A recent poll found that an overwhelming majority of Americans (92%) agree on one thing: the power grid needs better protection. This point of view is understandable. The day before New Year’s 2017, researchers discovered that foreign hackers had infiltrated an internal computer at Vermont utility Burlington Electric.
Thankfully, the attackers did not manage to access the company’s Industrial Control System (ICS) which might have allowed them to wreak havoc on the facility; nevertheless, it raised public concern about the possibility that future attackers might have more luck (or competence).
After all, elsewhere in the world public utilities have already proven susceptible to cyber-terrorism. In 2015, hackers overwrote the firmware on critical devices across 30 power substations in the Ukraine, leading to a loss of power for 230,000 civilians. And recently, as the U.S has gradually shifted to a “Smart Grid” which uses smart equipment to connect power distribution centers, concerns are mounting that the technology will create more security holes.
Proposals and Controversy
It’s clear that there’s an issue, but the answer isn’t so obvious. Earlier this year, the Senate Committee on Energy and Natural Resources attempted to advance a bill that sought – among other things – to retrofit the power grid in order to prevent cyberattacks. According to the bill’s authors, using older forms of power management could make the grid less dependent on devices with security vulnerabilities.
There’s some truth to this. The F.B.I reports that numerous attempts have been made to infiltrate nuclear power stations across the U.S; however, these efforts are never fruitful for the simple reason that vulnerable devices are strictly forbidden from being connected to any vital control mechanisms. Unless a malicious operator is physically present at the station, nothing – in theory – can be sabotaged.
The security community, however, has largely received the Senate’s bill with disappointment, complaining that it will take the U.S power grid backwards at a time when its modernization is more important than ever. James Scott from the Institute for Critical Infrastructure Technology (ICIT) appreciated that solutions were being raised, but also opined,
“Legislation that eschews modern systems in favor of antiquated technologies is a step in the wrong direction because it amounts to significantly crippling the U.S. energy sector instead of addressing the threats.”
A second problem is that the U.S – along with the rest of the world – is trying to reduce dependency on fossil fuels and seek out better ways to produce power, while managing current resources more efficiently. To this end, the Department of Energy (DoE) established the Smart Grid Investment Grant (SGIG) to fund Research and Development (R&D) initiatives in power delivery systems throughout the country.
The Southern Company, an Atlanta-based beneficiary of this grant which serves power to nine million customers, has used that money to fund research in:
- 21st century coal
- Natural gas
- Carbon-free nuclear programs
- Sustainable energy
Opponents to a security strategy that depends on rolling back infrastructure worry that vital R&D initiatives like Southern’s would be thwarted. New technologies may be vulnerable to security risks, but they are also crucial to the DoE’s efforts to push the U.S power grid in the direction of sustainability and environmental friendliness.
Better Practices, Better Reliability
Some experts are less concerned about the possibility of a crippling cyberattack on the U.S power grid for the simple reason that better security practices and infrastructure have made it much safer over the years.
ICS expert Robert M. Lee has worked with power delivery systems in the U.S for many years, and closely studied the Ukrainian attack in 2015. When asked, he expressed optimism about security measures that are already deployed:
“Our regulations and our industry trends have gotten our architecture to a pretty decent place. The passive defenses probably need some work, but we’re getting there.”
Regulations to which he referred presumably includes the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements which apply to public utility operators throughout the country. Areas it addresses include
- Regular risk analysis of protected assets
- Policies to monitor, access and alter configurations for those assets
- Firewall protection and monitoring for security-related events
NERC-CIP is regularly updated, meaning it changes as new technology presents new risks.
Calling in The Experts
For massive utility players like Southern Company, handling this legislation and ensuring regular compliance means hiring experts who can meet minimal requirements while also going the extra mile. And there aren’t many – Lee adds, “There are less than 1,000 ICS cybersecurity professionals worldwide.”
But as the field grows, specialized Infosec providers are able to meet the most pressing needs. Southern turned to Virginia based Securicon, which has a long history of working with the Department of Defense (DoD), and the company was able to implement
- Tiered-access authentication systems to manage data, Operational Technology (OT) and resources
- ICS zoning and segmentation to protect control systems while providing secure access to partners and collaborators
- Creation of specialized architectures, policies and procedures uniquely tailored to Southern Company’s needs
Securicon’s solution has brought Southern into alignment with the latest NERC-CIP requirements, ensuring that its new technology initiatives will remain secure for the long term, and that its existing systems will stay protected from intrusion. No system will ever be completely invulnerable to attack, but the overhaul meets a high bar for safety and reliability.
More importantly, it proves that viable solutions are available to the American public’s mounting concerns regarding the future of the power grid which do not entail crippling R&D progress. As more public utilities take it upon themselves to confront vulnerabilities, legislation can help to ensure that their efforts will become the rule and not the exception.
To that end, ICS professionals and security specialists play a vital role in preventing disasters and moving the U.S power grid in a positive direction. For now, at least, one part of it is as reliable and safe as it has ever been.
Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!