SCADA: The Power Grid Saga
In an excellent report published today in the USA Today, Steve Reilly wel-researched work gives examples of just how big the risk from unsecured SCADA devices is.
As I wrote in 2009, in my article ‘The Biggest Hole of It All‘, our infrastructure, that is to say the foundations on which our way of life depends, are highly insecure.
For example, Mr. Reilly describes that in the Power Grid area alone, the Department of Homeland Security (DHS), reported more than 151 ‘cyber incidents’, representing a 36% increase over the previous years’ and an astonishing 487% increase over 2012.
The article mentions a 2011 attack on a small electricity co-op in Texas. What is really telling are the words (emphasis mine)
…CEO R.B. Sloan shared his surprise with the utility’s board of directors.”
Why surprise, you ask?
It seems that the CEO thought the hackers would aim for ‘something else’ to ‘make a bigger impact’. Is that not another occurrence of the Ostrich Syndrome?
In 2005, four years after 9/11, even the US Congress (a body which was never accused of acting swiftly) passed a legislation called The Energy Policy Act (of 2005) also known as EPAct. The Act’s number 3 objective was to “provide for development of a stronger energy infrastructure.“(1, emphasis mine)
As FERC, the Federal Energy Regulatory Commission, claims, this is
“the first time, [that] the Commission was granted authority to oversee mandatory reliability standards governing the nation’s electricity grid.”
What was done to develop those standards, you ask?
Games of Names
After a largest to-then-date power blackout of 1965, Congress deliberated, but not enacted the creation of ‘a council on power coordination‘ (2)
Then, perhaps fearful of government oversight, the industry did what industry does. In self-defense, it founded the National Electric Reliability Council (now Corporation) (NERC). Self-regulation ensued.
Under NERC’s regulation (of regulations that should have been written by… you guessed it, FERC), such brilliant processes as Enron, and the New York City Blackout of 1977 were allowed to take place.
Then, in 1993, NERC published its ‘NERC 2000‘ plan recommending mandatory compliance with, you guessed it, its own policies.
In 1997, after two major blackouts in the United States in 1996, the Department of Energy (DOE) and a panel created by NERC stated that ‘Grid reliability rules must be mandatory and enforceable‘
And finally, in 2000, NERC was, according to its own web site (3) ‘appointed as the electric utility industry’s primary point of contact with the U.S. government for national security and critical infrastructure protection issues’. (emphasis mine)
Notice a trend? First an industry owned and funded association is created, then it recommended compliance with its own rules, and finally, the keys to the kingdom are given by Congress and by the Executive Branch, the ability to be the point of contact with the US Government. Presumably silencing others, such as Customer organizations.
Response to Problems
As part of a seemingly repeating cycle, in 2003 ‘North America experiences [its] worst blackout to date, as 50 million people lose power in the northeastern and midwestern United States and Ontario, Canada.‘ (3)
The penalty for a stellar failure?
As mentioned above, the EPAct of 2005,
authorizes creation of an audited self-regulatory electric reliability organization spanning North America, with FERC oversight in the United States.
compliance with reliability standards will be mandatory and enforceable.
Odd how the Legislation parroted the terms mentioned in the industry’s 1997 guidance, isn’t it?
In human terms: NERC will write the rules, Congress (presumably through the DOE and FBI) would enforce them.
In 2012, Even Congress’ own research arm, the Congressional Research Service, called that situation ‘unusual’ ‘ and a potential ‘conflict of interest’
Grapes of Sloth
(or Grid of Greed)
Today we have a situation in which a critical (and some would say THE critical) part of our way of life, the electrical grid, is not only interconnected between utilities, but is reliant on devices (SCADA and others) and communication protocols (such as RS-232c) predating the Internet and predating modern Information Security practices.
The interconnected nature of the Grid implies that an attack on one provider may lead to compromise at other providers. The protocols create a situation in which someone with a laptop, in potential, could cripple a large part of the power grid of the United States. That would not be good, would it?
Do you agree that the Hole Keeps Getting Bigger?
- FERC & EPAct 2005, at http://www.ferc.gov/legal/fed-sta/ferc-and-epact-2005.pdf).
- U.S. Electric Power Reliability Act of 1967
- NERC History, at http://www.nerc.com/AboutNERC/Documents/History_Dec12.pdf