Improving grid security to combat the threat from global terrorism

Paul Boughton

Because electricity drives virtually all of a nation’s critical infrastructures-from telecommunications to waterworks-the electric power system presents an inviting target for international terrorists.

A coordinated attack on major power plants or substations could trigger a cascading blackout with major social and economic impacts. Depending on the extent and success of such an attackdaily life and business could be disrupted for several days across a wide area of the countryand a complete return to normalcy could take months to years.

Especially worrisome in a time of increasing industry dependence on the internet is the fact that a devastating attack need not be directly physical: The perpetrators could remain anonymous and remoteachieving their goals by disrupting a utility’s computer network or power system controls. A successful cyber attackfor examplecould potentially allow a terrorist to destroy equipment by sending false control signals or by disabling electricity grid protective relays. Every daya typical large electric utility must fight off hundreds or even thousands of cyber intrusions that appear to originate with hackers trying to disrupt normal businessobtain sensitive dataor exert control over parts of the grid.

Most utilitiesof coursehave already enhanced their efforts to protect both physical facilities and computer networks. The fact that virtually all of the illegal entry attempts so far have failed indicates the effectiveness of these security measures. “Utilities throughout North America have made significant strides to implement cyber and physical security” says Luther Taisenior vice presidentcentral servicesConsolidated Edison Co. “While these have greatly reduced the vulnerabilitiesthere is more that can be done through the research and development work that is now under way at Electric Power Research Institute (EPRI).”

Part of the problem is thatwith electric power networks so tightly interconnecteda significant security breach anywhere on the system can have an effect on the system as a whole. Since there are many different types of utilities in the United Stateseach at a different level of cyber preparednessthere is a compelling incentive to improve the coordination of security precautions taken by all utilities.

Utility decision makers face a number of challenges in this area. The broad scope of the security issue has led to development of multiple and sometimes over-lapping requirements from various government agencies. At the same timeutility efforts to increase security are often -constrained by limited access to useful information produced by these agencies and otherseither because of the highly classified nature of the data or because the data are distributed across multiple locations. As a resultutility executives have often been forced to make security-related decisions on the basis of sparseuncertainor anecdotal information. A further challenge for electric utilities involves internal communications-how to effectively communicate security weaknesses identified by utility operationsplanningand engineering personnel to higher-level management.

In order to help provide the needed coordination and establish a unified response to cyber threatsEPRI and other leading industry organisations have formed the PowerSec Initiative. In additionimportant new results are emerging from EPRI’s own long-standing R&D work on electricity infrastructure security as a whole.

Early efforts to enhance security

EPRI was leading an industrywide effort to reinforce US power infrastructure security well before September 112001. But as with most of the nation's protection and emergency response programmesthe terrorist attacks sparked a fundamental rethinkingexpansionand refocusing of utility security efforts. While earlier concerns largely centred on the effects of natural disasterssystem control anomaliesand small-scale vandalismthe 21st Century equation clearly must include protection against calculated assaults designed to disrupt American life and commerce on a large scale. EPRI’s Infrastructure Security Initiative (ISI) was launched in response to these challenges and was designed to develop both prevention counter-measures and enhanced recovery capabilities.

As part of the work to provide utilities with immediately useful countermeasuresISI is documenting lessons learned from actual terrorist attacks and other catastrophic events at utilities around the world for use by ISI participants. One of the highlights of this effort came in 2004 with the receipt of a draft report from Israel Electric Corporation on best practices they have developed to defend their grid against terrorist attacks. The countermeasures project is also providing utilities with information on new ways to protect their physical facilitiesincluding a covert detection system that uses a magnetic field to identify potential intruders by sizespeedand electrical conductivity. Another system uses artificial intelligence technology to automatically analyse the streaming video from cameras in remote locations to detectfor examplewhether an intruder has dropped a suspicious object.

Among potential infrastructure targets attractive to terroristshigh-voltage transformers represent a critical vulnerability. These transformers cost several million dollars each and usually take one to two years to procurebuildand install. In response to this threatISI came up with the concept and developed preliminary designs for a new type of transformer that can be easily storedtransportedand installed for emergency use. An important milestone in development of this so-called recovery transformer was achieved in 2004 with completion of preliminary designs for two unitsrated at 500kV and 345kV. Both can be transported by truckrailor military cargo planeand once all parts are available on sitethey can be installed in about 48hours.

The design studies for the recovery transformers indicate that they will be about 30percent lighter and smaller than conventional unitshave an efficiency of 99percentand have an expected life of about 35 years. EPRI is currently working with the Department of Homeland Security (DHS) seeking sponsorship for the production of prototypes for these transformers. EPRI would provide funding through ISI for the factory testing efforts to ensure that electric utility short-circuit criteria and other critical performance requirements are met.

