Utilities Cyber Threat Legislation on the Rise
Operational systems like SCADA and DCS [1] that control plants, refineries of all sorts and the flow of electricity in power grids are now interconnected in complex virtual ways, with erased physical network boundaries.
They’re increasingly based on a standard communications infrastructure that greatly increases efficiencies – but also the vulnerabilities to malicious intent.
“Today’s new breed of hacker, who is sophisticated, educated, and well funded, may have less difficulty getting into the network of a utility or energy company system and staying there, undetected,” says a PricewaterhouseCoopers report.
Usman Sindhu, Senior Research Analyst at IDC Energy Insights, cites the 2010 Stuxnet worm in Iran and Night Dragon malware in the Americas, Europe and Asia as recent examples of advanced persistent threats that have kept the potentially catastrophic effects of a utilities shutdown on the front burner for business leaders and governments alike.
“The contemporary era of critical infrastructure protection really began in the late 1990s when governments realized there was a growing number of threats and that policy and self-policing by the utilities themselves were no longer adequate,” says Sindhu.
Since then, the North American Electric Reliability Corporation (NERC) has been certified by the Federal Energy Regulatory Commission to develop and enforce standards throughout the United States and Canada.
This situation was made even more complex by the fact that countless systems that went “smart grid” – thanks to 2009 Recovery funds for modernizing power systems – have had the downside of potentially opening the door to all sorts of intruders.
Be prepared
In 2011, the London Evening Standard and The New York Times gave low marks to the cyber threat preparedness of utilities in the United Kingdom and the US. The reasons cited were low priority compared to protecting against general system downtime, lack of money to secure both, a shortage in the marketplace of personnel combining smart-grid/industrial knowledge with traditional security skills, and jurisdictional disputes.
According to Sindhu, the US Congress has recently introduced 50 cyber-related bills for protecting electric utilities, oil, gas, and water companies with significant ramifications.
“First, NERC guidelines are no longer considered enough, so companies will be responsible for sustaining a robust security architecture, and a third party auditor will need to test its cyber security plans.
“Second, utilities will need to share information about incidents with the Department of Homeland Security and their industry. Third, utilities are already struggling to control security in the smart grid deployments; with this legislation in place, they have to intensify their efforts. And fourth, consumer information may be a key issue, introducing mandates for privacy and data breach notification for the smart grid ecosystem,” he says.
Many levels of expertise
Many countries, such as Canada, the UK, and Australia are pursuing legislation similar to that of the US, but according to Sindhu, most of the bills address physical security only indirectly.
It is up to security managers at utilities to realize that the smart grid will demand four levels of interconnected expertise: the physical aspects – covering entry, cameras, alarms, real-time feeds – the network security part – components in communication with each other over IP networks – the data that has to be constantly secured, and the applications that need to be kept running and secure, increasingly on mobile devices.
Change is afoot globally for legislation aimed at the spectrum of utilities companies – small and large, public and private.
[1] SCADA – Supervisory Control and Data Acquisition
DCS – Distributed Control Systems
By Derek Scheips