Cyber and Physical Security:
Although NERC and other agencies are helping out, utilities still face internal obstacles.
With the terrorism threat level elevated ahead of the 2004 elections, utilities find themselves in an increasingly familiar position. The industry-targeted by Kalid Sheik Mohammad during the early planning of the attacks of Sept. 11, 2001, and which fell victim to a blackout caused by its own deficiencies last August-has refocused its efforts on physical and cyber security.
This new focus has revealed that despite improved levels of cooperation with the government and other private industries, coordination issues continue to dog efforts at improving utility cyber and physical security.
The challenge of meeting threats from outside the utility is complicated by each utility's own internal culture, and the sometimes adversarial relationship between the information technology (IT) staff and the operations staff.
"The IT organization owns cyber-security," explains Joe Weiss, executive consultant at KEMA. "They have the expertise about cyber. They have the funding to do something about cyber. There's only one problem: They have no responsibility or accountability for any control systems." These systems lie within the territory of the operations department, which Weiss says lacks knowledge about security, and "generally doesn't like IT at all."
Because these systems traditionally were isolated from each other, that wasn't always a problem. But with the advent of corporate WANs and LANs, the plant would use the corporate IT resources, Weiss says. "The problem is that ops is scared to death that IT is going to go in and do something that IT does all the time-diagnostics, patches, taking the server down for the weekend-and if you're talking about a plant's distributed control system where you need to keep lights on, these things can't go down. You can't have people playing with it."
Weiss remains alarmed by the industry's ignorance of the security threat to utility control systems, and frustrated by the chicken-and-egg nature of finding a solution for control-system security.
"We have a catch-22 right now: Our suppliers aren't supplying secure control systems because they don't see a market, and users aren't specifying secure control systems because they don't know how. And they don't want to pay extra because there isn't a driver yet."
But if the utility industry has been slow to catch on to the security threats to control systems, the government has stepped into the mix early, with the Department of Energy (DOE) and Department of Homeland Security (DHS) tasked with finding a solution.
"The government is stepping in to do this because they can't afford to wait until the market just gets there on its own," Weiss says.
The purpose of the National SCADA Test Bed-a joint venture between the Idaho National Engineering and Environmental Laboratory (INEEL) and Sandia National Laboratories-is to encourage vendors to test their equipment in an environment where, if something goes wrong, customers aren't affected, Weiss says. He cautions against reading too much into other vendor security testing, which he describes as too limited. "This is such a ticklish problem," he says. "People don't understand the magnitude."
Weiss makes no bones about his relationship to INEEL (he's under contract to the lab), but he hopes vendors will rise to his challenge. "I'm technology- and vendor-agnostic," Weiss says. "I don't have a product to sell. If [someone's] got a solution, hot damn. But if they do, they should take it out and prove it."
Weiss also finds little comfort in the North American Electric Reliability Council's work on a cyber-security standard. A consultant to NERC's Critical Infrastructure Protection Committee (CIPC), Weiss has choice words for the direction of the council's efforts.
"I'll be very honest with you. Unless NERC 1300 [the upcoming iteration of the NERC standard] gets substantially more detailed, it won't cover most [control systems]. It excludes all nuclear power plants and all distribution systems, and both have had intrusions. And yet, the NERC standard will explicitly exclude both." (Go to )
"People are trying to take a warm, comfy feeling that industry is doing something, and therefore we're better off. [But] when you explicitly exclude a third or more of the electric infrastructure, that shouldn't be a warm comfortable feeling.
"This has been brought up [at the CIPC meetings] and it has been turned down. Distribution has been said to not be under NERC's charter, only DOE told NERC, 'Your charter is the electric industry.' And there's a presidential decision directive that says the Nuclear Regulatory Commission is responsible for nuclear plants. Here's the conundrum. The NRC charter is to ensure that a nuclear plant can shut down and stay down. Their charter is not to keep a nuclear plant up. It's exactly opposite of what we need.
"It is my belief that our executives are not aware of this."
NERC: Defender of All?
NERC's mission of ensuring that "the bulk electric system in North America is reliable, adequate, and secure," has come under increased scrutiny in a post 9-11 world. Critics say that the organization lacks the regulatory authority to be effective.
In fact, in terms of reliability, the organization has openly called for Congress to give it mandatory enforceable reliability authority.
Even as its burden is shared, NERC relies on "reciprocity, peer pressure, and the mutual self-interest of all those" organizations that share its goals.
But Louis G. Leffler, manager of critical infrastructure protection at NERC, believes NERC is well prepared to help the industry prepare for potential threats.
He says the recent release of the 9-11 Commission's report has spurred NERC to greater levels of cooperation across government agencies and the private sector. Furthermore, he adds that initiatives to increase both physical and cyber security at utilities started several years ago under President Bill Clinton.
