SCADA: The Power Grid Saga

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!

SCADA: The Power Grid Saga

In an excellent report published today in the USA Today, Steve Reilly wel-researched work gives examples of just how big the risk from unsecured SCADA devices is.

Attacks

As I wrote in 2009, in my article ‘The Biggest Hole of It All‘, our infrastructure, that is to say the foundations on which our way of life depends, are highly insecure.

For example, Mr. Reilly describes that in the Power Grid area alone, the Department of Homeland Security (DHS), reported more than 151 ‘cyber incidents’, representing a 36% increase over the previous years’ and an astonishing 487% increase over 2012.

The article mentions a 2011 attack on a small electricity co-op in Texas.  What is really telling are the words (emphasis mine)

…CEO R.B. Sloan shared his surprise with the utility’s board of directors.”

Why surprise, you ask?

It seems that the CEO thought the hackers would aim for ‘something else’ to ‘make a bigger impact’.  Is that not another occurrence of the Ostrich Syndrome?

Self Regulation

In 2005, four years after 9/11, even the US Congress (a body which was never accused of acting swiftly) passed a legislation called The Energy Policy Act (of 2005) also known as EPAct.  The Act’s number 3 objective was to “provide for development of a stronger energy infrastructure.“(1, emphasis mine)

As FERC, the Federal Energy Regulatory Commission, claims, this is

“the first time, [that] the Commission was granted authority to oversee mandatory reliability standards governing the nation’s electricity grid.”

What was done to develop those standards, you ask?

Games of Names

After a largest to-then-date power blackout of 1965, Congress deliberated, but not enacted the creation of ‘a council on power coordination‘ (2)

Then, perhaps fearful of government oversight, the industry did what industry does.  In self-defense, it founded the National Electric Reliability Council (now Corporation) (NERC).  Self-regulation ensued.

Bad Call

Under NERC’s regulation (of regulations that should have been written by… you guessed it, FERC), such brilliant processes as Enron, and the New York City Blackout of 1977 were allowed to take place.

Then, in 1993, NERC published its ‘NERC 2000‘ plan recommending mandatory compliance with, you guessed it, its own policies.

In 1997, after two major blackouts in the United States in 1996, the Department of Energy (DOE) and a panel created by NERC stated that ‘Grid reliability rules must be mandatory and enforceable

And finally, in 2000, NERC was, according to its own web site (3) ‘appointed as the electric utility industry’s primary point of contact with the U.S. government for national security and critical infrastructure protection issues’. (emphasis mine)

Notice a trend?  First an industry owned and funded association is created, then it recommended compliance with its own rules, and finally, the keys to the kingdom are given by Congress and by the Executive Branch, the ability to be the point of contact with the US Government.  Presumably silencing others, such as Customer organizations.

 

Response to Problems

As part of a seemingly repeating cycle, in 2003 ‘North America experiences [its] worst blackout to date, as 50 million people lose power in the northeastern and midwestern United States and Ontario, Canada.‘ (3)

The penalty for a stellar failure?

As mentioned above, the EPAct of 2005,

authorizes creation of an audited self-regulatory electric reliability organization spanning North America, with FERC oversight in the United States.
Further, the Legislation states that

compliance with reliability standards will be mandatory and enforceable.

Odd how the Legislation parroted the terms mentioned in the industry’s 1997 guidance, isn’t it?

In human terms:  NERC will write the rules, Congress (presumably through the DOE and FBI) would enforce them.

In 2012, Even Congress’ own research arm, the Congressional Research Service, called that situation ‘unusual’ ‘ and a potential ‘conflict of interest’

 

Grapes of Sloth

(or Grid of Greed)

Today we have a situation in which a critical (and some would say THE critical) part of our way of life, the electrical grid, is not only interconnected between utilities, but is reliant on devices (SCADA and others) and communication protocols (such as RS-232c) predating the Internet and predating modern Information Security practices.

The interconnected nature of the Grid implies that an attack on one provider may lead to compromise at other providers.  The protocols create a situation in which someone with a laptop, in potential, could cripple a large part of the power grid of the United States.  That would not be good, would it?

 

Do you agree that the Hole Keeps Getting Bigger?

 

Referred documents:

  1. FERC & EPAct 2005, at http://www.ferc.gov/legal/fed-sta/ferc-and-epact-2005.pdf).
  2. U.S. Electric Power Reliability Act of 1967
  3. NERC History, at http://www.nerc.com/AboutNERC/Documents/History_Dec12.pdf