Two years after 9/11, the industry remains vulnerable.
Two years ago the utility industry, like everyone else in America, was blindsided by the terrorist attacks of 9/11. In the aftermath, the rush to secure the grid was on, and the caps on security spending came off-at least for a little while.
Two years later, where are we? Is the grid better protected from attack?
It is, but not by much, according to the experts Fortnightly consulted.
"There have been definite improvements," says Paula Scalingi, president of The Scalingi Group, and the former director of the Department of Energy's Office of Critical Infrastructure Protection. "The level of awareness is significantly higher than before 9/11 in many, many respects." But "does that translate into increased security?" she asks. "The answer is no, not really."
In any kind of conspiracy investigation, the focus is on who, what, where, when, why, and how. Since 9/11, those questions are even harder to answer. Beyond the general labels of "terrorists" or "al-Qaida," the industry doesn't know who, specifically, to look out for. What, where, and when are even murkier-no one knows exactly what kind of damage terrorists are looking to inflict, let alone the location or time. Americans still largely don't understand the "why," and "how" remains the biggest mystery of all. Yet the answer matters a great deal to the industry, and to the infrastructure dependent on electricity and gas to function.
If the "how" is a physical attack on a few facilities, the industry is probably ready. Thunderstorms, tornadoes, and hurricanes regularly take down parts of the grid, and utilities know how to deal with that, the recent Northeast blackout notwithstanding. Utilities have placed considerable focus on physical protection of facilities, monitoring has increased, more security officers have been trained in counter-terrorism, and facility perimeters have greater protection.
But if the "how" is a coordinated cyber attack, then the risk of success right now appears substantial. No standards exist industrywide for assessing cyber risk. Nor have utilities reached a general consensus on how much security is enough. Not one expert consulted by Fortnightly would say that the SCADA [supervisory control and data acquisition] systems and EMS [energy management systems] used by the industry have been fortified appreciably since 9/11.
Moreover, the industry seems wedded to the idea of security by obscurity. It has devoted a good deal of energy to removing maps and similar data from the public view. But this past summer, a graduate student at George Mason University and an intern for the Gas Technology Institute independently showed that information on key utility facility locations and interconnections in the critical infrastructure remains accessible on the Internet, albeit through a sometimes circuitous route.
Fortifying the Fences
"There's a great deal of focus on physical protection. A lot of that is due to 9/11, a knee-jerk reaction that somehow you need to protect everything. Clearly, there is no way to do that," Scalingi observes. The industry is confronted, she says, with an unknown adversary who wants to do harm, but the where, what, and way of inflicting that harm is largely a mystery.
Jim Francis, vice president of the security services group at Kroll Inc., says he has seen improvements in physical security-more observation, camera monitoring, improvements in fencing, and greater training and definition of roles of those involved in security.
Security personnel trained in counter-terrorism become better reporters and observers of what is going on in and around facilities, Francis says. Since we now know from al-Qaida training manuals that its agents canvass their targets, Francis says that properly trained security guards know what indicators to look for. He's also seeing better crisis response times.
But Francis concedes that these improvements are bright spots in a picture that isn't uniformly sunny. For the industry at large, he says, it's more likely than not that the training of security officers is still a problem.
"Lots of utilities have in fact removed drawings, plant layouts, etc. from Web sites to prevent somebody from being able to find that Achilles' heel," notes Francis.
Yet those efforts appear to have had little effect on hiding information on the electricity and gas critical infrastructure from terrorists and others.
In July, The Washington Post reported that a local graduate student at George Mason University had mapped every business and industrial sector in the American economy, layering on top the fiber-optic network that connects them-including the connections used by power companies. The student, Sean Gorman, started the project as his dissertation. He compiled his map from materials found on the Internet, none of which were classified.
In early June, Bill Rush, assistant institute physicist at the Gas Technology Institute (GTI), asked a second-year engineering student, his summer intern, to try to map out an attack protocol on the gas distribution system. The instructions: Use only information found on Web sites. The intern had no expertise on the gas system when he started the project. Rush says that he and some others at GTI helped the intern with some questions. "But we didn't really know where to go either," Rush points out.
Before two months were out, the intern could map the pipelines, compressor stations-indeed, the entire system-of any gas utility company within eight hours.
But didn't most companies remove anything that looked like a facility map or location from their Web sites? And didn't the Federal Energy Regulatory Commission (FERC) and the Department of Transportation remove large swathes of similar information from their Web sites? Yes and yes.
So How Did the GTI Intern Do It?
Rush told the intern to look for the street addresses of key components and facillities in a gas utility system, particularly those related to SCADA system operation. Rush notes that information seemingly unrelated to operating a SCADA system can be pieced together from disparate sources to derive equipment location. Even free online mapping services can be a source of information about such facilities.
Once the list of likely addresses is developed, a reverse lookup directory-there are dozens, if not hundreds of these on the Web-can yield any phone numbers connected to that address. After that, it's a simple matter of calling the number. If the caller hears, "Hello, gas company," then it's not a SCADA number. But, Rush says, if the caller hears buzzing and hissing, he or she may have hit an entrée point into the company's SCADA system.