In additionISI is in the process of developing emergency recovery plans for substations that have been knocked out by a terrorist attack or other devastating event. These plans identify methods that utilities can use to assess which equipment is still salvageableto identify the need and availability of spare partsand to attempt to ‘harden’ key sites against possible attack.

Emergency communications technologies are also being evaluated by ISI in order to recommend the best alternatives for use in case of emergency.

Dealing with cyber vulnerability

In this age of ubiquitous digitisationphysical attacks are far from the only concern. The known successes of cyber attacks on a surprising variety of industries offer chilling testimony to the need for countermeasures against computer-based intrusions.

While physical assaults-be they facility break-insweapon attacksor bomb explosions-are certainly frightening possibilitiescyber attacks have the potential to be every bit as destructive and carry the insidious added threats of stealth and long-distance control.

Indeedthe incredible power and flexibility of the internet has made cyberspace part of the global battlefieldand several nations have incorporated explicit plans for attacking information systems into their military preparations. Russiafor examplehas documented successes in cyber attacks against key Chechen web sites. India and Pakistan have pursued competing preparations for electronic warfare. China has formulated an official cyber warfare doctrineand North Korea has experimented with offensive cyber technologies. Terrorist organisations in the Middle East have shown increasing sophistication in the use of information technologies and have made no secret of their intent to attack critical American infrastructures.

The US government has long been concerned over the wide-ranging effects that computer-based attacks could have on the nation’s key infrastructures. After the Morris computer worm brought 10percent of the country’s internet systems to a standstill in 1988the Defense Advanced Research Projects Agency (DARPA) set up the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University to monitor cyber threats and respond to serious security incidents.

Earlier this yearDHS set up the Process Control Systems Forum (PCSF) to focus specifically on threats to the computerised automated control systems that underlie operation of most of the country’s critical infrastructuresincluding the electric power grid. The PCSF will leverage security knowledge currently dispersed among different infrastructures and stimulate cross-functional discussions between those responsible for information technology and operations. EPRI is co-ordinating with the PCSF to ensure that the utility industry’s security concerns and solutions are shared on a confidential basis.

These and other emerging concerns prompted EPRI to add computer-based threats to its portfolio of security R&D. EPRI’s focus on cyber security had its beginnings in the development of the first utility open-systems architecture-the Utility Communications Architecture (UCA)used to share data between various computer systems in a company-and was strengthened after the highly successful programme to prepare utility computer systems and equipment for the Y2K transition. Growing concern over the possibility of computer-based security breaches led to development of EPRI’s Energy Information Security (EIS) programme in 2003. EIS was designed to provide tools that individual utilities could use to enhance their own security programmesincluding cyber security awareness traininginformation sharingapproaches to assessing control system vulnerabilityand risk management protocols.

The EIS programme has already produced valuable results. When vulnerabilities were discovered in standard communications protocolssuch as those specified in UCAEIS researchers developed enhancements designed to increase security. Early exploratory work has also been conducted on fast encryption and instruction detection technologies to protect data and control systems. Publication of the Security Vulnerability Self-Assessment Guideline for the Electric Utility Industry (1001639) enabled companies to conduct their own risk analyseswhile the Guidelines for Detecting and Mitigating Cyber Attacks on Electric Power Companies (1008396) provided basic procedures for enhancing network security.

A co-ordinated approach

Much progress has been made through EPRI’s ISI and EIS programmes. But considering the complexity of the US power infrastructurethe ever-increasing capabilities of cyber attackersand the diverse nature of current security effortsa more comprehensivehighly coordinated effort is clearly required. In response-and in cooperation with several industry organisations and the EPRI Board of Directors EPRI drafted a proposal for an industrywide programmeidentified ongoing security work at various industry and government organisationsand obtained feedback from more than 60 utilitiesrepresenting all segments of the electric power industry. As a resultan alliance has been formed to create the PowerSec Initiativewhich initially will bring together EPRI staffa variety of industry organisationsand several industry experts to address the cyber threat issue.

By examining threatsvulnerabilitiesand potential consequencesthe PowerSec Initiative will evaluate the industry’s current cyber attack readinessidentify gaps in this readinessand specify existing best practices for filling these gaps.

One important goal of PowerSec is to consolidate and leverage ongoing and completed cyber security work from utilitiesgovernmentregulatory agenciesand others. Appropriate information on best practices will be disseminated to the industry using methods consistent with the safeguard of confidential or classified information.

