Vulnerability of infrastructure control systems is growing

Bearded terrorists or violent lunatics vowing to destroy Western civilization are one thing. Silent and stealthy computer hackers who can whittle away at the nation’s critical infrastructure are another. Federal and industry experts say that the technology which allows utilities to run their operations is more vulnerable now than ever before. EnergyBiz Insider Ken Silverstein writes that because these networks are becoming increasingly standardized and linked to other centralized systems, they can be more easily breached and the resulting disturbances can be enormous. The spotlight is on control systems, which can be used to manage and run the generation, transmission, and distribution of electric power. Basically, that hardware and software collects operational data from the field before processing and displaying it. That information is then relayed to local or remote equipment. “Over the past few years, federal agencies have initiated efforts to improve the security of critical infrastructure control systems,” says Greg Wilshusen, director of information systems for the Government Accountability Office (GAO). “However, there is as yet no overall strategy to coordinate the various activities across federal agencies and the private sector. Further, the Department of Homeland Security (DHS) lacks processes needed to address specific weaknesses in sharing information on control system vulnerabilities.”

Silverstein suggest we consider the Browns Ferry nuclear plant in Alabama: In August 2006 two recirculation pumps at Unit 3 tripped and forced the unit to be manually shut down. The loss of the pumps was then traced to excessive traffic on the control systems, possibly caused by the failure of another device. “Therein illustrates the agency’s point, which is networks are more susceptible to attack — whether intentional or not — as they become increasingly interwoven through the Internet,” he writes. In 2003 the National Strategy to Secure Cyberspace reported that the disruption of control systems could have significant consequences for public health and safety and made securing these systems a national priority. It then directed homeland security and the Department of Energy to work with industry to increase awareness and to recommend steps to safeguard the nation’s computer networks. Congress had asked the accountability office to make further suggestions. At a congressional hearing recently held, it suggested that the DHS develop performance measures and overall goals. It also said DHS should establish a rapid and secure process for sharing sensitive control system information with vendors, owners and operators. For its part, the electricity industry has recently implemented standards for cyber security while a gas trade association is preparing guidance for members to use encryption to secure control systems.

Silverstien covers more incidents and initiatives, and concludes:

Much has been done. And more is necessary. But, now, federal and state policymakers are beginning to get in sync with industry to create protocols to deter the disruption of critical infrastructure. According to the experts, vigilance, communication and coordination are the keys to staying one-step ahead.