by Kristen Wright, senior editor
It’s no secret that U.S. electric grid operators are concerned about cybersecurity. In February, The Wall Street Journal cited unnamed sources who said National Security Agency Director Keith Alexander warned during White House meetings and private sessions that the hacking group Anonymous could bring down the U.S. electric grid within a year or two.
An NSA representative declined to comment on the matter in an email to Electric Light & Power.
Anonymous, whose members frequently wear a Guy Fawkes mask-the one most recently popularized by the 2005 film “V for Vendetta”-when representing the group in public, has claimed responsibility for having hacked websites belonging to the Department of Justice, FBI and Universal Music Group. Even 84-year-old Pope Benedict XVI on March 12 tweeted, “Anonymous have attacked the Vatican website again bringing it down for the second time.”
Technology-based terror threats are among the nation’s most serious, FBI Director Robert Mueller testified in March during a Senate briefing on cyberattacks. Joining him in testimony were the NSA’s Alexander, Homeland Security Secretary Janet Napolitano and Joint Chiefs of Staff Chairman Gen. Martin Dempsey.
About that same time, the FBI revealed the identity of Sabu, the leader of Anonymous offshoot hacking group LulzSec, which has taken credit for shutting down the CIA website and posting a false report of News Corp. founder, Chairman and CEO Rupert Murdoch’s death on The Sun website. Sabu is Hector Xavier Monsegur, a 28-year-old who led hacking operations from his apartment in Manhattan’s Lower East Side. Turns out Sabu had been working as an FBI informant for the past six months. He pleaded guilty in August to 12 counts of computer hacking among other crimes. Sabu also led the FBI to arrest on March 5 five of his suspected underlings who range in age from 19 to 29, according to the indictment.
The Wall Street Journal article said the NSA’s Alexander was not so concerned about rival governments such as China’s hacking the U.S. electric grid, but their outsourcing jobs by leaking information to hacker groups.
Anonymous members have tweeted that bringing down the U.S. electric grid would run contrary to the group’s goals and would hurt too many innocent people. The most serious stunts tied to the group have been the hacking of security firm Stratfor-in December credit card information for 30,000 Stratfor subscribers was posted online-and leaking emails from the law firm representing the U.S. Marine accused in the 2005 Haditha Massacre in Iraq that resulted in the deaths of 24 unarmed civilians.
The U.S. government is ready to play tough defense against multiple unknown cyberthreats, regardless who is behind the mask. Two cybersecurity bills are competing in the Senate. The White House, Democrats and Napolitano favor Connecticut Sen. Joe Lieberman’s bill that would require operators of critical infrastructure to partner with the Department of Homeland Security (DHS). The group would set mandatory security standards.
Not everyone’s praising Lieberman’s bill, however, including the U.S. Chamber of Commerce. The chamber argues that the bill has too much regulation and would strip industry focus from security and move it to fulfilling mandates. A bill sponsored by Arizona Sen. John McCain and seven other Republicans tries to sidestep new regulations. It focuses on the sharing of cyberthreat information between government and industry.
Electric Light & Power recently interviewed cybersecurity expert Bill Curtis, senior vice president and chief scientist at CAST Software and co-author of the Crash Report, the largest study conducted on the quality of software applications. The study, which analyzed 745 applications representing 365 million lines of code submitted by 160 organizations, shows that energy applications had numerous structural quality violations per application. Violations, or inconsistencies with good industry practices, cause problems such as outages, performance degradation, breaches by unauthorized users or data corruption, according to the report.
“What we see for the utility world is the likelihood of an attack on cybersecurity,” Curtis said.
The utility industry is at risk because the coding in which its software is written is new, and not everyone writing software code is trained to find penetrable holes in that code, he said.
“There is substantial risk in these applications,” Curtis said. “Most of the complexity is no longer in the hardware. It’s in the software.”
With input from Curtis, Electric Light & Power developed questions to ask electric utilities about their defensive strategies. High-ranking utility executives agreed to participate in the resulting roundtable: Chuck Tickles, vice president of information technology at Kansas City Power & Light (KCP&L); Dan Traynor, vice president and chief information officer at Tennessee Valley Authority; Doug Sterbenz, executive vice president and chief operating officer at Westar Energy in Kansas; Pablo Vegas, vice president and chief information officer at American Electric Power Co. Inc.; and Kathy Kountze-Tatum, vice president and chief information officer at NSTAR in Massachusetts.
ELP: We’re seeing many operations and IT divisions merge within utilities. Is that true for you?
Tickles: We have a centralized IT function within KCPL, which includes both the infrastructure and application support for the operational support systems including the energy management system-SCADA, outage management, work management, smart grid applications and the telecommunications infrastructure including microwave, fiber and the radio systems.
