Information Security News
mailing list archives
Sparks over US power grid cybersecurity
From: InfoSec News <isn () c4i org>
Date: Mon, 14 Apr 2003 03:01:52 -0500 (CDT)
http://www.theregister.co.uk/content/55/30226.html
By Kevin Poulsen
SecurityFocus
Posted: 11/04/2003
A new measure aims to protect the networks that control electric power
distribution throughout North America. But not everyone is juiced over
plans to hold utilities accountable to tight security practices, says
Kevin Poulsen, of SecurityFocus.
The organization responsible for keeping electricity flowing
throughout the United States and Canada took its first serious step
this week toward shoring up cybersecurity on the Byzantine computer
networks that control electric power distribution.
That portions of the power grid are vulnerable to hack attack has been
known since at least 1997, when a six-month vulnerability assessment
by the White House's National Security Telecommunications Advisory
Committee found basic security flaws in the computerized systems that
control generators, switching stations and electrical substations.
Among other things, the committee reported that operational networks
controlling critical portions of the grid were accessible through
electric companies' corporate LANs; some digital circuit breakers
could be remotely tripped by anyone with the right phone number; and
fixed passwords for remote vendor access went unchanged for years.
Despite the vulnerabilities, the report noted that physical attacks
against utilities pose a greater threat than cyber attacks, and years
later there are still no known cases of hackers causing service
outages. But closing the cybersecurity holes in "critical
infrastructures" took on new urgency after September 11, and the
Federal Energy Regulatory Committee (FERC), which regulates the
electric industry in the U.S., began talking about imposing security
requirements on power companies.
Not surprisingly, the power companies prefer to regulate themselves.
On Wednesday, the North American Electrical Reliability Council (NERC)
unveiled a proposed mandatory security standard for the electric
industry. A not-for-profit group that umbrellas electric utilities in
the U.S. and Canada, NERC formed in the wake of the catastrophic 1965
blackout that knocked out power to 30 million people in the
northeastern United States. Its mission is to keep the lights on.
Based on the same broad standards that the government was
contemplating, the NERC security rules -- which will face a vote in
May -- aren't exactly revolutionary: companies would have to launch
cyber security training programs, write security policies, identify
their critical "cyber assets," etc. But electric workers say that
making the rules an official standard changes everything for the
100-year-old industry. "That's a big deal -- to be the NERC standard,"
says David Norton, a cyber security consultant to the industry.
"They've added requirements for compliance monitoring, with sanctions
for noncompliance."
That worries Kenneth Hooper, a protection engineer at NB Power, an
electric company serving the Canadian province of New Brunswick. He
says mandatory continent-wide security measures are too blunt an
instrument for the job. "We feel that security is an issue, but each
area should be allowed to address it as they see fit," says Hooper.
"Our security issues are not nearly as great as Boston or New York, or
one of the major load centers like that."
Risk Management
Hooper isn't worried about the language of the new standard so much as
what will replace it. Under NERC's bylaws, the emergency measure
setting the rules will expire two years after passage, and the group
has promised regulators that a more specific security standard will be
in place before then. No one knows what that will be, but a parallel
NERC effort has drafted a new official, but non-binding, cybersecurity
"guideline" that Hooper says is a likely candidate to become the next
standard.
The draft guideline offers a much more detailed prescription for curing
the power grid's security ills: "Set dial-out modems to not
auto-answer," reads one pointer. "Automatically lock accounts or
access paths after a preset number of consecutive invalid password
attempts," suggests another.
"All of the new products that we use these days are microprocessor
controlled and they have serial ports on them, so they can be accessed
remotely by modem, and also by an intranet connection over Ethernet,"
says Hooper. "So some of these things would impact us, like rotating
passwords, and some of the things mentioned in the guide... Who wants
to have their company's name being published all over the world as
being noncompliant with a NERC standard?"
Shouldn't equipment that controls the flow of electricity at least
have its passwords changed periodically, as suggested by the
guideline? Hooper says it's a matter of risk management -- even if a
malicious hacker gained access to his company's systems, the attacker
wouldn't be able to cause any problems that the utility isn't prepared
for anyway. "Say that someone hacks into some of my protecting relays,
and makes it so it could trip when it shouldn't trip," says Hooper.
"We already live with that risk of happening every day, so we have
things in place that mitigate the impact."
Norton agrees that there are downsides to the measure -- for one, he
says some power companies will have trouble paying for the cyber
security enhancements. "They'll need to go to some government agency
and build a case for why consumer rates need to go up." For that
reason, he believes that rural and municipal utilities should be given
extra time to implement the security standard, and its eventual
sequel, before facing sanctions.
But Norton also describes the power grid's fractal network of
interdependent systems. "There's incredible variety of equipment,
generationally, vendor-wise, because it's kind of been cobbled
together as neighborhoods get bigger," he says. "You've got
increasingly sophisticated control centers and increasingly
sophisticated microprocessor-controlled equipment, and linking them
are unencrypted 1200-baud lines."
An industry drive to make that tangled web more secure is long
overdue, he says. "The alternative is to have the NSA and NIST, or
somebody who manages rates, FERC, basically coming in without really
understanding what the electric power business is all about."