December 22, 2024

Critical Infrastructure Protection:
A Priority for Industry

by Francis Bradley, Vice-President, Canadian Electricity Association, bradley@canelect.ca
Potential threats to the continued supply of electric power can come from many quarters and can take many forms. While the terrorist attacks in the United States on 11 September 2001 raised the profile of the need to protect critical infrastructure from malicious attacks, physical damage to infrastructure can also be the result of natural phenomenon, including weather related events such as storms and flooding. Cyber threats also exist, and the potential impact from computer viruses, worms and other attacks to IT resources must be safeguarded against.

How does the electricity sector define critical infrastructure protection? Critical infrastructure protection means safeguarding the essential components of the electric infrastructure against physical and electronic cyber threats in a manner consistent with appropriate risk management, with both industry and industry-government partnerships, while sustaining public confidence in the electricity sector.

A North American Approach
The North American electric power industry, through the North American Electric Reliability Council (NERC), seeks to safeguard the North American bulk electric power system through a variety of activities, principally through the Information Sharing and Analysis Center for the Electricity Sector (ES-ICSAC). The ES-ISAC serves the electricity sector by facilitating communications between electric sector participants, federal government and other critical infrastructure industries. It is the job of the ES-ISAC to promptly disseminate threat indications, analyses, and warnings, together with interpretations, to assist electricity sector participants take protective actions. On a North American basis, most critical infrastructure industries have established an ISAC to communicate with members, government partners, and other ISACs about threat indications, vulnerabilities, and protective strategies. ISACs work together to better understand cross-industry dependencies and to account for them in emergency response planning.

The Canadian Electricity Association (CEA) is an active participant in the ES-ISAC and in the NERC CIP Advisory Group. CEA works cooperatively on a continental basis with a range of partners through NERC, including other industry associations such as the Edison Electric Institute (EEI) and the American Public Power Association (APPA), to ensure coordination and effective CIP program delivery for the electric power sector.

Consistent with the NERC approach, the focus of CEA activities includes both physical and cyber threats to infrastructure. Physical damage, either from natural or malicious means, is easily understood. Recent ice storms, flooding, hurricanes, as well as the September 11 terrorist attacks have served to raise industry and public awareness of the potential impact physical damage may have on infrastructure. Less difficult to quantify is the potential impact of cyber attacks.

While industry is better prepared to both in terms of early warning and in response to cyber incidents, the fact is the frequency of cyber attacks is on the increase. And while the names of some viruses and worms are widely recognized by most people, think of NIMDA, Goner, the socalled Love-Bug, and the recent SQL-Slammer worm, the impact on the economy is anything but ordinary. Computer Economics, a technology consultancy, reported that viruses cost the U.S. economy $13,2 billion in 2001, due mostly to computer network crashes and time spent purging systems of the digital infections.

To date, there has been no loss of service to electricity customers as a result of these cyber incidents. However, as the January 25th SQLSlammer worm incident showed, infrastructure is vulnerable to cyber attacks. The SQL-Slammer worm resulted in a degradation of service in a number of sectors, including financial services, transportation and telecommunications, and due to the inter-dependent nature of infrastructure, some electric power operators felt the impact of the worm through these inter-dependencies.

Clearly, the increasing frequency and impact of cyber-based attacks coupled with the electricity industry’s growing dependence on e-commerce and electronic controls means that risk mitigation in this area is a very significant CIP challenge.

Canadian Activities
In January 2000, following the successful Y2K transition, CEA members formed the Critical Infrastructure Protection (CIP) Working Group in order to coordinate activities, share best practices, and interface with the federal government. In its first year-and-a-half of activities it had established an effective information sharing Intranet site, implemented methods for coordinating activities with the North American Electric Reliability Council (NERC) and other partners, developed and implemented an Early Warning System for threats to electricity infrastructure, and worked closely with the federal government.

Today, all CEA Councils and Working Groups use the CEA Intranet to facilitate their activities. But in early 2000, the CIP Working Group was the first to begin actively testing the Orchestra platform, developed by Ottawa-based Crossdraw, intended to facilitate on-line coordination and cooperation. The initial test was a success, and the CIP section on the CEA Intranet continues to expand and includes: an electronic filing system for key documents; issues monitoring information; an area for on-line discussions; and the alerts and advisories sent by the Canadian federal government as well as those from the Department of Homeland Security’s National Infrastructure Protection Center.

Early Warning
The Early Warning System (EWS) developed by the CIP Working Group is a model being looked at by other sectors as a fast and efficient method of communicating information in times of high alert. CEA’s EWS uses the Internet, email, web-enabled cell phones and Blackberry handheld devices to deliver real-time threat information to members on a 24/7 basis.

The value of the network provided by the CIP Working Group provides was in evidence on 11 September 2001. A CEA delegation was meeting with Energy Ministers that fateful morning. When initial reports began coming in, the scheduled meeting was suspended in order to focus on the events in New York and Washington, and their potential impact on infrastructure. In a matter of minutes, CEA President Hans Konow was able to report to Ministers and officials as to the state of the grid, the level of alert electric utilities were moving towards, and the types of security measure which were being implemented as a result of the alert.

On January25th of this year, as IT specialists first began to see the SQL-Slammer worm impacts, CEA members were notified and were able to take remedial action. Speed of response was critical. This worm spread around the globe in less than 10 minutes, and unlike the “Code Red” worm of 18 months previous which doubled the number of computers it infected every 37 minutes, Slammer initially doubled the number of computers it infected every 8.5 seconds.

A computer security research group led by the Cooperative Association for Internet Data Analysis (CAIDA) noted that while SQLSlammer was a simple worm, it “represents a significant milestone in the evolution of computer worms. It clearly demonstrates that fast worms are not just a theoretical threat, but a reality — one that should be considered a standard tool in the arsenal of an attacker.”

Ensuring Protection
While the above highlights some of the risks and corresponding actions the electric power industry has taken to mitigate those risks, individuals have a role to play as well. All companies have guidelines for both physical and IT security. It is essential that company staff be aware of the risks and potential threats and that they are familiar with standard company and industry policies and procedures for dealing with potential threats to infrastructure.

Through NERC, the North American electric power industry has developed a series of guidelines for the protection of critical assets. These guidelines cover both physical and IT security and can be used by CIP facility operators as a “best practices” guide. They can be accessed on the ES-ISAC Website at www.esisac.com.