Cyber expertise lacking?
Outsider advises maintaining electro-mechanical isolation
Several items in the cyber security space collided in my in-box and the outcome provided me with a slightly different take on cyber security issues than we typically hear.
First, we learn from studies that cyber security threats are on the rise and that CIOs are skeptical of their utilities' preparedness. (See "CIOs: Cyber Security Threats Increase.") Anecdotally, we hear that CEOs lack a sense of urgency in the matter, demanding proof of the threat.
A glance at headlines from a week ago (if Stuxnet-related headlines have faded from memory) can answer the CEOs' understandable request: "'Sophisticated' Attack Targets Two Energy Department Labs" related to the Pacific Northwest National Lab and the Jefferson National Lab. That headline merely echoed one from April, "Top Federal Lab Hacked in Spear-Phishing Attack," about Oak Ridge National Lab. We've detailed the abundance of these seemingly cyclical incidents and resulting headlines in "Cyber Threats Grab Headlines" and "Stuxnet's Lessons Learned."
Stuxnet, of course, was shown to attack control systems, notably an Iranian nuclear facility at Natanz, Iran—a new proof point for cyber security concerns among electric utilities, formerly concerned more with IT system security. The national labs suffered more from the business disruption that accompanied their shutdowns of Internet access and email, to isolate and analyze the breach—an IT security breach. Both cases, however, resulted from cyber attacks.
Another piece that hit my desk recently was a Bloomberg News story, "Lockheed Promises Electric-Grid Security." Lockheed, IBM, Raytheon and Boeing, among others with Department of Defense contracts, are working to "exploit a U.S. push to guard power grids from terrorists and hackers," according to the article.
The Bloomberg piece went on to quote the Government Accountability Office, which issued a report in January stating that smart grid "is vulnerable to attacks that could result in the widespread loss of electrical services essential to maintaining our national economy and security." Further: "Utilities are focusing on regulatory compliance instead of comprehensive security." (You may recall our column, "CIP: Creating a Culture of Compliance?")
So I arranged to speak with a cyber security expert who works for a firm that serves the Department of Defense, but is not involved in providing services to the domestic electric utility industry. Modus Operandi, Inc. works on connecting disparate, human-generated intelligence and reports by using "natural language" science so the massive volume of verbal and written commentary generated by myriad intelligence sources yields actionable responses. The underlying theme between that pursuit and utility security is "information assurance," according to Peter Mozloom, vice president for cyber solutions at Modus Operandi, Inc.
My ensuing conversation with Mozloom touched on some familiar themes and a few fresh conclusions, of which some may seem impractical to Intelligent Utility Daily's audience.
Briefly, Mozloom's main points: Ample proof of cyber threats exists. Increasing complexity is bringing increased vulnerability. ("Complexity" includes adding intermittent renewable energy sources, Mozloom said.) As utilities "sensor up," particularly on the distribution system, they'll become even more vulnerable. Keeping assets such as distribution substations isolated by sticking with electro-mechanical technology is the best short-term solution for cyber security. Power engineering and cyber people have yet to integrate their expertise to adequately protect their utilities.
Stuxnet's ability to attack control systems (as opposed to IT systems) has implications for distribution system automation, Mozloom said. Attacks through that vector could destabilize power generators, knocking them out of phase and introducing faults across the grid. One solution, which utilities might find impractical:
"I guess I'm old-fashioned," Mozloom said. "I say, 'Keep the electro-mechanical switches. Keep substations manually operated.' Because once you network things, you've basically made it easier for a problem to happen sooner."
Expertise to deal with this threat is nascent, at best, he added.
"The people who've traditionally worked on the power side of the house aren't necessarily information-assurance—the new term is 'cyber security'—experts," said Mozloom. "Likewise, the cyber security folks don't really understand the power side. You're going to need someone somewhere in the middle who can translate for both sides. That's going to take some education on both sides to come up with effective solutions."
The cyber security guidelines from the National Institute of Standards and Technology (NIST) attempt to bridge that gap, he acknowledged. But the NIST process involved a lot of vendors who ensured that their business model "sweet spots" were addressed, according to Mozloom.
"I think the government has to look at ways that the power companies themselves become educated on information assurance. They're [the utilities] definitely going to have to take baby steps."
As for making an effective case to utility CEOs on cyber threats, Mozloom laughed.
"You're asking what drives fear into the heart of CEOs?" he asked. "Business disruption."
Cyber security will be on the agenda at Energy Central's Knowledge2011 Summit, Nov. 7-9, at Amelia Island, Florida.
Other articles on cyber security:
"Security: Organic Effort Required for Cyber Security"
"Security, Part II: Control Systems and IT Systems"
"Security, Part III: Cyber Security Demands End-to-End Thinking"
"Wanted: Mature Cyber Security Response Plans"
Intelligent Utility Daily