Sluggish movement on power grid cyber security

'Doesn't go far enough'

One year after the worst blackout in US history drew attention to the fragility of the North American power grid, progress on protecting the grid from computer intrusions has been slow in coming.

This week the North American Electric Reliability Council (NERC) - the not-for-profit industry group responsible for keeping electricity flowing throughout the United States and Canada - released a list of measures taken to shore up electric grid reliability in the year since the 14 August, 2003 northeast blackout, when a sagging high voltage line in Ohio cascaded into a failure that left 50 million people in eight states and a Canadian province without power.

Topping the cyber security portion of NERC's list, the council recently voted to renew for one year a set of rules, called the Urgent Action Cyber Security Standard 1200, that sets minimum cyber security requirements for utility companies in the US and Canada. But that standard - by coincidence enacted the day before the blackout - is relatively small in scope: it applies only to utility control centers, and specifically exempts substations, power plants, and the remotely-operated control systems and relays sprinkled throughout the grid. "It doesn't go far enough," acknowledges Tom Kropp, manager of enterprise information security at the Electric Power Research Institute, an industry think tank. "It is very, very limited in what it applies to."

The reason the standards don't reach further, says NERC cyber security chief Lou Leffler, is a pragmatic one: the industry didn't want to impose requirements on itself that it couldn't meet. "There are some areas where the technology doesn't exist at this point in time to provide all the protection that we'd like," says Leffler.

Concern in Washington

SCADA (Supervisory Control and Data Acquisition) systems, in particular, allow utilities to remotely control and monitor generation equipment and substations over phone lines, radio links and, increasingly, IP networks. That makes them an obvious target for cyber attackers. But some existing SCADA systems can't economically be retrofitted with encryption or authentication technology without introducing unacceptable latency into the link, i.e., slowing down communications, Leffler says, voicing a sentiment heard often in the industry. "The devices to provide that kind of encryption, certification or what-not just do not exist," says Leffler.
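The trade-off Leffler describes is between message integrity on the control link and the extra bytes and processing each frame has to carry. As an added illustration (not code from NERC, EPRI or any vendor named in the article), the block below wraps a constructed Modbus-RTU-style poll in a "bump-in-the-wire" style frame: a 32-bit sequence counter plus a truncated HMAC-SHA256 tag, checked by the receiver for both tampering and replay. The key, the tag length and the frame layout are assumptions chosen for the example; the block reports the fixed byte overhead of the scheme but says nothing about link latency, which depends on the serial hardware and the firmware doing the hashing.

```python
import hmac
import hashlib
import struct

# Assumed, constructed: a 32-byte pre-shared key provisioned to both ends of the link.
KEY = bytes(range(32))
SEQ_LEN = 4   # 32-bit big-endian sequence counter, bytes
TAG_LEN = 8   # truncated HMAC-SHA256 tag, bytes (assumed length for the example)


def wrap(seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq || payload || HMAC-SHA256(KEY, seq || payload)[:TAG_LEN]."""
    header = struct.pack(">I", seq)
    tag = hmac.new(KEY, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag first, then enforces a strictly increasing sequence."""

    def __init__(self) -> None:
        self.last_seq = -1

    def unwrap(self, frame: bytes):
        """Return the payload if the tag verifies and the sequence is fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None  # too short to carry header and tag
        header = frame[:SEQ_LEN]
        body = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(KEY, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit, or wrong key
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None  # replayed or stale frame; state is left unchanged
        self.last_seq = seq
        return body


def overhead_bytes() -> int:
    """Fixed per-frame cost of the retrofit: sequence counter plus tag."""
    return SEQ_LEN + TAG_LEN


# Constructed sample: Modbus-RTU-style read holding registers request
# (unit 1, function 3, start address 0, two registers); the RTU CRC is omitted here.
POLL = bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x02])


def demo():
    """Deliver a valid frame, a bit-flipped copy, and a replay; returns the three results."""
    rx = Receiver()
    frame = wrap(1, POLL)
    accepted = rx.unwrap(frame)
    tampered = bytearray(frame)
    tampered[SEQ_LEN + 1] ^= 0x01          # flip one bit in the function code
    rejected_tamper = rx.unwrap(bytes(tampered))
    rejected_replay = rx.unwrap(frame)     # same sequence number a second time
    return accepted, rejected_tamper, rejected_replay


if __name__ == "__main__":
    print("overhead per frame:", overhead_bytes(), "bytes")
    print(demo())
```

Checking the tag before the sequence number matters: an attacker must not be able to advance the receiver's counter with a forged header, and a frame that fails verification leaves no trace in the receiver's state.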

In the wake of the northeast blackout, the narrow focus of the industry's cyber security standard even drew the attention of presidential candidate John Kerry, who, in his capacity as US Senator, asked the chairman of the Federal Energy Regulatory Commission to explain the omission of power plants and control systems from the NERC standard, and from a proposed federal standard that was never ratified.

"As you know, the increased integration of generation, transmission and distribution, and control and communications functions, makes the security of the power grid increasingly dependent on the security of its components," Kerry wrote, in a letter dated 8 September, 2003. "I strongly support your efforts to increase the protection of our electric power infrastructure, but I am concerned that the very systems used to control the safe and reliable operation of power generation have been excluded from the rule."

Responding to Kerry, FERC chairman Patrick Wood wrote that the failure of individual power plants is not a threat to the grid as a whole, and echoed NERC's position that control systems, while "clearly vulnerable points," could not be secured with cost-effective off-the-shelf solutions, and were therefore properly omitted from security standards.

Scattered Incidents

If the current rules are limited, observers expect more from the sequel: NERC is working on a new, permanent cyber security standard expected to be in place by the time Urgent Action 1200 expires, one year from now. "What NERC wanted to do with the current one is to set a threshold, give it a try, get the industry comfortable with it and then move on to a more stringent standard," says Kropp. "I think the intent is for [the next standard] to go farther."

"It is my understanding that it will cover the SCADA connectivity, to the extent that there is existing technology to do that," says NERC's Leffler. "I hope that the industry, that the vendors, can develop cost effective security solutions for all of our control systems. I think that is one of the intents."

To that end, there are myriad efforts underway to develop SCADA security solutions. Working with NERC, the Department of Energy has produced written guidelines to help utilities voluntarily tighten their control systems, and the department funds a well-regarded National SCADA Testbed at the Idaho National Engineering and Environmental Laboratory. This year also saw congressional hearings and a GAO report on the issue of control system cyber security, and an announcement from at least one sizable computer security vendor jumping into the SCADA security market. "There's also a funded, focused effort within the Department of Homeland Security to address this," says Joe Weiss, a control system cyber security consultant at KEMA. "That is a big deal."

Reported cases of power grid cyber security incidents are rare, but not unheard of. In the most dramatic incident, early last year the Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours. According to an industry report, the same worm downed a utility's critical SCADA network after penetrating a control center network through a VPN connection, and, separately, disrupted a power company's SCADA traffic by consuming bandwidth on a shared facility.

The northeastern blackout was not caused by a cyber attack, but a software bug contributed to its scope. A silent failure of the alarm function in an Ohio utility's computerized Energy Management System (EMS) is listed in the joint US-Canada report on the blackout as one of the direct causes of the outage. In April the maker of the software, GE Energy, told SecurityFocus the failure was caused by a race condition in the EMS software that has since been patched.

In all, utilities have had so much work to do on basic reliability that cyber security has taken a back seat over the last 12 months, says EPRI's Kropp. "What I think people have done is they've taken the reliability aspects and the maintenance aspects more seriously," Kropp says. "I think companies are looking at the tools they have to monitor the grid. They're taking much more seriously the preventive maintenance aspects, like cutting tree branches, and making sure the transmission lines are intact and in good shape... They've been taking a second look at their software to make sure there aren't any problems with it. Those all had to be done before they could start worrying about security."

Copyright © 2004

Related stories

Tracking the Blackout bug
Software bug contributed to blackout
IT Failures In The Great US Blackout
Sparks over US power grid cybersecurity
NCSP drafts secure code guidelines
Cyber security alliance sets sights on Washington
Leeds Uni, MS teach undergrads to write secure code
