Electric utilities are working to protect communications connections as well as their business and power systems from possible attack by cyberterrorists. Schweitzer Engineering Labs (SEL), a major provider of power system protection, control, and monitoring equipment, has been awarded a federal grant to strengthen cybersecurity within the power grid.
Picture this: A computer hacker intrudes on an electric utility's IT system via a network or dial-in connection. They do it just to prove they can. Even if their intentions are merely playful, such mischief gives intruders access to the utility's business systems, including customer credit or other identity information. Coincidentally, the same access quite possibly opens a "back door" to the power system itself, exposing the system to degradation and power outages.
Now picture a thief, vandal, or cyberterrorist in the same situation, and you can graphically appreciate why electric utility IT and power network security represents significant power infrastructure and economic risks.
"The trouble is, many utilities are increasing their reliance on automated control systems with remote access via phone or the Internet without providing the security necessary to thwart potential attackers," says Dr. Paul Oman, senior research engineer at SEL, Pullman, Wash. "The shift from mainframe-based computer control systems to distributed systems using open protocols and standards, along with the expanded use of public protocols to interconnect previously isolated networks, have created a new national mandate to safeguard systems. So, while the use of technologies such as SCADA systems makes good sense, it has become equally important for power systems engineers to realize, 'If I install remote communications devices, there will be vulnerabilities involved, and I need to safeguard or mitigate those vulnerabilities by using the proper security technologies.'"
Dr. Edmund O. Schweitzer, president and CEO of SEL, has cautioned government agencies and the power industry about the need for secure communications connections since the 1990s. As a result, SEL was recently awarded a federal grant from the National Institute for Standards and Technology (NIST) to work in concert with Washington State University and the University of Idaho to strengthen cybersecurity around the electric power grid.
Dr. Schweitzer cites the widespread use of dial-in networks, increased public access to transmission system data (mandated by FERC 888/889),increased terrorism, and rapid worldwide growth of a computer-literate population (coupled with widespread dissemination of hacker tools and cyberterrorism) as the causes behind increasing security risks.
"Another vulnerability derives from the large number of roving engineers and others in charge of maintaining transmission and distribution systems. Because they have remote access to the communications and power systems they service, they have created, in effect, a 'back door' that can be exploited by hackers unless appropriate security safeguards are in place," says Dr. Oman. "As with all infrastructures, threats to electric power systems have existed for as long as the technology has been used to support that way of life. But these threats are not static or unchanging. We should assume that as the infrastructure technology changes, so do the threats and risks associated with supporting that service. After the events of September 11, we are more conscious of the need for improved infrastructure security, so many electric utilities are reassessing the vulnerabilities to their communications and power systems."
Cyberattacks on utility IT systems are not rare today. Hacking gangs such as PhoneMasters and Global Hell have used electronic theft and extortion to fund their terrorist activities. Government and expert estimates of economic losses vary, but electronic theft within the U.S. alone is estimated to be in the hundreds of millions of dollars annually. Still, other potential costs are likely to be much greater. Cyberattacks and electronic sabotage targeted against power grid vulnerabilities have the potential for inducing power system fluctuations that can lead to cascading blackouts over large geographic areas. Loss of manufacturing production and vital services can result from such outages.
The IEEE standard governing substation security defines electronic intrusions as "entry into the substation via telephone lines or other electronic-based media for the manipulation or disturbance of electronic devices. These devices include digital relays, fault recorders, equipment diagnostic packages, automation equipment, computers, PLCs, and communication interfaces."
What specific devices are vulnerable, and what means should power systems use to mitigate the risk of intrusion?
"There are a host of secure devices out there", says Dr. Oman. "There are crypto modems, modem-key/lock combinations, LAN cryptology devices, and firewalls that can separate business communications from control communications. Which safeguards are most appropriate for specific situations depends on system design and configuration—but there is probably a good safeguard solution for virtually all of them."
A comprehensive source of system threat, vulnerability, and mitigation measures and devices can be found in two papers written by Dr. Oman and Dr. Schweitzer, in collaboration with others. The papers, "Concerns About Intrusions Into Remotely Accessible Substation Controllers and SCADA Systems" and "Safeguarding IEDs, Substations, and SCADA Systems Against Electronic Intrusions," may be downloaded from the "Technical Papers" section of SEL's web site at www.selinc.com.
The recently awarded NIST grant will enable SEL to conduct additional applied research in the use of Information Security (InfoSec) principles within the control and protection systems governing the North American powergrid.
SEL will be joined by two subcontractors, Washington State University and the University of Idaho, in a collaborative research effort that will apply InfoSec and Internet Protocol Security principles, conduct onsite security and survivability assessments, develop a prototypical secure information infrastructure, and develop greater awareness within the electric power industry. Washington State University lends expertise in the power networking area. The University of Idaho brings expertise in the security and survivability assessment area.