"Our systems have been designed to be open and don't have the needed level of security," says Joe Weiss, a power consultant at systems integrator Kema Inc. "The entire industrial infrastructure was developed for efficiency and production, not security issues."
Supervisory Control and Data Acquisition systems, known as Scada systems, are used to manage and operate facilities at electric and gas utilities, opening and closing valves and switches to regulate the flow of energy. Congressional auditors have recommended that the Homeland Security Department develop and implement a strategy for working with the private sector and other government agencies to improve security for Scada systems.
Several factors have contributed to the threat of cyberattacks against utility control systems, says the 47-page GAO report. In addition to the growing number of viruses and other Internet threats, GAO cited as problems the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems.
Advances in computer security aren't always incorporated into process-control systems used by the utilities, testified James McDonnell, director of the protective security division at Homeland Security's Information and Analysis Protection Directorate. As a result, those systems are accessible to hackers, he said.
"Vendors like RSA, Baltimore Technology, and HP know security very well, but if they try to solve control systems, they could cause a lot of outages" because they don't understand these systems, Weiss says. "And the control-system vendors don't know security."
Utility executives say the problems aren't as serious as some think. The National Energy Reliability Council, a group authorized by the Department of Energy that represents utilities across the country, is trying to develop nationwide security standards. "Security has taken on a new meaning for us," says the council's CIO, Lynn Costantini. "Today, the ideas around security have evolved to include guards, gates, and guns, which nuclear facilities always had, as well as cybersecurity."
[Image caption: Newer systems are easier to secure, Ameren's Bremer says.]
"If a hacker got to our business system," says James Witges, manager of technical support services at Ameren, "they'd have to break through another firewall and understand our process controls to cause any trouble."
The Scada systems at the Tennessee Valley Authority operate over the utility's own network, and access is limited to plant system engineers. "Regarding control systems, we have our clear demarcation lines," senior VP of IS Diane Bunch says.
Today, individual utilities deploy their own security processes. Still, the National Energy Reliability Council has drafted a security standard, or set of security processes, and is soliciting industry input. A second version of the draft standard will probably be released sometime next year, Costantini says. "The consensus process is time consuming but ensures the eventual standard could be met and adhered to."