Talking about secret stuff
The juxtaposition was hard to miss: a front-page article in The New York Times on a subject typically treated in hushed tones in windowless rooms.
"Survey finds growing fear of cyberattacks" (Jan. 28, 2010, NYT)
Of course, surveys are malleable tools and "fears" can be based on fact or perception. But the salient details of this survey drew my attention and, likely, others', as it was conducted by the credible Center for Strategic and International Studies, commissioned by McAfee, maker of anti-virus software, and the respondents were chief information officers (CIOs).
The report focused on cyberattacks on "critical infrastructure," which includes a full spectrum of advanced industries, all of which need to address this challenge. So this threat and the need to meet it is hardly unique to the electric utility industry, which has taken myriad steps. Still, the new survey had disturbing insights generated by CIOs.
Eighty percent of the respondents (600 IT executives in 14 countries, 100 in the United States) said they work in organizations that depend on systems using Internet Protocol and the report concluded that that presented "troubling vulnerabilities." Half the respondents said they'd already been the subject of sophisticated attacks, which they "believed" were made by foreign governments. The United States was named as one of the most vulnerable countries and as the likeliest source of attacks. (I'm not implying that those two perceptions are linked, just joining them in one sentence.)
Forty percent of respondents said they expected a major cyber security incident lasting more than a day and resulting in death(s) and/or failure of a company within the coming year. Fully 80 percent had this expectation for the next five years.
The respondents in this survey, as CIOs, would appear to be in a position to know about measures taken and ongoing cyber security incidents.
Despite progress within the electric utility industry with the North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards, however, headlines still are being generated that make me wonder if we're satisfied with our strategy and now merely in the execution phase. Or does the issue remain thorny? A few recent headllines:
"Organizing cyber security efforts remains key challenge" (Jan. 27, 2010, NextGov)
"Debate heats up over cyber security regulations for electric utilities" (Oct. 27, 2009, NextGov)
This week's news and the headlines above are not necessarily surprising to readers of Intelligent Utility magazine. Our Nov/Dec 2009 issue carried a report on offensive and defensive strategies in the "nitty gritty" of cyber security. And a webcast earlier this month, moderated by H. Christine Richards, vice president, Intelligent Utility Division, and editor-in-chief, Intelligent Utility magazine, delved into the topic.
The one specific statement I remember from the webcast came from a participant who said that, obviously, he couldn't get into any specifics. Not that I could have followed a specific conversation without getting mired in the, well, specifics.
In a complex world, one would like to hope that smart people in a position to understand the risks and affect outcomes are diligently working to meet such challenges. Has that happened in the electric utility industry and it's just invisible to outside observers? Or does this remain as big a challenge as the new survey makes it appear?
Disruptions to the electrical grid can happen for a lot of reasons -- see the 2003 Northeast blackout and the California energy crisis of 2000 to 2001. Have we sufficiently addressed the myriad and still-debated causes of those two debacles? Those were not cyber security events, obviously, but the outcomes were the dreams of cyberattackers.
The actual record of cyberattacks on U.S. electric utilities and how they were dealt with remains a closed book of tightly guarded secrets. Recognizing that specifics are out of the question, I'd appreciate it if readers would share their thoughts on "how to think about" cyber security for the electric utility industry.
Intelligent Utility Daily