Gary Sevounts, Symantec Corp.
Recent reports-most recently one by the General Accounting Office-have raised concerns over network security in the power and energy sector.
An Internet security threat report published by Symantec in March of this year describes and compares the vulnerabilities and cyber security challenges that several industries face. The report identifies power and energy organizations as nearly twice as likely to experience a “severe” Internet attack as were other industries.
Yet, according to the North American Electric Reliability Council (NERC), there have been no cyber security attacks against the U.S. utilities infrastructure that have caused service interruptions. But, they can-and probably will-happen. According to Howard Schmidt, the former chairman of the President’s Critical Infrastructure Protection Board, terrorist groups are already looking at electric utilities as possible targets for direct attacks. “Computers that were seized so far during the war on terrorism [reveal] that these groups have been studying the vulnerabilities of SCADA systems,” he wrote in a report to President Bush.
Many of these vulnerabilities highlight reluctance in applying traditional security measures such as patching, authentication, virus scanning and password management to systems with the precise timing issues required by SCADA systems. Yet, as SCADA systems increasingly connect with other networks and systems to share data and provide online services, their exposure to threats increases.
Some of these vulnerabilities have already caused trouble for utilities. In January 2003, for example, the Slammer worm successfully made its way through the control system of a U.S. nuclear power plant-disabling it for nearly five hours.
Viruses and worms are just one threat to utilities. Direct attacks are of even greater concern-and they’re not new either. For example, nearly four years ago, a hacker manipulated the SCADA systems controlling a wastewater system in Australia-not just once, but 23 times before being caught. The hacker was familiar with the SCADA software in use at the plant and was able to spoof his way into the network, giving him control over 300 SCADA nodes that regulated sewage and drinking water.
In 2002, the Department of Energy (DOE) published a list of 21 steps to improve the cyber security of SCADA networks. Of particular importance is step 20: “Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.”
In the past, corporations within the electric power sector used a highly fragmented, divisional organizational approach for protecting their digital assets within corporate networks and SCADA systems. Now, the industry is showing signs of change.
Fortunately, a growing number of technologies and services are available to help electric utilities secure not only their SCADA networks but also the networks to which they are connected. Some information security providers now offer SCADA and corporate network assessment services, for example, to help utilities evaluate their corporate and SCADA networks and connections, identify vulnerabilities and offer recommendations.
Early warning systems, in turn, are available to keep electric utilities alerted to attacks that are occurring elsewhere across the globe and that might affect their corporate or SCADA networks-before those attacks can impact the organization. Early warning is critical to maintaining business continuity.
Antivirus, firewall, and intrusion detection solutions are also available. When implemented at various external and internal points of the cyber infrastructure, electric utilities can quickly recognize and stop malicious code and hack attempts. For example, a firewall placed between the CMS and the SCADA network of RTUs could be configured to block attacks coming from all unknown IP addresses and ports. Additionally, security devices placed on the connection to the RTU gateway will protect the entire SCADA RTU network.
To see attack attempts and, in turn, recognize where vulnerabilities exist, electric utilities can leverage intrusion detection systems-specifically those that use protocol anomaly detection technology to recognize standard SCADA protocols. What’s more, because intrusion detection systems do not block traffic, they do not introduce unwanted latency into the system.
Finally, security policy and vulnerability assessment solutions are available to help electric utilities formulate an information security policy based on industry standards, regulations, and best practices, then measure ongoing adherence.
Used individually, each information security technology and service adds another level of security to SCADA and corporate networks. Used together, these solutions provide electric utilities with a quantum leap toward overall cyber security. So while it may be impossible to predict when the next attack will occur, corporate leadership can create policies and ensure the implementation of appropriate security practices so that productivity and continuity remain when those attacks do come.
Sevounts is director of industry solutions for Symantec Corporation and is responsible for delivering customized information security solutions to investor-owned companies within the electric power sector. He can be reached at firstname.lastname@example.org.