[ISN] Sparks over US power grid cybersecurity

From: InfoSec News (isnat_private)
Date: Mon Apr 14 2003 - 01:01:52 PDT


    http://www.theregister.co.uk/content/55/30226.html
    
    By Kevin Poulsen
    SecurityFocus
    Posted: 11/04/2003
    
    A new measure aims to protect the networks that control electric power 
    distribution throughout North America. But not everyone is juiced over 
    plans to hold utilities accountable to tight security practices, says 
    Kevin Poulsen, of SecurityFocus. 
    
    The organization responsible for keeping electricity flowing 
    throughout the United States and Canada took its first serious step 
    this week toward shoring up cybersecurity on the Byzantine computer 
    networks that control electric power distribution. 
    
    That portions of the power grid are vulnerable to hack attack has been 
    known since at least 1997, when a six-month vulnerability assessment 
    by the White House's National Security Telecommunications Advisory 
    Committee found basic security flaws in the computerized systems that 
    control generators, switching stations and electrical substations. 
    
    Among other things, the committee reported that operational networks 
    controlling critical portions of the grid were accessible through 
    electric companies' corporate LANs; some digital circuit breakers 
    could be remotely tripped by anyone with the right phone number; and 
    fixed passwords for remote vendor access went unchanged for years. 
    
    Despite the vulnerabilities, the report noted that physical attacks 
    against utilities pose a greater threat than cyber attacks, and years 
    later there are still no known cases of hackers causing service 
    outages. But closing the cybersecurity holes in "critical 
    infrastructures" took on new urgency after September 11, and the 
    Federal Energy Regulatory Committee (FERC), which regulates the 
    electric industry in the U.S., began talking about imposing security 
    requirements on power companies. 
    
    Not surprisingly, the power companies prefer to regulate themselves. 
    On Wednesday, the North American Electrical Reliability Council (NERC) 
    unveiled a proposed mandatory security standard for the electric 
    industry. A not-for-profit group that umbrellas electric utilities in 
    the U.S. and Canada, NERC formed in the wake of the catastrophic 1965 
    blackout that knocked out power to 30 million people in the 
    northeastern United States. Its mission is to keep the lights on. 
    
    Based on the same broad standards that the government was 
    contemplating, the NERC security rules -- which will face a vote in 
    May -- aren't exactly revolutionary: companies would have to launch 
    cyber security training programs, write security policies, identify 
    their critical "cyber assets," etc. But electric workers say that 
    making the rules an official standard changes everything for the 
    100-year-old industry. "That's a big deal -- to be the NERC standard," 
    says David Norton, a cyber security consultant to the industry. 
    "They've added requirements for compliance monitoring, with sanctions 
    for noncompliance." 
    
    That worries Kenneth Hooper, a protection engineer at NB Power, an 
    electric company serving the Canadian province of New Brunswick. He 
    says mandatory continent-wide security measures are too blunt an 
    instrument for the job. "We feel that security is an issue, but each 
    area should be allowed to address it as they see fit," says Hooper. 
    "Our security issues are not nearly as great as Boston or New York, or 
    one of the major load centers like that." 
    
    
    Risk Management 
    
    Hooper isn't worried about the language of the new standard so much as 
    what will replace it. Under NERC's bylaws, the emergency measure 
    setting the rules will expire two years after passage, and the group 
    has promised regulators that a more specific security standard will be 
    in place before then. No one knows what that will be, but a parallel 
    NERC effort has drafted a new official, but non-binding, cybersecurity 
    "guideline" that Hooper says is a likely candidate to become the next 
    standard. 
    
    The draft guideline offers a much more detailed prescription for curing 
    the power grid's security ills: "Set dial-out modems to not 
    auto-answer," reads one pointer. "Automatically lock accounts or 
    access paths after a preset number of consecutive invalid password 
    attempts," suggests another. 
    
    "All of the new products that we use these days are microprocessor 
    controlled and they have serial ports on them, so they can be accessed 
    remotely by modem, and also by an intranet connection over Ethernet," 
    says Hooper. "So some of these things would impact us, like rotating 
    passwords, and some of the things mentioned in the guide... Who wants 
    to have their company's name being published all over the world as 
    being noncompliant with a NERC standard?" 
    
    Shouldn't equipment that controls the flow of electricity at least 
    have its passwords changed periodically, as suggested by the 
    guideline? Hooper says it's a matter of risk management -- even if a 
    malicious hacker gained access to his company's systems, the attacker 
    wouldn't be able to cause any problems that the utility isn't prepared 
    for anyway. "Say that someone hacks into some of my protecting relays, 
    and makes it so it could trip when it shouldn't trip," says Hooper. 
    "We already live with that risk of happening every day, so we have 
    things in place that mitigate the impact." 
    
    Norton agrees that there are downsides to the measure -- for one, he 
    says some power companies will have trouble paying for the cyber 
    security enhancements. "They'll need to go to some government agency 
    and build a case for why consumer rates need to go up." For that 
    reason, he believes that rural and municipal utilities should be given 
    extra time to implement the security standard, and its eventual 
    sequel, before facing sanctions. 
    
    But Norton also describes the power grid's fractal network of 
    interdependent systems. "There's incredible variety of equipment, 
    generationally, vendor-wise, because it's kind of been cobbled 
    together as neighborhoods get bigger," he says. "You've got 
    increasingly sophisticated control centers and increasingly 
    sophisticated microprocessor-controlled equipment, and linking them 
    are unencrypted 1200-baud lines." 
    
    An industry drive to make that tangled web more secure is long 
    overdue, he says. "The alternative is to have the NSA and NIST, or 
    somebody who manages rates, FERC, basically coming in without really 
    understanding what the electric power business is all about." 
    
    
    
    


