|Forty-one percent of cyber incidents involved the energy sector|
The Bipartisan Policy Center, the Industrial Control Systems Cyber Emergency Response Team, which is part of the U.S. Department of Homeland Security, reports responding to 198 cyber incidents in fiscal year 2012 across all critical infrastructure sectors. Forty-one percent of these incidents involved the energy sector, particularly electricity, according to a February 2014 report. Considering the enormity of the system, it soon becomes clear that 198 events is the very tip of an enormous iceberg.
Greg Foss, senior security research engineer for Boulder, Colo.-based LogRhythm, a security intelligence firm, says “an average breach lasts 480 days before a company knows they’ve been attacked.” He also says that most utilities are slow to address the problem because of upgrade costs, and that “some of them are still running Windows 98.”
There is much talk about creating a “smart grid,” which, according to the Department of Energy is “computerising” the electric utility grid and includes adding two-way digital communication technology to devices associated with it. As DoE says: “Each device on the network can be given sensors to gather data (power meters, voltage sensors, fault detectors, etc.), plus two-way digital communication between the device in the field and the utility’s network operations center.”
A key feature of the smart grid is automation technology that lets the utility adjust and control each individual device or millions of devices from a central location. Therein is the problem.
The whole concept of a SCADA system is that it provides a way to monitor a number of items within one facility, and it has worked so well that many companies run everything into a computer to control all facets of operation.
Much of the equipment in the “smart grid,” including transformers and generators, are operated by SCADA (supervisory control and data acquisition), which is a system that operates with coded signals running over communication channels. The whole concept of a SCADA system is that it provides a way to monitor a number of items within one facility, and it has worked so well that many companies run everything into a computer to control all facets of operation.
“SCADA monitors devices on the grid many times per second and was never intended or designed to have virus protection or security protocols,” says Dave Hunt, an independent homeland security consultant and a founding member of the National InfraGard Electromagnetic Pulse special interest group. In fact, continuous monitoring makes it virtually impossible for a SCADA system to validate a security protocol. Adding to the misery is that an evildoer can purchase a SCADA attack for about $500, not to mention that the systems were designed by engineers, not computer people, so they don’t necessarily communicate well.
These systems are called embedded systems and the bad guys are fighting them hard. According to Daniel Geer, Sc.D, chief technical officer of @Stake, in Cambridge, Mass., “Cyber smart bombs are what nations are working on.” These bombs are designed to attack embedded systems like SCADA. He strongly feels that “Embedded systems either need to have a remote management interface or they need to have a finite lifetime. They cannot be immortal and unfixable because to do so is to guarantee that something bad will happen.” But to change them would cost the utilities more money.
Todd Borandi, CISSP, an industry veteran and information security architect says, “The root to all security issues is the vendor supplying the hardware and software. This equipment is provided by a small group of companies that experience little to no pressure to provide specialized secure software or hardware, which is expected to last more than a decade with little chance of an update. Many of these devices can now be rebooted and even overwritten from anywhere and by anyone.”
He adds that “Another important issue is the idea that regulatory compliance is a sustainable solution to cyber security challenges. Regulatory laws are often slow to implementation and provide little meaningful guidance or enforcement in a dynamic field like technology.”