Let’s welcome the electric power industry

by Rick Dakin, CEO, Coalfire

When financial services, retail, healthcare, and government sectors adopted cutting-edge security programs to address rapidly escalating cyber threats and more demanding regulatory compliance, the electric power industry relied more on the segregation of proprietary control systems from shared networks like the Internet.

However, the need for smarter systems to increase efficiency and make our power systems more “green” has introduced Commercial Off-the-Shelf (COTS) systems into a network-connected power generation, transmission and distribution ecosystem. These smart systems offer huge benefits, but they also carry the same threats and vulnerabilities faced by other systems.

Just a few months ago, electric power systems went from potential targets of terrorism to actual targets. The Stuxnet virus has proven to be a sophisticated attack platform that requires no network connectivity to deliver its payload at a power generation site. The unclassified version of the story is that nuclear power plants in Iran were severely incapacitated by the Stuxnet virus. While this may have been good for all mankind, the fact that the virus has been captured and is heading back to America is troubling.

Many of you will find that the road ahead for the electric power industry mirrors what you have already experienced over the past few years. And some of you will want to update your own disaster recovery plans after reading about the challenges facing the utility sector.

The Government Accountability Office (GAO) recently completed an assessment of smart grid cyber security. Most of you could have written the findings without preparation. It is interesting to note that even highly reliable utility-focused systems are still subject to some of the same threats and vulnerabilities that each of you faces.

With respect to the challenges for securing smart grid systems, the GAO identified the following six key challenges:

  1. Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cyber security.
  2. Utilities are focusing on regulatory compliance instead of comprehensive security.
  3. The electric industry does not have an effective mechanism for sharing information on cyber security.
  4. Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.
  5. There is a lack of security features being built into certain smart grid systems.
  6. The electricity industry does not have metrics for evaluating cyber security.

The most critical finding is that the awareness of security issues was so low that risk mitigation was not anticipated to be timely or efficient. We can all understand this given our experiences with developing new security programs and then training IT and business stakeholders on the importance of adhering to those controls. The bottom line is that progress is being made on cyber security guidelines within the utility sector, but key challenges remain to be addressed and there’s a need for a lot of education.