For years predictions of the horror show that could happen if the nation’s electricity grid was compromised by hackers proliferated in inverse correlation to the number of attacks; the sector went about its peaceful way, adding security as it added increased interconnectivity and meeting standards that left service reliability levels intact.
That “quiet war” in cyberspace is over. The US energy sector is under attack, and there isn’t any indication the situation is going to improve.
The building awareness of both the intensity of attacks and the holes in security made the issue a central point of discussion at the AGRION Energy & Sustainability Summit in New York City recently. “There’s even more awareness now,” IBM Energy Security Leader Andy Bochman told Breaking Energy on the sidelines of the event. “We recommend utilities consider a fresh look at fulfilling their cybersecurity functions.”
In the past, devices have been physically isolated and often not connected by communications technology to more vulnerable IT systems, Bochman explained. As the smart grid, which makes the system more robust and reliable and easier to monitor, has been rolled out though, there is also a greater opportunity for disruption from hackers.
IBM’s technology is embedded across corporate America and in governments and municipalities, and both Bochman and IBM Vice President for Smarter Physical Infrastructure David Bartlett said at the AGRION summit that there is a tradition of building security into systems at the beginning. Big Blue is now recommending utilities revisit the way their own IT and cybersecurity operations work to be better prepared as the hacking heats up.
One of the simplest, but potentially highest-impact, moves energy companies can make is to raise the profile of the head of security in company management, sending a message to employees, investors and other stakeholders about the seriousness with which they view cybersecurity.
“Most utilities have done an excellent job to date but most treat cyber security as a black art,” Bochman said. Creating a new position that reports directly into the C-suite and focuses on security company-wide is IBM’s core recommendation for the sector, and included in a white paper the company released in late 2012.
Bochman admits the move lacks the headline appeal of a major new infrastructure outlay, calling it an “incremental change” that will help utilities find their “security baseline.” He points out it is much harder to bolt on security after a system has been compromised, and understanding the evolving nature of the problem is the best first step most companies can take.
“Lots of companies don’t even know where they are – they need to understand their current risk profile better,” he said.
There are few existing standards for those new high-profile cybersecurity heads at utilities to comply with. The North American Electric Reliability Corporation (NERC) has in place CIP (Critical Infrastructure Protection) guidance that provides the only industry-wide “apples to apples” comparison of security for the sector. Bochman and Bartlett said that although those mandatory sector-specific security rules are widely complained about by utility executives, the sector is also thought to be more secure because of them.
While all of this new personnel and security sounds expensive, by beginning to evaluate their IT systems in light of what they actually need companies could begin to rationalize their IT and end up with cost savings from eliminating redundant systems or personnel, Bochman said.