The blackout of August 2003 highlighted the fragility of the North American electric power infrastructure to the government, utility shareholders and the general public. It was the largest blackout in North American history and cost over $50 billion in economic losses. This number is, at least in part, due to the increasing reliance on electric utilities.
As this reliance has increased, so have utilities companies’ efforts to control and manage power from generation through to delivery. These efforts have resulted in the implementation of extensive information systems. Clearly, open system technologies are streamlining core business operations including customer service, power and outage management and supply procurement. Just as people are becoming more reliant on power companies, power companies are becoming more reliant on technology.
Information networks allow companies to maintain centralized monitoring of their energy management systems (EMS). They also enable these organizations to get power from generation to end users – which often involves great distances. Supervisory control and data acquisition (SCADA) systems were created for this very purpose. SCADA systems provide centralized management and monitoring of dispersed facilities and collect electric system data from nodes placed throughout the power system. The immense size of modern power grids has made SCADA systems indispensable. The average SCADA system has between 30,000 to 50,000 data collection and control points. Centralized management of network data ensures coordinated control and maximum staff efficiency.
Because the electric power grid was recognized to be essential to our infrastructure, early EMS and SCADA systems were constructed separately from other corporate systems. However, over time the convergence of power company networks and the demand for remote access to SCADA systems has led to many of them becoming accessible through non-SCADA networks.
EMS and SCADA systems created a more efficient way for electric companies to do business and the Internet took them a step further by enabling more cost-effective operations, more efficient communication and more innovative business practices. The benefits of connectivity are clear. Yet it is only recently that many electric utilities have come to understand the risks involved with making networks more accessible to a wider range and number of users. The reality is that providing better access to customers, suppliers and other third parties significantly increases the threat to the sensitive and proprietary information contained in those systems. Further, linking corporate networks and the networks that run an electric utility’s operational control system are increasingly common. It is just as common for these networks to be inadequately protected.
In many cases, SCADA networks have been installed by third-party systems integrators that have exclusive authority to maintain them. This presents yet another potential security risk, as well as a challenge to sound IT management practices.
To address these risks, electric power companies must focus on collaboration between CIOs and IT staff who run the corporate network, but also COOs and the staff who run the operational network. Cooperation and coordination ensures that risks are properly addressed and assets are properly protected throughout the enterprise.
SCADA systems are a unique beast. Increased business dependence on the corporate network and widespread use of SCADA systems for energy management, means that electric power operational infrastructures are exposed to attack from an increasing pool of potential platforms and sources. However, few SCADA systems were designed with security in mind and adding security to them after the fact has proven to be challenging. There has been an assumption that SCADA systems are complicated and proprietary and therefore few people know enough about them to do much damage. But it is now clear that a determined attacker can obtain the requisite information without much difficulty, often by merely searching for it on the Internet. Furthermore, this assumption of “obscurity” fails to recognize the risk of an insider attack by someone who is not only knowledgeable but may even have legitimate authorization to access the systems.
Yet, a recent study conducted by Gartner Research in February 2003, indicates that many utilities are unwilling to spend the money it would take to implement robust security measures in their SCADA and business networks. In this light, consider these statistics taken from Symantec Corporation’s October 2003, Internet Security Threat Report:
It is clear, electric power companies must take aggressive proactive steps to secure their networks before an incident causes shareholders to lose confidence and the federal government imposes mandatory security regulations.
There are several business cases to be made for preventing security breaches. Operational continuity is perhaps the most important case for ensuring a secure network. The need for reliability and availability of electricity throughout the power grid is at the core of the electric power industry. To prevent unauthorized access and disruption of service, electric utilities must remain vigilant about the protection of their electricity management.
The industry is slowly recognizing the need to protect the North American power grid. On August 13, 2003, just one day before the 2003 blackout, the North American Electric Reliability Council (NERC), approved Urgent Action Standard 1200. The standard recognizes that adherence to industry standards and other proactive cyber security measures are vital to avoiding the imposition of mandatory government enforced security measures.
So how do electric utilities address evolving security challenges? Effective network security begins with a thorough assessment of each network and its security architecture, followed by a carefully developed plan for improving security. Following is an overview of key steps that need to be taken to minimize the number and impact of security breaches:
1. Perform Regular Risk Assessments: Many electric utilities conduct regular risk assessments of their EMS and SCADA systems, but the majority do not. Risk assessment combined with appropriate post-assessment remediation action is essential to mitigate risks. A regularly scheduled assessment of corporate networks, Web servers and customer management systems is also essential to comprehensive security. Reviews of this nature can reveal unintended gaps in security, unknown linkages between public and private networks and firewall configuration problems.
2. Design an Effective Information Security Architecture: Firewalls, intrusion detection systems and virtual private networks can all help protect networks and data from malicious attacks, but if they are not deployed in the right places with the right configurations, these technologies can be rendered effectively useless. To minimize risks associated with poor network architecture, electric utilities should consider working with qualified information security professionals not only for the initial design, but on an ongoing basis to ensure that evolving network architectures do not compromise information security.
