Jim Lewis of the Center for Strategic and International Studies (CSIS) authored the White Paper "The Electrical Grid as a Target for Cyber Attack", dated March 2010. CSIS is a very prestigious think tank; it also authored the report "Securing Cyberspace for the 44th Presidency". While the White Paper is a good read, there are a number of issues that need more clarification.
Jim talks about the grid becoming more vulnerable because of IP connections and then discusses Aurora. IP is only one factor that has to be recognized. Currently, a large portion of utility communications is serial. Serial links can also be cyber vulnerable; there have been several significant cyber incidents involving serial communications. However, there are minimal efforts in government or industry to address securing serial communications. That needs to be corrected. As for Aurora, it was a control-systems-unique event that needs to be addressed in that context.
Jim states: “There is evidence that unknown foreign entities have probed the computer networks of the power grid. Some electrical companies report thousands of probes every month, although we do not know (and it may not make much difference) whether these were cyber crime or part of a military reconnaissance effort.” Jim may be right. The industry needs cyber forensic systems to be better able to understand what is actually occurring on these critical systems and networks.
Jim states: “It seems unlikely, as part of its reconnaissance, that foreign powers have left behind some kind of cyber time bomb that could be triggered at some later date. Networks are dynamic, almost organic in their constant change and reconfiguration, with equipment being added or changed, patches or new software being installed, usernames changing as personnel leave or are added. A “time bomb” planted in January could not reliably be expected to work in March or April.” ICSs are different from traditional IT networks. A logic bomb in an ICS can simply be a change of setpoints on key equipment. As an example, the setpoints on Intelligent Electronic Devices (IEDs) can be changed six to nine months before the attacker wants something to happen, and the change survives the patching and user churn Jim describes because the IED, not the IT network, holds it. As SCADA systems are configured today, the SCADA operators would not know that a setpoint has been changed, whether the change makes protection more stringent (causing an inadvertent trip) or less stringent (resulting in loss of equipment protection). The 2008 Florida outage was an example of that phenomenon occurring in a non-malicious manner.
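The check that today's SCADA configurations lack is a comparison of the settings actually resident in the IEDs against a known-good baseline captured at commissioning. The following is an added example written for this page, not code from the blog, from CSIS or from any utility; the device names, the relay settings (ANSI 51P overcurrent pickup and time dial, ANSI 27 undervoltage pickup) and the "changed" values are all constructed for illustration. It signs the baseline with an HMAC so that a quietly edited baseline is caught as well, and it labels each drift as more stringent (inadvertent-trip risk) or less stringent (loss-of-protection risk), which is the distinction the paragraph above draws.

```python
"""
Detect silent protection-setpoint changes on IEDs by diffing a current
settings snapshot against an HMAC-signed baseline.

Everything here (device names, settings, values, key) is constructed for
illustration; it is not vendor or utility data.
"""
import hashlib
import hmac
import json

# Constructed baseline: relay settings captured at commissioning.
#   51P_pickup_A  - phase overcurrent pickup, amps
#   51P_time_dial - overcurrent time dial (higher = slower trip)
#   27_pickup_pu  - undervoltage pickup, per unit
BASELINE = {
    "feeder-relay-12": {"51P_pickup_A": 600.0, "51P_time_dial": 2.5, "27_pickup_pu": 0.85},
    "xfmr-relay-T1": {"51P_pickup_A": 1200.0, "51P_time_dial": 3.0, "27_pickup_pu": 0.80},
}
BASELINE_KEY = b"constructed-demo-key-keep-in-an-hsm-in-practice"

# Direction semantics per setting: True means a HIGHER value makes protection
# more stringent (trips sooner); False means a higher value loosens it.
HIGHER_IS_MORE_STRINGENT = {
    "51P_pickup_A": False,   # higher pickup tolerates more current before tripping
    "51P_time_dial": False,  # higher time dial delays the trip
    "27_pickup_pu": True,    # higher undervoltage pickup trips on a smaller sag
}

# Constructed snapshot read back from the devices months later. Two values
# have drifted; nothing in the operator display would show either one.
SNAPSHOT = {
    "feeder-relay-12": {"51P_pickup_A": 900.0, "51P_time_dial": 2.5, "27_pickup_pu": 0.85},
    "xfmr-relay-T1": {"51P_pickup_A": 1200.0, "51P_time_dial": 3.0, "27_pickup_pu": 0.92},
}


def canonical(settings):
    """Stable byte encoding so the same settings always hash the same way."""
    return json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(settings, key):
    """HMAC-SHA256 over the canonical baseline; store the tag off the SCADA host."""
    return hmac.new(key, canonical(settings), hashlib.sha256).hexdigest()


def verify_baseline(settings, key, tag):
    """Constant-time check that the baseline itself has not been edited."""
    return hmac.compare_digest(sign_baseline(settings, key), tag)


def classify(setting, old, new):
    """Return None if unchanged, else whether protection got tighter or looser."""
    if new == old:
        return None
    tightened = (new > old) == HIGHER_IS_MORE_STRINGENT[setting]
    return "more_stringent" if tightened else "less_stringent"


def audit_setpoints(baseline, snapshot):
    """Diff every device and setting; report drift, missing and unexpected devices."""
    findings = []
    for device, expected in baseline.items():
        current = snapshot.get(device)
        if current is None:
            findings.append({"device": device, "setting": None, "issue": "device_missing"})
            continue
        for setting, old in expected.items():
            if setting not in current:
                findings.append({"device": device, "setting": setting, "issue": "setting_missing"})
                continue
            issue = classify(setting, old, current[setting])
            if issue:
                findings.append({"device": device, "setting": setting, "baseline": old,
                                 "current": current[setting], "issue": issue})
    for device in snapshot:
        if device not in baseline:
            findings.append({"device": device, "setting": None, "issue": "unexpected_device"})
    return findings


if __name__ == "__main__":
    tag = sign_baseline(BASELINE, BASELINE_KEY)
    if not verify_baseline(BASELINE, BASELINE_KEY, tag):
        raise SystemExit("baseline integrity failure: do not trust the comparison")
    for f in audit_setpoints(BASELINE, SNAPSHOT):
        print(f)
```

Run against the constructed snapshot, the audit flags the feeder relay's overcurrent pickup raised from 600 A to 900 A as less stringent (the relay now tolerates a fault current it used to clear) and the transformer relay's undervoltage pickup raised from 0.80 to 0.92 pu as more stringent (a routine sag now trips it). In practice the snapshot would be pulled from the IEDs by the relay vendor's settings tool or over the device's native protocol on a schedule, and the baseline tag kept somewhere the SCADA host cannot write.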
Jim states: “This conclusion is different from the strategic consequences of a cyber attack on the power grid. The United States routinely suffers blackouts. The nation does not collapse. In the short term, military power and economic strength are not noticeably affected - a good example for opponents to consider is Hurricane Katrina, which caused massive damage but did not degrade U.S. military power or even long-term economic performance. Is there any cyber attack that could match the hurricane?” Unfortunately, the answer is yes, which is why we care. Storm damage is totally different from losing the system to a sophisticated cyber attack on ICSs. With storm damage, utilities can prepare ahead of time; have additional support crews from other utilities on call; have experience in responding; and, generally, critical equipment is not damaged. A cyber attack can present almost the opposite scenario: utilities generally won’t be prepared, because a cyber attack can alter operator displays and alarms to keep the utility from knowing an attack is in progress; they cannot count on support crews from other utilities, because those utilities could also be under cyber attack; they have very little experience in responding to a cyber attack on ICSs; and the utility can suffer damage to multiple physical components that are difficult and extremely time- and resource-consuming to repair or replace.
The Grid, including generation, transmission, and distribution, utilizes a combination of legacy and modern ICSs and communications. ICS cyber vulnerabilities threaten the long-term reliability of the Grid. The issue needs an expert look, because cyber and the Grid together require a thorough view and understanding of ICSs, not just of IT networks.
Joe Weiss