IT security in energy sector to come under scrutiny
Massive blackout highlights need for better security protections
Computerworld - WASHINGTON -- As the blame game continues surrounding Aug. 14's regional blackout, Congress is planning a series of hearings not only to find out what caused the cascading power failure but also to examine a pressing security issue that experts have been warning of for years: the power grid's vulnerability to intentional cyber-based disruptions.
During the first week in September, the House Committee on Energy and Commerce plans to hold hearings into the massive power failure that struck the Northeast, Midwest and parts of Canada to determine the likely causes and what can be done to prevent future failures. In a letter, committee Chairman W.J. "Billy" Tauzin (R-La.) requested information on the blackout from all of the utility companies and various industry councils affected.
In addition, officials from the House Committee on Government Reform want to study the security of the national power grid's cyber-based control systems. The concern is that an equally devastating series of failures could be triggered by relatively minor disruptions to the control systems that manage the power grid, a Capitol Hill source said.
Such incidents are exactly what security experts from the IT and energy industries have been warning about for years. The issue came to the forefront during the California energy crisis in 2001. For 17 days, between April 25 and May 11 of that year, hackers managed to remain undetected after they breached the network of the Folsom, Calif.-based California Independent System Operator (ISO), which manages that state's electric grid. Although no damage was reported, officials traced the intrusion back to a system in China (see story).
The problem, however, is that electrical grids such as California ISO's are highly integrated and dependent on other regional grids, and all are managed using technology known as Supervisory Control and Data Acquisition (SCADA) systems. Once highly proprietary, SCADA systems are increasingly being deployed using commercial off-the-shelf technologies that rely on public Internet protocols and connections for ease of management and cost savings, experts said.
"The [energy] sector has always contained security vulnerabilities, but these vulnerabilities have been compounded by the introduction of new networking technologies, deregulation and structural changes in the industry," according to a report released in December by the Institute for Security Technology Studies at Dartmouth College. "There have been dozens of cases where [SCADA] systems -- in the electric power, water, wastewater, oil, gas and paper industries -- have been intentionally or unintentionally impacted by electronic means," the report states.
In addition, testimony received by the institute from utility companies "clearly shows that the electric energy sector is
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- IT Security - Fighting the Silent Threat "IT Security - Fighting the Silent Threat" is a global report into business attitudes and opinions on IT security. Download the report now...
- Cutting Complexity - Simplifying Security This white paper looks at how the latest IT Systems Management solutions can simplify and automate a vast range of routine IT management...
- Your Data under Siege: Defeating the Enemy of Complexity Even if you have adequate antivirus protection, are there still holes in your IT security armor? Is lack of bandwidth to manage the...
- Build Your IT Security Business Case In this latest whitepaper from Kaspersky Lab, you'll find useful facts, examples and business case arguments to help you get buy-in and commitment...
- Pre-Engineered solutions from VCE Simplify Core Infrastructure Implementation In this video, the CTO of Purdue Pharma, a privately held pharmaceutical company explains how Purdue transformed their data center infrastructure with VCE.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now All Disaster Recovery White Papers | Webcasts