Cyber security in US power system suffering from reactive, self-policed rules

Filed Under: Featured, Vulnerability

Power failureNorth America’s electricity generation and distribution network is a vital piece of infrastructure, and is rightly considered a major potential target for attack from terrorists, activists or corporate snoops.

Its cyber defences seem to be inadequate though, with regulation mainly self-imposed and minimally enforced. Policy in the area also appears to focus on reacting to emerging threats, rather than setting up proactive barriers against potential problems.

A major report on the subject has been produced by the offices of two US Congressmen, Ed Markey (D-Mass.) and Henry A. Waxman (D-Calif.). They found that most power companies were under heavy cyber attack, but that few had done more than the minimum to implement protective processes.

A run-down of the report’s major findings can be found at The Register – there are plenty of juicy, scary stats based on responses to a survey sent to over 150 organisations.

The main point the study’s authors are trying to make is that there are many rules in place for how networks and systems should be protected, some mandatory and some optional, and not everyone’s applying all the mandatory steps yet, let alone the optional ones.

The rules are laid out by a non-profit body called NERC, the North American Electric Reliability Corporation. This is a cross-industry group focussed on keeping America’s lights on, generating standards and best practices for electricity generation and infrastructure. They’re overseen by FERC, the Federal Energy Regulatory Commission.

To create a new rule for the power companies to follow, a NERC committee (of which there seem to be many) will draft a guideline, which must then be approved by the membership – which is the power companies. If approved, the guideline is then passed to FERC for further approval before becoming an enforceable standard.

Obviously, this is a slow process, with any rule which is thought likely to cause difficulties to the people it’s supposed to be imposed upon likely to be vetoed, by those very same people.

The complexities of the system, and the highly distributed nature of the US power infrastructure, make it hard to monitor and enforce compliance, even when guidelines do become rules.

NERC publicationNERC produce some epic documents – their full run-down of standards makes for an eye-watering 1800-page read.

The (relatively) juicy bit concerning cyber security is section CIP-007, about a quarter of the way down.

Just keeping up with the latest tweaks and additions must be a tough task, let alone trying to apply or enforce them.

Even if the standard creation process can be sped up and made more enforceable, as the report’s authors are urgently suggesting, there’s another problem here.

The emphasis seems to be heavily on responding to threats – how did people respond to 9/11, what have people done in the wake of Stuxnet, what was their reaction to Aurora.

They need to be thinking much more proactively, predicting new attack vectors and implementing protection against new vulnerabilities before they are discovered, let alone put to use by the bad guys.

At least some people at NERC are thinking along the right lines, with another detailed report, released last year by their Cyber Attack Task Force, emphasising the importance of attack trees and other predictive approaches.

What seems to be needed here is a combination of the two vectors, with carefully considered generally defensive strategies combined with fast responses to new, unforeseen vulnerabilities. Sadly when government and big business intersect, pragmatism and speedy reactions are rarely in evidence.


Image of Power failure cartoon courtesy of Shutterstock.

, , , , ,

You might like

3 Responses to Cyber security in US power system suffering from reactive, self-policed rules

  1. Surely anyone that puts their company's control system on the internet belongs to that unique class of people politely called "nutters."

  2. snert · 329 days ago

    Why in Hades would any power company's control system be on the internet? That's flat out stupid, plain and fancy! I can see alarms hooking to the internet but not any controls.

  3. atavic · 326 days ago

    It's the smart way to screen the consumer... More houses are screened through so-called smart devices that call home (the factory) delivering the daily consumed electricity. There's a sim card into these smart devices that calls with no cables... Hackers mostly welcome is my opinion.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.