I am a fan of the Die Hard series (and that genre of movies.) The last film in the series Live Free or Die Hard did not disappoint. It was a worst case scenario security breach, that drives home the point that we cannot spend too much time thinking about security of the systems we are continually evolving.
While touring an energy company’s distribution center a few weeks ago, questions arose about how the company secures its SCADA (Supervisory Control and Data Acquisition) and process control systems. Of course this particular energy company goes to great lengths to isolate the distribution control systems from the corporate network, to diligently perform intrusion detection, and to rigidly enforce identity life cycle management.
The United States government is also very interested in how the owners and operators of bulk-power systems have either taken or are taking appropriate steps to protect against cyber-security vulnerabilities. Energy and utility companies are evolving to intelligent grids with integrated business and control systems that require access by a greater number of users. The concern is that as the utility grids become more interconnected to the Internet, run of the mill hackers and even terrorist groups will have greater opportunity to attack power generation, transmission, and distribution centers. A succession of minor disruptions to the flow of electricity flowing across power lines and transformers into homes and business has the potential to greatly impact the profit margins of energy and utility companies.
The problem has gained the attention of the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security, the Federal Energy Regulatory Commission. Federal regulators have issued a directive which:
'…requires all generator owners, generator operators, transmission owners and transmission operators that are registered by the North American Electric Reliability Corp. and located in the United States to provide to NERC certain information related to actions they have taken or intend to take to protect against' similar cyber vulnerabilities, according to the notice...'
While this is good step in the right direction, I think American energy and utility companies will need to take a good hard look at how they can better thwart future cyber attacks of the energy infrastructure.