By Magnuson, Stew
When experts rank U.S. industries' abilities to ward off potentially damaging cyberattacks, the electric utilities are normally near the bottom.
And that is troubling, these same network security professionals say. Taking down an electric grid, especially one that serves a major city, could do real damage to the economy and may indirectly cost lives.
One of the issues is that there is no sense of alarm. A terrorist group or nation state has heretofore not switched off a power grid.
That doesn't mean that they aren't vulnerable, said
"The good news is that the energy companies and power companies recognize this and they are putting plans in place and forming security partnerships," he said in an interview.
But at this point, the industry is lagging, others interviewed agreed.
And new smart power grids, which will rely on Internet protocols to connect homes and businesses to the energy plants, may complicate matters.
The energy grid is one of the nation's oldest pieces of critical infrastructure, she noted.
"Many of the folks who have worked in energy believe that they have designed a system that has worked very well for 40, 50, 80 years since the delivery of national electricity. They are not necessarily comfortable with modern day information systems," she said.
The supervisory control and data systems, or SCADA - the specially designed computer programs that operate industrial machines - have been unconnected to networks since their creation. But they are being modernized through attrition, she said. Many of the technicians who operate the systems are reluctant to update the software because they don't know what the full impact will be on the grids they run, she said.
Aubley said this is just how the industry grew over time. Power plants have separate network and control systems created just to operate that infrastructure.
To infiltrate such a stand-alone system, the perpetrator of an attack would have to physically install rogue software in the system, similar to what happened in
"In some ways that is a little safer because it is not connected to the Internet," Aubley said. "But with the economic challenges that everyone has - and the fact that they want to expand their business - many power companies are starting to connect to the Internet so they can provide more automation and ... more optimization of delivery," he said.
They want to provide more value to customers, but once their systems cross that line, they are vulnerable, he said.
"They are pinching pennies so hard the copper is coming off," he said. "They have very little to spend. It's not only an expertise problem. ... They are trying to get by with the least amount of resources they have and do the best job possible."
The industry relies on custom systems specifically created for managing an infrastructure. Operating systems built with off-the-shelf software such as
Grids are built to last for decades. Employees forget to update the computer programs as time goes on.