The National Research Council report on Terrorism and the Electric Grid
The National Research Council prepared the report, "Terrorism and the Electric Power System". The report was completed in 2007 but was classified by its sponsor, the Department of Homeland Security, until now. The Council lobbied DHS to allow for its release, and said key findings remain "highly relevant." It was publicly released November 14th. The report states: "Without urgent attention to security, the United States risks having large parts of the country blacked out "for weeks or months" at a cost of billions of dollars". "Major cascading blackouts in the U.S. Southwest in 2011, and in India in 2012, underscore the need for the measures discussed in this report," the group said.
The report is a comprehensive look at security of the electric grid as known prior to 2007. I was referenced twice in the report which provides me some credibility in making comments. The report is light on cyber security and does not address actual control system cyber incidents that have affected the electric grid as well as other parts of critical infrastructure.
What is clear is that the grid is not only as vulnerable as it was when the report was printed in 2007 a case can be made it is much more vulnerable today. There are a number of reasons for this:
- The NERC CIPs have turned the utility industry into an industry of compliance not security.
- Cyber vulnerable legacy control systems are still in vast use.
- Even some new control system technology is cyber vulnerable by design.
- Since Stuxnet, control system cyber vulnerabilities are now "fair game" for hackers.
- Aurora was demonstrated in 2007 yet to this day, almost no utilities have implemented a hardware fix.
- There have been more than 25 actual control system cyber incidents with the North American electric grid since the report was issued (including the 2011 Southwest outage).
- There is still a minimal level of control system logging and forensics meaning that most control system cyber incidents are not recognized as cyber.
- Most senior utility management still do not believe control system cyber security is a real problem.
The electric industry is not alone in lack of understanding about control system cyber security. I am on National Research Council panel on cyber security for mass transit. The effort was at least in part driven by the 2009 DC Metro crash that killed 9 and was unintentional cyber incident. The level of understanding of this subject within the mass transit community is miniscule.