3. Deploy a Balanced Security Architecture: Corporate and control networks need to be surrounded by several different robust technologies and practices to be well protected. These components include assessments and early warning technology, protection technologies including firewall technology and finally, monitoring and management technologies.
4. Choose a Trusted Partner: Hiring experienced IT security experts can be cost prohibitive so many organizations decide to outsource the management and monitoring of their security devices to highly specialized managed security companies. These managed security services companies enable corporations to maintain a real-time security monitoring capability at a relatively low cost.
Electric utility companies must take steps to quickly protect electric generation and delivery systems – and their associated business networks – against viruses, hackers and other online threats. Many electric utilities are past the beginning stages for understanding the need for cyber protection but are still trying to educate management and employees on the need to implement appropriate security practices. These practices are essential to maintaining secure networks and ensuring the continuity of power generation and delivery in the future.
ABOUT THE AUTHOR
William K. Campbell, Vice President, Information Security Business Strategy, Symantec Corporation. William K. Campbell is vice president of Information Security Business Strategy in the Strategic Vertical Solutions and Support Group at Symantec. Campbell’s group specializes in the utilities, energy, telecommunications and chemicals industries. With more than 18 years experience in software development, quality management, systems integration and security of networked computing technologies, Campbell has spent his career conceiving, planning and executing technology deployments in complex and dynamic business environments. He has consulted to a broad spectrum of companies including Fidelity Investments, Microsoft, Goldman Sachs, AT&T, Fujitsu, Cisco Systems, BellSouth, Arthur J. Gallagher, Halliburton and ExxonMobil. A graduate of the United States Naval Academy, he designed the first local area network installed at a U.S. Marine Corps facility. Later, he worked as a senior technology consultant with the U.S. Department of Energy, and as a quality engineer for a software company in the energy services industry. He has also spent time in his career with Fidelity Investments, StorageNetworks, Inc and Arthur J. Gallagher & Company. In addition, Campbell founded Eagle’s Reach, an information security consulting firm that also develops specialized software. Campbell is a Certified Information Systems Security Professional. He is currently a member of the Professional Practice Committee of (ISC)2, responsible for reviewing allegations of professional misconduct and a representative to the International Information Integrity Institute (I4).
As this reliance has increased, so have utilities companies’ efforts to control and manage power from generation through to delivery. These efforts have resulted in the implementation of extensive information systems. Clearly, open system technologies are streamlining core business operations including customer service, power and outage management and supply procurement. Just as people are becoming more reliant on power companies, power companies are becoming more reliant on technology.
Information networks allow companies to maintain centralized monitoring of their energy management systems (EMS). They also enable these organizations to get power from generation to end users – which often involves great distances. Supervisory control and data acquisition (SCADA) systems were created for this very purpose. SCADA systems provide centralized management and monitoring of dispersed facilities and collect electric system data from nodes placed throughout the power system. The immense size of modern power grids has made SCADA systems indispensable. The average SCADA system has between 30,000 to 50,000 data collection and control points. Centralized management of network data ensures coordinated control and maximum staff efficiency.
Because the electric power grid was recognized to be essential to our infrastructure, early EMS and SCADA systems were constructed separately from other corporate systems. However, over time the convergence of power company networks and the demand for remote access to SCADA systems has led to many of them becoming accessible through non-SCADA networks.
EMS and SCADA systems created a more efficient way for electric companies to do business and the Internet took them a step further by enabling more cost-effective operations, more efficient communication and more innovative business practices. The benefits of connectivity are clear. Yet it is only recently that many electric utilities have come to understand the risks involved with making networks more accessible to a wider range and number of users. The reality is that providing better access to customers, suppliers and other third parties significantly increases the threat to the sensitive and proprietary information contained in those systems. Further, linking corporate networks and the networks that run an electric utility’s operational control system are increasingly common. It is just as common for these networks to be inadequately protected.
In many cases, SCADA networks have been installed by third-party systems integrators that have exclusive authority to maintain them. This presents yet another potential security risk, as well as a challenge to sound IT management practices.
To address these risks, electric power companies must focus on collaboration between CIOs and IT staff who run the corporate network, but also COOs and the staff who run the operational network. Cooperation and coordination ensures that risks are properly addressed and assets are properly protected throughout the enterprise.
SCADA systems are a unique beast. Increased business dependence on the corporate network and widespread use of SCADA systems for energy management, means that electric power operational infrastructures are exposed to attack from an increasing pool of potential platforms and sources. However, few SCADA systems were designed with security in mind and adding security to them after the fact has proven to be challenging. There has been an assumption that SCADA systems are complicated and proprietary and therefore few people know enough about them to do much damage. But it is now clear that a determined attacker can obtain the requisite information without much difficulty, often by merely searching for it on the Internet. Furthermore, this assumption of “obscurity” fails to recognize the risk of an insider attack by someone who is not only knowledgeable but may even have legitimate authorization to access the systems.
