IT security in energy sector to come under scrutiny
Massive blackout highlights need for better security protections
August 20, 2003 12:00 PM ET, Computerworld
WASHINGTON -- As the blame game continues surrounding Aug. 14's regional blackout, Congress is planning a series of hearings not only to find out what caused the cascading power failure but also to examine a pressing security issue that experts have been warning of for years: the power grid's vulnerability to intentional cyber-based disruptions.
During the first week in September, the House Committee on Energy and Commerce plans to hold hearings into the massive power failure that struck the Northeast, Midwest and parts of Canada to determine the likely causes and what can be done to prevent future failures. In a letter, committee Chairman W.J. "Billy" Tauzin (R-La.) requested information on the blackout from all of the utility companies and various industry councils affected.
In addition, officials from the House Committee on Government Reform want to study the security of the national power grid's cyber-based control systems. The concern is that an equally devastating series of failures could be triggered by relatively minor disruptions to the control systems that manage the power grid, a Capitol Hill source said.
Such incidents are exactly what security experts from the IT and energy industries have been warning about for years. The issue came to the forefront during the California energy crisis in 2001. For 17 days, between April 25 and May 11 of that year, hackers managed to remain undetected after they breached the network of the Folsom, Calif.-based California Independent System Operator (ISO), which manages that state's electric grid. Although no damage was reported, officials traced the intrusion back to a system in China.
The problem, however, is that electrical grids such as California ISO's are highly integrated and dependent on other regional grids, and all are managed using technology known as Supervisory Control and Data Acquisition (SCADA) systems. Once highly proprietary, SCADA systems are increasingly being deployed using commercial off-the-shelf technologies that rely on public Internet protocols and connections for ease of management and cost savings, experts said.
"The [energy] sector has always contained security vulnerabilities, but these vulnerabilities have been compounded by the introduction of new networking technologies, deregulation and structural changes in the industry," according to a report released in December by the Institute for Security Technology Studies at Dartmouth College. "There have been dozens of cases where [SCADA] systems -- in the electric power, water, wastewater, oil, gas and paper industries -- have been intentionally or unintentionally impacted by electronic means," the report states.
In addition, testimony received by the institute from utility companies "clearly shows