cyber security

GAO Testimony Before Congress Questions Security of Utility Infrastructure, Smart Meters

Threats to systems supporting critical infrastructure — including the smart grid — are constantly “evolving and growing” and as a result have been termed “government-wide high-risk areas” by the U.S. Government Accountability Office (GAO). Testifying before the House Energy and Commerce Committee’s oversight and investigations panel, Gregory Wilshusen, director of the GAO’s Information Security Issues team, shared his concerns about the security of the infrastructure. The written testimony observes that smart meters are among those devices that have not been “designed with a strong security architecture and lack important security features.” Further, he remarked that utility companies are often unaware of imminent threats or incidents on their systems because some of that intelligence is classified and cannot be shared with them.

NERC Reliability Report Draws Attention to Threats and Issues in Bulk Power System Reliability

Integration of smart grid devices and other new and emerging technologies that rely on communications to control device operations poses a threat to the reliability of the electric grid, according to a new report released by the North American Electric Reliability Corporation (NERC). Providing a 10-year outlook on the North American electric industry, NERC's '2011 Long Term Reliability Assessment' evaluates key reliability indicators and examines the impact of regulations and other issues on bulk power system reliability. The key issues discussed in the report were: the decrease in projected generation resources; the growing dependence on natural gas as a primary fuel source for on-peak capacity; the increased demand for integrating and delivering new resources and the resulting growth of transmission; and the cumulative effect of environmental regulations, which may reduce reserve margins in ways that could affect bulk power system reliability, depending on the scope and timing of final regulation implementation.

No Evidence Of Cyber Attack on Water Utility, ICS-CERT and FBI Say

There is no evidence of a cyber intrusion into the SCADA system of the water utility in Springfield, Illinois, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in an email yesterday. ICS-CERT and the Federal Bureau of Investigation (FBI) had been investigating the reported cyber attack on the SCADA systems of the U.S. water utility, which was said to have resulted in a pump failure. ICS-CERT noted that there was no evidence to support claims made in the initial DHS Fusion Center reports. ICS-CERT received a copy of the reports on Nov 16th and contacted the DHS field office to obtain additional information. The claims of a cyber attack have now also been dismissed by the FBI and DHS.

FERC Has Cybersecurity Problems, Says DOE IG

The commission seeking greater authority over the cybersecurity of the nation’s electric grid has security problems of its own. A recently released audit of Federal Energy Regulatory Commission’s (FERC) unclassified cybersecurity program by the Inspector General (IG) of the Department of Energy (DOE) has revealed much room for improvement. While acknowledging that the commission has improved since DOE’s FY2010 evaluation, the audit cited continued weaknesses related to timely remediation of software vulnerabilities, and failure to implement FERC’s own Vulnerability Management Program (VMP) as the reasons for its findings. 

The audit stated that “specifically, we noted that 32 of 70 vulnerabilities we identified were rated ‘high risk’ by the vendor and/or the National Vulnerability Database sponsored by the Department of Homeland Security's National Cyber Security Division.” Nine of the issues identified impacted a significant number of the 45 servers and/or 236 workstations tested, and were primarily associated with third-party productivity and internet applications. “All of the ‘high risk’ vulnerabilities identified were more than 30 days old, including 18 that were missing patches more than 1 year old. Furthermore, we identified several instances where the Commission was using software that was no longer supported by the vendor.”

While FERC budgeted approximately $3.8 million during fiscal 2011 to secure its information technology assets, FERC cited “budget and resource constraints” as the reason for not following its own VMP. In addition, FERC said that some patches were not instituted because of adverse operational impacts. 

Next Stuxnet? -- ICS-CERT Releases Alert On Duqu

Information about a worm very similar to Stuxnet has been released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an Industry Alert. This threat has been named "Duqu" because it creates files with the file name prefix "~DQ".

Initial findings suggest that Duqu's purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers, with the intention of more easily conducting a future attack against a third party. The creators of the code are looking for information, such as design documents, that could help them mount a future attack on an industrial control facility. Symantec has labelled this threat the “Precursor to the Next Stuxnet” based on similarities between the two, and has also released a Mitigation Fact Sheet.

SEC Issues Guidelines On Reporting Cybersecurity Breaches and Risks

The Securities and Exchange Commission (SEC) has issued guidelines to publicly traded companies about what they are obligated to disclose when hit by a cybersecurity breach. In particular, the SEC expects companies to disclose “the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” Disclosure would be required of substantial costs for remediation, increased cybersecurity protections, lost revenues, litigation or reputational damage associated with cyber incidents involving theft of intellectual property, other proprietary or financial information, or disruption of operations. Additionally, disclosure may be required of material information related to cybersecurity risks, the severity and frequency of prior cyber incidents, the probability of cyber incidents, and the adequacy of preventative actions against threatened attacks.

The guidelines clarify that, “While registrants should provide disclosure tailored to their particular circumstances and avoid generic ‘boilerplate’ disclosure, we reiterate that the federal securities laws do not require disclosure that itself would compromise a registrant’s cybersecurity. Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.” This reporting requirement will shed more light on how publicly traded companies are dealing with cybersecurity, and will add more pressure to investor-owned utilities already grappling with cybersecurity threats to the smart grid. Pike Research estimated that utility companies worldwide are likely to spend $21 billion by 2015 to improve cybersecurity for the smart grid. Meanwhile, the U.S. energy sector awaits national, interoperable security standards to support the modernization of the grid, leading to heightened concerns about grid security and its impacts.

Earlier this year, Sen. Rockefeller, Chair of the Senate Commerce Committee, sent a letter to SEC Chairwoman Mary Schapiro calling on the Commission to clarify corporate disclosure requirements for cybersecurity breaches so that the American public can learn more about when hackers make efforts to penetrate companies’ computer systems. Sen. Rockefeller applauded the SEC action in a press release, saying, “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it. I asked the SEC about this because these companies are required under law to report these incidents.”

Presidential Order on Information Sharing

President Obama signed an Executive Order (EO) on October 7, 2011 that calls for structural reforms to the oversight of classified information. The EO supports, codifies, and accelerates ongoing work that includes bolstering detection capabilities, restricting removable media, and strengthening government-wide governance, coordination, and oversight. Utilities that participate in cybersecurity and physical security information sharing should review the EO and make themselves aware of the new information sharing structure.

Why do we keep asking "What are smart grids?"

All too often, I hear smart grid discussions started by someone suggesting that we really ought to come up with a definition for smart grids. Frankly, that makes me wonder how we ended up with so many people who claim to not know what smart grids are telling us what we should be doing about smart grids.

Seriously, if you don't know what smart grids are, either (a) be quiet and listen to those who do, or (b) don't diminish what you do have to contribute to the discussion by highlighting what you don't understand about smart grids.
