The Electric Industry: Understanding Cyber Risk is Key to Resource Allocation

Wednesday, August 07, 2013

Lila Kee


Possible threats to our national critical infrastructure have dominated the news headlines lately and grabbed the attention of Washington, D.C. United States Secretary of Defense Leon Panetta recently gave a speech in which he warned that the nation was becoming increasingly vulnerable to foreign computer hackers who could dismantle our nation's critical infrastructure, leading to a "Cyber Pearl Harbor."

Terms such as "Cyber Pearl Harbor" can certainly do a service. They help to keep the reality of cyber risk within our infrastructure alive in the public eye and among the security and risk professional community in charge of defending it. If taken out of context though, they can create misunderstanding that can stand in the way of effective security prioritization and resource allocation. To truly understand the risk that critical infrastructures face, and the level of security attention its different sectors require, you must first understand where the risk resides and what is at stake.

The Emergence of Critical Infrastructure

Following 9/11 and the formation of the Department of Homeland Security (DHS), the federal government identified the United States' critical infrastructures. Critical infrastructures are essential to the nation's security, public health and safety, economic vitality, and way of life. Among our nation's 18 critical infrastructures is the Energy Sector, which includes an electric industry made up of the power distribution system and the physical and virtual systems that contribute to its operations. The industry contains more than 6,413 power plants (including 3,273 traditional electric utilities and 1,738 nonutility power producers) with approximately 1,075 gigawatts of installed generation. This may seem a bit techie, but to put it into perspective, this is what it takes to supply our nation with electric power.

The DHS placed the Energy Sector on the critical infrastructure list because it is a target for cyber criminals and terrorists. However, there is significant misunderstanding when it comes to the sector's strengths and weaknesses, how it is protected against cyber threats and the different levels of risk its segments face. This misunderstanding is leading to "fear, uncertainty and doubt," as well as a misallocation of scarce security resources. These problems are especially true within the electric industry, where security and risk professionals are scrambling to establish effective defenses.

Identifying Electric Industry Risk

To think that with a well-placed line of malicious code an attacker could turn off lights between both US coasts is intriguing indeed, and it makes for some genuine cloak-and-dagger drama, but is it reality?

As mentioned above, the electric industry is composed of multiple physical and virtual systems, and the truth is that an attack on one system is not necessarily going to lead to a national blackout. Each system has its own associated risk level and its own mandated security standards to protect against cyber threats. An attack on an electric power online trading application may make for great headlines but would likely only disrupt power sales, not power transmission.

That being said, there have been successful malware attacks that have destroyed industrial equipment and systems; Stuxnet, for example. Because Stuxnet was a digital certificate-based attack, it opened the door to further speculation that an attack launched over the Internet could knock out the industrial systems and equipment used to manage electric power generation and transmission. This isn't necessarily the case. The takeaway from Stuxnet was that while systems and controls are vulnerable to malware, they are not necessarily Internet-connected. The Stuxnet perpetrators had to jump the air gap to achieve success.

The Risk-based Approach

Security and risk professionals charged with protecting the electricity industry need to use a risk-based approach. This allows them to allocate security resources effectively, based on the level of risk inherent in the different systems they oversee. Does a physical or virtual system need military-grade security and segmentation from the Internet, does it need to be protected with a simple password, or does it require technologies such as digital certificates and encryption? These questions can only be answered when the associated levels of risk are understood and security policies are followed using assurance levels that are mapped to defined business risk.

While this is by no means a comprehensive guide to establishing a risk framework, security and risk professionals within the electric industry should keep certain things in mind when it comes to priorities:

  • Determine if the system is Internet-connected or segmented via an air gap. In this case, while certain cyber defense technologies used for online systems may be valuable, there could be an entirely non-cyber set of issues you need to consider.
  • Determine the public, organizational and financial impact that a successful cyber attack could have on different systems. Systems and applications that are Internet-connected (such as energy trading applications) but not connected to transmission controls could be used as vectors for attacks that could wreak havoc on markets, but they might not necessarily open doors to a national "light switch." To apply effective security here, you would need to understand who the attacker might be and which proven technologies are effective.
  • Know the standards. The age-old argument over whether compliance and standards are effective will always rage; being on one side of the fence or the other is no excuse for not leveraging standards as set forth by organizations such as NAESB and FERC. While nothing in security is foolproof, standards based on proven technologies developed by industry-specific experts provide at least a baseline level of security.
  • Stay on top of the standards. As with all things cybersecurity, technology advances, new actors join the hacker community, and industry tolerance for risk changes. Therefore, it's essential that those responsible for cybersecurity constantly review standards that, if done right, are sufficiently refreshed to address modern threats.

The public depends on the critical infrastructure for nearly every aspect of life. Organizations, especially those involved in the electric industry, must view security investments as viable risk-reduction tools that not only protect the nation's way of life, but also the investments they have made in their own businesses.

About the Author: Lila Kee is chief product and marketing officer at GlobalSign, the enterprise SaaS Certificate Authority (CA), where she drives product vision and product marketing efforts for the global organization. Kee is also an active participant in the North American Energy Standards Board’s (NAESB) Public Key Infrastructure (PKI) subcommittee, where she holds a seat on NAESB’s Wholesale Electric Quadrant (WEQ) Executive Committee and Board of Directors. As a board member, Kee provides cybersecurity expertise and helps shape security policy and technology standards for the energy sector, one of the U.S.' Critical Infrastructures. In November 2012, Kee was appointed to NAESB’s WEQ Board of Directors’ End-user Segment. Kee has helped to construct current and future standards governing how vendors implement cybersecurity policies for digital certificates used to secure business and critical infrastructure applications.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.