BY JOSE GRANADO AND JOSH AXELROD, ERNST & YOUNG LLP
The headlines are alarming. The U.S. faces a possible “Cyber Pearl Harbor,” former Defense Secretary Leon Panetta warned in 2012. A cyberattack targeting power plants might prove “life-threatening,” said Janet Napolitano, Homeland Security secretary. Enemies of the U.S. are “seeking the ability to sabotage the power grid,” President Barack Obama said in his State of the Union.
So far, no U.S. power plant has suffered a significant cyberattack, and a growing number of utilities are taking steps to mitigate attacks. Nevertheless, the industry remains too vulnerable.
Utilities are high-value targets. They house a treasure trove of financial data and provide essential services that if disrupted for a prolonged period might trigger civic and economic unrest.
Consider the massive 2003 blackout that left some 50 million people across North America without power for up to four days. Officials said the outage, caused when a sagging power line came into contact with overgrown trees, cost an estimated $6 billion and contributed to 11 deaths. The damage caused by a sophisticated cyberattack could be much worse.
How real is the risk of a debilitating cyberattack to the power and utilities sector? According to a report from information technology (IT) security firm McAfee and the Center for Strategy and International Studies in Washington, DC, small-scale incidents occur routinely. The 2011 report found that 85 percent of executives in the power, oil and gas and water sectors globally experienced network infiltrations, and a quarter reported they had been victims of a network-related extortion.
Many of these executives are bracing for more aggressive, larger-scale attacks. Some 40 percent of those surveyed by McAfee said they expected to face a “major” incident that causes a loss of services for at least 24 hours, loss of life or injuries.
Mandiant, a U.S. cybersecurity firm, reported in 2013 that Chinese military personnel likely hacked into a Canadian company that makes switches and other gear for oil and gas pipelines. That access was cut immediately so the intruders could not take command of the systems.
Designing an effective cybersecurity system for an electric utility is particularly challenging. Utilities are enormously complex entities that depend on various devices and technologies to make the power grid function properly.
As a result, no single off-the-shelf product can address the industry’s cybersecurity concerns. Many providers offer pre-packaged solutions, but such an approach cannot fully consider a utility’s cybersecurity needs. Industry security professionals instead must develop customized techniques that protect legacy technology platforms yet remain flexible enough to respond to the frequent introduction of new devices and equipment.
To further complicate matters, utilities also must protect themselves from attacks caused by well-intentioned staff members who unknowingly cause breaches when downloading software or using file-sharing programs. These actions might introduce harmful malware and viruses to the computer network, possibly causing service disruptions.
Power and utility companies should consider the following when developing a successful approach. First, identify the risk profile. Tailored solutions cannot be devised until the challenge is articulated clearly. Questions to help identify the risk profile of a facility include:
- How does the organization define cybersecurity risk? Does the potential risk affect the business?
- What are the avenues by which such threats might enter our environment?
- How prevalent are the risks in our industry? What have our peers and competitors faced, and what can we learn from those incidents?
- What threats might be invited by the behavior of our own employees? Are our policies about network access clear and effectively communicated?
- How can we align our responses to cybersecurity risk with industry standard security principles, such as ISO 27001/27002 or NIST SP800-53?
After making the determinations, develop a cybersecurity strategy. Steps utilities should consider include:
- Aligning cybersecurity to the organization’s overall IT strategy based on the defined risk profile. This helps build support from company board members and top executives, as well as field managers and other personnel.
- Analyzing the cybersecurity issues unique to operations, supply, procurement, human resources management, etc., and noting areas of difference and integration. Get all parts of the organization working together.
- Rather than focusing on tactics to address possible security breaches, developing a cybersecurity approach based on a broad security principle (a rating of breach tolerance, for instance) that can be achieved via several techniques.
- Not assuming that a large-scale solution, equivalent to a brand-new IT security system, is needed. Additional security controls implemented for your specific technology environment might be as effective.
- Defining the governance and support structure necessary to maintain the solution.
Regulatory, Cost Concerns
The North America Electric Reliability Corp. (NERC) established the critical infrastructure protection (CIP) cybersecurity standards that require designated utility owners and operators to safeguard critical assets that are essential to the operation of the North American bulk power system.
The bulk power system as currently defined, however, excludes facilities below a designated threshold. In some large cities, including New York and Los Angeles, many facilities used for local power distribution are not required to be afforded the protections the NERC CIP standards are intended to provide. Federal regulators are concerned about these exclusions but say there’s little they can do to address the situation. In a 2011 appearance before Congress, a top official with the Federal Energy Regulatory Commission said the organization lacks the legal authority to protect the grid adequately from physical and cyberthreats.
Utilities face additional challenges with cybersecurity regulation, namely cost. Complying with federal standards often is prohibitively expensive. And state regulators have been reluctant to approve rate hikes to help utilities recoup the costs of cybersecurity investments. Utilities must not wait for rate increases or direct government funding before they address their cybersecurity systems. Failing to invest carries too great a risk.
Jose Granado is a principal and security practice leader for Ernst & Young LLP.
Josh Axelrod is a senior manager and power and utilities information security sector lead for Ernst & Young LLP.