Foreign spies placed malware on the US electricity grid. Where does this leave government security, and the Green Grid?
The US electric grid has been penetrated by foreign spies, who planted software that could disrupt the system, according to a “>report in the Wall Street Journal. The news raises questions about how to secure infrastructure, and whether efforts to build a so-called “smart grids” could increase risks of hacking.
Smart grids embed intelligence across te network, inlcuding meters in homes. In the UK, the CBI has backed the use of smart meters, and the UK government has promised to secure them. In the US, backing for the technology has come from politicians including Al Gore – all this despite warnings that smart grids can be hacked.
While the news of the US hack may on the surface seem shocking, attempts at cracking the networks of US utilities are not new, according to Brandon Dunlap, managing director of research at. Brightfly, a consulting company specialising in security and governance, risk and compliance.
“While I was running the information protection program at Constellation Energy, we expanded our sensor network dramatically, on the order of 800 percent, allowing us to get very granular and expansive information about malicious activity,” Dunlap recalled. “What struck us almost immediately was the sheer volume of activity originating from well beyond our national borders. Many of these events were coming from foreign universities and large corporations.”
As lawmakers decide how best to improve US cyber-security, Dunlap noted cultural issues at play within the utilities industry that affect its security posture and extend beyond the reach of government regulation.
“Over the past few years, I have had the privilege to speak with numerous utilities across the US and I have found that most NERC [North American Electric Reliability Corporation] CIP [Critical Infrastructure Protection] efforts seem to be driven from the plants and wires sides of their businesses,” Dunlap explained.
The divide between IT security and electric plant
“This is a holdover from the days when the utilities kept plant systems segregated from corporate IT resources and when information security operations were relegated to dealing only with corporate-level systems and functions. As the industry has moved to more and more off-the-shelf hardware to run plant controls systems, as well as the trend in increased data sharing, this functional line has blurred.
“While the network borders have become more porous between plant and corporate systems, the old lines of operational activity [have] largely remained as they were years ago,” he continued. “This has resulted in less information sharing between plant operations and information security, which I think is a tragedy since both sides have a lot of knowledge that can be shared. In my opinion, this is a cultural phenomenon and one that cannot be addressed by government intervention. It has to start from within the utility companies themselves.”