Infrastructure protection

U.S. power plants, utilities face growing cyber vulnerability

Published 19 August 2013

American power plants and utility companies face a growing cyber vulnerability. No U.S. power plant has so far suffered a significant cyberattack, even if small-scale attacks are nearly constant, but experts say preventative actions must be taken to ensure safety. Utilities provide services which, if disrupted for long periods of time, may result in economic chaos and may even lead to social unrest.

American power plants and utility companies face a growing cyber vulnerability. No U.S. power plant has so far suffered a significant cyberattack, but experts say preventative actions must be taken to ensure safety.

Utilities provide services which, if disrupted for long periods of time, may result in economic chaos and may even lead to social unrest. Consider the 2003 blackout, which left about fifty million people across North America without electricity for about four hours. That outage, caused by a sagging power line coming in contact with overgrown trees, cost $6 billion.

A cyberattack intended to create chaos could inflict far greater economic damage, and cost lives.

Electric Light & Power reports that a 2011 report from McAfee and the Center for Strategic and International Studies (CSIS) in Washington, D.C., states that small-scale attacks occur often. According to the report, 85 percent of executives in the power, oil and gas, and water sectors experienced network infiltrations, and 25 percent reported they had been victims of network-related extortion.

Power and utility firms are implementing solutions to prevent and thwart cyberattacks, but security professionals who design cybersecurity systems face several challenges. Utilities are complex systems depending on a variety of instruments and technologies. No pre-packaged solution or off-the-shelf product can fully secure a utility or solve its cybersecurity needs. Security professionals must thus implement customized solutions which are unique to each utility’s systems. These solutions must protect established technology platforms yet remain flexible enough to adapt to new devices and technologies. Utilities must also consider cyberattacks as both external and internal concerns. Security solutions must therefore protect against staff mishandling of technologies, from downloading software to using file-sharing programs which can expose utility operations to malware and viruses.

Writing in ELP, Jose Granado and Josh Axelrod — principal and security practice leader, and senior manager and power and utilities information security sector, respectively, at Ernst & Young LLP — suggest that when power and utility companies develop a cybersecurity solution, they should consider the following questions to help identify the risk profile of a facility:

  • How does the organization define cybersecurity risk? Does the potential risk affect the business?
  • What are the avenues by which such threats might enter the organization’s environment?
  • How prevalent are the risks in the industry in which the organization operates? What have the organization’s peers and competitors faced, and what can the organization learn from those incidents?
  • What threats might be invited by the behavior of the organization’s own employees? Are the organization’s policies about network access clear and effectively communicated?
  • How can the organization align its responses to cybersecurity risk with industry standard security principles, such as ISO 27001/27002 or NIST SP800-53?

After making the determinations, the organization should develop a cybersecurity strategy. Steps utilities should consider include:

  • Align cybersecurity to the organization’s overall IT strategy based on the defined risk profile. This helps build support from company board members and top executives, as well as field managers and other personnel.
  • Analyze the cybersecurity issues unique to operations, supply, procurement, human resources management, etc., and note areas of difference and integration.
  • Get all parts of the organization working together.
  • Rather than focus on tactics to address possible security breaches, develop a cybersecurity approach based on a broad security principle — a rating of breach tolerance, for instance — that can be achieved via several techniques.
  • Do not assume that a large-scale solution, equivalent to a brand-new IT security system, is needed. Additional security controls implemented for your specific technology environment might be as effective.
  • Define the governance and support structure necessary to maintain the solution.

Regulatory and cost concerns cannot be ignored when developing a cybersecurity system. Utilities and power companies face high costs when investing in cybersecurity solutions, and state regulators have not been willing to approve rate hikes to help utilities cover the cost of these investments. Utilities and power companies must not allow lack of government funding or lack of rate increases to undermine security investments, because the costs of not investing in cybersecurity are far too great.