Power grid security is a bit like a scary movie. Things start out quite normally - a bunch of good-natured kids go for a weekend at a secluded lake house, and seem to be having fun - but then things end up going horribly wrong (and now, sometimes, in 3D). Viewers think: "Don't stay! Get in the car and leave right now, dummy! Don't answer the phone - and, for Pete's sake, don't go upstairs!" It is, of course, to no avail.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iThe power grid is in the early scenes right now. Nothing terrible has happened, but the signs are there. It is unclear if the guy in the hockey mask - a malicious hacker (or team of hackers) who takes down much of the nation - will show up. But the ingredients are there (to say that the power grid was not designed for the IP world is an understatement).
For instance, many utilities have networks that mix administrative and operational data. It is possible that a malicious person could gain access to highly sensitive servers and other devices through less well-guarded administrative entry points. Such a structure never was a good idea, but didn't seem like a big deal when utilities were discrete and unconnected islands. Now, of course, they are linked by the Internet and what happens to one may impact many. The addition of smart grid end points ratchets up the dangers, since they essentially deliver a potential entry point into the homes of the bad guys.
The good news is that the vulnerabilities of the power grid are well known to experts. This week, White House Cybersecurity Coordinator Howard Schmidt unveiled the Electric Sector Cybersecurity Risk Maturity Model Pilot. The post announcing the initiative said that it would be led by the Department of Energy and the Department of Homeland Security. The goal, according to the post, is to:
... help us identify how secure the electric grid is from cyber threats and test that model with participating utilities. Gaining knowledge about strengths and remaining gaps across the grid will better inform investment planning and research and development, and enhance our public-private partnership efforts.
One of the challenges facing electrical grid security efforts is that there are too many cooks in the kitchen. In the SC Security site story on the new initiative, Stephen Lawton wrote that the DOE and DHS share responsibility with the Federal Energy Regulatory Commission (FERC) and that the National Security Agency (NSA) has a say. This fuzziness could have a real-world impact if a major attack occurs. Lawton quotes Patrick Miller, the president and CEO of the National Electric Sector Cybersecurity Organization, a group that works within the energy sector:
Miller said the DOE initiative is a good first or second step in determining how to protect the power grid, but a critical issue that has yet to be addressed is response. "If an (infrastructure) owner is under attack, who do you call?" he asked.
Time is of the essence in confronting these problems. Mark Rowh, writing at CIO, looks at a December Pike Research study (which I also referenced in a post) that outlines many of the problems. He presents suggestions from Pike analyst Bob Lockhart on what can be done. There are five: multifactor authentication, isolation of the control network, application white listing, data encryption both for stored and traveling data and "event correlation."
Unlike a slasher film, the power grid doesn't have to end in crisis. It's important to remember that much of what leads up to the frantic last scenes in such a movie is trumpeted early on by showing the carelessness and lack of proper precautions by the eventual victims. Perhaps the folks responsible for power grid security should take in one of these films.