Feb. 4, 2002 — Electric utilities are working to protect communications connections as well as their business and power systems from possible attack by cyberterrorists.
SEL has been awarded a federal grant to strengthen cybersecurity within the power grid.
Some computer hackers intrude on an electric utility’s IT system via a network or dial-in connection just to prove they can. Even if their intentions are merely playful, such mischief gives intruders access to the utility’s business systems, including customer credit or other identity information.
Coincidentally, the same access quite possibly opens a “back door” to the power system itself, exposing the system to degradation and power outage. If the same situation involved a thief, vandal, or cyberterrorist, it might explain why electric utility IT and power network security represent significant risks to the power infrastructure and the economy.
“The trouble is, many utilities are increasing their reliance on automated control systems with remote access via phone or the Internet without providing the security necessary to thwart potential attackers,” says Dr. Paul Oman, Senior Research Engineer at Schweitzer Engineering Laboratories (SEL) of Pullman, WA. “The shift from mainframe-based computer control systems to distributed systems using open protocols and standards, and the expanded use of public protocols to interconnect previously isolated networks have created a new national mandate to safeguard systems.”
“So, while the use of technologies such as SCADA (Supervisory Control and Data Acquisition) systems makes good sense, it has become equally important for power systems engineers to realize, ‘If I install remote communications devices, there will be vulnerabilities involved, and I need to safeguard or mitigate those vulnerabilities by using the proper security technologies,’” continues Oman.
Dr. Edmund O. Schweitzer, President and CEO of Schweitzer Engineering Laboratories Inc.
Schweitzer Engineering Laboratories, a provider of power system protection, control, and monitoring equipment, has cautioned government agencies and the power industry about the need for secure communications connections since the 1990s.
As a result, SEL was recently awarded a federal grant from the National Institute of Standards and Technology (NIST) to work in concert with Washington State University and the University of Idaho to strengthen cybersecurity around the electric power grid.
Dr. Schweitzer cites the widespread use of dial-in networks, increased public access to transmission system data (mandated by FERC 888/889), increased terrorism, and the rapid worldwide growth of a computer-literate population, coupled with widespread dissemination of hacker tools and cyberterrorism, among the many causes of increasing risks.
“Another vulnerability derives from the large number of roving engineers and others in charge of maintaining transmission and distribution systems. Because they have remote access to the communications and power systems they service, they have created, in effect, a ‘back door’ that can be exploited by hackers unless appropriate security safeguards are in place,” says Dr. Oman. “As with all infrastructures, threats to electric power systems have existed for as long as the technology has been used to support that way of life. But these threats are not static or unchanging. We should assume that as the infrastructure technology changes, so do the threats and risks associated with supporting that service.”
“After the events of September 11, we are more conscious of the need for improved infrastructure security, so many electric utilities are reassessing the vulnerabilities to their communications and power systems,” adds Oman.
Cyber-attacks on utility IT systems are not rare today. Hacking gangs such as PhoneMasters and Global Hell have used electronic theft and extortion to fund their terrorist activities.
Government and expert estimates of economic losses vary, but electronic theft within the U.S. alone is estimated to be in the hundreds of millions of dollars annually. But other potential costs are likely to be much greater.
Cyber-attacks and electronic sabotage targeted against power grid vulnerabilities have the potential for inducing power system fluctuations that can lead to cascading blackouts over very large geographic areas. Loss of manufacturing production and vital services can result from such outages.
The IEEE standard governing substation security defines electronic intrusions as “Entry into the substation via telephone lines or other electronic-based media for the manipulation or disturbance of electronic devices. These devices include digital relays, fault recorders, equipment diagnostic packages, automation equipment, computers, PLCs, and communication interfaces.”
What specific devices are vulnerable, and what means should power systems use to mitigate the risk of intrusion? “There are a host of secure devices out there,” said Dr. Oman. “There are crypto modems, modem-key/lock combinations, LAN cryptology devices, and firewalls that can separate business communications from control communications. Which safeguards are most appropriate for specific situations depends on system design and configuration; but there is probably a good safeguard solution for virtually all of them.
“It is an important mission of SEL to help utilities, whether they are customers of ours or not, to identify their existing vulnerabilities, and shore those up with technological safeguards.”
A comprehensive source of information on system threats, vulnerabilities, and mitigation measures and devices can be found in two papers written by Dr. Oman and Dr. Schweitzer, in collaboration with others.
The papers, “Concerns About Intrusions Into Remotely Accessible Substation Controllers and SCADA Systems” and “Safeguarding IEDs, Substations, and SCADA Systems Against Electronic Intrusions,” may be downloaded from the “Technical Papers” section of www.selinc.com.
The recently awarded NIST grant will enable SEL to conduct additional applied research in the use of Information Security (InfoSec) principles within the control and protection systems governing the North American power grid.
SEL will be joined by two subcontractors, Washington State University and the University of Idaho, in a collaborative research effort that will apply InfoSec and Internet Protocol Security principles, conduct in situ security and survivability assessments, develop a prototypical secure information infrastructure, and develop greater awareness within the electric power industry. Washington State University lends expertise in the power networking area. The University of Idaho brings expertise in the security and survivability assessment area.
Schweitzer Engineering Laboratories (SEL) has been involved in safety, reliability and efficiency for the electric power industry since 1984. The ISO 9001-certified company serves the electric power industry worldwide through the design, manufacture, supply, and support of products and services for power system protection, control, and monitoring.