State commissions can select from a toolkit of regulatory approaches to promote desired utility cybersecurity behavior. One approach is to allow the industry to selfregulate, and another approach...
A Fine Mess
CIP audits show utilities are just getting started with securing the grid.
Bad news from the front lines in the cyber-security war: Little meaningful progress has been made toward safeguarding the nation’s electric grid from malicious attacks. Initial cyber-security assessments and audits suggest few companies really are ready to implement the first wave of NERC critical infrastructure protection (CIP) standards, despite the fact the utility industry drafted the regulations.
“I honestly don’t believe the industry placed a high probability on the standards becoming law,” says Brian M. Ahern, president and CEO of security vendor Industrial Defender. The resulting anxiety has been a boon to companies like Ahern’s, whose phones are ringing off the hook.
“The industry is in a frenzy,” he says. “These regulations have passed. They have real teeth, to the tune of a million dollars a day in fines. They have some milestone dates looming, June 30th being the first. Yet very few utilities have done anything beyond assessing their level of risk.”
The initial CIP phase largely is procedural, covering personnel background checks, password protection and auditability. As fundamental as those things might seem, they’re big news to the industry, and the broad language of the rules is open to much interpretation.
“A number of utilities have gone back to NERC and FERC looking for clarification,” says Robert Sill, CEO and president of security firm Aegis Technologies.
Approaches used by utilities to handle security falls across a wide spectrum. At the most mature organizations the security function is managed enterprise-wide at the executive level. But more frequently security is pushed down the org chart, creating a kind of organizational balkanization, with predictable duplication of efforts and vulnerabilities.
Add to the equation the industry’s capital constraints, aging infrastructure and cultural resistance to change, and the result is a potentially dangerous cocktail. The only clear things are the many obstacles that stand between utilities and effective cyber-security.
The Enemy Within
Despite prevalent fears of terrorist hackers, or the pimply-faced otaku bent on taking down the grid for kicks, experts say the biggest threat is both more familiar and more pervasive.
“We had an incident last summer in L.A. where a disgruntled worker came in and basically slammed his fist down on the red button labeled ‘Don’t Push,’” says Darren Highfill, a security architect at EnerNex Corp. “Fortunately, it was on a Sunday and it didn’t cause anywhere near the problems it could have.”
Inside actors still present the greatest security risk. Ahern says only 10 to 15 percent of the total risk profile comes from external threats. The rest involves people who have intimate knowledge of—and access to—mission-critical systems. The examples of their impact are chilling.
“We’ve found laptops taped underneath desks, deploying malware attacks against servers with the malicious intent of taking down plants,” Highfill says.
At the other extreme are well-intentioned people who simply make mistakes. Ahern tells of an IT intern who inadvertently punched through a firewall and deployed antivirus software,