IT security in energy sector to come under scrutiny


The US Congress is to hold a series of hearings next month on the recent electricity failure that struck the Northeast and parts of Canada, to determine the likely causes and what can be done to prevent future failures.

Committee chairman WJ Tauzin has requested information on the blackout from all of the utility companies and various industry councils affected. 

Officials from the House Committee on Government Reform want to study the security of the national power grid's cyber-based control systems. The concern is that an equally devastating series of failures could be triggered by relatively minor disruptions to the control systems that manage the power grid. 

Such incidents are exactly what security experts from the IT and energy industries have been warning about for years.

The issue came to the forefront during the California energy crisis in 2001. For 17 days, between 25 April and 11 May, hackers managed to remain undetected after they breached the network of the California Independent System Operator (ISO), which manages that state's electric grid. Although no damage was reported, officials traced the intrusion back to a system in China. 

The problem, however, is that electrical grids such as California ISO's are highly integrated and dependent on other regional grids, and all are managed using technology known as Supervisory Control and Data Acquisition (SCADA) systems. Once highly proprietary, SCADA systems are increasingly being deployed using commercial off-the-shelf technologies that rely on public internet protocols and connections for ease of management and cost savings, experts said.

"The [energy] sector has always contained security vulnerabilities, but these vulnerabilities have been compounded by the introduction of new networking technologies, deregulation and structural changes in the industry," according to a report released last December by the Institute for Security Technology Studies.

"There have been dozens of cases where [SCADA] systems - in the electric power, water, waste water, oil, gas and paper industries - have been intentionally or unintentionally impacted by electronic means," the report stated. 

In addition, testimony received by the institute from utility companies "clearly shows that the electric energy sector is vulnerable to cyber impacts, and indications are that terrorists, hostile nation-states or malicious computer hackers pose a threat to the sector". 

"More co-ordinated attacks against regional power networks are also possible in light of current vulnerabilities," the institute's study concluded.

"Attacks that in some way disrupt the national power grid appear possible, but too little information is currently available to accurately assess the potential impact of cyberattacks on the national grid. Therefore, it is imperative to support and expand testing and research in this area." 

Howard Schmidt, former chairman of the President's Critical Infrastructure Protection Board and now chief security officer at eBay, said the IT security technology capable of protecting real-time control systems, such as SCADA systems, from hackers does not yet exist.

Commercial technologies, such as firewall systems, are not capable of operating in the real-time control environment of the power grid. 

"It is an urgent research and development issue that was put in the National Strategy to Secure Cyberspace and one that can help mitigate the vulnerability," Schmidt said. 

Dan Verton writes for Computerworld
