In June, 60 Minutes aired a piece on cyber attacks that showed publicly, among other things, that long-rumored cyber attacks on power grid had occurred in 2005 and 2007. These were precisely one of the modes of penetration and manipulation through intrusion we had investigated when I was at EPRI.
This is a discovery that we worked on as far back as 1999. Before and after 9/11, there were 30-44 utilities who were members of our related programs at EPRI. I had the privilege of leading these utilities in the aftermath of 9/11 (although they were a small subset of all the utilities, but we had extensive information sharing and vendor action groups so the word did reach those with a need a need to know in the utilities).
As part of these programs, we “red-teamed” and hacked into all related areas of concern… investigated cyber attacks on power plants, transmission and distribution systems, control centers and communication systems.
There was a potential widespread loss of electrical power, major business and societal impact; in broad brushes, our response in this specific area included:
- Response: Threat and vulnerability assessment, R&D in the areas of prevention, mitigation and restoration
- Technology development: For this type of threat it was secure communication systems
- Secure protocols for communications between control centers, substations, and power plants
- Cyber security technologies specifically for control systems. The cyber security technologies developed for Internet applications such as firewalls and intrusion detection systems may not perform as expected for control systems (which is probably what they are exploiting in most of these attack)
- Risk management frameworks, and vulnerability reduction tools
- Information sharing program and vendor action groups.
Fortunately, although vulnerability was very high, several simple programs were put in place to raise awareness of security issues and establish cyber security programs and remedies. If that is what they are referring to, we remedied these issues, but there remained many more that we collaborated with the industry and related organizations to get compliance of other stakeholders (EPRI, EEI, and NERC’s efforts are critical).
Unfortunately, many of my colleagues in the infrastructure community understand the old-school components of the power systems but are not trained on the cyber threats and thus reduce the emphasis on minimizing these persisting cyber threats.
We must address this reality if we are to develop a secure, resilient, smart and self-healing infrastructure, which underpins our economy, security and quality of life.
Dr. Massoud Amin is the Director of the Technological Leadership Institute (TLI) at the University of Minnesota – Twin Cities. TLI offers graduate studies programs in Masters in security technologies, management of technology and infrastructure systems engineering.
[image credit: weeklylink]