Threats to systems supporting critical infrastructure — including the smart grid — are constantly “evolving and growing” and as a result have been termed “government-wide high-risk areas” by the U.S. Government Accountability Office (GAO). Testifying before the House Energy and Commerce Committee’s oversight and investigations panel, Gregory Wilshusen, director of the GAO’s Information Security Issues team, shared his concerns about the security of the infrastructure. The written testimony observes that smart meters are among those devices that have not been “designed with a strong security architecture and lack important security features.” Further, he remarked that utility companies are often unaware of imminent threats or incidents on their systems because some of that intelligence is classified and cannot be shared with them.

The Industrial Control System Cyber Emergency Response Team (ICS-CERT) has issued an alert on February 3, 2012, concerning SSH scanning activity that is targeting control systems. The agency states that this Alert is being issued  to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing activity involving secure shell(SSH), a scanning of Internet facing control systems.

As recently as this week, ICS-CERT received a report from an electric utility experiencing unsuccessful brute force activity against their networks. The full alert is available for review here.

Version 5 of the NERC Critical Infrastructure Protection (CIP) was released for comment and vote in December. The results of the voting have been released and the standard updates failed to receive the necessary votes to pass. The voting results can be viewed and downloaded here.

Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote. 

Version 3 of the NERC CIP standards are in place now, with version 4 approved and waiting implementation. Some industry professionals hoped that version 5 would be approved quickly so that implementation of procedures to comply with version 4 would not be necessary. The failed vote brings this possibility in question. 

Integration of smart grid devices, and other new and emerging technologies reliant on communications to control operations of the device pose a threat to the reliability of the electric grid, according to a new report released by the North American Electric Reliability Corporation (NERC). Providing a 10-year outlook on the North American electric industry, the new '2011 Long Term Reliability Assessment' report released by NERC evaluates key reliability indicators and dives into the impact of regulations and other issues on bulk power system reliability. The key issues discussed in the report were: the decrease in projected generation resources; the growing dependence on natural gas as a primary fuel source of on-peak capacity; the increased demand for integrating and delivering new resources and the subsequent growth of transmission; and the cumulative effect from environmental regulations may reduce reserve margins in ways that could affect bulk power system reliability, depending on the scope and timing of final regulation implementation. Read more »

President Obama signed an Executive Order (EO) on October 7, 2011 that calls for structural reforms to the oversight of classified information. The EO supports, codifies, and accelerates ongoing work that includes bolstering detection capabilities, restricting removable media, and strengthening government-wide governance, coordination, and oversight. Utilities that participate in cybersecurity and physical security should review the EO and make themselves aware of the new information sharing structure. Read more »

A new document intended to help pipeline operators, power producers, manufacturers and other managers of critical infrastructures to secure their systems while addressing their unique performance, reliability and safety requirements has been issued by National Institute of Standards and Technology (NIST). The document provides an overview of industrial control system (ICS) and typical system topologies, identifies typical threats and vulnerabilities to these systems and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS.

This new guide is recommended to be used along with the NIST Guidelines for Smart Grid Cyber Security (NISTIR 7628), which was issued last September, to tackle security issues arising from the convergence of the electric power Smart Grid and ICS.

The North American Electric Reliability Corp (NERC) is requiring that members of the bulk power system implement protections against a vulnerability that could be exploited to cause physical damage to critical systems that provide electricity. Specifically, NERC has issued a recommendation to the industry on the AURORA vulnerability which provides new sensitive and clarifying information regarding the nature of AURORA. The recommendation requires entities to report on efforts and progress by Dec. 13, with updates every six months until mitigation is complete. Read more »

Cyber security will come to dominate all aspects of information communications technology at utilities in 2011 and 2012. I would love your ideas on what more UTC could do to help you with this.

The National Institute of Standards and Technology (NIST) has just released a final draft of its Smart Grid Cyber Security Strategy and Requirements. This will now drive future cyber security work at the North American Electric Reliability Corporation (NERC) on their Critical Infrastructure Protection (CIP) requirements in 2011. The NIST recommendations and political pressure from Congress will combine to force stronger cyber security protections in both the bulk power grid and the distribution grid. Read more »

Balancing benefits of consumer access to their own consumption data with the costs anticipated by the various approaches was stressed by UTC comments filed in DOE’s request for information on data access, third party use, and privacy. UTC noted that the innovative deployment by energy utilities of smart meters and smart control systems will create a smart energy grid that will unlock the value of what has been called the Energy Information Economy. Smart energy grids will create an environment in which consumers will have greater abilities to manage their own energy usage and utilities will have new tools to affect grid-wide energy efficiencies never before possible. The key to all this is data. How to provide secure access to it for customers and their agents is the crux of this RFI’s questions and the focus of UTC’s responses. Read more »