A 60 Minutes report last week described the possibility that hackers were behind massive power outages in Brazil in 2007 and 2005. The report also describes how the U.S. infrastructure is likewise vulnerable to hacking. As we’ve seen with incidents like Georgia, hackers are now often politically motivated professionals serving national governments. This leads to cyber-warfare, where a government employs hacking to cripple functionality or steal intelligence from other governments. And if one government does it, then every other government establishes its own cyber-units, and we now have an arms race on the internet. The New York Times has a good article on the issue.
Instead of discussing cyber-warfare at a more general level, I’d like to talk about cybersecurity concerns in the U.S. electrical infrastructure. To understand the issue, we need to look at the key players in the industry, who they are, and how the government is trying to regulate them.
The U.S. power industry is made up of at least two levels of players: utilities and infrastructure providers. Utilities generally deploy and maintain physical infrastructure purchased from the infrastructure providers. In some cases, these companies also buy and sell energy with other power companies to meet local demand. Examples of such companies include Connecticut Light and Power and Southern California Edison. You pay these guys for your electricity.
The much bigger players are the infrastructure providers like General Electric, Samsung, and Areva. These corporations manufacture the power plants, control systems, and other infrastructure that utilities purchase and install. GE is U.S. based, but Samsung and Areva are German and French respectively, both with sizable stakes in the U.S. market. This raises fairly obvious national security concerns regarding foreign companies manufacturing critical U.S. infrastructure.
Over the past several decades, these power infrastructure corporations have made their monitoring and control systems Internet-enabled, so their software now runs over the same networks as the rest of Internet traffic. This is an advantage because it simplifies the network infrastructure supporting the power grid’s management systems, but it also exposes the power grid to traditional Internet-based attacks.
Fortunately, the U.S. government and international agencies are aware of the power grid cybersecurity problem, and are actively legislating and setting standards for power grid security. In the US, we have the Federal Electric Regulatory Commission (FERC) under the Department of Energy. FERC is requiring compliance with the North American Electric Reliability Corporation’s Critical Infrastructure Protection standard (NERC CIP) in 2010. NERC CIP details requirements and implementation plans for North American power utilities to harden themselves against physical, and more importantly, digital intrusion. Additionally, CIP requires mitigation plans in the event of actual attacks.
The National Institute of Standards and Technology also has draft Smart Grid cybersecurity standards, which address Smart Grids, an emerging technology that power companies are introducing to increase efficiency and robustness in the grid. Internationally, we have the International Council on Large Electrical Systems (CIGRE), which specifies reference architectures, including the next-generation Energy Management System Reference Architecture, which treats cybersecurity as a key component.
Going back to the national level, the Federal Electric Regulatory Commission is requiring compliance according to NERC’s schedule of compliance requirements, culminating in a deadline in 2010. NERC CIP includes not only security features, but also auditing, incident reporting, and incident response and mitigation plans in the event of a security breach. NERC specifies timelines for implementation and auditing, as well as non-compliance fines of up to $1 million per day. These deadlines put the utility companies on a very tight schedule, and full compliance seems fairly unlikely for a significant number of them.
Unfortunately, in the end NERC CIP is just a step forward, not the ultimate solution. Even if all utilities comply with NERC CIP requirements, we’re still left with the axiom that no piece of complex software is entirely secure. Acknowledging this, NERC CIP requires mitigation plans to control damage when an actual breach happens. NERC is also in the process of revising CIP, with the revisions set for publication in 2010 or 2011.
As the 60 Minutes video also reports, we already know that foreign agencies have penetrated the U.S. power grid’s networks and systems. In the event of a military action, there is almost no question that foreign governments will consider using that access to damage U.S. electrical infrastructure. Considering how little the government regulated the power industry with regard to cybersecurity, I’m glad that the government is now locking down the power grid as part of its wider effort to secure critical infrastructure. NERC CIP is probably not enough, but it’s a good start.