Magazine article National Defense

Power Companies Struggle to Maintain Defenses against Cyber-Attacks

Article excerpt

When experts rank U.S. industries' abilities to ward off potentially damaging cyberattacks, the electric utilities are normally near the bottom.

And that is troubling, these same network security professionals say. Taking down an electric grid, especially one that serves a major city, could do real damage to the economy and may indirectly cost lives.

One of the issues is that there is no sense of alarm. A terrorist group or nation state has heretofore not switched off a power grid.

That doesn't mean that they aren't vulnerable, said Curt Aubley, chief technology officer and North American vice president at McAfee.

"The good news is that the energy companies and power companies recognize this and they are putting plans in place and forming security partnerships," he said in an interview.

But at this point, the industry is lagging, others interviewed agreed.

And new smart power grids, which will rely on Internet protocols to connect homes and businesses to the energy plants, may complicate matters.

Maria Horton, CEO and founder of EmeSec, a network security firm that works with the Department of Homeland Security and other government agencies, said part of the problem is cultural change.

The energy grid is one of the nation's oldest pieces of critical infrastructure, she noted.

"Many of the folks who have worked in energy believe that they have designed a system that has worked very well for 40, 50, 80 years since the delivery of national electricity. They are not necessarily comfortable with modern day information systems," she said.

The supervisory control and data systems, or SCADA - the specially designed computer programs that operate industrial machines - have been since their creation unconnected to networks. But they are being modernized through attrition, she said. Many of the technicians who operate the systems are reluctant to update the software because they don't know what the full impact will be on the grids they run, she said.

Aubley said this is just how the industry grew over time. Power plants have separate network and control systems created just to operate that infrastructure.

To infiltrate such a stand-alone system, the perpetrator of an attack would have to physically install rogue software in the system, similar to what happened in Iran when the Stuxnet virus was allegedly placed by an insider in the SCADA systems that ran the centrifuges for that nation's uranium enrichment program.

"In some ways that is a little safer because it is not connected to the Internet," Aubley said. "But with the economic challenges that everyone has - and the fact that they want to expand their business - many power companies are starting to connect to the Internet so they can provide more automation and ... more optimization of delivery," he said.

They want to provide more value to customers, but once their systems cross that line, they are vulnerable, he said.

Vincent Berk, CEO of network security firm FlowTraq, said there is another problem that isn't talked about: money. Utilities just don't have big budgets to spend on cybersecurity.

"They are pinching pennies so hard the copper is coming off," he said. "They have very little to spend. It's not only an expertise problem. ... They are trying to get by with the least amount of resources they have and do the best job possible."

The industry relies on custom systems specifically created for managing an infrastructure. Operating systems built with off-the-shelf software such as Microsoft's are harder to defend, Berk said.

Grids are built to last for decades. Employees forget to update the computer programs as time goes on.

Like the other experts interviewed, Berk said there is an increasing realization in the energy sector that it has a problem.

Awareness is key, said Aubley. …
