As electric power companies are modernizing their
products and processes they will want to turn more
of their attention to protecting their vital assets
from cyber attacks. The folks who track such things
are saying that while the threats are rising, the
defenses to prevent them are not.
Most cyber attacks are going unnoticed because they
are only affecting a small number of companies that
must deal with the fallout. It is only those
widespread assaults that are making the news -- such
as the Stuxnet virus allegedly sent by the United
States and Israeli governments that is reported to
have set back the Iranian nuclear program.
Governments using those worms and viruses to go
after their adversaries are one thing. But criminals
using them to extort money from businesses such as
utilities are another.
“The right questions that an executive needs to be
asking are what is being done to lock down the
critical assets and what is being done to lock down
the control system environment,” says Pamela Warren,
McAfee’s cybercrime strategist, in a telephone
interview.
Cyber criminals are after data, or proprietary
corporate information. That includes intellectual
property, potential acquisitions and business
intelligence, adds Dave Marcus, director of McAfee’s
security research, in the same phone call. “It’s
done for financial reasons or to get an edge up on
competitors.”
According to
McAfee, 81 percent of a company’s Standard &
Poor’s value is tied to intangibles such as
intellectual property. Across the energy sector, the
software security company says that 85 percent of
businesses have had their networks infiltrated.
And even though the threats are real and present,
only a small percentage of the energy firms are
adopting security technologies, McAfee says.
The response, generally, is two-pronged: The first
prong is the steps that utilities can take to
insulate themselves, and the second is the federal
government's effort to force those power companies
to do more. In any event, utilities once
had disparate assets that could not talk to each
other, but today they are highly digitized with
devices that are interwoven, allowing infections to
spread.
Higher Standards
Utilities are, of course, spending time and money
addressing certain weaknesses within their
operational protocols. They do so in a number of
ways but one commonly used tactic is the application
of “patches” to fix a specific vulnerability. But
hackers are always looking for new voids and
oftentimes companies are too busy or too preoccupied
with other security concerns.
“As in any classic security parlance, you are
worried about sustaining the data’s confidentiality,
integrity and availability,” writes Jay Cappy of
Verizon Business, in an Energy Central blog. “Hence,
the key implementation considerations for the
communications infrastructure are to encrypt the
data – keep it from being viewed or read by
unauthorized parties – and to ‘hash’ the data so
that any modifications to the packets are readily
detected.”
Congress, meanwhile, is considering greater
enforcement actions. In May, the Senate Energy and
Natural Resources Committee voted unanimously to
give the secretary of energy the ability to order
utilities to better protect their critical
infrastructure from attacks. A second bill,
meantime, would give the Federal Energy Regulatory
Commission the authority to force utilities to
address areas where they are “vulnerable” -- an
overreach, say many utilities that insist the
commission’s role should only include “imminent
threats.”
Under the current process, the North American Electric
Reliability Corp. considers protections, draws up
recommendations and then takes public comment. After
the council develops guidelines, they are sent to
FERC for final approval.
According to the
General Accountability Office, the nation's
wires infrastructure is comprised of $1 trillion in
assets that entail 200,000 miles of transmission
lines. Altogether, over 800,000 megawatts of power
serve more than 300 million people.
Because the system is now connected to the outside
world, it is open to attack.
Consider the smart grid that allows utilities and
customers to communicate with each other: A nemesis
can manipulate the data and disrupt the network --
just as a number of smaller but potent viruses have
already done.
“The commission’s current authority is not adequate
to address cyber or other national security threats
to the reliability of our transmission and power
system,” says
Joseph McClelland, reliability director for FERC,
in recent congressional testimony. He is suggesting
“mandatory” standards while utilities support
“voluntary” ones.
Cyber attacks are escalating and leaving corporate
networks increasingly susceptible. Utilities are
getting the message but are emphasizing that they
must carefully allocate scarce resources -- a tactic
that the U.S. government wants to dislodge in an
effort to get them to be more assertive.
EnergyBiz Insider has been nominated in 2010
and 2011 for Best Online Column by Media Industry
News, MIN. Ken Silverstein has also been named one
of the Top Economics Journalists by Wall Street
Economists.
Copyright © 1996-2011 by CyberTech, Inc. All rights reserved.