Power grid cybersecurity: $60 piece of software could bring mass chaos

If your power went out and everything stayed down, could you envision chaos and rioting? We've heard chaos and cyber mayhem tossed about frequently in the last couple weeks, so it may come as no surprise that Pike Research reported [PDF], "Utility cybersecurity is in a state of near chaos." While Pike estimated $14 billion will be pumped into the smart grid from now through 2018, with 63% of that for control system security, a "$60 piece of software can bypass an entire defense-in-depth implementation."


If 'security is bolted on' to the aging elements of the smart grid, securing these legacy systems would require "a substantial backward looking research project," reported Pike Research [PDF].  "Sophisticated attackers will look for holes in between secure components."

Security-by-obscurity is not going to cut it. Homeland Security warned that with all the hacking conferences and common pen testing software, the industrial control systems that are connected directly to the Internet could be easily located and hackvists could point, click and destroy. DHS was not talking about hackers with mad skills either, instead it could be "accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations."

"The threat is not science fiction," Digital Communities reported. A staged attacked was released as a video, showing, "an electrical power generator is hacked and damaged remotely." While this was way back in 2007, DHS acknowledged the "experiment involved controlled hacking into a replica of a power plant's control system." Kenneth Van Meter, Lockheed Martin's general manager of Energy and Cyber Services, warned, "By the end of 2015 we will have 440 million new hackable points on the grid." Pike Research concluded that power grid cybersecurity is "way behind," and "cybersecurity for industrial control systems (ICS) will grow faster than security for smart meters."

In fact, Pike's Utility Cyber Security [PDF] stated that the lack of enforceable smart grid security standard requirements "leads to a scene of mass chaos in utility cybersecurity....It is possible to have a "system in which 100% of the components are secured, but the system as a whole is not secure at all. Cybersecurity works to protect a whole entity and attackers look for holes. The strongest adversaries are not going to waste time attacking a component device that is known to be a fortress. One cyber defense expert said, 'Do not fear hackers. Fear engineers who hack.' Security is only as strong as its weakest link and the best attackers know instinctively to look for that weak link."

Mark Weatherford, vice president and chief security officer, North American Electric Reliability Corp, believes, "The interoperable design of smart grids, unless carefully planned and operated, can provide avenues for intentional cyber-attack or the unintentional introduction of errors that impact bulk power system reliability." He's not alone in saying the cybersecurity dangers to the grid are neither hyperbole nor sci fi.

After nature got vicious and electricity was snuffed by Tropical Storm Irene and then the snowstorm this Halloween, 1 million Connecticut homes and businesses sat in the dark on two different occasions. Hartford Business reported, "Cybersecurity of the power grid is an often overlooked issue that could bring Connecticut, New England and possibly the country to its knees." Joel Gordes, president of West Hartford consultant Environmental Energy Solutions, said, "Our entire society is dependent on two things: electricity and telecommunications. It makes us vulnerable. Remember, we are linked into one large grid, so if one goes down, it could all cascade." Where would that take us but chaos?

Stuxnet showed, 'assume nothing' and 'security by obscurity will no longer be acceptable'. Now there's a potential new threat, the son of Stuxnet, Duqu, and cybersecurity experts are worried there may be other more malicious worms on the way. Gordes stated, "That is it in a nutshell; be scared, be very scared. You can trim the trees all you want, but this is a big concern." For now, cyberwarriors will take on the daunting challenge of stopping cyberspies and cyber mayhem, including protecting the grid; and America's infrastructure is pretty darn important.

The protection to critical infrastructure will be tested and measured this week, November 15-17. The Smart Grid Security blog reported that this grid security exercise will "test NERC's and the electricity industry's crisis response plans, and validate current readiness in response to a cyber incident. The exercise also will serve as an opportunity to enhance collaboration and strengthen industry security processes and capabilities." There is also a request for public comment on NIST  Framework and Roadmap for Smart Grid Interoperability Standards since "everyone with a stake in the new grid" — utilities, manufacturers, equipment testers and regulators all must "have a common understanding of its major building blocks and how they interrelate."

Copyright © 2011 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon