Smart grid vulnerability could leave millions in the dark
SUBNET Solutions Inc | Monday, February 06, 2012
A blackout that consumed large parts of North America in August 2003, leaving 50 million people without power for four days, is just a glimpse into the devastation that could occur if the smart grid is left open to cyber attackers, Bloomberg reports.
According to the news source, internet-savvy terrorists have the capability to cause blackouts "on the order of nine to 18 months" if they were to disable critical infrastructure such as transformers, said Joe Weiss, managing director of Applied Control Solutions LLC, a Cupertino, California-based security consulting company.
"The dollars are incalculable," Weiss said told the news provider. The August 2003 blackout was triggered when a power line simply touched a tree branch in Ohio, but cost about $10 billion.
If utilities hope to reach an ideal level of cyber security, they will need to increase their protection by at least seven-fold, suggests one survey conducted by the Ponemon Institute LLC, a data-security research firm.
James Lewis, technology program director at the Center for Strategic & International Studies, told the publication that utilities often fail to comprehend the risks posed by cyber attacks because, unlike telecom giants and banks, they are not prime targets for theft or espionage - two of the more prevalent and heinous internet-based crimes.
"There’s some percentage of utilities out there that just don’t take this seriously," Lewis said.
Bloomberg conducted a survey of network managers at 21 energy companies, including 14 utilities, and found that such companies plan to spend an average of $45.8 million every year on cyber security, and currently can prevent 69 percent of known cyber attacks on their systems. The same companies noted that over the next 12-to-18 months, they could increase spending to $69.3 million per year and keep 88 percent of attacks at bay.
However, in order for companies to protect themselves against 95 percent of threats, each would have to commit $344.6 million per year to cyber security, the survey found.
But James Fama, vice president for energy delivery at the Edison Electric Institute, says that no amount of money is enough to mitigate the risk of cyber attackers.
"Regardless of how much money we spend, it is simply not possible to eliminate all risk," he said. "Utilities have to make choices and set priorities concerning investments."
The vulnerabilities have arisen as utilities strive to integrate new intelligent electronic devices with antiquated electric infrastructure, created a more connected grid.
"In almost every case, a control system is connected to the Internet and it’s vulnerable to being hacked," Lewis stated.
The effort to prevent crippling attacks on the nation's critical infrastructure has led the North American Electric Reliability Corporation (NERC) to instruct companies to isolate their computers to keep an attack from triggering a sprawling blackout. The standards developed by NERC are reviewed by the Federal Energy Regulatory Commission (FERC) for approval, and if passed, can result in utilities paying fines of up to $1 million per day until the violation is amended.
Joseph McClelland, FERC's electric reliability director, told a congressional panel in 2011 that the agency should receive even more authority to respond to an event before it occurs, Bloomberg reports.
SUBNET Solutions Inc. has expertise in helping electrical utilities maintain strong cyber security standards across their enterprise and substations. SUBNET offers solutions that help generation, transmission and distribution companies meet NERC's Critical Infrastructure Protection standards.
While many vendors require utilities to replace or upgrade in-place hardware and software, SUBNET leverages existing assets and uses established corporate IT policies to help meet such stringent regulations.
Substation Cyber Security