Cyber Wars begin: is the Power Grid next?

Recent reports have clearly demonstrated that cyber wars are indeed happening. I made this clear in my last Smart Grid Virtual Summit presentation in June 2011. So what are the implications, and when are people going to take notice at last? Forbes reported that recent attacks included an unprecedented series of cyber attacks on the networks of 72 organizations around the world, including the United Nations, governments and corporations, over a five-year period. The White House has not yet disclosed the organizations affected by this most recent attack, dubbed “Operation Shady RAT”.

So what are people who work in the cyber security industry saying? I am part of a Smart Grid Security group that has been discussing this, and we think that the next Pearl Harbor we confront could very well be a cyber attack that cripples our power grid, our financial systems and governmental systems. The discussion started 14 days ago, and given the recent events I thought some of the comments were very appropriate and would like to share them.

Here is what a few experts have been saying.

Theodore Wood, Partner, Patent Lawyer at Sterne Kessler Goldstein & Fox in the Washington D.C. Metro Area:

“In short, I believe we have to direct more of our immediate attention and grid-related stimulus spending towards enhancing the resiliency of the existing grid. William Pentland’s article in Forbes, this past May, discusses his finding that about 75% of the 2009 federal stimulus dollars have been directed to advanced metering infrastructure (AMI). Our own research and analysis of IP in these areas supports this contention. However, to have a more direct impact on grid security, we need more direct investment in cyber resiliency strategies (hardware and software), including strong encryption and key management techniques, network access control, intrusion response systems, and rootkit detection. I believe that an infusion of federal spending into these areas will spur R&D, facilitate development of quality IP, and help ensure that cyber security innovation and technology are more commercially attractive from both the vendor’s and investor’s perspectives.”

Andrew Wright, CTO at N-Dimension Solutions:

“I agree with Ted regarding the need for more economic stimulus for grid resiliency and cyber security. Of the $4.3 billion American Recovery and Reinvestment Act (ARRA) funding, most of it went to smart meters, MDMs, and consultants, and relatively little to real security. And in any case, that was 100 out of 3300 utilities in the US. We need to change the economic equation so that utilities do not have to prioritize security against other technologies, and the best way to do that is to build security in. But that requires economic incentives for manufacturers to spend time on security functions rather than others. IP protections for grid resiliency are one way to do this.”

Joe Weiss, PE, CISM, CRISC, ISA Fellow, Managing Partner at Applied Control Solutions, LLC:

“As an engineer, there is no doubt it is technically possible to do this – I am not a threat analyst and so cannot say why it has or has not happened. Stuxnet should be a glaring example of its potential. I had this specific discussion with Richard Clarke many years ago and provided several reasons why it could happen and yet not be public. There are minimal control system cyber forensics so when there have been major infrastructure failures, it is generally not possible to determine if cyber was involved. There already have been numerous significant control system cyber incidents in the US that have killed people, caused major electric outages, shut down nuclear plants, etc. When a critical infrastructure incident does occur, there is a reticence by the government to acknowledge that it is a cyber incident. I believe the lack of control system cyber forensics and end users’ unwillingness to report has stifled progress on securing industrial control systems.”

Stacy Bresler at National Electric Sector Cybersecurity Organization:

“Reporting cyber incidents or potential incidents is an issue. Being a former cyber security manager at a large asset owner, I understand the lack of willingness to report. Currently the mandate to report a cyber incident is to the ES-ISAC which is essentially the regulator despite claims of dividing lines within their organization. That alone is a deterrent for more reporting. I’m with Joe on this . . . I don’t think our intelligence agencies always have the facts before they make blanket statements. We do need better tools to help in forensic efforts but that needs to be coupled with proper training for those in the field. There are forensic experts out there and I believe ICS-CERT has a jump team on the ready . . . but I don’t think that is enough. We definitely do not have an aggregated view of what is really going on and we can’t manage what we can’t measure!”

Robert Cragie, Consultant for HAN/Smart Energy/Security at Pacific Gas & Electric:

“The 80/20 rule applies here. With a relatively small amount of effort you would get a huge improvement in security. ICS manufacturers and implementers have to wake up to the fact that their ancient systems need to be brought up-to-date using security procedures (business process, physical and cyber) commonplace in IT and telecoms infrastructures. The INL SCADA evaluation report (http://www.inl.gov/technicalpublications/Documents/4374057.pdf) highlights the woeful lack of security in electricity T&D substations, e.g. adding dial-up modems with no cyber security protection to substation equipment still using default passwords so a maintenance operator can control remotely. Stuxnet was clever but still propagated by the practice of passing USB flash drives around with the virus on. Back in the day, it was floppy disks which spread viruses in this way. Do we never learn? This is what the people who are out there every day are seeing. There is always some hype but there are also some things that are not disclosed. From simple fixes to a clear need to invest into new cyber security solutions, the war is on and the war is real. God bless our military and their efforts in securing our country but if our national power grid goes down our losses could be much greater.”

Larry Karisny is the Director of Project Safety.org, smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.