State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
Waiting on NERC: What's Next for Cyber-Security?
As NERC’s CIP standards advance, utilities move ahead, haltingly, with implementation.
NERC standards. Transmission talks to the distribution. Substations serve both. But we’ve excluded distribution.”
Weiss says the standards need to be broadened to address the fact that legacy systems—whether SCADA systems, power plants, or legacy substations—have different technical capabilities than do new systems.
Workers at the SCADA test-bed, part of the Idaho National Laboratory, are doing their part to shore up the industry against cyber attacks.
The test bed, a joint program with Sandia National Laboratories and backed by the Department of Energy, received its first dedicated funding in May 2004 and now works with four SCADA vendors: GE, ABB, Areva, and Siemens.
“We’re in discussions with two more [companies],” says James Davidson, principal investigator at the lab. “It’s been gradually expanding. It started with ABB. They were the first ones in the door and were just tremendous at helping us get started. And then Areva followed, then GE, and Siemens. It’s just continued to build over the past couple of years.
“Our purpose is to identify potential vulnerabilities in systems, find mitigating strategies, and look for commonalities across platforms that are indicative of a farther-reaching problem. Then to take what we learn and get it back into the vendor and user communities—lessons learned and best practices.”
During testing at the site, Davidson and his colleagues discovered numerous areas of weakness that open the door to system attacks. Among the problems: unencrypted communications, account management, communications authentication, general coding practices, and unpatched components.
Bill Brownlee, vice president of marketing at Emerson’s Power and Water Solutions division, says his company wasn’t convinced of the benefits of participating in the test-bed program. Emerson’s Ovation system is used by numerous major utilities, including Dominion, Southern Co., AEP, TVA, Excel, Duke, Entergy, FPL, Exelon, and Progress Energy.
“We knew early on which direction [the NERC CIPs] were going and could react as they changed. When June 1 came ... we were already compliant. The new systems we ship today, the [security requirements] come built into the system.” A recent deal with Symantec adds other key abilities, such as virus protection.
To meet NERC’s compliance deadlines, Brownlee says users need to begin work now to work any expenses into their budget cycle.
Even so, Brownlee says, “You can never guarantee beyond a shadow of a doubt that you have fool-proof security, but there is a reasonable level where you can say, ‘We’ve done everything reasonably achievable to provide a level of security in this infrastructure,’ so that the level of effort somebody would have to make in order to hack into the system is not worth the result.”
Davidson echoes that thought. “There’s no such thing as a secure system. The key to any cyber-security is ‘defense in-depth.’ You can liken it to setting up multiple barriers, to where an attacker has to get across barrier after barrier after barrier before they can actually get into the SCADA system. So they’re more likely to go somewhere else. Just like locking your door. If your door is locked a burglar is liable to go next door,