Highlights
– Nearly 200 security experts and “industry insiders” most concerned about cyber-security within the energy industry
– Multiple items listed as factors of energy industry’s cyber vulnerability in a report published by Energy Insight
– Cost and apathy listed as top two reasons change within the industry is slow
Results from a cyber-security survey of international security experts and other “industry insiders” from eight different critical infrastructure industries were released on November 10, 2008, showing that respondents believed the energy sector was the biggest target for cyber-attacks. The study conducted in August and September 2008 asked experts in the United States (US), Canada, and Europe which industry was the biggest target, which was the most vulnerable to attack, and which was the most detrimental if breached. In all three cases, the respondents picked the energy sector. The survey also found that despite a growing body of legislation and regulation, a majority of those surveyed believed that most critical infrastructures continue to be vulnerable to cyber-attack. Further, a majority of respondents stated that major attacks have already begun or are likely to occur in the next 12 months.
The director of critical infrastructure solutions for Secure Computing Corporation, the company that conducted the survey, stated that “an attack on any one of these industries could cause widespread economic disruptions, major environmental disasters, loss of property and even loss of life.”
The survey comes after concerns about cyber-attacks on the energy sector spurred US lawmakers to consider legislation to broaden federal authority over electric companies in September 2008. At a hearing before the House Energy and Commerce’s subcommittee on energy and air quality in September 2008, a member of the House Homeland Security Committee stated, “I believe America is disturbingly vulnerable to a cyber-attack against the electric grid that could cause significant consequences to our nation’s critical infrastructure.” The chairman of the Federal Energy Regulatory Commission also testified at this hearing and advocated greater powers for his agency to combat cyber-attacks against the nation’s electrical grid.
In his book Black Ice: Cyber-Terrorism’s Hidden Dangers, author Dan Verton stated that the best chance of preventing a devastating cyber-attack, that includes cascading failures within the US’s critical infrastructure, is for public and private sectors to share information on everything from current and future threats of ongoing cyber-attacks. Verton stated that private companies, who own and operate 85 percent of the nation’s most critical infrastructure systems, continue to balk at sharing with the government the lion’s share of information about cyber-vulnerabilities and security incidents. Verton’s research found that most companies fear that sharing data with the government would disclose proprietary company data to competitors through Freedom of Information Act requests.
We note that the longstanding notion that the best course of action in regards to cyber-security is for industry self-regulation has ultimately absolved the federal government of its national security responsibilities. Those calling for more federal oversight can only hope that changes will be made quickly enough to meet the increasing speed with which the nation’s critical infrastructures are being attacked. In the near to mid-term, the release of the cyber-security survey will likely increase support for advocates seeking to bolster the federal government’s authority over the nation’s electric companies. Nevertheless, recalcitrant private companies, and bureaucratic infighting will likely prevent any major advances from occurring in the immediate future.
Factors Increasing Vulnerability In The Energy Industry
In a white paper released by Energy Insights, a provider of research-based advisory and consulting services to energy industry executives, a multitude of factors were cited as contributing to the energy industry’s increased vulnerability:
• An increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability;
• The use of more Internet Protocol (IP) based networks;
• Integration between corporate and operational networks, thereby increasing the potential for viruses and security breaches to cross over from the corporate network to the operations network and vise versa;
• Reliance on standard or commodity IT platforms such as Microsoft Windows.
• A lack of attention to security by network automation and control system vendors.
Energy companies are clearly embracing technology to streamline and enhance the efficiency of their business models, but are giving little or no thought and effort towards ensuring the new technologies implemented meet established IT security protocols. The critical nature of the nation’s energy infrastructure may demand that energy companies develop specialized IT departments within their companies to develop, test, deploy, and monitor the software and hardware that controls their energy producing and delivering systems instead of relying on third-party consultants and vendors.
Cost and Apathy Cited as Hampering Change
Respondents of the survey cited cost and apathy as the top two reasons the nation’s critical infrastructure remains vulnerable to cyber attacks.
Speaking at a cybersecurity policy forum in 2005, a Californian congressman offered two possible solutions to the problems of cost and apathy when he stated that, “Congress could consider a combination of new regulations and incentives to get companies to take cybersecurity more seriously.” However, he tempered his solutions with concerns that by imposing specific regulations, “we will stifle the kind of innovation that’s available to the private sector to come up with their own fixes.”
Despite Congressional interest in the issue, we do not expect significant legislation to be implemented in the near to mid-term. Further, it appears that without new governmental regulations and oversight – or a large scale cyber attack on one of the nation’s critical infrastructures – the current lack of strong IT protection within the nation’s eight most critical infrastructures will continue to leave American’s venerable to serious service disruptions and personal safety.