On May 2, 2006, the NERC board of trustees adopted the Critical Infrastructure Protection Cyber Security Standard. This article provides some answers to questions in the form of security program...
Protecting critical assets in a hazardous world.
Recent news of an advanced persistent threat at Oak Ridge National Laboratory,¹ a U.S. Department of Energy lab that studies nuclear fusion and biotechnology and hosts one of the nation’s most powerful supercomputers, has once again brought the issue of cyber security to the top of not just the news, but the minds of many information technology (IT) and security experts in the energy market.
The cyber security challenge is becoming increasingly important for the people responsible for securing the electrical grid, as well as nuclear power generation facilities, oil refineries and gas pipelines. Considering the system complexity they are dealing with, their job isn’t easy. When combating network threats in the form of viruses, trojans, and worms, many organizations fail to address vulnerable interfaces between their diverse systems or consider how their security infrastructure functions as a whole.
Integration is essential to managing today’s complex security systems. One option for IT administrators is to develop an information security risk management (ISRM) program that interconnects systems, processes and people, helps provide greater visibility, and enables operators to make more intelligent decisions as they relate to the security of an organization. An ISRM program enables organizations to increase system-wide efficiencies and reduce incidents, and ultimately the overall cost.
Security and Compliance
As computer software has become the backbone of modern civilization, organized cyber criminals, state-sponsored cyber attackers, and terrorist organizations try to exploit design flaws and weaknesses in applications in order to generate revenue and carry out criminal activities. The growing number of cyber attacks has become one of the most serious economic and national security threats our nation faces.
Recent news of sophisticated and targeted cyber attacks against such world-class organizations as the International Monetary Fund, Sony, Amazon, Google, and Lockheed illustrates the seriousness of this threat. But while such attacks garner headlines, energy providers operating electric grids, gas pipelines and nuclear power plants have known for years that they are prime targets for advanced persistent threats. If allowed to succeed, these attacks could have a wide impact on the nation’s economy and civil stability.
Over the past decade, a series of events has highlighted the vulnerability of the electric grid and other energy infrastructure to cyber attacks. Extensive blackouts in the northeast U.S. and in parts of Europe in 2003,² as well as sophisticated exploits such as Stuxnet,³ a computer worm that targeted nuclear plant operators last summer, are just the tip of the iceberg. A recent survey conducted by McAfee and the Center for Strategic & International Studies⁴ reveals that 80 percent of critical infrastructure providers have faced threats ranging from denial-of-service attacks to extortion and advanced persistent attacks.
While most attention is usually focused on threats to the electric grid, in reality there’s little difference in vulnerabilities between electric grids and other energy infrastructure, such as natural gas pipelines, petroleum pipelines and district heating, as well