Yet, a recent study conducted by Gartner Research in February 2003, indicates that many utilities are unwilling to spend the money it would take to implement robust security measures in their SCADA and business networks. In this light, consider these statistics taken from Symantec Corporation’s October 2003, Internet Security Threat Report:
- By October 2003, Symantec documented 1,432 new vulnerabilities, a 12 percent increase over the number found in the same period the previous year.
- The speed of propagation of blended threats is increasing. For example, the Slammer worm impacted systems worldwide in less than a few hours.
- The overall rate of attack activity rose by 19 percent in 2003.
It is clear, electric power companies must take aggressive proactive steps to secure their networks before an incident causes shareholders to lose confidence and the federal government imposes mandatory security regulations.
There are several business cases to be made for preventing security breaches. Operational continuity is perhaps the most important case for ensuring a secure network. The need for reliability and availability of electricity throughout the power grid is at the core of the electric power industry. To prevent unauthorized access and disruption of service, electric utilities must remain vigilant about the protection of their electricity management.
The industry is slowly recognizing the need to protect the North American power grid. On August 13, 2003, just one day before the 2003 blackout, the North American Electric Reliability Council (NERC), approved Urgent Action Standard 1200. The standard recognizes that adherence to industry standards and other proactive cyber security measures are vital to avoiding the imposition of mandatory government enforced security measures.
So how do electric utilities address evolving security challenges? Effective network security begins with a thorough assessment of each network and its security architecture, followed by a carefully developed plan for improving security. Following is an overview of key steps that need to be taken to minimize the number and impact of security breaches:
1. Perform Regular Risk Assessments: Many electric utilities conduct regular risk assessments of their EMS and SCADA systems, but the majority do not. Risk assessment combined with appropriate post-assessment remediation action is essential to mitigate risks. A regularly scheduled assessment of corporate networks, Web servers and customer management systems is also essential to comprehensive security. Reviews of this nature can reveal unintended gaps in security, unknown linkages between public and private networks and firewall configuration problems.
2. Design an Effective Information Security Architecture: Firewalls, intrusion detection systems and virtual private networks can all help protect networks and data from malicious attacks, but if they are not deployed in the right places with the right configurations, these technologies can be rendered effectively useless. To minimize risks associated with poor network architecture, electric utilities should consider working with qualified information security professionals not only for the initial design, but on an ongoing basis to ensure that evolving network architectures do not compromise information security.
3. Deploy a Balanced Security Architecture: Corporate and control networks need to be surrounded by several different robust technologies and practices to be well protected. These components include assessments and early warning technology, protection technologies including firewall technology and finally, monitoring and management technologies.
4. Choose a Trusted Partner: Hiring experienced IT security experts can be cost prohibitive so many organizations decide to outsource the management and monitoring of their security devices to highly specialized managed security companies. These managed security services companies enable corporations to maintain a real-time security monitoring capability at a relatively low cost.
Electric utility companies must take steps to quickly protect electric generation and delivery systems – and their associated business networks – against viruses, hackers and other online threats. Many electric utilities are past the beginning stages for understanding the need for cyber protection but are still trying to educate management and employees on the need to implement appropriate security practices. These practices are essential to maintaining secure networks and ensuring the continuity of power generation and delivery in the future.
ABOUT THE AUTHOR
William K. Campbell, Vice President, Information Security Business Strategy, Symantec Corporation. William K. Campbell is vice president of Information Security Business Strategy in the Strategic Vertical Solutions and Support Group at Symantec. Campbell’s group specializes in the utilities, energy, telecommunications and chemicals industries. With more than 18 years experience in software development, quality management, systems integration and security of networked computing technologies, Campbell has spent his career conceiving, planning and executing technology deployments in complex and dynamic business environments. He has consulted to a broad spectrum of companies including Fidelity Investments, Microsoft, Goldman Sachs, AT&T, Fujitsu, Cisco Systems, BellSouth, Arthur J. Gallagher, Halliburton and ExxonMobil. A graduate of the United States Naval Academy, he designed the first local area network installed at a U.S. Marine Corps facility. Later, he worked as a senior technology consultant with the U.S. Department of Energy, and as a quality engineer for a software company in the energy services industry. He has also spent time in his career with Fidelity Investments, StorageNetworks, Inc and Arthur J. Gallagher & Company. In addition, Campbell founded Eagle’s Reach, an information security consulting firm that also develops specialized software. Campbell is a Certified Information Systems Security Professional. He is currently a member of the Professional Practice Committee of (ISC)2, responsible for reviewing allegations of professional misconduct and a representative to the International Information Integrity Institute (I4).