Technology Advances Introduce Vulnerabilities to Energy Grid

18 July, 2012

How could a rogue state, terrorist, or malcontent debilitate a major city or even an entire country? Unfortunately, it would be quite simple — they would strike the facilities that produce and distribute the electrical power that everything else depends on. How did we wind up with a system of energy production and distribution so vulnerable to attack? The answer lies in well-intentioned efforts to modernize energy distribution and make it safer, cleaner, more efficient, less costly, and open to more alternative forms of production.

The problem is that the very thing that makes the grid smart — the ability of a myriad of embedded systems to communicate with each other, often using a combination of legacy and proprietary equipment alongside more modern solutions — has created a duality where communications over serial, wired and wireless Ethernet, cellular, and dial-up modems are used with a combination of common TCP/IP and proprietary protocols. This has expanded the attack surface — making the grid vulnerable to cyberthreats — and open systems invite hacking.

Why is the energy grid at risk?

  • The three technology domains used to operate energy facilities previously had no direct connection to each other. Bridging the gaps between the three domains — the industrial control systems that run the turbines and generators, the monitoring system, and the provider’s IT network — allows an intruder to gain access to all three domains by entering any one of them.
  • With 70% of the existing energy grid more than 30 years old, the focus has been on connecting and updating these aging systems — security has been an afterthought.
  • Operators now rely on the Internet, allowing administrators to telecommute and field workers to reprogram systems from remote locations through their smartphones — essentially opening all computer systems to the outside world.
  • The energy grid relies heavily on embedded systems, which makes it a ripe target for intruders.

The good news is that energy companies and security technology providers are getting smarter about identifying, finding, and fixing vulnerabilities, and technology is increasingly effective at detecting and thwarting attacks. The challenge is that cybersecurity investments and cybersecurity consciousness have not kept pace with either the sophistication of embedded technology or the shrewdness and tenacity of attackers. And in spite of energy being perhaps the most regulated sector on the planet, “compliant” doesn’t always translate to “secure.”