Protecting critical assets in a hazardous world.
as other utilities such as drinking water and sanitation systems.
Unfortunately, the energy industry uses process control systems that lack a proficient, organization-wide incident-reporting mechanism, which makes them less reactive to any advanced persistent threat. Awareness of the importance of finding ways to better protect our nation’s critical infrastructure changed overnight when the towers of the World Trade Center fell nearly 10 years ago.
Since the September 11 terrorist attacks, the energy industry has taken special measures to ensure the reliability of the North American bulk power systems—especially as it relates to emerging threats of cyber attacks. For instance, the North American Electric Reliability Corp. (NERC), certified by the Federal Energy Regulatory Commission (FERC), developed standards for NERC members’ critical infrastructure protection (CIP). These standards have been prepared to ensure the reliability of the bulk electric system in North America and include stipulations about cyber security.
In addition, the U.S. Nuclear Regulatory Commission (NRC) issued security rules that added cyber attacks to the adversary threat types nuclear plants must be able to defend against. According to the NRC’s “Protection of Digital Computer and Communications Systems and Networks” (10 CFR 73.54), nuclear power plant licensees are now mandated to submit a cyber security plan and remediation strategy. The U.S. nuclear industry’s trade group, the Nuclear Energy Institute (NEI), went even further by inviting more than 20 cyber security experts from the nuclear industry to build NEI 08-09, “Cyber Security Plan for Nuclear Power Reactors.” NEI 08-09 looks very similar to the NRC guidelines and focuses on ensuring that approximately 650 controls derived from the National Institute of Standards and Technology (NIST)—NIST 800-53—are used to verify the cyber security of critical digital assets in commercial nuclear plants.
Obviously, the energy industry has taken proactive steps to secure critical infrastructure against threats such as cyber attacks. However, when it comes to the implementation of cyber security plans, the industry is still facing a dilemma: utilities’ current measures, including perimeter intrusion detection, signature-based malware, and anti-virus solutions, are unable to keep up with evolving exploits. Often, these security tools operate in silos and aren’t integrated and interconnected to achieve a closed-loop process and continuous monitoring. Another shortcoming is that a majority of security programs lack a risk-based approach, whereby vulnerabilities and associated remediation actions are prioritized based on the risk to the organization and its infrastructure.
Attackers and Tactics
Undoubtedly of utmost concern in the energy industry is the vulnerability of industrial control systems, specifically supervisory control and data acquisition (SCADA) systems that are used to control geographically dispersed assets from a central command center. Historically, SCADA systems were isolated and used to control processes for a single site. However, advances in computer technology as well as the liberalization of the energy industry have led to an interconnected environment. As a result, SCADA systems have become inherently vulnerable to cyber attacks, such as viruses, worms, trojans, and malware. However, without connectivity to the outside world, energy companies wouldn’t be able to share their production and reserve capacity with other providers.