U.S. power grid remains vulnerable

Published 15 November 2007

As was the case with the chemical industry, the lobbyists for the utilities have blocked meaningful reform and left the North American power grid exceedingly vulnerable

You may recall the video from the Department of Energy’s (DOE) Idaho National Labs showing footage of a simulated cyberattack which managed to subvert physical controls at a power station and blow up a turbine. As we mentioned in an article three weeks ago, there were debates following the airing of the video on CNN as to whether the tape depicted reality or, rather, somewhat stylized, simulated conditions. The debate is interesting, but as eWeek’s Lisa Vaas wrote a couple of weeks ago, the more important point is that experts have known about the security problems of the control systems in the U.S. electric power infrastructure for years (also see Vaas’s earlier discussion of the subject). Joe Weiss, an expert on control system cyber-security and managing director of Applied Control Solutions, says that one of the biggest hurdles to doing something meaningful about this vulnerability is that the federal regulatory agency in charge — the Federal Energy Regulatory Commission (FERC) — has absolutely no power to mandate change in the industry. Add to that the unsurprising fact that the industry itself does not want to spend the money to beef up its security procedures, and the dearth of skilled individuals who can deal with the antiquated control systems. Weiss says that when it comes to security, the control system industry is some twenty years behind the IT industry.

Vaas interviewed Weiss on the topic of the security of the power grid’s control systems; here are some of the questions and answers:

Vaas: How realistic is the scenario of doom and gloom painted by the Idaho video?

Weiss: That video was completely reflective of what’s out there. That’s why people are concerned. [The vulnerability demonstrated in the tape] is an important vulnerability. This is not the only important vulnerability. This just happens to be one. The issue is that this is very, very much representative of what’s out there. The labs have been demonstrating vulnerabilities for years. They just haven’t made a tape showing how they could blow up a machine. Because it was released to CNN, that’s why everybody is going ape.

Vaas: What makes the systems that control electric power so prone to cyber-security risk?

Weiss: There are numerous alarms and interlocks to make it obvious to the operator if something is going wrong. What we’ve normally done is we’ve focused on physical things. Is the temperature going up? Is the pressure going up? Is the fluid level going down? … What we’ve never tried to do is ask ourselves, Did anybody try to do that? We’ve never looked at communication. We focus on physical things: pressure, temperature, levels, flows. Not somebody sending something to try to create that. That’s what makes this different and difficult. This isn’t trivial. These systems were designed and developed years ago, before there was ever any reason to think about security. They were developed to be reliable and available and efficient. What’s worse, security will drive them in the wrong direction. We need to have systems talking to each other. These things have to be responsive immediately. The more you secure things, the less they can talk and the more time it takes. It goes in the opposite direction.

Vaas: What are we doing wrong when it comes to securing these systems?

Weiss: The operator interfaces — where you see pictures of control rooms and whatever — the screens, that’s Windows. Or Unix. Or Linux. You can secure that the way you’re used to having systems secured. The devices that basically feed those interfaces — the actual controllers, the sensors, the things in the field