In 1997, Clinton's Commission on Critical Infrastructure issued a report, which would be followed by the President's Decision Directive 63-indicating the need for more formal critical infrastructure protection "It didn't limit itself to cyber security," Leffler says.
What the Commission Said
With the recent elevation of the terror threat level ahead of U.S. elections this November, the industry is racing to implement the recommendations of the commission's report. "The U.S. border security system should be integrated into a larger network of screening points that includes our transportation system and access to vital facilities, such as nuclear reactors," the report states. (p. 387) The commission also "encourage(s) widespread adoption of newly developed standards for private-sector emergency preparedness-since the private sector controls 85 percent of the nation's critical infrastructure." (. 20)
Mitch Singer with the Nuclear Energy Institute says the industry, by the end of 2004, will have poured $1 billion into physical and cyber-security upgrades, including the installation of additional barriers and jersey walls at nuke plants. The security guard force also has been increased since 9/11 by about 35 percent. "It's over 7,000 guards," Singer says. "They're basically paramilitary forces. Most of them have previous experience either in the military, state and local police, or in other industrial security settings."
When suspicious activity does occur, NERC looks for help to broadcast it across the different agencies responsible for America's critical infrastructure.
"This is a two-way street of information," Leffler says. "We would expect that if there is intelligence focusing on the industry, that they would communicate it to the industry, directly to the asset owner and/or through the electric sector ISAC" ()-the Information Sharing Analysis Center- through which NERC distributes threats to electricity sector infrastructure. But first the information has to get to NERC. That's where the Critical Infrastructure Protection System comes in.
"It runs on a secure Web," Leffler says, and "it provides the ability for people in the field, of which there are hundreds, to communicate with the ISAC and also with the Department of Homeland Security if there are incidents.
"We developed a program called Indications, Analysis, and Warnings-a list of some 15 items, physical and cyber, which should be reported within a stated amount of time."
"The thing we report the most … are incidents of what's called surveillance, or social engineering, where pictures are being taken, people are asking questions. … In some cases they're taking pictures, and they're obviously not tourists because when they're approached by a plant security officer, they toss the camera in the car and take off. That happens. [Security officials] get the license plate. Local law enforcement and the FBI get together and they track these things down, and most of the time it's nothing, but these are the kinds of things that are very important to report because, in the event a terrorist is going to attack a facility, part of their modus operandi is to figure out what site they want to attack … and do surveillance: take pictures, make notes, observe guard rotations. Then they come back, make their plans, and before they do the attack they go back and make sure nothing's changed.
"So one of the things we tell our people is, 'Change your appearance to the outside world, and 'Survey the outside world so you know what's going on out there.' Because if these things are happening and they do get reported … that can lead to tracking down one of these [attacks] and stopping it dead in its tracks."
Adapting New Software to Operational Realities
The threat of cyber-security attacks has sent utilities to different vendors in search of solutions. When Peoples Energy wanted to upgrade its protection against attacks, the company looked to a familiar name in online security: Symantec.
Gary Sevounts, director of industry solutions for electric power at Symantec, downplays fears of terrorist attacks on utility systems. Instead, he says the recent spate of Internet "worms," which slow systems to a crawl or paralyze them altogether, represent the primary vulnerability for utilities that rely on real-time data to respond to system disturbances.
Sevounts says that vulnerability boils down to one main culprit at most utilities: SCADA systems. "SCADA security is probably the biggest issue that there is today from a cyber-security standpoint," Sevounts says. "The SCADA environment uses different protocols and different applications to work from those that IT networks use. Taking an IT security product and putting it into a SCADA environment without testing and validating it could disrupt operations. For example, if an antivirus adds a 5-second delay, in a SCADA environment that means that communication is not real-time anymore. A 5-second delay responding to something shutting down may be the difference between uninterrupted operations and a blackout, or a disruption in operations. That's really the difference with a tested, validated, configured solution makes.
"With Sept. 11 and the blackout, even though none of them have direct connection with cyber-security attacks, those events bring a stronger focus on the cyber-security and what effect a major incident may have on major utilities."
Symantec teamed up with Areva T&D Corp. and Pacific Northwest National Lab (PNNL) to test Symantec's cyber-security products earlier this year. "After we set up the lab, we invited PNNL to independently test the results," Sevounts recounts. "Areva and Symantec worked on setting up the lab, coming up with configurations, etc. PNNL watched what we were doing and did their own tests, making sure that what we did made sense."-C.A.H.
Articles found on this page are available to subscribers only. For more information about obtaining a username and password, please call our Customer Service Department at 1-800-368-5001.
Cyber and Physical Security: