IT security in energy sector to come under scrutiny

Massive blackout highlights need for better security protections

WASHINGTON -- As the blame game continues surrounding Aug. 14's regional blackout, Congress is planning a series of hearings not only to find out what caused the cascading power failure but also to examine a pressing security issue that experts have been warning of for years: the power grid's vulnerability to intentional cyber-based disruptions.

During the first week in September, the House Committee on Energy and Commerce plans to hold hearings into the massive power failure that struck the Northeast, Midwest and parts of Canada to determine the likely causes and what can be done to prevent future failures. In a letter, committee Chairman W.J. "Billy" Tauzin (R-La.) requested information on the blackout from all of the utility companies and various industry councils affected.

In addition, officials from the House Committee on Government Reform want to study the security of the national power grid's cyber-based control systems. The concern is that an equally devastating series of failures could be triggered by relatively minor disruptions to the control systems that manage the power grid, a Capitol Hill source said.

Such incidents are exactly what security experts from the IT and energy industries have been warning about for years. The issue came to the forefront during the California energy crisis in 2001. For 17 days, between April 25 and May 11 of that year, hackers managed to remain undetected after they breached the network of the Folsom, Calif.-based California Independent System Operator (ISO), which manages that state's electric grid. Although no damage was reported, officials traced the intrusion back to a system in China (see story).

The problem, however, is that electrical grids such as California ISO's are highly integrated and dependent on other regional grids, and all are managed using technology known as Supervisory Control and Data Acquisition (SCADA) systems. Once highly proprietary, SCADA systems are increasingly being deployed using commercial off-the-shelf technologies that rely on public Internet protocols and connections for ease of management and cost savings, experts said.

"The [energy] sector has always contained security vulnerabilities, but these vulnerabilities have been compounded by the introduction of new networking technologies, deregulation and structural changes in the industry," according to a report released in December by the Institute for Security Technology Studies at Dartmouth College. "There have been dozens of cases where [SCADA] systems -- in the electric power, water, wastewater, oil, gas and paper industries -- have been intentionally or unintentionally impacted by electronic means," the report states.

In addition, testimony received by the institute from utility companies "clearly shows that the electric energy sector is vulnerable to cyber impacts, and indications are that terrorists, hostile nation-states or malicious computer hackers pose a threat to the sector," said the report.

"More coordinated attacks against regional power networks are also possible in light of current vulnerabilities," the Dartmouth institute's study concludes. "Attacks that in some way disrupt the national power grid appear possible, but too little information is currently available to accurately assess the potential impact of cyberattacks on the national grid. Therefore, it is imperative to support and expand testing and research in this area."

In an interview shortly after the blackout, Howard Schmidt, former chairman of the President's Critical Infrastructure Protection Board and now chief security officer at eBay Inc., said the IT security technology capable of protecting real-time control systems, such as SCADA systems, from hackers doesn't yet exist. Commercial technologies, such as firewall systems, aren't capable of operating in the real-time control environment of the power grid, said Schmidt.

"It is an urgent research and development issue that was put in the National Strategy to Secure Cyberspace and one that can help mitigate the vulnerability," Schmidt said.

As part of that national strategy, released by the Bush administration on Feb. 14, Schmidt and his former boss, Richard Clarke, recommended a robust R&D program in SCADA system encryption and authentication. But responsibility for that program was assigned to the Office of Science & Technology Policy (OSTP), which senior sources at the National Security Council (NSC) have criticized for ignoring the SCADA system problem.

"Some of the people [at OSTP] we dealt with were in denial," said a former senior NSC staffer who spoke on condition of anonymity. "Some went so far as to say that regional power outages would not be a big issue."

Schmidt, however, said he fears that future terrorist-induced power failures could result in U.S. fatalities, especially if such failures are followed by coordinated suicide bombings or chemical attacks in the streets of major cities, where tens of thousands of people coalesced during Thursday's blackout. "We know from computers that were seized so far during the war on terrorism that these groups have been studying the vulnerabilities of SCADA systems," Schmidt said.

First Energy was hit by slammer in January

Meanwhile, a spokesman for Akron, Ohio-based First Energy Corp., which is under scrutiny for possibly being the site of the root cause of the blackout, told the Associated Press today that in January the Slammer worm had infected the utility's main computer network as well as computers at its Davis-Besse nuclear plant. However, the spokesman said the worm did not infect any sensitive control systems.

In an interview after the blackout, First Energy CIO Ali Jamshidi said the company's corporate IT systems operated flawlessly throughout the crisis.

"To withstand the kind of outage we had was tremendous and a testament to the investment we've made in disaster recovery," said Jamshidi said. "We had no applications down, no customer calls that we could not answer, and we knew where all of our outages were."

Copyright © 2003 IDG Communications, Inc.

  
Shop Tech Products at Amazon