Power grid operators clueless about critical cyber assets?

One reason why the U.S. electrical grid appears to have been so deeply penetrated by foreign cyberspies could be that many owners and operators of bulk power systems don't even recognize that they own critical cyber assets that need to be protected in the first place.

That's one rather startling conclusion to be drawn from a letter sent to industry stakeholders last week by Michael Assante, chief security officer at the North American Electric Reliability Corp. NERC is the entity responsible for developing and enforcing reliability standards on power companies.

Assante's letter draws attention to the need for entities in the power sector to properly identify and protect critical assets and associated critical cyber assets. The letter is dated April 7-one day before a Wall Street Journal article describing how intelligence agencies in China, Russia and other countries have infiltrated the U.S. power grid and stand poised to created massive disruptions at a moment's notice.

The letter cites a ‘self-certification compliance survey' in which NERC members were asked to identify facilities, systems, and equipment which, if destroyed or otherwise rendered unavailable would affect the reliability or operability of the bulk electric system. More than 70% of the owners and operators of power generation systems and about 37% of transmission companies said they did not possess any assets at all which met that description. Only 23% of non-affiliated members-which are typically smaller entities-reported they had at least one critical cyber asset.

Assante's letter expressed concern over the numbers and indicated that a more detailed analysis would be needed to "determine whether it is possible" that so many entities could in fact not posses any critical assets. He suggested that the low numbers reported may have to do with the manner in which entities in the power sector did their risk assessments. The letter suggested that system planners for example, were focusing more on "unexpected" failures of a single control device within a substation rather than considering the potential for the "simultaneous manipulation" of all devices in a substation or across substations. "It is very important to consider the misuse, not just loss or denial, of a cyber asset and the resulting consequences," in order to be able to accurately identify what a critical asset is, Assante said.

The horizontal nature of networked technology gives cyber attackers a way to impact multiple assets at once, and from a distance, Assante said. What that means is that it is time for the industry to stop looking at cyber assets as standalone points of failure and recognize the potential for simultaneous loss of cyber assets.

Assante's missive highlights the massive challenge the power sector faces in addressing security issues says Ira Winkler, president of the Internet Security Advisors Group, author of Spies Among Us, and a Computerworld columnist. "What these people who are self-certifying don't seem to realize is that the power grid itself is a critical asset," Winkler said. 

The huge problem with the power infrastructure today is that a lot of the computers that control the power generation and distribution systems are on the same IP-based networks as the business systems, Winkler says. As a result, the control systems are as accessible over the Web-and as vulnerable to its threats-as any other Internet-connected system. That's a far cry from the days when control systems typically sat on a closed network that was totally inaccessible from the outside.

There's been "report after report" highlighting the growing threat to the power infrastructure posed by the co-mingling of control networks with business networks, Winkler says.  One of them from the Government Accountability Office (GAO) pointed to how the Tennessee Valley Authority, the nation's largest public power company, had exposed its control system networks to outside threats by interconnecting it with the corporate network. So to have companies still saying they don't have anything to worry about because they didn't own any critical assets is totally baffling, Winkler says.

What all this points to is the need for the government to step in with regulations mandating baseline security controls across the power sector, say Winkler and others. Allowing the industry to continue with self-regulation on the cybersecurity front is a bad idea they say. The fact that power companies are still only in the process of identifying their critical assets and that too via self-certification compliance surveys "is scary in and of itself" Winkler says. Amen to that.