding to do something about cyber. There's only one problem: They have no responsibility or accountability for any control systems." These systems lie within the territory of the operations department, which Weiss says lacks knowledge about security, and "generally doesn't like IT at all."
Because these systems traditionally were isolated from each other, that wasn't always a problem. But with the advent of corporate WANs and LANs, the plant would use the corporate IT resources, Weiss says. "The problem is that ops is scared to death that IT is going to go in and do something that IT does all the time-diagnostics, patches, taking the server down for the weekend-and if you're talking about a plant's distributed control system where you need to keep lights on, these things can't go down. You can't have people playing with it."
Weiss remains alarmed by the industry's ignorance of the security threat to utility control systems, and frustrated by the chicken-and-egg nature of finding a solution for control-system security.
"We have a catch-22 right now: Our suppliers aren't supplying secure control systems because they don't see a market, and users aren't specifying secure control systems because they don't know how. And they don't want to pay extra because there isn't a driver yet."
But if the utility industry has been slow to catch on to the security threats to control systems, the government has stepped into the mix early, with the Department of Energy (DOE) and Department of Homeland Security (DHS) tasked with finding a solution.
"The government is stepping in to do this because they can't afford to wait until the market just gets there on its own," Weiss says.
The purpose of the National SCADA Test Bed-a joint venture between the Idaho National Engineering and Environmental Laboratory (INEEL) and Sandia National Laboratories-is to encourage vendors to test their equipment in an environment where, if something goes wrong, customers aren't affected, Weiss says. He cautions against reading too much into other vendor security testing, which he describes as too limited. "This is such a ticklish problem," he says. "People don't understand the magnitude."