100 EnErgyBiz September/October 2008

» TECHNOLOGy FrONTIEr

dealing with cyber ThreatsENERgy COmPANiES STEP UP PREPARATiON

By PAUL KORzENiOWSKi

the attacks On 9/11 illustrated how terrorists’ minds work. their approach

was not simply to kill as many individuals as pos-sible; it was to cause as much disruption to the u.s. way of life as possible. in the days after the attack, airlines were closed, companies closed up shop, and the aftereffects were seen in the stock market for many months. in examining what they could attack to cause similar damage, the nation’s energy grid emerges as a possible target, one with many potential entry points.

in the aftermath of 9/11, the government as well as energy providers took stock of the possible damage and have been trying to close up possible holes. “a lot of work has been done to secure the energy grid but more is needed,” said Joseph bucciero, senior vice president of kEMa, an interna-tional energy consulting company.

the limitations of the efforts stem as much from the breadth of the challenges found with cyber security as from the industry’s response itself. a terrorist only needs to find one security hole in a complex network while energy companies have to seal all possible entry points.

the nature of the energy business complicates the security task. “unlike most companies, energy corpo-rations run two separate networks: one that controls the flow of energy and a second that supports their administrative functions,” said chuck newton, president of newton-Evans market research firm.

the more vulnerable area may be with the former, and part of the reason is recent technical advances. in the old days, power companies had technicians go from manhole to manhole to determine which part of their grid had problems. now, they have automated systems that monitor and control the flow of energy from place to place. lately, they have been expand-ing the reach of these systems. Power providers have been reaching into businesses and consumers’ homes, so they have more knowledge about demand.

While these changes enable energy companies to streamline their operations, they create new security challenges. in most cases, supervisory

Plant engineers subsequently removed all physical connections between the two systems, but cyber experts noted that this type of problem can occur when corpo-rate computer systems are connected to sensitive control systems that were never designed with security in mind.

although these incidents were relatively harmless, the idea that nuclear plants are so vulnerable to such unintended consequences — which could someday include a catastrophic release of radiation — won’t reas-sure a jittery public that still hasn’t gotten over the 1979 meltdown at three Mile island.

nRc’s communications policies are hardly reassuring. nRc’s event notification report for the March 24 indian Point incident doesn’t mention the role of the digital camera at all, only a loss of speed in the feed pump. Entergy’s incident report also neglected to mention the digital camera. it’s like the old joke of saying someone died of heart failure due to a bullet through the heart. it was only when the local press got wind of the incident in June that nRc promised an information notice.

still, as nRc’s sheehan notes, the plants themselves performed as required by automatically shutting down. “that’s what they’re designed to do if there is any sort of anomaly involving any security feature,” he says.

teChnology Frontie r

Gatherings www.energycentral.com/events

to view any of these events, please go to www.energycentral.com/quicklink and type the quick link code ( ) into the quick link box.

oCtober 1-2 | World energy engineering Congress Washington E17886

1-4 | eolica expo 2008 Rome E17241

13-14 | Utility tech Congress dubai, uaE E18261

15-18 | knowledge 2008 Utility Cio Summit napa, calif. E18277

21-23 | amrChina dalian, china E18525

26-29 | Sap for Utilities san antonio E17784

27-29 | t&d World University dallas E17839

noVember 3-6 | Southeastern electricity metering association clearwater beach, fla. E18028

19-21 | reneXpo® South-east europe bucharest, Romania E18611

26-28 | hydropower plants vienna, austria E17976

102 EnErgyBiz September/October 2008

» TECHNOLOGy FrONTIEr

control and data acquisition (scada) devices support energy dispersion, and these systems often lack basic security elements, such as support for authentication and encryption.

one reason for the shortfall is that these devices were designed decades ago. at that time, vendors developed proprietary protocols that monitor and control switches, valves, pressure gauges and ther-mometers, but they are often based on standards that even predate Windows and therefore lack sophistication. also these systems were engineered to be run on closed networks, but they are not iso-lated anymore, according to sean McGurk, director of the control systems security program for the u.s. department of homeland security (dhs).

not only are these devices insecure, but also the individuals managing them often lack needed expertise. While they understand how to manage the devices, they may not be familiar with the steps needed to ward off sophisticated cyber attacks.

Many energy providers face the problem of secur-ing these devices. nearly 1,700 of the 3,200 power utilities have some sort of scada system in place, according to newton-Evans. in some cases, com-panies do not even have a firewall separating their control from their corporate network, leaving the systems open to attack from the internet. also many energy providers do not keep detailed access and network-data logs, which help companies determine if someone is trying to break into their networks.

however, awareness of the problem has been on the rise. concern about the security of the nation’s power plants was heightened last year when a dhs video demonstrated how a hacker could damage a power generator using only code, a problem that has since been referred to as the aurora vulner-

ability. such scenarios aren’t merely theoretical. in January, cia senior analyst tom donahue stated that online attack-ers had caused at least one blackout in a city outside of the united states.

the energy industry has responded to the news. the north american Electric Reliability council (nERc) has been for-mulating cyber security standards, including those centering on scada

devices. Early this year, the first set of specifications was completed, and the agency has been given power by the federal government to levy penalties against companies that do not comply. “the fines could be as much as $1 million per incident per day,” stated Rick sergel, president and cEo of nERc.

While much of the attention has centered on the distribution network, there are also issues

with energy companies’ administrative networks. at the beginning of the year, the Government accountability office found security at the tennessee valley authority lax. the federal govern-ment agency identified close to 20 holes, items such as ineffective software patching systems and improperly secured remote workstations.

the agency claims to have addressed the prob-lems, but the report illustrates a major concern. “Most energy companies are probably in similar position as tva,” stated Justin lowe, a managing consultant in Pa consulting Group’s energy practice.

that is true even when companies try to be vigilant. one problem is that cyber threats change so quickly. funding can also be a problem. “Energy company executives feel more comfortable spending their money on marketing campaigns that would raise revenue than security improvements, which have a tenuous connection to the bottom line,” noted newton.

yet even the resisters are beginning to understand the need to secure energy systems. companies are becoming more willing to spend on security, but unfortunately, the challenges presented in today’s control and administrative networks are also increasing. as soon as one hole is filled another one opens up.

NewsFlashRussia’s nuCleaR puRsuit

russia is intent on developing the next generation of nuclear power between now and 2025, according to the Daily News Bulletin of Moscow.

the effort will include researching new ways to reprocess nuclear fuel and the development of a commercial fast neutron reactor that would result in low levels of radioactive waste, according to prime minister Vladimir putin.