Yet, even with all this information, a terrorist still would not be able to attack a utility's SCADA system. To infiltrate, one needs to know the secret communications protocol.
As Terry Tyler, a partner in business consulting services at IBM, points out, the fact that the majority of SCADA systems pre-date the Internet offers a layer of protection. The older SCADA and EMS facilities are programmed in BASIC or FORTRAN. These languages are proprietary, while most hacking tools utilize Java, C++, or Microsoft-inspired programming languages. "Terrorists may find a way in, but once inside, their [hacking] tools don't work," Tyler maintains.
Assuming that terrorist hackers can navigate past the programming language for a particular SCADA system, they would still need to know a company's naming nomenclature to know how to trip a breaker or shut down a high-voltage feed. Terrorists would need to have a great deal of system understanding once inside to really cause a lot of damage, Tyler says. "There are simpler ways to get the same consequences," he observes. "It's too much learning to go through to actually get at a SCADA system," Tyler says. "Bombs are easier."
Rush concedes that if the intent of terrorists is to simply close down a few valves, critics like Tyler are absolutely right. But, he argues, the industry needs to think about what the objective of terrorists might be. "As tragic as 9/11 was, it was not fundamentally a strategically damaging event," Rush says. "But in terms of economic impact, I don't think we're over it yet."
The Myth and Reality of a Coordinated Cyber Attack
It's certainly not a stretch to think that lasting economic damage could be a goal of al-Qaida and other terrorist organizations, as well as hostile nations. Rush says that terrorists likely would aim to inflict a large amount of technical damage. What would be particularly crippling, Rush adds, is to focus on destroying very old equipment critical to system operation that would be difficult to repair. It could take weeks or month to repair or repace such equipment.
Damage to critical components at one or two companies would not affect the entire nation, says Rush. But what if there were a coast-to-coast, simultaneous, co-ordinated attack on multiple utilities? In this kind of attack, some have suggested as many as 40 companies could be targeted. If that happened, many companies would be in the same line waiting for new equipment-some would have to wait several years, assuming the same manufacturing rate. "That's the sort of attack that could be crippling to the economy," Rush argues.
Yet Tyler dismisses the likelihood of such a coordinated attack. "It would have to be a very well-coordinated terrorist attack, to go in and seize control of enough transmission, SCADA, and EMS, to really cause the kind of widespread damage they would want to cause," he says. For such an attack to occur, terrorists would need to learn the SCADA and EMS systems for 35 to 40 companies, he points out. "There's a much simpler, straightforward approach," he says. Placing bombs near substations, for example, "is much more of a terrorist mindset than [seizing] control of different systems," he maintains.
But isn't ruling out a well-coordinated, ambitious attack on the grid and gas distribution systems similar to pre-9/11 thinking? Tyler says no. "Unlike 9/11, with only a few planes, they didn't have to get into 35 or 40 different companies' SCADA and EMS," he argues. It goes back to intent, he says. "They probably want as much physical damage as possible, because it takes longer to recover from physical damage than from a normal black out." If a number of transmission towers or pipelines are blown up, Tyler points out, it could be days or even weeks before utilities get to black-start status.
Rush disagrees that a cyber attack is too bold or too difficult for terrorists to carry out. After all, his intern developed an attack protocol inside of two months. While it's possible for a terrorist group to target numerous critical points in the utility infrastructure with dynamite or bomb hits, he says, to carry out such an attack would require a large number of people on the ground. But with more people involved comes an increasingly higher risk that the conspiracy will be discovered by the FBI or other authorities.
A cyber attack is fundamentally different, Rush maintains. The entire attack can be pieced together over a period of months, he says. And much of the research and planning can be done via the Internet, outside the United States, with only a handful of people, Rush says.
"A highly detailed understanding of the gas system is not hard to get," Rush claims. In addition to information on the Web on SCADA systems and pipelines, almost every country has a core group that knows how such systems work. And, failing that, it wouldn't be too difficult to find those with knowledge of American utility systems, according to Rush. It would simply take an ad seeking a highly skilled gas system or transmission operator.
Such an ad wouldn't say that the person sought would be working for al-Qaida, Rush says. Instead, the operative might say that he is forming a consulting company and wants help writing a proposal. Certainly, the industry is currently awash with laid off employees seeking new jobs.
And it likely wouldn't be difficult to find a disgruntled former utility employee or current employee who could be blackmailed, as well. Like any other company in America, utilities have unknowingly hired employees who have serious financial difficulties, marital problems, gambling problems, drug habits, or compromising pictures floating around.
Too Much Information?
So what's the solution? Take anything that might be used to attack utilities and the rest of the infrastructure off the Internet?
You could do that, Rush says. "But I think we already did say that, and people took off everything they thought of." Obviously, much information remains. Rush points out that he instructed his intern to stop looking for sources of information if it could be found on two or three Web sites. "My guess is that if you took all those things [the intern found] off, he'd just find another set."
Rush also says that there is considerable information in libraries, on paper. Old maps, old magazine issues, and the like all have information that could be used by terrorists.
