DOE evaluates top vulnerabilities of smart grid control systems
SUBNET Solutions Inc | Thursday, June 21, 2012
In a recent report issued by the U.S. Department of Energy's Pacific Northwest National Laboratory (PNNL), the agency, along with internet security company McAfee, listed the top vulnerabilities of control systems.
Although the list was originally created in 2006 as a part of the agency's Control Systems Security Working Group, its credit was re-substantiated by the recent Stuxnet and Duqu worms and their variants, which were uncovered in 2011 and 2012.
At the top of the list is inadequate policies, procedures and culture surrounding control system security, and inadequately designed control system networks, which typically fail to contain appropriate defense-in-depth mechanisms, the report stated. Following this, PNNL notes a very concerning vulnerability, as it is a hallmark of smart grid installations: Remote access.
Without appropriate access control or endpoint protection, remotely operated systems can pose serious threats to the power grid. However, remote access is one of the more promising aspects of the smart grid, allowing electric utility professionals to access and manage their intelligent electronic devices (IEDs) from anywhere. To get the most out of this technology, utilities will need to run software that provides both simple and secure access.
SUBNET's Unified IED Access Control Security allows utilities to manage all access to IEDs remotely, automate password management processes and securely connect to field IEDs without having to navigate logins or reset old passwords.
Another serious vulnerability was found to be a lack of quick and easy tools to identify and report on anomalous or inappropriate activity. SUBNET's Unified Fault File Management addresses this problem by allowing utilities to collect, archive and view all fault records in minutes. The software can be used to collect and retrieve fault records from a wide base of installed vendor relays, such as SEL, GE and others, and uses powerful filtering and query capabilities to search large records to quickly find desired information.
Other serious problems include the installation of inappropriate applications on critical control systems host computers, software used in control systems that is not adequately scrutinized and control systems command and control data that has not been authenticated.
Both Stuxnet and Duqu proved that these vulnerabilities are a serious concern for electric utilities now and will continue to be a problem in the future, however SUBNET products can help mitigate these risks.
Substation Cyber Security