Larry Ness
Contact Information: 2011 Cedar Springs Road, Suite 606

11.15.02

Is Something Missing in Utility Security?
Because of heightened security requirements within the United States and the volatility of the business environment, utilities see the need to move quickly to secure their service and to assure their clients and customers that they can depend on their utility.

According to a number of government agencies and national security experts, the utility/energy industry is vulnerable and ranks high on the list of potential terrorist targets. That said, utility executives struggle to improve the security of forty- to fifty-year-old infrastructures that were not built with security in mind, while also dealing with deregulation, additional state and federal regulations, and the big question: how to pay for it all with the economy slipping? Utilities are constantly reminded of how easy it is to access their facilities and control systems. We have all heard that it is impossible to protect a utility because of its remote facilities and infrastructure. We have also heard that an attack on the utility industry, or the use of utilities as an instrument of terror, could have devastating effects on our nation, our citizens, and the economy. And there is the argument that a utility cannot be protected 100% from an attack, whether a cyber attack or an attack on a facility or infrastructure. No utility can be made totally secure, and we all know that; making it tough to penetrate, however, is possible.

A number of state regulators are looking at, and some are requiring, security assessments at utility facilities. This must be done before a utility can request a rate adjustment to pay for security. Many utilities have security assessments done as a regular course of business and put the recommended improvements in place. The majority are struggling to commit revenue to improvements and enhancements without compromising productivity and day-to-day operations. Many utilities look only at physical and cyber security and settle for improving those areas. A professional security assessment addresses physical and cyber security, SCADA and DCS systems, communications security, grid security, distribution security, generation security, and biological/chemical issues, including an anthrax assessment. The assessment team (usually consultants) needs recognized security experts as well as technical experts who have worked in the utility industry. Conducting an assessment is one thing; producing sound solutions and meaningful results is paramount. A professional assessment team should know current technologies and be able to recommend financially viable options for implementing solutions.

A developing trend is the "security collaborative", in which several utilities share the cost of an assessment and have it conducted on a number of facilities at the same time.

The utility industry has always been very community oriented and prides itself on employing only the best; it is not uncommon for a utility employee to have fifteen to twenty years of service. When utilities are confronted with pre-employment screening or security checks on vendors, there is frequently push back: "we have known these folks for years". With pockets or cells of terrorists living in the United States, once unthinkable but now a probability, not to mention the everyday criminal, it becomes critical to screen every new employee and vendor to ensure they are who they say they are.

As utilities move into this new era of security, the adoption of sound security policies, procedures, and guidelines is of the utmost importance, along with an updated "Crisis Management Plan" that addresses the new scenarios that could occur at a utility. Development of the plan needs to include federal, state, and local law enforcement and emergency services personnel, to ensure all bases are covered before, during, and after an incident.

As recent news stories confirm, for a security plan to be as successful as possible it is critical to create a security culture at all levels of a utility, from the CEO on down. This can be accomplished through on-the-job training seminars put on by a security professional in conjunction with law enforcement. The more eyes and ears the utility has, coupled with people trained on what to look for, the greater the chances of a successful security program.

When oil dips to $17.00 per barrel, oil executives begin to panic over the loss of revenue. When the price at the pump climbs to $2.00 per gallon, the consumer starts to think about rebellion. The simple truth is that the utility/energy sector operates like a Swiss watch: damage one small component and the watch ceases to function. Destroy a major refinery, severely damage the natural gas delivery system, sink the tankers, successfully conduct a cyber attack on telecommunications and electricity delivery grids, sicken the people who keep the system functioning, and then attack. Those are the scenarios that can cause the finely tuned system to cascade into catastrophic collapse.

Understanding the threat and knowing your vulnerabilities are only part of the answer to these troubling questions. Knowing how to plan for the worst-case scenario, and building that plan, takes time and skill. The skill exists, but do we have the time?
Comments

****
Larry, congratulations on a very interesting article. We should be sending out the "plan for security" message as much as possible. Too many organisations see security as an overhead and rely on the "it won't happen to us" mentality. We, at Micronage, are particularly concerned with computer security (i.e. the data held on computers or in databases falling into the wrong hands and being manipulated for illegal purposes). To this extent purely criminal intentions come to the fore. Imagine the mayhem there will be when some unscrupulous person hacks into a utility database and releases all the customer credit information. There will be lawyers everywhere... and that's got to be as bad as terrorists!!
Joel Gordes
Larry, this was an excellent assessment of the state of the utility industry but, as Richard Clarke, cyber advisor to Clinton and now Bush, said a few years ago to some executives, "you are still in a state of denial." This became glaringly true to me a few weeks ago. I was discussing with a Fortune 500 utility CEO the potential for a cyberattack on the utility grid, either through hacking/intrusion and/or the use of flux compression generators against ISO facilities, and he barked back that "that can't happen." I think we need to mount a massive educational effort to better inform such top "leaders" that it can happen and that they need to become proactive in designing systems to prevent what could be massive damage.
Terry Meyer
Utilities are in denial and won't get real security until they are dragged into it kicking and screaming. And why should they? Where's the incentive? For now they can all point to each other and say they're at the industry standard, just like American Airlines did before 9/11/01. And, just like the airlines, when it comes time to get security, they'll be just as happy as the airlines to settle for the APPEARANCE of security at taxpayer expense.

Nothing will be done about true security until there is true financial liability on the scale of the terrorism: if the survivors of the victims of the lapse in airline security were to be awarded HUGE settlements (commensurate with loss of life) from the airlines, it would send a message to all industries that security (or lawsuits from lack of security) is part of the cost of doing business, and Big Business would have to wake up and smell the coffee instead of sitting back on corporate welfare, subsidized profits and socialized security. Make losers of all lawsuits pay all the expenses, legal fees, and court costs of the winner. If Big Business decides to quantify this cost of doing business through insurance, there is a whole industry waiting to do business with them.

Terry Meyer
****
I found the article by Mr. Ness very interesting and thought provoking. I have only been involved with utility security for a relatively short period in comparison to my 25 plus years in the industry. What we are facing today, in my opinion, is not unique. In actuality it is a knee-jerk reaction to a terrible event which the majority felt could not happen here. The reality is that improved security (which still needs to be defined) is not going to happen overnight. It will be a gradual process that will utilize risk management tools and not the more common risk avoidance methods. Security practitioners will be more successful if they take the time to listen and understand the business. We need to work the problem, seek to achieve meaningful/practical results, and be consistent (as best we can) in our applications. Yes, there need to be standards, but they should be workable and fundamental in nature. Above all they should be developed by those who have experience in the business. Larry, a good article that should be read by more.
Alan Love
Larry's paper is very timely. I used to work in a power utility for a while and now I have been working purely in the internet information security area. In my point of view, hackers (with currently normal hacking knowledge) can access the control information without too much difficulty. This information can be sniffed, tampered with and sent anywhere they want. This indicates that utility communication needs to be hardened and secured in no time. However, as I talked to the leaders and experts in utilities, they would like to neglect the cyber threats compared to physical attack threats (e.g., bombings of dams, substations, etc.), which shows information security knowledge lags among them. If Larry can demonstrate some real cases of utilities under hacking, that will impress more people in utilities.