Traynor: Primarily driven by the need for more effective cybersecurity management and regulatory compliance, there is more collaboration and partnership between operations and information technology at TVA than ever before. As cost pressures rise and operational and information technology systems continue to converge on several dimensions-people skills, support processes, technology components and business intelligence-the idea of merging functions is being considered more seriously. However, the likely near-term actions will be to strengthen governance over investment in these areas and collaborate more on technical architecture and big data.
Sterbenz: Yes, we moved the IT-related functions under corporate IT in 2004. In 2011, we brought the entire IT department into operations, reporting to the COO. There was no need to have separate IT staffs to support these functions. Cybersecurity needed to be addressed, and corporate IT had the right mindset to protect the company’s assets. That same mindset needed to be embedded in the operations. We did not want to set up a second cybersecurity group in the operations.
Vegas: In some areas where there was a duplication of efforts or if convergence made sense, we merged operations, and we will continue to take that approach in the future. One example of merging within utilities here at American Electric Power is with our generation dispatch control, it made sense to move support functions into IT, but in other areas, like certain support functions within transmission, the best solution is to leave those work functions under operations. We really look at each system on a case-by-case basis and then make the best business determination.
Kountze-Tatum: No, we still have operations and IT separated for the most part. However, there is a lot of collaboration between the two departments in the communication areas, as well as within transmission and distribution SCADA operations.
ELP: How do you assess the risk of your most critical systems controlling the grid and the software that runs it?
Tickles: The systems and software that control the grid fall under the NERC Critical Infrastructure Protection (CIP) standards. We have a strong compliance culture that includes periodic auditing of systems to ensure they meet the standards. Additionally, we utilize third-party vendors to conduct mock audits to assess our compliance with the standards.
Traynor: Being a federal agency, TVA assesses the risk in its industrial control systems environment-as it does for all of its information systems and assets-using an approach based on guidance from the National Institute of Standards and Technology (NIST 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems). This approach ensures TVA manages technology-related security risks in a consistent manner and aligns with the organization’s business objectives and risk strategy as established by senior leadership. And it is the most practical approach, given the compliance requirements of the most relevant regulations do not differentiate between information and operational technology systems.
Sterbenz: We follow best practices from the National Institute of Standards and Technology, Department of Energy (DOE) and Department of Homeland Security in conjunction with applicable North America Electric Reliability Corp. Critical Infrastructure Protection standards.
Vegas: We have a risk assessment process that varies based on the criticality of the operations and the technology supports. We follow the NERC CIP Critical Cyber Asset definitions and then apply the appropriate compliance as one tier of assessing risk when we talk about all critical systems and apply the proper security controls. We have different levels of security and firewalls pertaining to critical systems and noncritical systems. Our goal is to utilize the best available security technology to protect systems.
Kountze-Tatum: We assess the risk of all systems in the organization through a process that includes conducting regular vulnerability assessments, monitoring the age of the hardware and software environments and working with vendors that provide reliable and secured solutions.
ELP: What actions do you take to ensure these systems are secure?
Tickles: We have intrusion-detection systems (IDS), firewalls, anti-virus, physical security, background checks, log monitoring, strong access management, change control, required awareness training and vulnerability management.
Traynor: We have a defense-in-depth strategy and employ both continuous monitoring and scheduled information security assessments of critical assets. As a federal agency, we base our security program on the Federal Information Security Management Act (FISMA) and then add industry best practices from the utility sector, the SANS Institute, Department of Homeland Security and NIST. NIST special publications provide a solid foundation from which to work and include industrial control system security control guidance (e.g., 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations and 800-82 Guide to Industrial Control Systems (ICS) Security). In addition, all TVA employees, contractors and interns are required to complete cybersecurity training annually with the primary goal to increase end user awareness of security and privacy requirements and best practices.
Sterbenz: Following best practices can help us do our best to secure these systems-for example, staying up-to-date with security patches on all of our PCs.
Vegas: We perform periodic threat assessment reviews against our critical systems to identify and close potential gaps.
Kountze-Tatum: We mitigate security risks by performing the above risk assessment on our systems on a regular basis.
ELP: Are you aware of attempts to penetrate these systems, and what actions have been taken to close those holes?
Tickles: We constantly monitor our perimeter with intrusion-detection systems and are alerted of any suspicious activity. We also closely monitor alerts from NERC, US-CERT (United States Computer Emergency Readiness Team) and other list servers to identify and block known malicious sites.
Sterbenz: Yes, we are aware of attempts to access our network, and because of that we do penetration testing on our networks, looking for any weaknesses in our defenses that need to be strengthened.
