Security, Part II: control systems and IT systems
EPRI expert offers guidance on issues, how to proceed
Editor's note: This is the second installment of a three-part series on cyber security that began Friday and concludes tomorrow.
In Part I of my conversation with Annabelle Lee, a technical executive for cyber security at the Electric Power Research Institute (EPRI) and formerly a senior cyber security strategist at the National Institute of Standards and Technology (NIST), we discussed the differences between mandates (NERC CIP, e.g.) and non-prescriptive guidelines, such as the NISTIR 7628, "Guidelines for Smart Grid Cyber Security" (here are links to Volume One, Volume Two, Volume Three) that she coordinated. We also discussed cyber security as one aspect of overall risk management in support of business continuity.
Today we're delving into the Stuxnet virus as proof that control systems are vulnerable, the differences in securing IT systems and control systems and the shift in mindset that needs to accompany the shift from an analog, electro-mechanical world to a digital, ICT-based world. The third part, which runs tomorrow, will look at a step-by-step process to put this discussion in context and offer guidance on cyber security measures.
"Stuxnet established the importance of cyber security to control systems," Lee told me. "Stuxnet is one of the few times where a control system was compromised with a very sophisticated attack. That got a lot of attention and demonstrated that control systems are vulnerable."
(For background, see my column "Stuxnet's Lessons Learned.")
"We need to get organizations to look at cyber security from a control system perspective—not an IT perspective," Lee explained. "There are distinct differences between the two. There are some requirements that are applied to an IT system, that in my opinion, should never be put on a control system. In many organizations—those that deal with IT systems and those that deal with control systems—are different groups. Organizations need to get those groups together to figure out what makes sense for control systems and what makes sense for IT systems."
This is one area where the logic of CIA—confidentiality, integrity, availability—comes into play.
"For IT systems, typically the most important objectives are confidentiality and integrity," Lee said. "For control systems, the primary objectives are integrity and availability. That's a generalization, but typically true.In the electric sector, people know what the commands are—turn it on, turn it off, measure this, measure that. So confidentiality is not important. You need, instead, to ensure the integrity and availability of that information. You want to make sure that whatever command you're sending to a device is the correct one. And that command needs to get there when you want to do something. When you get into meters, then the confidentiality of the data is important."
Cyber security thinking has accelerated, in general, due to the industry's shift from analog, electro-mechanical technologies to digital, IT and telecom (ICT) technologies, and in particular from the distribution of American Recovery and Reinvestment Act grants, according to Lee.
"If you look at analog equipment, you can see why people are reluctant to give it up," Lee said. "You don't have the cyber security issues that you do with the digital technologies."
One major issue from the security standpoint is access control. One unprotected access point on an interconnected system can imperil many systems. Another issue: the life cycle for ICT technologies is typically six months to two years. This is different from an industry accustomed to assets—the proverbial "iron in the ground"—that are 40-50 years old.
"This issue isn't just applicable to the electric sector," Lee said. "Other critical infrastructures have similar life cycles and devices and products that are decades old.
"In talking to IT and telecom people, for instance, they say 'you've got electric meters that get replaced every three or four years.' Utilities say 'no'—they're looking at getting 10 to 15 years of service on those devices. It's a different mindset and we need to figure out how to overlay an ICT approach to an infrastructure that's very conservative and has a wholly different idea of life cycles for products. I don't have an answer on that one," Lee concluded.
Cyber security will be on the agenda this fall at Energy Central's Knowledge2011 conference in Amelia Island, Florida, Nov. 7-9.
Readers may also be interested in our past cyber security coverage:
Intelligent Utility Daily