Security Lessons Learned from California Power Outage

John Walker
The 9th of September 2011 saw a power outage in the U.S. affecting 5 million people in the area of Southern California - the root cause analysis of which is said to have been one single employee switching out a piece of problematic equipment. The upshot of this single act is nevertheless extremely worrying, as it manifested in traffic chaos, cancelation of flights, the shutting down of two nuclear reactors, a widespread impact on business, and on the residents.

This event does, however, raise a number of questions and points back to the long debate about the security of Supervisory Control and Data Acquisition (SCADA) systems, which are considered, in some cases, to host a soft underbelly for cyber attacks. There is also the question of timing - whilst I do understand the public notice, let us be honest here - if this were anything other than a mistake by an employee, would the public really expect to be told? Additionally, if a single employee's mistake, with just one piece of equipment, can have such a devastating consequence on what is national critical infrastructure, then what does this tell us about security, change management, and of course, business continuity?

The timing of this event may not, in my opinion, be a complete coincidence, coinciding as it did with the 9/11 memorial - an event that cost the lives of many innocent, ordinary people - and an event that changed the world forever. While it is not being suggested for one moment that this is the consequence of a cyber attack, in my mind the jury is still out and it is a concern I am not able to satisfactorily resolve. It may also be worth noting that in the UK, the time/date format is 9/9/11.

I believe this event again places focus on the frailties of an infrastructure that is subject to targeting by extremists who are seeking to cause disruption, to create chaos, and to possibly follow through with loss of life. It must also be accepted that to place a cyber warfare attack capability alongside a conventional theatre of war would seem to make a great deal of battlefield sense - causing widespread disruption, outage of power, followed by what I would expect to be opportunist public disorder.

One last point of interest here is, only last week I was sent an image by one of my many distant contacts - and as I recall the message said, 'You may find this interesting' - it was a picture of New York in a blackout condition.

To conclude: Regardless of a mistake or cyber attack, the time has arrived to reassess just what security is surrounding the various critical national infrastructures (CNI) around the world, and to place them, where possible, in an enhanced profile of security hardening. It may also be beneficial to revisit the standard operational practices around such areas as change management, and of course business continuity. Last but not least, I am sure this has been considered, but if Al Qaeda can get one of its radicalised operatives into a prime position of flying an aircraft, gaining employment with a power company in some capacity should prove to be a much less onerous objective. As I have said before in many articles, it is time for the security professionals to take a more proactive stance and look at what needs to be done.

The first task must be to get serious about the landscape of security that surrounds these systems that we rely on to service the CNI. And here I don't just mean applying a few policies, and then following them with the religious contempt that we so very often see practiced in some sectors of IT governance, in the form of tick box security and lip serviced compliance. I am talking about serious programmes that are commensurate to the potential risk and impact posed against, and by these key point infrastructures and assets.

I am asserting that the induction processes for selecting employees into these key point areas are both robust, and consistent throughout all organisations that supply such critical services. If not, then now would be a good time to rethink the recruitment processes.

In closing, I see a need for more security professionals with a willingness to go to the next level and embrace this specialist area of SCADA systems, applications and infrastructures security. And more importantly, for these professionals to immerse themselves in learning and specialising in these environments, in particular, relative to their foibles and challenges. Possibly here, there may even be a future for focused training certification to be created specific to SCADA environments. One thing is for sure, these systems, applications and infrastructures are not just run of the mill. They are the very lifeblood of the global economy, business and our communities, and they demand special treatment to secure and govern their profiles. Nothing less will suffice.


Sep 17, 2011 12:09 PM Anonymous says:
Dr. Walker, this is more than just a "specialist area." It is the tip of a very large and dangerous iceberg. The first rule of any control system is DON'T GET IN THE WAY OF SAFETY! To do that, you have to be intimately familiar with the process you're protecting. This is not some office application where you can back up all your data and restore it if something goes wrong. Restoring a control system will not fix the industrial mess, injuries, and even deaths you'll have made if things don't go right. The study of control systems is very much more detailed than most IT experts realize. It is an amalgamation of many engineering disciplines, just like IT security is an amalgamation of many IT disciplines. We have a long road ahead and it will take some very bright and very practical people to make progress here. I doubt any two hour test could possibly cover even a reasonable fraction of this domain. That's why the certification hasn't happened yet and it won't gain traction until the people involved get much more serious about this.
