State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
A Fine Mess
CIP audits show utilities are just getting started with securing the grid.
a huge no-no.
“Risk comes in a number of forms,” Ahern says. “Everybody talks about external risks. The CIA reported in January four cities in Central and South America were actually attacked by outsiders and held for ransom. ‘Either pay us X, or we’re going to shut the power down.’ On the heels of that and the Aurora Project [in which a U.S. national laboratory demonstrated how a cyber attack could damage a power plant, see “ Lessons Learned: Aurora Atack ," January 2008 ], people are talking about it. The question is: can an outsider really get in and do that? My opinion is no.”
Highfill is similarly circumspect about the level of external danger. “It’s a serious threat, but there’s no shortage of sensationalism out there,” he says. What we haven’t seen is a massive blackout that has irrefutably been traced to a malicious action. Or if we have, it has been covered up in fantastic fashion.”
Utilities and government authorities avoid sharing information on security incidents. No one wants to be perceived as vulnerable, so data on security breaches remains closely guarded.
As a result, utilities and regulators are left trying to address perceived threats from terrorists and even foreign governments, as well as the broader exposure of their own employees, with only scant baseline data on the attacks the industry has faced to date.
Ironically, one thing the industry has going for it is the result of its own slow-moving ways. Technologically, the waters are well-charted.
“The hacking industry is 25 years old,” observes Sill. “Other industries have learned a lot of lessons the hard way. So there are solutions out there that can be put into place very quickly. The path is known, but the challenge is culture.”
The industry’s control systems aren’t all that’s old-fashioned. It can be tough to get the necessary buy-in from systems operators who are set in their ways. Training employees and managing the cultural shift is a huge part of the puzzle.
“Raising awareness of vulnerabilities in the systems, let alone understanding the minds of hackers, is something that’s completely foreign to the people who are running systems today,” Sill explains. “There is a great deal of skepticism. These people have lived one way for decades, and now we’re telling them white is no longer white.”
There’s also a generation gap. Many operators are approaching retirement, with replacement workers in short supply. At the same time, IT professionals often jump to implement changes that can wreak havoc on 30 year-old control systems, without taking time to understand the tried-and-true technology.
In a typical enterprise environment, confidentiality of data is the highest concern, followed by integrity of data and finally the availability of data. In control systems, it’s the reverse: Availability is paramount, and until now confidentiality largely was ignored.
But with controls using internet protocols and becoming interconnected, the traditional security-by-obscurity model is changing.
“Interconnection, while it has been a huge boon to business, pretty easily allows a malicious entity to play hopscotch,” Highfill says. “They don’t have