Raising The Bar On Cybersecurity In The Utility Industry

An Energy Department lab is testing software that could make it faster and easier for utilities to identify problems that could lead to outages.

Martin Garvey, Contributor

December 22, 2004


There's long been speculation that terrorists might try to launch attacks on the nation's electricity grids, and that at least some elements of such attacks might involve hacking into utilities' SCADA (Supervisory Control and Data Acquisition) systems or other core IT or operational infrastructure. The industry is taking steps to avert that: Testing of new software planned to take place at a federal government laboratory in Idaho this year could result in a leap in cybersecurity for the utility industry. Separately, the North American Electric Reliability Council (NERC) plans to publish a new cybersecurity standard by the middle of January to cover thousands of unprotected electrical substations.

The U.S. Department of Energy's Idaho National Engineering and Environmental Laboratory (INEEL), which includes facilities spread out across an 890-square-mile area in the southeastern part of the state, has as one of its missions testing systems that ultimately should help electric utilities and system operators across the country protect their infrastructure, operations, and apps from real-world enemies, cyberenemies, and hackers. Its technology mirrors real-world utility infrastructures, including systems, wireless technology, and processes.

ABB Ltd., a leading control systems and emergency-management system vendor in the utility industry, is an early participant in the INEEL tests. The vendor, whose software monitors and controls the flow of power transmissions and provides operators a view of such traffic, recently paid TecSys Development Inc., which makes the ConsoleWorks Intelligent Event Manager central-monitoring product, to include ABB's new emergency-management software, Network Manager, in TecSys' roster of supported products.

ConsoleWorks gives customers a single view of systems, along with alarms and suggested processes to avert downtime and potential security problems. It supports many IT systems including Cisco routers, HP's HP-UX operating system, and Oracle's database-management software, but this is the first time it has supported an emergency-management system for the utility industry. Utility operators who use Network Manager and run ConsoleWorks could attain a single view of both IT and operational systems, enhancing their ability to monitor potential cyberintrusions, as well as more garden-variety problems, across multiple points. Following the deal between ABB and TecSys, INEEL has begun conducting some early tests of ConsoleWorks, though complete testing awaits funding from Washington, according to the lab.

If the testing goes successfully, the bundled offering has important implications for the industry, says Jim Davidson, consultant technical specialist at INEEL. "From a central source we could monitor the beginning of an attack at the router or firewall level," Davidson says. "Ultimately, we'll test, but we can't certify anything, but we'll report back to utilities, vendors, and users for fixes. Our goal: Teach them how to be more secure."

One ConsoleWorks customer in the utility industry says that software has already helped make his job easier. "Most important, it lets us find the root cause for an IT system outage and resolve it quickly," says Eric Whitley, control systems services manager at California Independent System Operator. "Before ConsoleWorks we had issues that remained open for weeks, and now they're typically closed and resolved in half an hour." He expects even more benefits with the addition of support for ABB's EMS software. "Once it's hardened for security, with its central view, I wouldn't have to harden every single app we touch," he says.

Utility operators across the nation will be getting some other help in January when it comes to securing their systems. NERC in the past has published a standard for securing utility operators' control centers, but it expects to publish a new standard for substation cybersecurity by the Martin Luther King Jr. holiday. The current NERC standard includes best-practice requirements, such as enacting procedures for firewall management, secure dial-up modem connections, and antivirus software, and the new standard will also identify best-practice requirements.

But "utilities and system operators need to first identify which substations are most critical," cautions Lynn Costantini, CIO at NERC, because it could take many years to implement cybersecurity procedures for the thousands of substations out there.

Lou Leffler, manager of critical infrastructure protection at NERC, says substations represent a major problem for locking down cybersecurity for utilities. Substations have hundreds of times the connections that most antivirus software is accustomed to dealing with, and their real-time operating systems mean they can't tolerate a millisecond interruption. "Many of them were built for a specific task, during an age we didn't have cybersecurity concerns," he says. "Adding on security systems is quite the challenge, due to bandwidth and timing."

But there's no question there's a need to harden cybersecurity defenses. An independent energy analyst is conducting an analysis for the Energy Department of worldwide damage to utility-control systems. "The highest probability comes from viruses and worms, but next comes corporate IT [at a utility] installing the latest version of antivirus software," says Joe Weiss, an analyst at Kema Inc., a consultancy focused on the energy industry. "Loading the latest version of antivirus software on HP-UX or Solaris could slow down the operation, thus shutting down multiple real-time control systems."

So far Weiss says he can point to six outages that occurred because of cybersecurity breaches--that includes breaches of servers, which are often attached to components that are attached to the grid. And, says Weiss, that's just the tip of the iceberg.