Early goals

The PowerSec Initiative will focus first on electric utility supervisory control and data acquisition (SCADA) systems and energy management systems (EMS)both of which have been identified by experts as critical systems to secure. Identifying and filling existing security gaps in communication and control systems will make it more difficult for potential intruders to gain access and cause damage. Improvements in these systems will also tend to increase overall levels of power system reliabilityproviding a more secure business environment for wholesale power markets and enabling utilities to offer better service to their customers.

EPRI and its members have defined a set of general objectives for the Power-Sec Initiativethe first of which is to develop an overview of the electric power industry’s current cyber security posture. From thisthe initiative will provide utilities with a list of vulnerabilities for each major type of SCADA and EMS control system commonly deployed across North America and will tailor this information to reflect the particular combinations of systems in use. A comprehensiveprioritised list of viable cyber threats will also be developedalong with the compendium of best practices with recommendations on how to maximise cyber security using currently available tools and methods. A compendium of current cyber security projects being pursued by both government and private industry will be developed to clarify which areas are being adequately studied and which need more attention.

Togetherthese results will be used to identify gaps between viable threats and defensesboth current and planned; the analysis will lead to an R&D action plan for developing technologies to eliminate any gapsidentified or perceived.

Clearly the first order of business for PowerSec will be to assess the vulnerability of information and control systems currently used by utilities and system operators. This work will begin with on-site interviews and inspections and will be supplemented by evaluation of past or ongoing security analyses by individual utilitiesEPRIand government organisations. Researchers will also examine existing information systems directly to determine their cyber vulnerabilityand in some casesconduct ‘red teaming’ (mock intrusion) exercises at selected host utility sites. Particular emphasis will be placed on examining SCADA and EMS systems to help prevent hackers from using them to take over control of critical utility equipment.

Each PowerSec participant will receive a confidential document identifying the strengths and weaknesses of its own SCADA and EMS systems. Because the report will identify the best practices for those particular systemsPowerSec participants will have the advantage of being able to enact available countermeasures immediately to reduce the threat of successful cyber attack.

Information gleaned from the vulnerability assessment process is also intended to complement ongoing security standards development by the North American Electric Reliability Council (NERC) and the Federal Energy Regulatory Commission. The Urgent Action Cyber Security Standard 1200 adopted by NERC in 2003 already specifies actions to be taken to protect utility systems in 16 areassuch as access controlinformation protectionpersonnel trainingincident responseand recovery planningamong others. This standardwhich was originally adopted as a temporary measureis now being -extended and modified for development into a set of permanent security standards: CIP-002 through CIP-009.

PowerSec’s assessment phase-expected to take about a year-will provide an objective assessment of the industry's cyber security. If significant security gaps are identifiedEPRI staff will work with PowerSec participants to propose solution approaches to be developed and tested in later phases.

The effectiveness of PowerSec results will be evaluated using independent test-bed exercises at the Idaho National Laboratory and Sandia National Laboratoryas appropriate. These facilities are capable of testing the new tools on a variety of SCADA and other cyber systems provided by manufacturers. Evaluations will also be conducted at individual utilities.

An eye to the future

After developing the draft proposal for the PowerSec InitiativeEPRI submitted the plans to member utility executives for comment and suggestions. This feedback provided important insights on how to proceed with PowerSec formation. The comments revealed that utilities believe they have made considerable progress toward protecting their own cyber systems but recognise that key vulnerabilities remain across the industry as a whole. The executives generally believe that cyber attacks are likelyfrom domestic and/or international terroristsand that disgruntled past or present employees also represent a potentially dangerous threat. They also say that PowerSec should address a combination of cyber and physical threats and vulnerabilitiesbecause successful physical attacks may involve very long recovery times. An area of particular concern is how to ensure the availability of spare parts for long-lead-time equipment.

The PowerSec Initiative will help participants come quickly up the learning curve about cyber security risks and vulnerabilities and will give them enhanced capabilities to assess cyber-related threats on their own systems. Access to government and regulatory thinking on security issues could also help participants better prepare for changes in regulations that impact utilities.

Ultimatelyit is hoped that PowerSec will help focus future government cyber security regulationsspur the development of mitigation tools and methodsand promote enhanced cyber security preparedness by the industry at large. But if continued attacks on the grid are inevitableas many industry leaders believeprevention will only be part of the answer to grid security concerns.

EPRI’s IntelliGridSM Consortium-another industrywide initiative-is working on adaptiveself-healing technologies that can be built into the nation’s electric power delivery system to provide just such resiliency.

John Douglas is with the Electric Power Research InstitutePalo AltoCaliforniaUSA. www.epre.com. Background information for this article was provided by Robert Schainker (rschaink@epri.com) and Thomas Kropp (tkropp@epri.com).

"

Recent Issues