Utilities' Security Is Too Lax, Report Says

General Accounting Office cites threat of cyberattacks against control systems
Gas and electric utilities are under attack for lax security that leaves their control systems vulnerable to cyber- and physical threats. A General Accounting Office report released last week cited a number of security problems, and witnesses at a congressional hearing presented a mix of dire predictions and power-company defenses.

"Our systems have been designed to be open and don't have the needed level of security," says Joe Weiss, a power consultant at systems integrator Kema Inc. "The entire industrial infrastructure was developed for efficiency and production, not security issues."

Supervisory Control and Data Acquisition systems, known as Scada systems, are used to manage and operate facilities at electric and gas utilities, opening and closing valves and switches to regulate the flow of energy. Congressional auditors have recommended that the Homeland Security Department develop and implement a strategy for working with the private sector and other government agencies to improve security for Scada systems.

Several factors have contributed to the threat of cyberattacks against utility control systems, says the 47-page GAO report. In addition to the growing number of viruses and other Internet threats, GAO cited as problems the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems.

Advances in computer security aren't always incorporated into process-control systems used by the utilities, testified James McDonnell, director of the protective security division at Homeland Security's Information and Analysis Protection Directorate. As a result, those systems are accessible to hackers, he said.

"Vendors like RSA, Baltimore Technology, and HP know security very well, but if they try to solve control systems, they could cause a lot of outages" because they don't understand these systems, Weiss says. "And the control-system vendors don't know security."

Utility executives say the problems aren't as serious as some think. The National Energy Reliability Council, a group authorized by the Department of Energy that represents utilities across the country, is trying to develop nationwide security standards. "Security has taken on a new meaning for us," says the council's CIO, Lynn Costantini. "Today, the ideas around security have evolved to include guards, gates, and guns, which nuclear facilities always had, as well as cybersecurity."

Business-technology and operations staff at Ameren Corp., a utility in St. Louis, work together to set security standards for control systems, says VP of IT Chuck Bremer. Newer systems based on Linux and Windows are easier to secure. "But there's a high probability of proprietary control systems still out there," says Bremer, "because companies don't rip them out."

"If a hacker got to our business system," says James Witges, manager of technical support services at Ameren, "they'd have to break through another firewall and understand our process controls to cause any trouble."

The Scada systems at the Tennessee Valley Authority operate over the utility's own network, and access is limited to plant system engineers. "Regarding control systems, we have our clear demarcation lines," senior VP of IS Diane Bunch says.

Today, individual utilities deploy their own security processes. Still, the National Energy Reliability Council has drafted a security standard, or set of security processes, and is soliciting industry input. A second version of the draft standard will probably be released sometime next year, Costantini says. "The consensus process is time consuming but ensures the eventual standard could be met and adhered to."
