- #1
- 11,308
- 8,732
Whenever the subject of cyber security is raised, attacks on the power grid are the first example offered almost all the time. Nobody should be surprised then that there is a tremendous amount of activity and huge amounts of money being spent on grid cyber security. Much of that is being driven by the USA federal government, and by NERC (North American Electric Reliability Corporation) the central nexus on the private side.
Recent revelations, triggered by the actions of Edward Snowden, undermine the credibility of the whole thing. On one hand the government led by President Obama and Congress is demanding much improved security and is using the authority of regulation to impose it. On the other hand the government led by Director of National Intelligence does not want anyone, private or commercial, to enjoy true security. Recent press reports say that NSA works covertly to insert back doors and to weaken security standards. The government has created huge conflicts of interest regarding security.
What about NERC? In recent years, NERC has issued numerous "standards" for all kinds of power grid operation and design issues. I've been told that compliance with NERC standards, rather than doing the right thing in one's best engineering judgement has become the only way to survive in the industry. But is it not foolish to believe that NERC is free from NSA interference? NSA could have compromised NERC without knowledge of NERC staff, or NSA might have ordered them to compromise security and to keep silent about it and to lie if their independence is questioned. (Just as General Clapper admitted that he was obligated to lie while under oath.)
Indeed, the tragedy of this covert government surveillance is that it makes it impossible to distinguish true security from security theater. I'm sure that similar things may be happening in other countries, but I'm not familiar with the details.
Worse, if there are back doors or weaknesses built into the cyber security systems, it is not only possible but inevitable that some day the bad guys will learn how to exploit them for nefarious purposes. The breakdown will likely come when one of the people trained by NSA to use the back doors changes sides.
What to do? I'm sure glad that I am not he security officer for a utility or one of the grid operators today. No doubt, expressing an independent voice in opposition to government security mandates or to NERC standards would be a career ending move. As long as one cooperates and complies fully with the government and with NERC, nothing bad that happens to the grid will be blamed on you. I fear that everyone is personally motivated to promote only security theater.
What to do politics aside? Wearing only my engineer's hat, I note two things. The power grid is highly redundant and highly diverse. Large, regional blackouts have occurred. Think of the years 1965, 1997, and 2003 in the northeast. (The USA does not have a single national power grid and a national blackout has never occurred.) Nevertheless, the power grid is highly resilient to multiple simultaneous failures. Hurricanes, earthquakes, floods, and ice storms introduce hundreds of thousands of concurrent failures and none of them have ever produced a blackout that cascaded into large regions beyond that actual devastation.
But I think the grid's best weapon against cyber attacks is diversity in equipment make, model, and generation. Think about it. Cyber attacks are highly specific to what is being attacked. For example, the Stuxnet virus was designed to attack only Siemens S7 PLCs. The Iranian enrichment plant was vulnerable to that because all the centrifuges used the same PLCs. Electric utilities however, have over the years bought and installed at least some of every make and model of device designed for grid applications from every manufacturer in the business. Large central power plants (not gas turbines) are so diverse that it is nearly true that there are no two alike.
Any attack specific to some make, model and generation of equipment, could conceivably succeed, but the grid operation would only be partially impeded or not at all impeded by the loss of those components. Compare the consequences of man-made attacks with those of natural events, and remember that everything about the power grid since its origins in the 1880s has been designed to be resilient in the face of multiple simultaneous failures. The recent superstorm Sandy devastated power facilities near the shore but it caused no cascading blackouts into the interior of the country. It would be extraordinarily difficult to launch simultaneous attacks that were effective against all makes and models of devices installed in the last 40 years.
What about central command and control computers? Yes, the more central things become, the more vulnerable they area to cyber attack. The trend in recent decades has been toward more centralization into large control areas, and most recently into regional control areas. I also suspect that nearly 100% of the command and control computers installed in the last decade use some variant of Unix, thus decreasing diversity further.
The worst case scenario would be if the USA had a single national control center (as some people in government advocate) If it existed it would be the most juicy, most attractive target for cyber attack in the whole world. The second worse case would be if the design, implementation and philosophy of these command and control systems were to become less diverse via compliance with government mandates and NERC standards. Yes, that's right, some (not all) of the very remedies proposed to improve grid security could actually reduce diversity and to make the grid more vulnerable to attack (IMHO).
I am only a retired power engineer who specialized in bulk power operations and control. If I were a fearless utility security manager, I would be arguing in favor of increased diversity and decentralization of control and of decision making as the primary defense of the national grid. I would vigorously oppose one size fits all national mandates.
