Cyber expertise lacking?

Outsider advises maintaining electro-mechanical isolation

Phil Carson | Jul 13, 2011

Share/Save  

Several items in the cyber security space collided in my in-box and the outcome provided me with a slightly different take on cyber security issues than we typically hear.

First, we learn from studies that cyber security threats are on the rise and that CIOs are skeptical of their utilities' preparedness. (See "CIOs: Cyber Security Threats Increase.") Anecdotally, we hear that CEOs lack a sense of urgency in the matter, demanding proof of the threat.

A glance at headlines from a week ago (if Stuxnet-related headlines have faded from memory) can answer CEO's understandable request: "'Sophisticated' Attack Targets Two Energy Department Labs" related to the Pacific Northwest National Lab and the Jefferson National Lab. That headline merely echoed one from April, "Top Federal Lab Hacked in Spear-Phishing Attack," about Oak Ridge National Lab. We've detailed the abundance of these seemingly cyclical incidents and resulting headlines in "Cyber Threats Grab Headlines" and "Stuxnet's Lessons Learned."

Stuxnet, of course, was shown to attack control systems, notably an Iranian nuclear facility at Natanz, Iran—a new proof point for cyber security concerns among electric utilities, formerly concerned more with IT system security. The national labs suffered more from the business disruption that accompanied their shutdowns of Internet access and email, to isolate and analyze the breach—an IT security breach. Both cases, however, resulted from cyber attacks.

Another piece that hit my desk recently was a Bloomberg News story, "Lockheed Promises Electric-Grid Security."  Lockheed, IBM, Raytheon and Boeing, among others with Department of Defense contracts, are working to "exploit a U.S. push to guard power grids from terrorists and hackers," according to the article.

The Bloomberg piece went on to quote the Government Accountability Office, which issued a report in January stating that smart grid "is vulnerable to attacks that could result in the widespread loss of electrical services essential to maintaining our national economy and security." Further: "Utilities are focusing on regulatory compliance instead of comprehensive security." (You may recall our column, "CIP: Creating a Culture of Compliance?")

So I arranged to speak with a cyber security expert who works for a firm that serves the Department of Defense, but is not involved in providing services to the domestic electric utility industry. Modus Operandi, Inc. works on connecting disparate, human-generated intelligence and reports by using "natural language" science so the massive volume of verbal and written commentary generated by myriad intelligence sources yields actionable responses. The underlying theme between that pursuit and utility security is "information assurance," according to Peter Mozloom, vice president for cyber solutions at Modus Operandi, Inc.

My ensuing conversation with Mozloom touched on some familiar themes and a few fresh conclusions, of which some may seem impractical to Intelligent Utility Daily's audience.

Briefly, Mozloom's  main points: Ample proof of cyber threats exist. Increasing complexity is bringing increased vulnerability. ("Complexity" includes adding intermittent renewable energy sources, Mozloom said.) As utilities "sensor up," particularly on the distribution system, they'll become even more vulnerable. Keeping assets such as distribution substations isolated by sticking with electro-mechanical technology is the best short-term solution for cyber security. Power engineering and cyber people have yet to integrate their expertise to adequately protect their utilities.

Stuxnet's ability to attack control systems (as opposed to IT systems) has implications for distribution system automation, Mozloom said. Attacks through that vector could destabilize power generators, knocking them out of phase and introducing faults across the grid. One solution, that utilities might find impractical:

"I guess I'm old-fashioned," Mozloom said. "I say, 'Keep the electro-mechanical switches. Keep substations manually operated.' Because once you network things, you've basically made it easier for a problem to happen sooner."

Expertise to deal with this threat is nascent, at best, he added.

"The people who've traditionally worked on the power side of the house aren't necessarily information-assurance—the new term is 'cyber security'—experts," said Mozloom. "Likewise, the cyber security folks don't really understand the power side. You're going to need someone somewhere in the middle who can translate for both sides. That's going to take some education on both sides to come up with effective solutions."

The cyber security guidelines by the National Institute for Standards and Technology (NIST) is attempting to bridge that gap, he acknowledged. But the NIST process involved a lot of vendors who ensured that their business model "sweet spots" were addressed, according to Mozloom.

"I think the government has to look at ways that the power companies themselves become educated on information assurance. They're [the utilities] definitely going to have to take baby steps."

As for making an effective case to utility CEOs on cyber threats, Mozloom laughed.

"You're asking what drives fear into the heart of CEOs?" he asked. "Business disruption."

Cyber security will be on the agenda at Energy Central's Knowledge2011 Summit, Nov. 7-9, at Amelia Island, Florida.

Other articles on cyber security:

"Security: Organic Effort Required for Cyber Security"

"Security, Part II: Control Systems and IT Systems"

Security, Part III: Cyber Security Demands End-to-End Thinking" 

"Wanted: Mature Cyber Security Response Plans"

Phil Carson
Editor-in-chief
Intelligent Utility Daily
pcarson@energycentral.com
303-228-4757

 

Related Topics

Comments

The disinterested party...

I too thought is useful to give the floor to a source without a financial stake in his observations.

Another in that category (possibly) is Joe Weiss, principal at Applied Control Solutions, LLC, who wrote in to say that Peter Mozloom was clueless. Weiss went on to repeat many of Mozloom's points, but with finer granularity. Including his point that the real issue is the vulnerability of industrial control systems (ICS) at electric utilities.

I'll present some of Weiss' points in a column tomorrow for our audience to judge.

Regards, Phil Carson

Cyber Security Lacking?

I like this guy, Mozloom!  He is the first "expert" that I have read that is not trying to sell his company's services or software into the rush of Smart-Grid.

He has some very valid points and observations.  The ironic one is the "support" for Smart-Grid standards through NIST that came from IT experts outside the utility industry.  Who would have guessed that our standards would be tuned to the business model that makes money for the IT industry?

This also sounds so familiar.  In the '80's & '90's the utility industry was told that they could not possibly understand competition, because there had never been any.  That got us Enron and the great NorthEast Blackout of 2003.

One of the problems facing utilities today is the shortage of power engineers, since most universities graduate engineers with computer or electronics specialties.  These graduates are smart enough to understand the cyber-issues but need to understand how the power system works, as well. 

There is a tendancy to throw solutions one knows at a problem one does not fully understand.  I am all for progress and improving reliability, but one must always consider the possibility of unintended consequences.