The shortcomings of the cyber security of the grid are a latent nightmare that hangs over society. The seeming impact of a successful attack would be significant, even catastrophic.
At the same time, there hasn’t seemed to be too much overt reaction from the government or the utility sector. It’s a broad and amorphous category, with almost endless potential entry points for malware (“attack vectors”). That’s not to say, of course, that experts haven’t been trying to strengthen the system. By definition, it’s better to keep the steps that are being taken quiet.
Thus, subtlety is usually the rule. However, the U.S. Energy Department and the energy sector decided to make a little noise. It may be intended to both reassure us and send a message to the bad guys. Late last week, the department and industry companies from seven states announced a series of initiatives that will total $39 million.
The participating companies are ABB Inc. (Cary, NC); Electric Power Research Institute, Inc. (Palo Alto, CA); Foxguard Solutions (Christiansburg, VA); Georgia Tech Applied Research Corporation (Atlanta); Grid Protection Alliance (Chattanooga, TN); National Rural Electric Cooperative Association (Arlington, VA); Schweitzer Engineering Laboratories, Inc. (Pullman, WA); TT Government Solutions, Inc. (Red Bank, NJ); and Viasat, Inc. (Carlsbad, CA).
Slashdot provides the backstory on the initiative. Essentially, we are in a lot of trouble:
In a survey of U.S. utility companies in May, the Department of Energy found that cyberattacks had become either daily or constant at a dozen utilities, and were rising fast at the others. In a report following the survey titled “Electric Grid Vulnerability,” (PDF) the agency further reported that, during 2012, the number of cyber attacks on federal agencies had increased 68 percent from the year before.
There is hope, however. In a Q&A at Green Tech Media, Andy Bochman, an ex-IBM security executive who now heads his own advisory firm, suggested that there is a lot of work to do, but all is not lost. The entire interview is worth reading. The bottom line is that things are heading in the right direction, but that it is a big industry with significant vulnerabilities:
There are so many utilities — approximately 3,500 — and such a wide variety of utilities across the U.S. that it takes an uncomfortably broad brush to paint an answer to this. But in short strokes, I’d say, in the aggregate, better than often portrayed in the press, and improving. But as they are so interconnected and interdependent, we want most, or all, of them to be pretty solid.
The initiative will build on 2011 requirements from the North American Electric Reliability Corp. (NERC). Compliance has been spotty, according to the story. Most utilities, the story says, complied with requirements while bypassing optional suggestions.
The security of the utility industry is vitally important. The $30 million initiative is good news. Let’s hope it contains a lot more that we haven’t heard of yet.