Finally, remember that successful operation of the power grid is defined as keeping the lights on for almost all people almost all of the time. If we manage to contain the success of cyber attacks so that they could only turn the lights off for a few people for short times, that is victory. Do not believe overly sensational reports that hackers could turn off all the lights for extended periods of time.
Recent revelations, triggered by the actions of Edward Snowden, undermine the credibility of the whole thing. On one hand the government led by President Obama and Congress is demanding much improved security and is using the authority of regulation to impose it. On the other hand the government led by Director of National Intelligence does not want anyone, private or commercial, to enjoy true security. Recent press reports say that NSA works covertly to insert back doors and to weaken security standards. The government has created huge conflicts of interest regarding security.
What about NERC? In recent years, NERC has issued numerous "standards" for all kinds of power grid operation and design issues. I've been told that compliance with NERC standards, rather than doing the right thing in one's best engineering judgement has become the only way to survive in the industry. But is it not foolish to believe that NERC is free from NSA interference? NSA could have compromised NERC without knowledge of NERC staff, or NSA might have ordered them to compromise security and to keep silent about it and to lie if their independence is questioned. (Just as General Clapper admitted that he was obligated to lie while under oath.)
Indeed, the tragedy of this covert government surveillance is that it makes it impossible to distinguish true security from security theater. I'm sure that similar things may be happening in other countries, but I'm not familiar with the details.
Worse, if there are back doors or weaknesses built into the cyber security systems, it is not only possible but inevitable that some day the bad guys will learn how to exploit them for nefarious purposes. The breakdown will likely come when one of the people trained by NSA to use the back doors changes sides.
What to do? I'm sure glad that I am not he security officer for a utility or one of the grid operators today. No doubt, expressing an independent voice in opposition to government security mandates or to NERC standards would be a career ending move. As long as one cooperates and complies fully with the government and with NERC, nothing bad that happens to the grid will be blamed on you. I fear that everyone is personally motivated to promote only security theater.
What to do politics aside? Wearing only my engineer's hat, I note two things. The power grid is highly redundant and highly diverse. Large, regional blackouts have occurred. Think of the years 1965, 1997, and 2003 in the northeast. (The USA does not have a single national power grid and a national blackout has never occurred.) Nevertheless, the power grid is highly resilient to multiple simultaneous failures. Hurricanes, earthquakes, floods, and ice storms introduce hundreds of thousands of concurrent failures and none of them have ever produced a blackout that cascaded into large regions beyond that actual devastation.
But I think the grid's best weapon against cyber attacks is diversity in equipment make, model, and generation. Think about it. Cyber attacks are highly specific to what is being attacked. For example, the Stuxnet virus was designed to attack only Siemens S7 PLCs. The Iranian enrichment plant was vulnerable to that because all the centrifuges used the same PLCs. Electric utilities however, have over the years bought and installed at least some of every make and model of device designed for grid applications from every manufacturer in the business. Large central power plants (not gas turbines) are so diverse that it is nearly true that there are no two alike.
Any attack specific to some make, model and generation of equipment, could conceivably succeed, but the grid operation would only be partially impeded or not at all impeded by the loss of those components. Compare the consequences of man-made attacks with those of natural events, and remember that everything about the power grid since its origins in the 1880s has been designed to be resilient in the face of multiple simultaneous failures. The recent superstorm Sandy devastated power facilities near the shore but it caused no cascading blackouts into the interior of the country. It would be extraordinarily difficult to launch simultaneous attacks that were effective against all makes and models of devices installed in the last 40 years.
What about central command and control computers? Yes, the more central things become, the more vulnerable they area to cyber attack. The trend in recent decades has been toward more centralization into large control areas, and most recently into regional control areas. I also suspect that nearly 100% of the command and control computers installed in the last decade use some variant of Unix, thus decreasing diversity further.
The worst case scenario would be if the USA had a single national control center (as some people in government advocate) If it existed it would be the most juicy, most attractive target for cyber attack in the whole world. The second worse case would be if the design, implementation and philosophy of these command and control systems were to become less diverse via compliance with government mandates and NERC standards. Yes, that's right, some (not all) of the very remedies proposed to improve grid security could actually reduce diversity and to make the grid more vulnerable to attack (IMHO).
I am only a retired power engineer who specialized in bulk power operations and control. If I were a fearless utility security manager, I would be arguing in favor of increased diversity and decentralization of control and of decision making as the primary defense of the national grid. I would vigorously oppose one size fits all national mandates.
Finally, remember that successful operation of the power grid is defined as keeping the lights on for almost all people almost all of the time. If we manage to contain the success of cyber attacks so that they could only turn the lights off for a few people for short times, that is victory. Do not believe overly sensational reports that hackers could turn off all the lights for extended periods of time.