Cyber security in US power system suffering from reactive, self-policed rules

North America’s electricity generation and distribution network is a vital piece of infrastructure, and is rightly considered a major potential target for attack from terrorists, activists or corporate snoops.

Its cyber defences seem to be inadequate, though: regulation is mainly self-imposed and minimally enforced, and policy in the area appears to focus on reacting to emerging threats rather than putting proactive barriers in place against potential problems.

A major report on the subject has been produced by the offices of two US Congressmen, Ed Markey (D-Mass.) and Henry A. Waxman (D-Calif.). They found that many power companies reported being under frequent cyber attack, yet few had done more than the minimum required to put protective processes in place.

A run-down of the report’s major findings can be found at The Register – there are plenty of juicy, scary stats based on responses to a survey sent to over 150 organisations.

The study’s main point is that there are many rules in place for how networks and systems should be protected, some mandatory and some voluntary, and not every company is applying all the mandatory ones yet, let alone the voluntary ones.

The rules are laid out by a non-profit body called NERC, the North American Electric Reliability Corporation. This is a cross-industry group focussed on keeping America’s lights on, generating standards and best practices for electricity generation and infrastructure. They’re overseen by FERC, the Federal Energy Regulatory Commission.

To create a new rule for the power companies to follow, a NERC committee (of which there seem to be many) drafts a standard, which must then be approved by a ballot of NERC’s membership, a body made up largely of the power companies themselves. If approved, it is passed to FERC, which must approve it in turn before it becomes an enforceable standard.

Obviously, this is a slow process, and any rule thought likely to cause difficulty for the companies it is meant to bind can be voted down by those very same companies.

The complexities of the system, and the highly distributed nature of the US power infrastructure, make it hard to monitor and enforce compliance, even when guidelines do become rules.

NERC produces some epic documents: their full compilation of standards makes for an eye-watering 1800-page read.

The (relatively) juicy bit concerning cyber security is the family of Critical Infrastructure Protection (CIP) standards, of which CIP-007, Systems Security Management, sits about a quarter of the way down.

Just keeping up with the latest tweaks and additions must be a tough task, let alone trying to apply or enforce them.

Even if the standard creation process can be sped up and made more enforceable, as the report’s authors are urgently suggesting, there’s another problem here.

The emphasis seems to be heavily on responding to threats after the fact: how did people respond to 9/11, what have they done in the wake of Stuxnet, what was their reaction to Aurora?

They need to be thinking much more proactively, anticipating new attack vectors and closing off whole classes of vulnerability before specific instances are found, let alone put to use by the bad guys.

At least some people at NERC are thinking along the right lines, with another detailed report, released last year by their Cyber Attack Task Force, emphasising the importance of attack trees and other predictive approaches.

What seems to be needed here is a combination of the two approaches: carefully considered, broadly defensive strategies, combined with fast responses to new, unforeseen vulnerabilities. Sadly, when government and big business intersect, pragmatism and speedy reactions are rarely in evidence.