Scalingi also votes no. "You need to balance security with necessary openness," she argues. Utilities need to trade information with suppliers and customers, she points out. How can that happen if utilities are forbidden to share any information about their systems? And, Scalingi asks, how do you educate the industry on shoring up SCADA systems, if no one can get information about what the weaknesses are?
"You can make it harder and harder," Rush argues, "but one, I doubt you can get it all, and two, there's some reason we want to have that information," Rush argues. For example, he says that topographical maps show where gas pipelines are located. Taking them off those maps would hide them not only from terrorists, but also from those in the industry who might plot a new pipeline over an old one without realizing it.
Scalingi says that the pendulum has swung to keeping everything secret and out of the public domain. "But in doing so, we are really harming ourselves, in terms of understanding what we need to do in a post-9/11 environment."
Or, as Rush puts it, "If we are less willing to communicate, the more closed our society becomes." Taking information away from the public comes with a cost, both he and Scalingi agree.
The Search for Standards
So the threat is real. But does that make an attack likely?
"I don't feel the homework has been done," Scalingi says, speaking of the myriad security measures proposed since 9/11 for the utility industry, including encrypting SCADA systems. She insists that all security proposals must be examined in terms of both economic feasibility, and how much security they would buy the industry and individual companies.
"This is a tough issue," Scalingi says. "Everyone says that you need to be more secure, but what does that mean?" Companies need to ascertain their optimal level of risk, and it would be nice to have a benchmark for doing just that. But is there a risk assessment approach that takes into account what utilities need to do to be secure in a post-9/11 environment? "We don't have it," she says.
The International Organization for Standardization has adopted a standard for information management, ISO-17799. The standard is based on a British standard for data security. As Allen Brill, senior managing director of technical services at of Kroll Inc. points out, the ISO standard gives a starting point for organizations asking themselves how to measure cyber security-how much is enough? Brill says that before the adoption of ISO 17799, there wasn't a good answer to that question. "Now, there is," he says.
But ISO-17799 does not address the utility industry directly. With real-time systems like SCADA, the utility industry cannot rely on standards that were created for systems that work far more slowly than a 4-millisecond message rate used in SCADA.
The federal government needs to provide more direction on security standards, Scalingi argues. "We need a minimum security standard, developed [by government] in conjunction with industry. We don't want the government alone deciding, because that's not where the expertise lies," she says.
"My sense is that people are floundering because they don't have guidelines that would be useful," Scalingi says.
Yet, so far, there have been few standards developed, and what has been developed isn't mandatory. Last year, the North American Electric Reliability Council (NERC) prepared a set of minimum requirements aimed at securing the electronic exchange of information needed to support grid reliability and market operations. These requirements were included in FERC's standard market design proposal (SMD). But because SMD implementation has been delayed, NERC instead developed a minimum cyber security standard for the industry.
In August, shortly before press time, NERC's board adopted a temporary cyber security standard that would be effective for a year. NERC expects the temporary standard to be replaced with a permanent one.
Utilities are expected to comply with the new cyber standard by March 2004. But that compliance may not comfort everyone. Companies are permitted to self-certify their compliance with the standard; neither the regions nor NERC will conduct audits on that self-certification. As with all NERC standards, no monetary sanctions will be assessed if a company is not in compliance.
FERC has the power to fine companies that break its rules, and to investigate violations. Will the commission step in and issue standards? Don't count on it any time soon. As Scalingi says, "Progress at FERC is glacial." The agency remains mired in issues related to standard market design, its investigation into California market manipulation, and now the blackout.
Assuming that Scalingi is right, and that the expertise on utility cyber security resides with the utilities, the question remains: What are utilities doing to protect themselves? According to Brill, there are some companies who have improved their security. But "some slept through the wake-up calls before 9/11, and slept through 9/11," he says. "They're waiting for another wake-up call. They're sound asleep."
Brill backs up his assessment with observations from a recent Chief Audit Officers meeting he attended. When the practical issues of cyber security came up on the agenda, "a lot of people walked out. It was not important to them," he says. He hears rationales such as "It always happens to someone else, not me," "We're small, we're not going to be a target," and "We haven't been hacked before. Why now?" Brill notes that far too often, he finds organizations that claim they haven't been hacked actually have been, and don't even know it.
One of the smartest things companies can do to improve their overall security, IBM's Tyler says, it to put physical and cyber security, and risk management, all under the management of a chief risk officer. By doing so, security issues would get attention at the executive level. Tyler suspects less than half of all utilities have made that kind of organizational change.
Scalingi agrees. Cutting across the stovepipes-the different physical, cyber, and other security departments-enhances a company's overall ability to meet any kind of threat, she says. Scalingi sees some companies integrating their security efforts, "but it's precious few."
So, two years after 9/11, the industry is now more aware of its security problems. But it has spent relatively little money to fix them. The real-time systems that form the backbone of the industry are still vulnerable to cyber attack. At least half of the companies in the industry have yet to organize their security function to make it a top management issue, instead of an afterthought. And compulsory standards for cyber security likely won't emerge any time soon.
Is this any way to run a network?
Articles found on this page are available to subscribers only. For more information about obtaining a username and password, please call our Customer Service Department at 1-800-368-5001.