Vegas: AEP’s practice is to not comment on any specific cybersecurity devices, vulnerability or threat vector since any comments could be used by our adversaries to give them critical intelligence into AEP’s cybersecurity defensive posture. Having said that, I want to say we are seeing an increase in the number and level of cyberattack attempts over the past year. On Wednesday of this week, the Department of Homeland Security indicated a new interest in hacking as threat to security. The agency reported that during a five-month period between October and February, there were 86 reported attacks on computer systems in the United States that control critical infrastructure, factories and databases. That number compares with 11 over the same period one year ago.
ELP: To what extent are you confident that any known problems have been removed?
Tickles: We have a comprehensive vulnerability management program. We are confident that known problems have been removed but can’t be certain unknown problems have been removed. We are expanding our security-monitoring and control systems to better identify and remove unknown problems.
Traynor: I’m confident we have addressed the known problems in a proactive and timely manner; it is the unknown that keeps me up at night.
Sterbenz: We only know what we know. We use many security tools to identify and eliminate known cyber malware. This is a full-time effort. Our efforts are always advancing and evolving as new threats are suspected or known.
Vegas: As the numbers of threats increase and are continually evolving, AEP has a dynamic system deploying cutting-edge technology that evolves as quickly as the techniques the criminals are using. In addition to protecting the outer walls of our security perimeters, we are constantly monitoring and detecting threats from the inside out. We utilize a defense-in-depth approach, which means we are looking at all layers of the infrastructure from the outer walls to the machines on the inside, constantly looking for threats.
ELP: As the grid becomes more interconnected, how are you making sure all of the systems are interacting in a safe and secure way?
Tickles: Although most of the smart grid systems are considered a demo project, we are treating it like a production environment. Implementing security in the design phase is always more beneficial than trying to add them as an afterthought.
Traynor: While a more interconnected grid does present new challenges, we see an increased dependence on core IT competencies as our best defense: making sure the fundamentals of monitoring, change management, patch management, configuration management, backup and restore, incident response and disaster recovery are in place; conducting system pre-operational security assessments; working closely with industry partners and performing our own validation that security requirements have been incorporated.
Sterbenz: The information is stored encrypted and transported encrypted according to what the experts say is best practice.
Vegas: Our threat assessment activities, our integration and our operational testing are becoming more integrated as operations and IT come together. We are applying the same security techniques to our operational technologies as we do to our information technologies.
ELP: Who do you keep on speed dial? Vendors? The government? Some whiz kid in his parents’ basement?
Tickles: We have a leading industry vendor on retainer to respond to a cyberincident. We keep their number on “speed dial.”
Traynor: At TVA we have a highly skilled security staff with practical experience in power control systems environments. We have dedicated monitoring and incident response functions, as well as an assessment team that performs traditional audits and penetration tests. In the event of a large-scale incident, we would rely on these staff members. We also practice incident response through national-level exercises with our utility industry partners including NERC, as well as other government agencies like DHS, DOE and the FBI.
Sterbenz: We work directly with a government agency that helps us understand these emerging threats better.
Vegas: At AEP, we have all the capabilities in-house to deal with security threats and issues. In addition, we collaborate very closely with law enforcement on the local and federal levels and with a handful of strategic technology partners including Lockheed Martin. We also have a collaborative agreement with the Department of Energy and the Department of Homeland Security.
Kountze-Tatum: We work closely with our vendors, and we also communicate with other companies that are both within and outside of the utility industry.
ELP: How difficult is it to operate on defense 24/7? Or do you feel like you’ve got the ball right now?
Tickles: It is difficult to operate on defense 24/7 due to resources. To alleviate this, we have managed security services that monitor our intrusion-detection systems on a 24/7 basis.
Traynor: One of our guiding principles in TVA information technology is to be one with the business. TVA is a 24/7 operation, and so is the information technology function. We recognize the business runs on technology, so our cybersecurity defenses must operate around the clock, as well. TVA is unique among electric utilities in that it can work more closely with other federal agencies. This gives us an edge that allows us to adopt a more proactive posture. With cybersecurity, it helps if you can be two steps ahead.
Sterbenz: It is very difficult to be on the defensive all the time, not knowing where the next attack is coming from. It is a constant education for our employees, helping them understand the roles they play in protecting our business.
Vegas: It’s an incredible challenge to keep up with the pace of change and the risk that exists. But it’s something that the utility industry and AEP take very seriously. We consider cybersecurity as important as reliability. We’re continuing to improve our cybersecurity capabilities. Our customers are more secure today than they were a year ago and much more secure than five years ago. Outside threats continue to increase. Most threats are people trying to steal financial information from our employees or customers. The issues do range, however, from hackers trying to get identity theft information to protecting against threats to our system and electric service.
Kountze-Tatum: IT departments within most organizations have been running 24/7 shops for well over a decade. Monitoring systems around the clock is a standard mode of operations for any IT group.